Privacy Notice

This is the Privacy Notice of GDBA LTD (company number 07820725 whose registered office is at Hfm Tax & Accounts, 180 Piccadilly, London, United Kingdom, W1J 9HF (“GDBA LTD”). GDBA LTD is part of a group which is made up of a number of legal entities, details of which can be found here www.gdba.com (“Group”) so where this Privacy Notice refers to “GDBA”, “we”, “us” or “our”, it is referring to the relevant company within the Group. This Privacy Notice sets out how we collect and process your personal data. This Privacy Notice also provides certain information that is legally required and lists your rights in relation to your personal data.

This Privacy Notice relates to personal information that identifies “you” meaning clients, or individuals outside our organization with whom we interact. If you are an employee, contractor or otherwise engaged in work for us or applying to work for us, a separate privacy notice applies to you instead. We do not sell or transfer the data we collect.

This Privacy Notice may vary from time to time so please check it regularly.

This Privacy Notice applies where we are a controller in respect of your personal data – this is where we decide how and why your personal data is processed.

If you wish to correct your personal data held by us or to opt out at any time from receiving marketing correspondence from us or to alter your marketing preferences, please contact us here at https://gdba.com/contact

If you need to contact us in connection with our use or processing of your personal data, or gain access to it, you can contact us at https://gdba.com/contact

The categories of personal data about you that we may collect, use, store, share and transfer are:

• Individual Data. This includes personal data which you provide to us voluntarily, which relates to your identity, such as your first name, middle name, last name, title and your contact details such as your email address and telephone numbers;
• Information Technology Data. This includes personal data which relates to your use of our website, such as traffic data, website logs and other communication data, operating system and platform and other technology on the devices you use to access our website;
• Economic and Financial Data. This includes personal data which relates to your finances, such as your bank account and information which we collect from you for the purposes of the prevention of fraud that you provide to us voluntarily.
• Audio and Visual Data. This includes personal data which is gathered using our CCTV or other recording systems in the form of images, video footage and sound recordings that is taken at any time;
• Health Data. This includes personal data which is voluntarily provided for health and safety purposes or any information you voluntarily provide about allergies or other medical conditions;
• Publicly Available Information. This includes publicly available information relating to individuals who voluntarily supply identifying information for the purpose of communicating with GDBA.

We may also create Personal Data about you, for example, if you contact us by telephone to make a request for services, then we may make a written record of key details of the conversation.

In addition, we may obtain certain special categories of your data / sensitive personal data, and this Privacy Notice specifically sets out how we may process these types of personal data. The special categories of data are: (i) personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; and (ii) the processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

We also collect information about criminal convictions and offences if contained in public records upon receipt of proper waivers or authorizations in accordance with applicable law for permissible purposes.

We obtain your personal data from the following sources:

• Directly from you, either in person, via our website or by telephone or via mobile devices. This could include personal data which you voluntarily provide when you:
  • engage us to provide services; or
  • contact us via our website.
• Via automated technologies, Upon engagement to provide services, various technologies such as CCTV or other recording systems, tracking systems or other methods fully disclosed to clients. We may automatically collect Information Technology Data about your equipment, browsing actions and patterns by using cookies, server logs and other similar technologies. We do not sell or transfer the data we collect.
• From someone else, such as:
  • analytics providers;
  • search information providers;
  • providers of technical and payment services;
  • providers of social media platforms (such as Facebook, Twitter and Instagram) for example where you share our content through social media, for example by liking us on Facebook, following or tweeting about us on Twitter;
• From publicly available sources, such as:
  • Companies House; and
  • The Internet.

We collect personal data about you in order to:

• perform our contractual obligations to you. This would include:
  • processing and performing any services requested by you;
  • making or receiving payments, fees and charges; and
  • collecting and recovering money owed.
• manage our relationship with you including:
  • to send you information you have requested; and
  • to deal with your enquiries;
• administer our business and carry out business activities;
• for internal purposes to use data analytics, to identify usage trends, determine and measure the effectiveness and to improve our services, marketing, customer relationships and experiences;
• protect our business including to deal with any misuse of our website and to comply with our security policies at our locations;
• use your personal data to comply with our own legal and industry obligations.
• enforce or apply our terms of use, terms and conditions of supply and other agreements with third parties;
• use your personal data in an official role which we have been designated to carry out by an official authority (e.g. the government) or where we are otherwise carrying out tasks which are in the public interest (e.g. which have been designated as such by government, or which would otherwise be deemed in the public interest);
• to detect and prevent fraud and other illegal activities (and to assist regulators, trade bodies and law enforcement agencies in relation to the same);
• finance, restructure, sell, make ready for sale or dispose of our business in whole or in part including to any potential buyer or their advisers;
• use our knowledge of any health-related personal data you disclose to us in the event of illness or injury or some other related emergency or to record any accident or injury or other incident you may suffer;
• investigate and defend any third-party claims or allegations.

For certain purposes it may be appropriate for us to obtain your prior consent. The legal basis of consent is only used by us in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way.

In the event that we rely on your consent, you may at any time withdraw the specific consent you give to our processing your personal data. Please contact us using the contact details set out in paragraph 1 to do so. Please note even if you withdraw consent for us to use your personal data for a particular purpose we may continue to rely on other lawful bases to process your personal data for other purposes.

Examples of when we may rely on your consent to process your personal data include where, in the provision of our services to you, we need to use your sensitive / special category personal data relating to your health, ethnicity, political, religious or philosophical, trade union membership, genetic, biometric, your sex life, your sexual orientation;

Where we are relying on a basis other than your consent, the lawful basis for processing personal data will be one of the following:

• the processing is necessary in order for us to comply with our legal obligations (such as compliance with anti-money laundering legislation);
• the processing is necessary for the performance of a contract you are party to or in order to take steps at your request prior to you entering into a contract;
• processing is necessary for the establishment, exercise or defence of legal claims; or
• the processing is necessary for the pursuit of our legitimate business interests. In particular, our legitimate interests include:
• the processing is necessary in order to protect the vital interests of an individual e.g. where there is a medical emergency at one of our premises;
• • the provision of services;
  • the recovery of debt;
  • the security of our IT network;
  • the prevention of fraud;
  • the reorganisation or sale or refinancing of the business;
  • the study in how to develop and the update of our services;
  • the development of our business strategy; and
  • protecting our business and property.
• the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;

Where we are processing your sensitive / special category personal data one of the following conditions will also apply:

• you have given your explicit consent to the processing;
• the processing relates to personal data which are manifestly made public by you;
• the processing is necessary for the establishment, exercise or defence of legal claims;
• the processing is necessary for archiving purposes in the public interest; scientific or historical research purposes or statistical purposes;
• the processing is necessary to protect an individual’s vital interests where the individual cannot give consent;
• the processing is necessary for reasons of substantial public interest;

We may disclose your personal data to:

• our group companies and affiliates or third party data processers who may process data on our behalf to enable us to carry out our usual business practices. Any such disclosure will only be so that we can process your personal data for the purposes set out in this Privacy Notice;
• HMRC, legal and other regulators or authorities, including those who request your personal data or to report any potential or actual breach of applicable law or regulation where such disclosure is compelled by applicable law;
• external professional advisers such as accountants, bankers, insurers, auditors and lawyers;
• law enforcement agencies, courts or other relevant party, to the extent necessary for the establishment, exercise or defence of legal rights and where disclosure is required by applicable law;
• third parties where necessary for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;
• third parties which are considering or have decided to acquire some or all of our assets or shares, merge with us or to whom we may transfer our business (including in the event of a reorganisation, dissolution or liquidation); or
• third parties operating plugins or content (such as Facebook, Twitter, Instagram) on our website which you choose to interact with.

If you provide personal data to us about someone else you must ensure that you are entitled to disclose that personal data to us and that, without our taking any further steps, we may collect, use and disclose that personal data as described in this Privacy Notice.

You must ensure the individual concerned is aware of the various matters detailed in this Privacy Notice, as those matters relate to that individual, including our identity, how to contact us, the way in which we collect and use personal data and our personal data disclosure practices, that individual’s right to obtain access to the personal data and make complaints about the handling of the personal data, and the consequences if the personal data is not provided.

It is important that the personal data we hold about you is accurate and current and we take all reasonable precautions to ensure that this is the case but we do not undertake to check or verify the accuracy of personal data provided by you. Please keep us informed if your personal data changes during your relationship with us by contacting us. We will not be responsible for any losses arising from any inaccurate, inauthentic, deficient or incomplete personal data that you provide to us.

It is possible that personal data we collect from you may be transferred, stored and/or processed outside the European Economic Area including to the United States.

In connection with such transfers we will ensure that:

• there are appropriate safeguards in place such as binding corporate rules or the approved EU model contractual clauses between us and the recipient (as per Article 46 GDPR (or English law equivalent)). A copy of the appropriate safeguard can be obtained by contacting us using the contact details set out in paragraph 2 or
• the transfer is to a country that the European Commission has decided provides an adequate level of protection such as to a country approved by the European Commission or to certain organisations with the US pursuant to the Privacy Shield (as per Article 45 GDPR (or English law equivalent)); or
• one of the derogations for specific situations in the first sub-paragraph of Article 49(1) GDPR (or English law equivalent) applies to the transfer including explicit consent or necessary for the performance of a contract or exercise or defence of legal claims.

We will store your personal data as long as necessary for business obligations and as required by law or in the case of legal proceedings.

In certain circumstances the provision of personal data by you is a requirement to comply with the law or a contract, or necessary to enter into a contract.

It is your choice as to whether you provide us with your personal data necessary to enter into a contract or as part of a contractual requirement. If you do not provide your personal data then the consequences of failing to provide your personal data are that we may not be able to perform to the level you expect under our contract with you.

Subject to applicable law including relevant data protection laws, in addition to your ability to withdraw any consent you have given to our processing your personal data (see paragraph 6), you may have a number of rights in connection with the processing of your personal data, including:

• Subject to applicable law including relevant data protection laws, in addition to your ability to withdraw any consent you have given to our processing your personal data (see paragraph 6), you may have a number of rights in connection with the processing of your personal data, including:
• the right to request rectification of any inaccuracies in your personal data or, taking into account the purposes of our processing, to request that incomplete data is completed;
• the right to request, on legitimate grounds as specified in law:
  • erasure of your personal data that we process or control; or
  • restriction of processing of your personal data that we process or control;
• the right to object, on legitimate grounds as specified in law, to the processing of your personal data;
• the right to receive your personal data in a usable format, to the extent applicable in law; and
• the right to lodge complaints regarding the processing of your personal data with the Information Commissioner’s Office or other relevant supervisory body. Please see https://ico.org.uk/concerns/ for how to do this.

If you would like to exercise any of the rights set out above, please contact us using the contact details set out in paragraph 2.