Types of Personal Data Processed
The types of personal data collected and processed by us will vary depending on the data we are required to process in accordance with the contracts with our Clients. We may be asked to process both ‘personal data’ as defined in Section 3(2) of the Data Protection Act 2018 and or ‘Special Category Personal Data’ as defined in Article 9(1) GDPR.
Categories of Data Subjects
Personal data we process for our own purposes and/or in accordance with contracts with our Clients may include but may not be limited to third party and prospective clients data, our Client’s staff data, our Client’s contractor data supplier data and data of children.
Data about these individuals may include but not be limited to the following categories:
Categories of data subjects will, for so far as we act as a Data Processor, be determined by our Clients and as contemplated by our contracts with them. Normally, we will only require limited aspects of our Client’s staff data for our own purposes and will advise our Clients should it become necessary for us to process any other categories of personal data for our own purposes.
Legal Basis for Data Processing
Generally, it will be our Client’s responsibility as a Data Controller to ensure we are provided with personal data for processing activities for which they have identified a legal basis for such processing. We will not accept responsibility for our Client’s providing us with personal data where they have no legal basis for doing so.
Where we require personal data from our Clients for our own purposes we normally do so on the following legal bases as defined under GDPR:
- Contract entry and performance: In order to commence working with our Clients we are legally required to take certain steps, such as assuring ourselves of their identity. In order to do so we require some personal data from our Clients and personal data relating to individuals they are connected with. During the course of our work with Clients we may need to process personal data about individuals to enable us to deliver the service(s) to our Clients.
- Legitimate interests: We may use personal data on the basis of our own legitimate interests in promoting and developing our services, benchmarking and assessing our performance. Activities promoting our services include direct marketing which individuals may opt-out of at any time. Opt-out can be achieved by responding using the unsubscribe options contained within the information you have received or by emailing our Data Protection Officer at email@example.com. We also use personal data in pursuit of the legitimate interests of third parties, including our clients and our suppliers. Those interests include delivering our services and facilitating service improvements in the software we utilise and other ancillary services.
- Legal obligations: Certain statutory and/or regulatory professional rights and obligations apply to Mazars LLP (and its subsidiaries’) work which require us to process personal data and in some circumstances to provide it to third parties such as our regulators and supervisory authorities, law enforcement authorities and agencies, or other such competent authorities.
Where we receive Special Category Personal Data as a result of our professional engagements with Clients, we process these on the basis that explicit consent has been given to our Clients to provide such data to us, or otherwise in accordance with the other legal bases set out through Article 9 GDPR (Section 10 DPA).
Where we process Special Category Personal Data relating to an individual for our own purposes, we will seek consent to process such data or otherwise process the same in accordance with the other legal bases set out through Article 9 GDPR (Section 10 DPA).
Duration of Processing
We will process personal data for as long as we are required to do so for the purposes of the services we provide to our Clients and to meet our legal, professional and statutory rights and/or obligations, and for our prudent risk management purposes of data retention in accordance with our Data Retention Policy. At the cessation of our processing activities it is our Client’s choice as to what happens to the personal data we have been provided with, however, we will need to retain personal data as evidence of the services that we have provided to our Clients. Any personal data retained in this way shall be kept confidential and shall be maintained by us appropriately until it is destroyed in accordance with our Data Retention Policy. We will work with our Clients to carry out their reasonable instructions.
Personal data we collect for our own purposes will be managed in accordance with our Data Retention Policy which reflects current legal, professional and regulatory rights and obligations.
Use of sub-processors
As part of our service delivery it may be necessary for us to use sub-processors. Where we engage a sub-processors to work directly on the services provided to our Clients we will notify our Clients of the same.
We also use a number of ancillary service providers in the delivery of our services to our Clients. Our IT support is largely provided by parties external to Mazars LLP. Some solutions we utilise are cloud based and our need to rely upon those systems varies depending upon the services we deliver. All ancillary service providers are bound by Mazars LLP on behalf of all Mazars subsidiaries to provide at least the same level of protection for personal data as we do.
Most ancillary providers do not engage directly with an individual’s data and simply provide secure storage solutions for the data we process. Unless we have otherwise expressly agreed conditions with them, sub-processors and ancillary providers are prohibited from using an individual’s personal data for their own purposes.
Mazars LLP and our subsidiaries and affiliated companies utilise a number of suppliers to provide us with IT and other associated services for the delivery of our business and services. In some cases, the suppliers we use will be granted access to the personal data we are processing in order to provide us with technical assistance. Such processing activities are not directly related to our principal services to Clients and are considered ancillary to our own internal activities.
As an International firm, our people need to be able to work from anywhere in the world using our IT services. Personal data may be stored on Mazars encrypted devices and transported with individuals as necessary for the delivery of our services in accordance with the terms and conditions we have agreed with our Clients. We have put in place appropriate technical measures to ensure data remain secure irrespective of where our people deliver our services.
As part of our service delivery we process limited personal data for the purposes of, including but not limited to, data storage, back up, destruction, billing, client management, administration, conflict checking and know-how under a standard contractual clauses agreement with Mazars Delhi. Data processing through this firm occurs only upon our instructions for the purposes set out within this statement.
We may process personal data through any of our other Group member firms worldwide. In the event this is necessary we will ensure appropriate controls exist and execute EU standard contractual clauses where necessary to protect personal data and data subject rights and freedoms.
Where we act as a Data Processor on our Client’s behalf you we are permitted by our Clients to use EU standard contractual clause agreements with our chosen sub-processors. All such agreements will be in our name and individuals covered by this statement may enforce rights against the sub-processor(s) directly through us.
Your Data Subject Rights
Where we act as a Data Controller for personal data you may exercise a number of rights.
- Request access to the personal data we hold about you
- Ask us to correct any data which are inaccurate
- Request to have your personal data deleted
- Put in place restrictions on our processing of your data
- Ask us to transfer your data to another controller (data portability)
We will handle all exercise of your data subject rights in accordance with the requirements of GDPR and any national laws at the time of your request. Requests should be submitted in writing to our Data Protection Officer (firstname.lastname@example.org).
If you are dissatisfied with the way we have handled your personal data and we are unable to resolve the matter for you, you may take your complaint to the Information Commissioner’s Office. Further details can be found via their website at www.ico.org.uk.
Should we receive a request from any individual to exercise data subject rights but we are only acting as a Data Processor, we will forward the request to our Client as Data Controller to process. Unless we are explicitly instructed not to we will advise the individual that we have passed their request to the Data Controller.
Mazars LLP has put technological and organisational controls, including policies and procedures, in place to protect personally identifiable information from loss, misuse, alteration or unintentional destruction. Our personnel who have access to the data have been trained to maintain the confidentiality of such information. Conditions to protect data to at least the same standard as we do are cascaded to all our contractors, sub processors and suppliers.
We carry out regular monitoring and testing of our security defences to ensure they continue to be effective against the latest threats.
Data transferred over the internet by us and through our website are protected using encryption technologies to ensure they remain secure.
Please note that no communications over the internet can be guaranteed as secure. Whilst we take appropriate steps to protect personal data we cannot guarantee that it will remain secure in transit. Once data reaches your network it is your responsibility to ensure it remains secure.
Controls put in place by Mazars LLP also apply to our direct subsidiaries worldwide.
Targeted emails from us may include additional data privacy information as required by applicable privacy laws.
As of October 2020, we carry out profiling as defined in Article 4(4) GDPR for the purposes of marketing, developing our business and understanding the needs of our clients. To facilitate this, we collect data from the following sources as a result of your interactions with us:
- Our website;
- Our social media sites which may in turn collect data from your personal social media accounts; and
- Zoom (or other such facility) in the event you register for and attend an event we have organised.
We do not use profiling technologies for any credit or other automated decision taking processes.
Data Protection EU Representative
In accordance with Article 27 GDPR we have designated an EU representative to act on our behalf if and when we undertake data processing activities to which article 3(2) of GDPR applies.
Our representative is:
Bellevue 5 - B 1001
We take our obligations to protect the welfare of our staff, visitors, contractors and anyone else who comes into contact with us seriously. In the event and as a result of you coming into contact with any of our staff, visitors, contractors or other persons, we are subsequently asked to provide your personal data to NHS Test and Trace services, we will do so, in accordance with government guidelines, on the following basis:
- Our legitimate interests in protecting the welfare of you, us and the wider public; and
- In pursuit of the legitimate interests of the departments, offices and/or agencies of the Department of Health and Social Care.
Changes to this Statement
We recommend you check this statement on a regular basis to ensure you remain in agreement with the activities we carry out in respect of processing personal data.
Should we make significant changes to the way we process personal data, we will draw your attention to the relevant part(s) of this statement through email and or other appropriate communications as part of our business activities.
Any changes to our ‘Website’ privacy statement shall be managed in accordance with the terms stated thereunder.
Last updated: November 2020
FOR ANY ENQUIRIES, PLEASE CONTACT: PRIVACY@MAZARS.CO.UK