Skip to content

UK & International Privacy

1. Introduction

  1. This notice explains how Ostberg Sinclair & Co. Ltd collects, uses, stores, shares and otherwise processes personal data in accordance with the Data Protection Act 2018, the UK GDPR and, where our processing activities are subject to it, the EU GDPR. It is intended for individuals who engage with us in the UK and, where relevant, in the EEA or other jurisdictions outside the United States.
  2. Ostberg Sinclair & Co. Ltd is a data controller within the meaning of the GDPR and we process personal data. The firm’s contact details are as follows: Ostberg Sinclair & Co. Ltd, Aldwych House, 71-91 Aldwych, London, WC2B 4HN, privacy@osandco.com
  3. We may amend this privacy notice from time to time. If we do so, we will supply you with and/or otherwise make available to you a copy of the amended privacy notice.

Personal data we process

  1. The personal data we process about you depends on the purpose for which you have contacted us, but includes the following data:
    1. Full name, address, e-mail address, telephone number
    2. Date of birth
    3. Job title and company name
    4. Banking details if relevant to the service
    5. Tax filing details if relevant to the service, including Social Security Number (SSN), National Insurance number (NI) and Unique Taxpayer Reference (UTR)
    6. Other personal data that you choose to provide
    7. Employment status
    8. Financial details if relevant to the service
    9. Your Curriculum Vitae (CV) containing personal data
    10. Information from a website enquiry, including IP address, geographical location, operating system, browser type.
    11. To enable our systems to recognize your device and provide features to you, we use cookies. More information can be found by reading our Cookie Policy

2. The purposes for which we intend to process personal data

  1. We intend to process personal data for the following purposes:
    1. To enable us to supply professional services to you as our client.
    2. To fulfil our obligations under relevant laws in force from time to time (e.g., the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 as amended (“MLR 2017”)).
    3. To comply with professional obligations to which we are subject as a member of HMRC and any other professional bodies, including the Association of Taxation Technicians and the Chartered Institute of Taxation.
    4. To use in the investigation and/or defense of potential complaints, disciplinary proceedings and legal proceedings.
    5. To enable us to invoice you for our services and investigate/address any attendant fee disputes that may have arisen.
    6. To contact you about other services we provide which may be of interest to you if you have consented to us doing so.
    7. For recruitment, we collect personal data to consider your application and assess your suitability for employment
    8. Procurement of services from suppliers

3. The legal bases for our intended processing of personal data

  1. We will rely on a range of legal bases for our activities including:
    1. Contract: where processing is necessary to perform our engagement with you or to take steps at your request before entering into that engagement.
    2. Legal obligation: where processing is necessary for compliance with legal obligations to which we are subject, including obligations under applicable tax, anti-money laundering and regulatory laws.
    3. Legitimate interests: where processing is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your interests or fundamental rights and freedoms.
    4. Consent: where we specifically ask for your consent to a particular processing activity, such as certain marketing communications or other uses for which consent is required by law. Where we rely on consent, you may withdraw it at any time.

4. Special Category Personal Data

  1. We do not normally collect special category personal data such as health, race or ethnic origin. However, for certain services (e.g., preparation of tax returns), and when required by law, this may be necessary. We will always seek to minimise our processing of special category data to that which is absolutely necessary.

5. Data sharing: Persons/organisations to whom we may give personal data

  1. We will only share data with other organisations when we have a lawful basis to do so and when it is necessary to do so. We do not sell any of your information to third parties. When we do share data, we will ensure that contractual arrangements are in place to protect personal data and to comply with our data protection, confidentiality and security standards. Where we transfer personal data outside the UK (and, where the EU GDPR applies, outside the EEA) to a country that is not recognised as providing an adequate level of protection, we will ensure that appropriate safeguards are in place. In particular, for transfers subject to the UK GDPR we will use the UK Addendum to the EU Standard Contractual Clauses (together with the EU Standard Contractual Clauses). Where the EU GDPR applies, we will use the EU Standard Contractual Clauses (as updated from time to time), together with any supplementary measures required.
  2. We may share your personal data with:
    1. HMRC
    2. tax compliance software companies
    3. any third parties with whom you require or permit us to correspond
    4. subcontractors
    5. tax insurance providers
    6. professional indemnity insurers
    7. HMRC in it’s supervisory or regulatory capacity
  3. If the law allows or requires us to do so, we may share your personal data with:
    1. the police and law enforcement agencies
    2. courts and tribunals
    3. the Information Commissioner’s Office (ICO)
  4. We may need to share your personal data with the third parties identified above in order to comply with our legal obligations, including our legal obligations to you. If you ask us not to share your personal data with such third parties, we may need to cease to act.

6. Data sharing in the event of a sale of all or part of the business

  1. If we were to contemplate selling all or part of our business, we may disclose personal data as part of any due diligence process. This would be governed by a legally binding contract that guarantees confidentiality in compliance with data protection legislation. Any such contract would also bind any prospective purchaser’s professional advisors. If the prospective purchase did not proceed, the contract would oblige the prospective purchaser to erase any and all personal data that had been disclosed in the due diligence process.
  2. If the sale of the business went ahead all data would be passed over as an asset of the business and you would be advised directly about any change of ownership and/or use of your personal data.

7. Retention of personal data

  1. We retain personal data only for as long as reasonably necessary for the purposes described in this notice, including to provide services, comply with legal, tax, accounting, anti-money laundering, regulatory and professional obligations, resolve disputes, establish or defend legal claims, and enforce our agreements. Retention periods vary depending on the nature of the data and the services provided. By way of example, client engagement records, tax and accounting working papers, correspondence, billing records and related service records are typically retained for up to seven years after the end of the relevant engagement unless a longer period is required or justified; anti-money laundering and know-your-client records are retained for the period required by applicable law and regulatory guidance; recruitment records are typically retained for up to twelve months after the conclusion of the recruitment process unless a longer period is required or you consent to a longer retention period; and marketing suppression records may be retained for as long as necessary to ensure that your preferences are respected. We may retain information for longer where required by law, where litigation or an investigation is anticipated or ongoing, or where necessary to protect our legal or regulatory position.

8A. Sources of personal data and whether you must provide it

  1. We usually collect personal data directly from you, but we may also obtain it from third parties where relevant to the services or activities concerned. These sources may include your employer or business, family members or representatives acting on your behalf, referees, recruitment contacts, professional advisers, counterparties, public registers, regulatory or tax authorities, sanctions or identity verification providers, software providers you ask us to use, and other persons or organisations with whom you ask or permit us to liaise.
  2. Where personal data is needed so that we can enter into or perform an engagement, comply with law or regulation, carry out anti-money laundering checks, administer recruitment, or otherwise provide requested services, failure to provide that information may mean that we are unable to act for you, continue acting for you, process an application, or comply with our legal or professional obligations.

8. Requesting personal data we hold about you (subject access requests)

  1. You have a right to request access to your personal data that we hold. Such requests are known as ‘subject access requests’ (“SARs”).
  2. Please submit any subject access request in writing to privacy@osandco.com or to our postal address set out in this notice.
  3. To help us deal with your request more quickly, we may request additional information where necessary to verify your identity. For example:
    1. your date of birth
    2. previous or other name(s) you have used
    3. your previous addresses in the past five years
    4. personal reference number(s) that we may have given you, for example your national insurance number, your tax reference number or your VAT registration number
  4. Please tell us what information you would like to access.
  5. The DPA 2018 requires that we comply with a SAR promptly and in any event within one month of receipt. There are, however, some circumstances in which the law allows us to refuse to provide access to personal data in response to a SAR (e.g., if you have previously made a similar request and there has been little or no change to the data since we complied with the original request).
  6. We will not charge you for dealing with a SAR.
  7. You can ask someone else to request information on your behalf – for example, a friend, relative or solicitor. We must have your authority to respond to a SAR made on your behalf. You can provide such authority by signing a letter which states that you authorise the person concerned to write to us for information about you, and/or receive our reply.
  8. Where you are a data controller and we act for you as a data processor (e.g., by processing payroll), we will assist you with SARs on the same basis as is set out above.

9. Putting things right (the right to rectification)

  1. You have a right to obtain the rectification of any inaccurate personal data concerning you that we hold. You also have a right to have any incomplete personal data that we hold about you completed. Should you become aware that any personal data that we hold about you is inaccurate and/or incomplete, please inform us immediately so we can correct and/or complete it.

10. Deleting your records (the right to erasure)

  1. In certain circumstances you have a right to have the personal data that we hold about you erased. Further information is available on the ICO website (www.ico.org.uk). If you would like your personal data to be erased, please inform us immediately and we will consider your request. In certain circumstances we have the right to refuse to comply with a request for erasure. If applicable, we will supply you with the reasons for refusing your request.

11. The right to restrict processing and the right to object

  1. In certain circumstances you have the right to ‘block’ or suppress the processing of personal data or to object to the processing of that information. Further information is available on the ICO website (www.ico.org.uk). Please inform us immediately if you want us to cease to process your information or you object to processing so that we can consider what action, if any, is appropriate.

12. Obtaining and reusing personal data (the right to data portability)

  1. In certain circumstances you have the right to be provided with the personal data that we hold about you in a machine-readable format, e.g., so that the data can easily be provided to a new professional adviser. Further information is available on the ICO website (www.ico.org.uk).
  2. The right to data portability only applies:
    1. to personal data an individual has provided to a controller;
    2. where the processing is based on the individual’s consent or for the performance of a contract; and
    3. when processing is carried out by automated means
  3. We will respond to any data portability requests made to us without undue delay and within one month. We may extend the period by a further two months where the request is complex or a number of requests are received but we will inform you within one month of the receipt of the request and explain why the extension is necessary.

13. Withdrawal of consent

  1. Where you have consented to our processing of your personal data, you have the right to withdraw that consent at any time. Please inform us immediately if you wish to withdraw your consent.
  2. Please note:
    1. the withdrawal of consent does not affect the lawfulness of earlier processing
    2. if you withdraw your consent, we may not be able to continue to provide services to you
    3. even if you withdraw your consent, it may remain lawful for us to process your data on another legal basis (e.g., because we have a legal obligation to continue to process your data)

14. Automated decision-making

  1. We do not intend to use automated decision-making in relation to your personal data.

15. Complaints

  1. If you have requested details of the information we hold about you and you are not happy with our response, or you think we have not complied with the UK GDPR or Data Protection Act 2018 in some other way, you can complain to us. Please send any complaints to privacy@osandco.com.
  2. If you are not happy with our response, you have a right to lodge a complaint with the ICO (www.ico.org.uk).

16. Cookies

  1. Navigation on our website will result in cookies being placed on your computer. Cookies are small text files that are placed on your computer by the websites that you visit.
  2. We use cookies and similar technologies on our website. Non essential cookies are used only with your consent, and you can change or withdraw your consent at any time using the cookie settings on our website. For further information, please see our Cookie Policy.

Ready to turn complexity into clarity?

We’re here to help you make informed decisions, with confidence.

Cookie Preferences

We use cookies to enhance your browsing experience and analyse site traffic. By clicking "Accept", you consent to our use of cookies.