Mazars Financial Planning Limited Privacy Statement

The following information applies to those who receive services from us (Mazars Financial Planning Limited) or who are seeking to do so. These conditions apply in addition to the conditions of use of our website. Where any conflict arises between the Website conditions and these conditions, and you are an existing client of our services, the conditions contained in this ‘Mazars Financial Planning Limited Clients’ section shall prevail.

Data Controller

Mazars Financial Planning Limited is the Data Controller for the personal data you provide to us.

Types of Personal Data Processed

The types of personal data processed will vary depending on the data we need to process in order to deliver the requested service(s) to you, in accordance with our engagement terms with you. We may need to process both ‘personal data’ as defined in Section 3(2) of the Data Protection Act 2018 and/or ‘special category personal data’ as defined in Article 9(1) GDPR.

Categories of Data Subjects

Categories of data subjects will include you as the data subject and any other data subjects whose data you provide to us in connection with our delivery of the services. This may include the data of adults and children and may comprise, but is not limited to, demographic, financial and/or health data.

Data may include but not be limited to the following categories:


Examples (not an exhaustive list):

  • Name, address, date of birth, telephone number, email address, marital status
  • Bank details, salary information, tax liabilities, other pay deductions, payments to others
  • Employer, job title, employment contact details, employment history
  • Achievements, social media information, education
  • Special category: Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, sexual orientation

Legal Basis for Data Processing

As the Data Controller for the personal data we collect from you, we have identified a number of legal bases on which to carry out our processing activities.  These are defined under GDPR as:

  • Contract entry and performance: In order to commence working with you as a client we are legally required to take certain steps, such as assuring ourselves of your identity.  In order to do so we require some personal data from you.  During the course of our engagement with you we require to continue processing personal data about you to enable us to deliver the service(s) to you. 

  • Consent: By providing us with your personal data and asking us to deliver specific services to you, you give us your permission to utilise your personal data for those purposes. Should we require special category personal data from you we will ask for your permission to process those data. If you are not willing to provide us with certain data we may be unable to deliver some or all of our services and will make this clear to you.

  • Legitimate interests: We may use personal data on the basis of our own legitimate interests in promoting and developing our services, benchmarking and assessing our performance. Activities promoting our services include direct marketing, which individuals may opt out of at any time. Opt-out can be achieved by responding using the unsubscribe options contained within the information you have received or by emailing our Data Protection Officer at We also use personal data in pursuit of the legitimate interests of third parties, including our clients and our suppliers. Those interests include delivering our services and facilitating service improvements in the software we utilise and other ancillary services.
  • Legal obligations: Certain statutory obligations apply to Mazars Financial Planning Limited’s work which require us to process personal data and in some circumstances to provide it to third parties, such as law enforcement. Where such obligations arise we will, insofar as is possible without breaching any other duty we owe to those services, advise you of our intention to process your data for their purposes. Under anti-money laundering legislation, we are required to verify the identity of individuals and companies and the beneficial owners of organisations and trusts prior to commencing our services. To comply with this legal requirement, we use Smart Search who check the details you supply against information to which they have access.

Duration of Processing

We will process personal data for so long as you instruct us to do so and in accordance with our professional, legal and statutory rights and / or obligations.  At the cessation of our services to you we will retain your data in accordance with our internal and statutory requirements.

Personal data we collect are managed in accordance with our Data Retention Policy which reflects current legal obligations.  Retention periods for personal data vary.

Use of Processors

As part of our service delivery it is necessary for us to use processors.

Our IT is provided through Mazars LLP and technical support is largely provided by parties external to Mazars UK. Some solutions we utilise are cloud based and our need to rely upon those systems varies depending upon the services we deliver to you.

We also use a number of ancillary service providers in the delivery of our services to our Clients.  Our IT support is largely provided by parties external to Mazars LLP.  Some solutions we utilise are cloud based and our need to rely upon those systems varies depending upon the services we deliver. All ancillary service providers are bound by Mazars LLP on behalf of all Mazars subsidiaries to provide at least the same level of protection for personal data as we do. 

Most ancillary providers do not engage directly with an individual’s data and simply provide secure storage solutions for the data we process.  Unless we have otherwise expressly agreed conditions with them, processors and ancillary providers are prohibited from using an individual’s personal data for their own purposes.

Data Transfers and Sharing

Mazars Financial Planning Limited, our parent company Mazars LLP and all its subsidiaries and affiliated companies utilise a number of suppliers to provide us with IT and other associated services for the delivery of our business and services to you.  In many cases, the suppliers we use will be granted access to the data we are processing in order to provide us with technical assistance.  Such processing activities are not directly related to our principal services to you and are considered ancillary to our own internal activities.

As an International firm, our people need to be able to work from anywhere in the world using our IT services.  Data may be stored on Mazars encrypted devices and transported with individuals as necessary for the delivery of our services in accordance with the terms and conditions we have agreed with you.  We have put in place appropriate technical measures to ensure data remain secure irrespective of where our people deliver our services. 

As part of our service delivery we process limited personal data for the purposes of, including but not limited to, data storage, back up, destruction, billing, client management, conflict checking and know-how under a standard contractual clauses agreement with a Mazars entity firm in India.  Data processing through this firm occurs only upon our instructions, for the purposes set out within this statement.

We may process your personal data through any of our other Group member firms worldwide. In the event this is necessary we will ensure appropriate controls exist in the form of EU standard contractual clauses to protect your data and data subject rights and freedoms.

Where appropriate we use EU standard contractual clause agreements with our chosen sub-processors.  All such agreements will be in our name and you may enforce rights against the sub-processor(s) directly through us.

In order to deliver the services you have requested we may need to share your data with third party suppliers in order to source the most appropriate products to meet your needs. We only share the minimum data necessary for them to evaluate their ability to offer and provide you with relevant products and services. We ensure those companies provide adequate protection for the personal data. Should you choose a product from any of those providers, they will become the data controller for the data transferred to them to enable them to deliver the services to you. Each company will provide you with their own fair processing / data privacy information.

Your Data Subject Rights

Where we act as a Data Controller for your data you may exercise a number of rights.

You may:

  • Request access to the personal data we hold about you
  • Ask us to correct any data which are inaccurate
  • Request to have your personal data deleted  
  • Put in place restrictions on our processing of your data
  • Ask us to transfer your data to another controller (data portability)

We will handle all exercise of your data subject rights in accordance with the requirements of GDPR and any national laws at the time of your request.  Requests should be submitted in writing to our Data Protection Officer (

If you are dissatisfied with the way we have handled your personal data and we are unable to resolve the matter for you, you may take your complaint to the Information Commissioner’s Office.  Further details can be found via their website at

Should we receive a request from you or one of your staff, clients, customers, contractors or prospects to exercise data subject rights but we are only acting as a Data Processor, we will forward the request to you as Data Controller to process. Unless you explicitly instruct us not to, we will advise the data subject that we have passed their request to you.

Data Security

We ensure appropriate technological and organisational controls are in place to protect your personally identifiable information from loss, misuse, alteration or unintentional destruction. Our personnel who have access to your personal data have been trained to maintain the confidentiality of such information.  Conditions to protect data to at least the same standard as we do are cascaded to all our contractors, sub processors and suppliers. 

Regular monitoring and testing of our security defences is carried out to ensure they continue to be effective against the latest threats.

Data transferred over the internet by us and through our website are protected using encryption technologies to ensure they remain secure.

Please note that no communications over the internet can be guaranteed as secure.  Whilst we take appropriate steps to protect your data we cannot guarantee that it will remain secure in transit.  Once data reaches your network it is your responsibility to ensure it remains secure. 

Our controls are put in place by Mazars LLP on our behalf and also apply to their direct subsidiaries.

Marketing emails

Some of our marketing emails may contain web beacons, web bugs, cookies or other similar technologies which enable us to understand whether you open, read, or delete the message and any interaction you make with links contained therein.  When you click on a link in a marketing email you receive from us we may also use cookies to log what pages you view, in accordance with our cookies policy.

Targeted emails from us may include additional data privacy information as required by applicable privacy laws. 


As of October 2020, we carry out profiling as defined in Article 4(4) GDPR for the purposes of marketing, developing our business and understanding the needs of our clients.  To facilitate this, we collect data from the following sources as a result of your interactions with us:

  • Our website;
  • Our social media sites which may in turn collect data from your personal social media accounts; and
  • Zoom (or other such facility) in the event you register for and attend an event we have organised.

We do not use profiling technologies for any credit or other automated decision taking processes.

Changes to this Statement

We recommend you check this statement on a regular basis to ensure you remain happy with the activities we carry out in respect of processing personal data.

Should we make significant changes to the way we process data, we will draw your attention to the relevant part(s) of this statement through email and/or other appropriate communications as part of our engagement activities with you.

Any changes to our ‘Website’ privacy notice shall be managed in accordance with the terms stated thereunder. 

Last updated: August 2023