Mazars LLP Insolvency Services Privacy Statement
The following information applies to those who receive or are seeking the professional services we provide as Insolvency Practitioners (“IPs”) in respect of formal insolvency appointments for individuals and corporate entities. Formal insolvency appointments include bankruptcy and individual voluntary arrangements in respect of individuals; and receivership, administration, creditors’ voluntary liquidation, compulsory winding up, company voluntary arrangement and members’ voluntary liquidation in respect of corporate entities (“Insolvency Services”). The conditions in this statement apply in addition to those for use of the Mazars LLP website. Where any conflict arises between the website conditions and these conditions, and you are an existing client of our services, the conditions contained in this ‘Mazars LLP Insolvency Services Privacy Statement’ section shall prevail.
This statement covers activities undertaken by our IPs and their teams when acting as a Data Controller and Data Processor. Details of our IPs registered as Data Controllers can be found on the ICO register at www.ico.org.uk.
Types of Personal Data Processed
The types of personal data processed will vary depending on the data we are required to process in order to deliver the Insolvency Services. In order for us to deliver the Insolvency Services it may be necessary for us to process both ‘personal data’ as defined in Article 4(1) General Data Protection Regulation (EU) 2016/679 (“GDPR”) and or ‘Special Category Personal Data’ as defined in Article 9(1) GDPR.
Categories of Data Subjects
Personal data we process depends on the type of Insolvency Services we provide and may include but may not be limited to data of the insolvent individual, data of directors / shareholders of the corporate entity, employee data, contractor data, supplier data, customer data and data of children.
Categories of data subjects are determined by the data received from the corporate entities and individuals we act for. The main ways in which we collect personal data is directly from the books and records of the individuals and corporate entities, directly from you, or through third parties.
Legal Basis for Data Processing
Where we hold or require personal data from you we normally do so on the following legal bases as defined under GDPR:
- Legitimate interests: We may also use your personal data on the basis of our own legitimate interests in promoting our services and developing our services and assessing our performance, or those of third parties. Activities promoting our services include business to business marketing which you may opt-out of at any time. Opt-out can be achieved by responding using the unsubscribe options contained within the information you have received or by emailing our Data Protection Officer at email@example.com.
- Legal obligations: Certain statutory obligations apply to the Insolvency Services delivered by our IPs which require us to process personal data and in some circumstances to provide it to third parties such as law enforcement, Government or public bodies. Where such obligations arise we will, insofar as is possible without breaching any other duty we owe to those services, advise you of our intention to process your data for their purposes.
- Contract entry and performance: When delivering certain Insolvency Services, we may have engagement terms agreed with the insolvent individuals or insolvent corporate entities. In order to commence delivering the Insolvency Services, we are legally required to take certain steps, such as assuring ourselves of the identity of the insolvent individuals and corporate entities. In order to do so we require some personal data from insolvent individuals and directors and/or shareholders of the corporate entities over which we act. During the course of our Insolvency Services we may require to continue processing personal data about you to enable us to deliver the Insolvency Services.
- Consent: On occasion we may ask your permission to use your data for certain purposes. If this is sought we will make our request clear to you.
Should we require Special Category Personal Data from you we will process it for the establishment, exercise or defence of legal claims as part of the Insolvency Services or on the basis of such processing being necessary for reasons of substantial public interest.
On occasion we may ask your explicit consent to process Special Category Personal Data and will make any such request clear to you at the time.
Duration of Processing
We will process personal data on your behalf for so long as necessary to deliver the Insolvency Services and to comply with our legal obligations. All personal data will be managed in accordance with our Data Retention Policy which reflects current legal requirements, including but not limited to the Insolvency Practitioners Regulations 2005 and the Insolvency Regulations 1994.
Further information is available on request.
Use of sub-processors
As part of our service delivery it is necessary for us to use sub-processors including third parties, Mazars LLP and its subsidiaries.
Our IPs utilise Mazars LLP IT services and infrastructure. IT support is largely provided by parties external to Mazars UK. Some solutions utilised are cloud based and our need to rely upon those systems varies depending upon the services we deliver to you.
All sub-processors are bound by Mazars LLP on behalf of all Mazars subsidiaries and our Insolvency Practitioners to provide an appropriate level of protection for personal data.
Most sub-processors do not engage directly with your personal data and simply provide secure storage solutions for the data we process. Unless we have otherwise expressly agreed conditions with them, sub-processors are prohibited from using your personal data for their own purposes.
Mazars LLP, its subsidiaries, affiliated companies and IPs utilise a number of suppliers to provide us with IT and other associated services for the delivery of our business and services to you. In many cases, the suppliers we use will be granted access to the data we are processing in order to provide us with technical assistance. Such processing activities are not directly related to our principal services to you and are considered ancillary to our own internal activities.
As an International firm, our people need to be able to work from anywhere in the world using our IT services. Data may be stored on Mazars encrypted devices and transported with individuals as necessary for the delivery of our Insolvency Services. We have put in place appropriate technical measures to ensure data remain secure irrespective of where our people deliver our services.
As part of our service delivery we process limited personal data for the purposes of, including but not limited to, data storage, back up, destruction, billing, client management, conflict checking and know-how under a standard contractual clauses agreement with a Mazars entity firm in India. Data processing through this firm occurs only upon our instructions for the purposes set out within this statement.
We may process your personal data through any of our other Group member firms worldwide. In the event this is necessary we will ensure appropriate controls exist in the form of EU standard contractual clauses to protect your data and data subject rights and freedoms.
Should we act as a Data Processor on your behalf you permit us to use EU standard contractual clause agreements with our chosen sub-processors on your behalf. All such agreements will be in our name and you may enforce rights against the sub-processor(s) directly through us.
Your Data Subject Rights
When we act as the Data Controller for your personal data you may exercise a number of rights.
- Request access to the personal data we hold about you
- Ask us to correct any data which are inaccurate
- Request to have your personal data deleted
- Put in place restrictions on our processing of your data
- Ask us to transfer your data to another controller (data portability)
We will handle all exercise of your data subject rights in accordance with the requirements of GDPR and any national laws applicable at the time of your request, including any regulatory obligations required of us. Requests should be submitted in writing to our Data Protection Officer (firstname.lastname@example.org).
If you are dissatisfied with the way we have handled your personal data and we are unable to resolve the matter for you, you may take your complaint to the Information Commissioner’s Office. Further details can be found via their website at www.ico.org.uk.
On our behalf, Mazars LLP has put technological and organisational controls, including policies and procedures, in place to protect your personally identifiable information from loss, misuse, alteration or unintentional destruction. Our personnel who have access to the data have been trained to maintain the confidentiality of such information. Conditions to protect data to at least the same standard as we do are cascaded to all our contractors, sub processors and suppliers.
Regular monitoring and testing of our security defences is carried out to ensure they continue to be effective against the latest threats.
Data transferred over the internet by us and through our website are protected using encryption technologies to ensure they remain secure.
Please note that no communications over the internet can be guaranteed as secure. Whilst we take appropriate steps to protect your data we cannot guarantee that it will remain secure in transit. Once data reaches your network or possession it is your responsibility to ensure it remains secure.
Controls put in place by Mazars LLP also apply to all direct subsidiaries.
Targeted emails from us may include additional data privacy information as required by applicable privacy laws.
Changes to this Statement
We recommend you check this statement on a regular basis to ensure you remain in agreement with the activities we carry out in respect of processing personal data.
Should we make significant changes to the way we process data, we will draw your attention to the relevant part(s) of this statement through email and or other appropriate communications as part of delivering the Insolvency Services.
Any changes to our ‘Website’ privacy notice shall be managed in accordance with the terms stated thereunder.