Knox Cropper is committed to protecting and respecting your privacy. For the purposes of the General Data Protection Regulation (GDPR) and any subsequent UK legislation covering data protection the Data Controller is Knox Cropper. The person responsible for data protection in the organisation Stephen Anderson, and if you have any questions about this Policy or concerning your personal information please contact him at hemel@knoxcropper.com or call 01442 218309.

This notice describes how we collect and use personal data about you, in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act [1998 OR 2018] and any other national implementing laws, regulations and secondary legislation, as amended or updated from time to time, in the UK (‘Data Protection Legislation’).

This Policy may change from time to time and, if so, we will advertise any significant changes on our website or contact you directly with the information.

What information we collect

The type and amount of information we collect depends on why you are providing it.

The information we hold about you may include the following:

  • your personal details (such as your name and/or address);
  • details of contact we have had with you in relation to the provision, or the proposed provision, of our services;
  • details of any services you have received from us;
  • our correspondence and communications with you;
  • information about any complaints and enquiries you make to us;
  • Information we receive from other sources, such as publicly available information or information provided by your employer.

How we collect information

We may collect information from you whenever you contact us or have any involvement with us for example when you:

  • attend a meeting with us and provide us with information
  • contact us in any way including online, email, phone or post

How we use your information

We will use your personal information in a number of ways which reflect the legal basis applying to processing of your data. These may include:

  • carry out our obligations arising from any agreements entered into between you or your employer or our clients and us (which will most usually be for the provision of our services);
  • carry out our obligations arising from any agreements entered into between our clients and us (which will most usually be for the provision of our services) where you may be a subcontractor, supplier or customer of our client;
  • provide you with information related to our services and our events and activities that you request from us or which we feel may interest you, provided you have consented to be contacted for such purposes;
  • seek your thoughts and opinions on the services we provide; and
  • notify you about any changes to our services.

In some circumstances we may anonymise or pseudonymise the personal data so that it can no longer be associated with you, in which case we may use it without further notice to you.

If you refuse to provide us with certain information when requested, we may not be able to perform the contract we have entered into with you. Alternatively, we may be unable to comply with our legal or regulatory obligations.

We may also process your personal data without your knowledge or consent, in accordance with this notice, where we are legally required or permitted to do so.

Our legal basis for processing your information

Knox Croppers lawful basis for processing the above data is as follows:

Client data

1. Audits

Personal Data required for Audit purposes will normally be held under the legal obligation basis.

2. Other client work

Personal Data required for other work will generally be held under the legitimate interest basis. However, where we have a specific contract (engagement letter) with the data subject, which is often the case with our personal tax work, the personal data may be held under the contract basis.

Firm data

1. Staff Data


Certain personal data held for staff will be held under the legal obligation basis to fulfill HMRC obligations. Other data will be held under the contract basis in accordance with the contract of employment.

2. Supplier Data

Supplier personal data will normally be held under the legitimate interest basis.

How we keep your information safe

We understand the importance of security of your personal information and take appropriate steps to safeguard it by encrypting all of our computers.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
We always ensure only authorised persons have access to your information, which means only our staff and contractors. We always ensure that everyone who has access is appropriately trained to manage your information.

With regard to data transmission over the internet we use an online document exchange portal that encrypts documents that we are sending to clients or vice versa. We encourage clients to send any personal data they need to give us via this method. Should you choose to send us data over the internet via another means we cannot guarantee the security of this information and you do this at your own risk.

Who has access to your information?

  • Appropriate staff.
  • Third parties who provide services for us, for example our IT suppliers. We select our third party service providers with care. We provide these third parties with the information that is necessary to provide the service and we will have an agreement in place that requires them to operate with the same care over data protection as we do.
  • Third parties if we run an event in conjunction with them. We will let you know how your data is used when you register for any event.
  • We may share your personal data with other third parties, for example in the context of the possible sale or restructuring of the business.

We may also disclose your personal information if we are required to do so under any legal obligation, or where doing so would not infringe your rights, but is necessary and in the public interest.

Other than this, we will not share your information with other organisations without your consent.

Keeping your information up to date

We really appreciate it if you let us know if your contact details change. You can do so by contacting the Partner who is responsible for your affairs.

Children’s Information

Where appropriate we will ask for consent from a parent or guardian to collect information about children (under 16s).

How long we keep your information for

We will hold your personal information for as long as it is necessary for the relevant activity

When assessing what retention period is appropriate for your personal data, we take into consideration:

  • the requirements of our business and the services provided;
  • any statutory or legal obligations;
  • the purposes for which we originally collected the personal data;
  • the lawful grounds on which we based our processing;
  • the types of personal data we have collected;
  • the amount and categories of your personal data; and
  • whether the purpose of the processing could reasonably be fulfilled by other means.

Change of purpose

Where we need to use your personal data for another reason, other than for the purpose for which we collected it, we will only use your personal data where that reason is compatible with the original purpose.

Should it be necessary to use your personal data for a new purpose, we will notify you and communicate the legal basis which allows us to do so before starting any new processing.

Your rights

You have the right to request details of the processing activities that we carry out with your personal information through making a Subject Access Request. Such requests have to be made in writing and are only subject to a charge in very limited circumstances which will be explained to you if relevant. More details about how to make a request, and the procedure to be followed, can be found in our Data Protection Policy. To make a request please contact the Partner responsible for your affairs.

You also have the following rights:

  • the right to request rectification of information that is inaccurate or out of date;
  • the right to erasure of your information (known as the “right to be forgotten”);
  • the right to restrict the way in which we are dealing with and using your information;
  • the right to request that your information be provided to you in a format that is secure and suitable for re-use (known as the “right to portability”);
  • rights in relation to automated decision making and profiling including profiling for marketing purposes.

All of these rights are subject to certain safeguards and limits or exemptions, further details of which can be found in our Data Protection Policy. To exercise any of these rights, you should contact the Partner responsible for your affairs.

If you are not happy with the way in which we have processed or dealt with your information, you can complain to the Information Commissioner’s Office. Further details about how to complain can be found at https://www.dataprotection.ie/docs/Making-a-Complaint-to-the-Data-Protection-Commissioner/r/18.htm

Changes to this Privacy Policy

This Policy may be changed from time to time. If we make any significant changes we will advertise this on our website or contact you directly with the information.

Do please check this Policy each time you consider giving your personal information to us.