Data Protection Policy

1. Purpose

This Data Protection Policy sets out how TaxStats Ltd ("TaxStats") complies with its obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It describes the principles we follow, the measures we take to protect personal data, and the procedures we have in place to handle data subject requests and data breaches.

2. Data Protection Principles

TaxStats adheres to the seven key principles of the UK GDPR:

• Lawfulness, fairness, and transparency: We process personal data lawfully, fairly, and in a transparent manner. We inform data subjects about how their data is used through our Privacy Policy and engagement letters.
• Purpose limitation: We collect personal data for specified, explicit, and legitimate purposes and do not process it in a manner incompatible with those purposes.
• Data minimisation: We collect only the personal data that is necessary for the purposes for which it is processed.
• Accuracy: We take reasonable steps to ensure that personal data is accurate and kept up to date. We encourage clients to notify us of any changes to their personal information.
• Storage limitation: We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, subject to legal retention requirements.
• Integrity and confidentiality: We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.
• Accountability: We maintain records of our data processing activities and can demonstrate compliance with the UK GDPR.

3. Data Protection Officer

TaxStats has appointed a Data Protection Lead who is responsible for overseeing compliance with this policy and data protection legislation. The Data Protection Lead can be contacted at:

Email: privacy@taxstats.co.uk
Address: TaxStats Ltd, Work.Life, 30 Brown Street, Manchester, M2 1DH

4. Data Processing Activities

TaxStats processes personal data in connection with the following activities:

• Providing accounting, tax, payroll, and advisory services to clients
• Filing tax returns, VAT returns, payroll submissions, and company accounts with HMRC and Companies House
• Processing payments and managing client billing
• Managing client communications and support requests
• Marketing our services to prospective and existing clients
• Operating and improving our technology platform
• Complying with legal and regulatory obligations, including anti-money laundering requirements
• Identity verification for Companies House (TaxStats ID)

5. Lawful Basis for Processing

We identify and document the lawful basis for each processing activity before any processing takes place. The lawful bases we rely on include contractual necessity, legal obligation, legitimate interests, and consent. Where we rely on legitimate interests, we conduct a Legitimate Interests Assessment to ensure our interests do not override the rights and freedoms of the data subject.

6. Subject Access Requests

Data subjects have the right to request access to the personal data we hold about them. We handle Subject Access Requests (SARs) as follows:

• SARs can be submitted by email to privacy@taxstats.co.uk or in writing to our registered office.
• We verify the identity of the requester before disclosing any personal data.
• We respond to SARs within one calendar month of receipt. This period may be extended by up to two further months for complex or numerous requests, in which case we will inform the data subject within the first month.
• We provide the information free of charge. We may charge a reasonable fee for manifestly unfounded or excessive requests, or if additional copies are requested.
• We do not disclose personal data of third parties without their consent unless doing so is reasonable in the circumstances.

7. Data Breach Notification

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. In the event of a personal data breach, we follow these procedures:

• The breach is reported internally to the Data Protection Lead immediately upon discovery.
• The Data Protection Lead assesses the nature and severity of the breach and determines whether it is likely to result in a risk to the rights and freedoms of data subjects.
• If the breach is likely to result in a risk to data subjects, we notify the ICO without undue delay and in any event within 72 hours of becoming aware of the breach.
• If the breach is likely to result in a high risk to data subjects, we notify the affected individuals without undue delay.
• We document all breaches, including those that do not require notification, in our breach register.
• We conduct a post-breach review to identify lessons learned and implement improvements.

8. Third-Party Processors

Where we engage third-party processors to process personal data on our behalf, we ensure that:

• A written data processing agreement is in place that meets the requirements of Article 28 of the UK GDPR.
• The processor provides sufficient guarantees of appropriate technical and organisational measures.
• The processor does not engage sub-processors without our prior written consent.
• We conduct due diligence on processors before engagement and review their compliance periodically.

Our key third-party processors include cloud hosting providers, Stripe (payment processing), Finexer (open banking), and SendGrid (email delivery).

9. International Transfers

We primarily store and process personal data within the United Kingdom. Where international transfers are necessary, we ensure they are covered by appropriate safeguards as required by the UK GDPR, including UK adequacy decisions, standard contractual clauses, or binding corporate rules.

10. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) where processing is likely to result in a high risk to the rights and freedoms of data subjects. This includes processing involving new technologies, large-scale processing of sensitive data, and systematic monitoring of public areas. DPIAs are reviewed and approved by the Data Protection Lead before processing begins.

11. Training and Awareness

All TaxStats employees and contractors who process personal data receive data protection training upon joining and annually thereafter. Training covers the principles of the UK GDPR, recognising and reporting data breaches, handling Subject Access Requests, secure data handling practices, and the specific requirements of our services and client data.

We maintain records of all training completed and regularly assess the effectiveness of our training programme.

12. Records of Processing Activities

We maintain a Record of Processing Activities (ROPA) as required by Article 30 of the UK GDPR. The ROPA includes the purposes of processing, categories of data subjects and personal data, categories of recipients, retention periods, and a description of security measures. The ROPA is reviewed and updated at least annually.

13. Rights of Data Subjects

We have procedures in place to handle all rights requests under the UK GDPR, including the right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object, and rights related to automated decision-making. All rights requests are logged, tracked, and responded to within the statutory timeframes.

14. Data Retention and Disposal

We follow a defined data retention schedule that specifies how long each category of personal data is retained. When personal data is no longer required, it is securely disposed of. Electronic data is permanently deleted using secure deletion methods. Physical documents containing personal data are shredded using cross-cut shredders.

15. Review

This policy is reviewed annually by the Data Protection Lead and updated as necessary to reflect changes in legislation, guidance, or our processing activities. Material changes are communicated to all staff and, where appropriate, to clients.