GDPR Compliance

Our Commitment to GDPR

AccountancyForms is fully committed to compliance with the General Data Protection Regulation (GDPR) and UK Data Protection Act 2018. We understand the importance of protecting personal data and have implemented comprehensive measures to ensure compliance with these regulations.

What is GDPR?

The GDPR is a comprehensive data protection law that came into effect on 25 May 2018. It sets strict requirements for how organizations collect, process, store, and protect personal data of individuals in the European Union and the UK.

GDPR Principles We Follow

AccountancyForms adheres to all seven GDPR principles:

1. Lawfulness, Fairness, and Transparency

We process data lawfully, fairly, and in a transparent manner. We clearly communicate how we collect and use personal data.

2. Purpose Limitation

We collect data only for specific, explicit, and legitimate purposes. We do not use data for purposes incompatible with those for which it was collected.

3. Data Minimization

We only collect data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

4. Accuracy

We ensure personal data is accurate and kept up to date. We provide mechanisms for users to update their information.

5. Storage Limitation

We retain personal data only for as long as necessary. We have clear retention policies and securely delete data when no longer needed.

6. Integrity and Confidentiality

We implement appropriate technical and organizational measures to ensure data security, including protection against unauthorized or unlawful processing.

7. Accountability

We are responsible for and can demonstrate compliance with all GDPR principles through documentation and regular audits.

Your Rights Under GDPR

As a data subject, you have the following rights under GDPR:

Right to be Informed

You have the right to clear information about how we collect and use your personal data.

Right of Access

You can request a copy of the personal data we hold about you. We will provide this within 30 days at no charge.

Right to Rectification

You can request that we correct inaccurate or incomplete personal data.

Right to Erasure

You have the right to request deletion of your personal data in certain circumstances.

Right to Restrict Processing

You can request that we limit how we use your personal data in certain situations.

Right to Data Portability

You can request your data in a structured, commonly used, machine-readable format.

Right to Object

You can object to certain types of processing, including direct marketing.

Rights Related to Automated Decision Making

You have rights regarding automated decision-making and profiling. We do not currently use automated decision-making.

How We Protect Your Data

We implement comprehensive security measures to protect your personal data:

  • End-to-end encryption for data in transit (TLS/SSL)
  • Encryption at rest for all stored data
  • Regular security audits and penetration testing
  • Multi-factor authentication for accountant accounts
  • Role-based access controls
  • Regular staff training on data protection
  • Incident response and breach notification procedures
  • Secure backup and disaster recovery systems

Legal Basis for Processing

We process personal data under the following legal bases:

  • Contract: Processing necessary to fulfill our services to you
  • Consent: Where you have given clear consent for specific purposes
  • Legal obligation: To comply with UK tax and financial regulations
  • Legitimate interests: To improve our services and prevent fraud

Data Processing Records

We maintain detailed records of all processing activities, including:

  • The purposes of processing
  • Categories of data subjects and personal data
  • Categories of recipients of personal data
  • Details of transfers to third countries
  • Retention periods
  • Technical and organizational security measures

Data Breach Procedures

In the unlikely event of a data breach, we will:

  • Detect and contain the breach immediately
  • Assess the risk to individuals affected
  • Notify the ICO within 72 hours if required
  • Notify affected individuals without undue delay
  • Document the breach and our response
  • Review and improve our security measures

Third-Party Processors

We only work with third-party processors who provide sufficient guarantees of GDPR compliance. All processors are bound by data processing agreements that ensure:

  • Data is processed only on our instructions
  • Appropriate security measures are in place
  • Sub-processors are only used with our authorization
  • Data subject rights can be exercised
  • Data is returned or deleted at the end of the service

International Data Transfers

When we transfer data outside the UK or EEA, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the UK government
  • Binding corporate rules
  • Approved codes of conduct and certifications

Supervisory Authority

You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) if you believe we have not handled your data in accordance with GDPR:

Information Commissioner's Office (ICO)

Wycliffe House, Water Lane

Wilmslow, Cheshire, SK9 5AF

Helpline: 0303 123 1113

Website: www.ico.org.uk

Regular Reviews and Updates

We regularly review our GDPR compliance measures and update our policies and procedures to ensure ongoing compliance. This page was last reviewed on November 10, 2025.