GDPR Policy | FM Accounting

1. Our Commitment to Data Protection

FM Accounting Ltd is committed to protecting the personal data of our clients, website visitors, and contacts in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy explains how we apply data protection principles in our operations.

2. Data Protection Principles

We adhere to the seven key principles of the UK GDPR:

Lawfulness, Fairness, and Transparency: We process data lawfully, fairly, and in a transparent manner
Purpose Limitation: We collect data for specified, explicit, and legitimate purposes only
Data Minimisation: We collect only the data that is necessary for the stated purpose
Accuracy: We take reasonable steps to ensure personal data is accurate and up to date
Storage Limitation: We retain data only for as long as necessary for the purpose it was collected
Integrity and Confidentiality: We process data securely using appropriate technical and organisational measures
Accountability: We are responsible for and can demonstrate compliance with these principles

3. Lawful Bases for Processing

We rely on the following lawful bases under Article 6 of the UK GDPR:

Consent (Art. 6(1)(a)): For marketing emails, optional analytics cookies, and newsletter subscriptions
Performance of a Contract (Art. 6(1)(b)): To provide the accounting services you have engaged us for
Legal Obligation (Art. 6(1)(c)): To comply with HMRC requirements, Companies House filings, AML regulations, and professional standards
Legitimate Interests (Art. 6(1)(f)): To improve our services, ensure website security, and respond to enquiries

4. Data Subject Rights

Under UK GDPR, you have the following rights:

Right of Access (Art. 15): Request a copy of the personal data we hold about you
Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
Right to Erasure (Art. 17): Request deletion of your personal data, subject to legal retention obligations
Right to Restrict Processing (Art. 18): Request limitation of data processing in certain circumstances
Right to Data Portability (Art. 20): Request transfer of your data in a structured, machine-readable format
Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing
Rights Related to Automated Decision-Making (Art. 22): We do not use automated decision-making or profiling

5. Data Subject Access Requests (DSARs)

To submit a DSAR, please email us at info@fmaccounting.net with the subject line "Data Subject Access Request".

We will verify your identity before processing the request
We will respond within 30 calendar days of receiving the verified request
If the request is complex, we may extend this by an additional 60 days with notification
There is no charge for a standard DSAR; however, we may charge a reasonable fee for manifestly unfounded or excessive requests

6. Data Breach Notification

In the event of a personal data breach:

We will assess the breach and its potential impact within 24 hours of becoming aware
If the breach poses a risk to individuals' rights and freedoms, we will notify the ICO within 72 hours
If the breach poses a high risk to individuals, we will notify those affected without undue delay
We will document all breaches, including those that do not require notification, as part of our accountability obligations

7. International Data Transfers

We primarily process data within the United Kingdom. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including:

UK adequacy decisions for the receiving country
Standard Contractual Clauses (SCCs) approved by the ICO
Binding Corporate Rules where applicable

8. Data Protection Contact

For any data protection queries, concerns, or to exercise your rights, please contact:

Data Protection Officer
FM Accounting Ltd
Email: info@fmaccounting.net

9. Supervisory Authority

You have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Helpline: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

2. Data Protection Principles

We adhere to the seven key principles of the UK GDPR:

Lawfulness, Fairness, and Transparency: We process data lawfully, fairly, and in a transparent manner

Purpose Limitation: We collect data for specified, explicit, and legitimate purposes only

Data Minimisation: We collect only the data that is necessary for the stated purpose

Accuracy: We take reasonable steps to ensure personal data is accurate and up to date

Storage Limitation: We retain data only for as long as necessary for the purpose it was collected

Integrity and Confidentiality: We process data securely using appropriate technical and organisational measures

Accountability: We are responsible for and can demonstrate compliance with these principles

3. Lawful Bases for Processing

We rely on the following lawful bases under Article 6 of the UK GDPR:

Consent (Art. 6(1)(a)): For marketing emails, optional analytics cookies, and newsletter subscriptions

Performance of a Contract (Art. 6(1)(b)): To provide the accounting services you have engaged us for

Legal Obligation (Art. 6(1)(c)): To comply with HMRC requirements, Companies House filings, AML regulations, and professional standards

Legitimate Interests (Art. 6(1)(f)): To improve our services, ensure website security, and respond to enquiries

4. Data Subject Rights

Under UK GDPR, you have the following rights:

Right of Access (Art. 15): Request a copy of the personal data we hold about you

Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data

Right to Erasure (Art. 17): Request deletion of your personal data, subject to legal retention obligations

Right to Restrict Processing (Art. 18): Request limitation of data processing in certain circumstances

Right to Data Portability (Art. 20): Request transfer of your data in a structured, machine-readable format

Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing

Rights Related to Automated Decision-Making (Art. 22): We do not use automated decision-making or profiling

5. Data Subject Access Requests (DSARs)

To submit a DSAR, please email us at info@fmaccounting.net with the subject line "Data Subject Access Request".

We will verify your identity before processing the request

We will respond within 30 calendar days of receiving the verified request

If the request is complex, we may extend this by an additional 60 days with notification

There is no charge for a standard DSAR; however, we may charge a reasonable fee for manifestly unfounded or excessive requests

6. Data Breach Notification

In the event of a personal data breach:

We will assess the breach and its potential impact within 24 hours of becoming aware

If the breach poses a risk to individuals' rights and freedoms, we will notify the ICO within 72 hours

If the breach poses a high risk to individuals, we will notify those affected without undue delay

We will document all breaches, including those that do not require notification, as part of our accountability obligations