Privacy Notice – My Books Online Limited

My Books Online Limited takes your privacy very seriously and we work hard to ensure we are GDPR compliant.

Background

This Notice sets out the obligations of My Books Online Limited, a limited company registered in England and Wales under number 10061965, whose registered office is at The Castle Mill, Minneymoor Hill, Conisbrough, Doncaster, England, DN12 3EN (“the Company”) regarding data protection and the rights of our users (“data subjects”) in respect of their personal data under EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).

My Books Online Limited takes your privacy very seriously and knows that you care how your personal data is used. We respect and value the privacy of all of our customers and will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the law.

We respect and value the privacy of everyone who visits this website, www.my-books.co.uk (“Our Site”) and uses our services and will only collect and use personal data in ways that are described here, and in a manner that is consistent with our obligations and your rights under the law.

Our Privacy Policy explains how we use your personal data: how it is collected, how it is held, and how it is processed. It will also assist you in understanding the rights, obligations and responsibilities under the law with regards our use of your data, as well as making clear what your rights are.

If you do not accept and agree with this Privacy Notice, you must stop using Our Site and services immediately.

1. Definitions and Interpretation

In this Notice, the following terms shall have the following meanings:

Data Information stored electronically, on a computer, server, or in certain paper-based filing systems.
Data Controller My Books Online Limited has determined the purposes for which, and the manner in which, your Personal Data is processed. The Data Controller has overall responsibility for compliance with the Data Protection Laws. Any questions about the operation of this Notice or any concerns that the Notice has not been followed should be referred in the first instance to Ellie Appleby at privacy@my-books.co.uk.
Data Processor In relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Data Subjects All living individuals we hold Personal Data for. All Data Subjects have legal rights concerning the processing and storage of their personal information.
Data Users Our employees whose work involves processing your Personal Data. Data users are responsible for the proper use of the data they process and must protect the data they handle in accordance with this Notice
Personal Data means any and all data that relates to an identifiable person who can be directly or indirectly identified from that data, including personal data that you may give to us either via Our Site, or using any other of the 3rd party systems we use. This definition shall, where applicable, incorporate the definitions provided in the EU Regulation 2016/679 – the General Data Protection Regulation (“GDPR”);
Privacy Manager Ellie Appleby is the appointed officer who is responsible for awareness-raising, training staff and informing and advising the Data Controller, Data Processors and Data Users how to ensure compliance with the enactments, and to monitor that compliance. Ellie can be contacted at privacy@my-books.co.uk
Processing Any activity in which the data is used, including (but not limited to) obtaining, recording, organising, amending, retrieving, using, disclosing, erasing, destroying and/or holding the data. The term “processing” also includes transferring personal data to third parties.
We/Us/Our means My Books Online Limited a limited company registered in England and Wales under number 10061965, whose registered office is at The Castle Mill Minneymoor Hill, Conisbrough, Doncaster, England, DN12 3EN (“the Company”.)

2. Information About Us

This Notice sets out the obligations of My Books Online Limited a limited company registered in England and Wales under number 10061965, whose registered office is at The Castle Mill Minneymoor Hill, Conisbrough, Doncaster, England, DN12 3EN

Data Protection Officer: Ellie Appleby

Email address: privacy@my-books.co.uk

Telephone number: 0330 390 2015

Postal Address: My Books Online Ltd, The Castle Mill, Minneymoor Hill, Conisbrough, Doncaster, England, DN12 3EN

3. Notice Statement

In accordance with the GDPR, anyone processing Personal Data must comply with the six principles of good practice. These provide that Personal Data must:

  1. be processed fairly, lawfully and transparently;
  2. only be used for the purpose for which it was collected;
  3. be adequate, relevant and not excessive for the purpose for which it is being processed;
  4. be accurate and kept up-to-date;
  5. not be kept longer than necessary to fulfil the purpose of its collection; and
  6. be kept secure and protected from unauthorised processing, loss, damage or destruction, which includes the data not being transferred to a country or territory outside the European Economic Area unless the Personal Data is adequately protected (for example under EU-US Privacy Shield) and/or consent of the Data Subject has been provided.

4. What is Personal Data?

Personal data is defined by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.

Personal data is, in simpler terms, any information about you or another individual that enables you or them to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.

The personal data that we use is set out in Part 6, below.

5. What Are My Rights?

Under the GDPR, you have the following rights, which we will always work to uphold:

  • The right to be informed about our collection and use of your personal data. This Privacy Notice should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using the details in Part 13.
  • The right to access the personal data we hold about you.
  • The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete.
  • The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we have.
  • The right to restrict (i.e. prevent) the processing of your personal data.
  • The right to object to us using your personal data for a particular purpose or purposes.
  • The right to data portability. This means that you can ask us for a copy of your personal data held by us to re-use with another service or business in many cases.

For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in Part 13. Further information about your rights can also be obtained from the Information Commissioner’s Office or your local Citizens Advice Bureau.

6. What Personal Data Do You Collect?

We may collect some or all of the following personal data (this may vary according to your relationship with us, the list is not exhaustive and is subject to change):

  • Name
  • Address
  • Date of Birth
  • Email address
  • Telephone number(s)
  • Business name
  • Job title
  • Information about your preferences and interests
  • Copies of Identification used for Anti Money Laundering purposes
  • Financial information such as bank account details, accounting details, and other relevant financial information that we use to perform our contractual obligation
  • Size of your business in terms of annual revenue, and if appropriate, details of your property portfolio
  • Business goals

We will only ever collect and process your Personal Data as required to fulfil the specific purpose/s of our contract and agreements with you.

7. How Do You Use My Personal Data?

Under the GDPR, we must always have a lawful basis for using personal data. In the case of our clients, the lawful basis will either be because the data is necessary for our performance of a contract with you, because you have consented to our use of your personal data, or because it is in our legitimate business interests to use it. Your personal data may be used for one of the following purposes:

  • To fulfil our contractual obligations and responsibilities to you.
  • To provide, maintain and improve our bookkeeping services.
  • Personalising and tailoring our products and services for you.
  • Communicating with you. This may include responding to emails, calls or messages from you.
  • Supplying you with information by email, text message and post that you have opted-in to (you may unsubscribe or opt-out at any time by choosing unsubscribe or ‘opt-out’ from our correspondence, or by contacting us).
  • With your permission and/or where permitted by law, we may also use your personal data for marketing purposes, which may include contacting you by email, telephone, text message and/or post with information, news, and offers on our products and services. You will not be sent any unlawful marketing or spam. We will always work to fully protect your rights and comply with our obligations under the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003, and you will always have the opportunity to opt-out.
  • Should we deem it necessary to process your Personal Data for purposes outside and/or beyond the reasons for which it was originally collected, we will contact you first, to inform you of those purposes and our intent and may also apply for your consent.

8. How Long Will You Keep My Personal Data?

We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Your personal data will therefore be kept for the following periods (or, where there is no fixed period, the following factors will be used to determine how long it is kept):

  • Personal data for marketing purposes prior to you signing up to become a client – this will be retained until you fail to engage with our content for a period of 6 months or until you opt-out of our communications.
  • Personal data for marketing purposes whilst you’re a client – this will be retained for the duration of you being a client so we can best support you and provide you with information about relevant products and services, which we also provide and which we feel you will also benefit from.
  • Personal data for marketing purposes after you were a client – this will be retained until you fail to engage with our content for a period of 6 months or until you opt-out of our communications.

In certain circumstances we are legally obligated to hold accounting records for a minimum of 6 years. These accounting records may include personal data.

Once Personal Data is no longer required, we will take all reasonable steps to destroy and erase it.

9. How and Where Do You Store or Transfer My Personal Data?

We store your personal data using a variety of 3rd party online systems. We have done our own due diligence to check all the software systems we use are fully GDPR compliant. A link to all our external software providers or organisations we may share your personal data with, along with their own privacy policies can be found below:

As far as is reasonably practical, any personal data we store is held with the EEA (the “EEA” consists of all EU member states, plus Norway, Iceland, and Liechtenstein). This means that it will be fully protected under the GDPR.

We may store or transfer some or all of your personal data in countries that are not part of the European Economic Area. These are known as “third countries” and may not have data protection laws that are as strong as those in the UK and/or the EEA. This means that we will take additional steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK under GDPR.

In this situation, your personal data will be securely passed to those companies and will be subject to the Privacy & Data Policies they have in place and which we have already agreed too. We will ensure that the method of passing data to them complies with the securest methods appropriate to the passing and nature of that data.

In order to help us provide you with maximum value, we use GoProposal to generate Proposals, Renewals, Extra Work Orders and our Letters of Engagement. GoProposal stores your personal data in order to send you the required documentation so that we can engage you as a client and for you to confirm acceptance of our services. GoProposal stores your personal data in the UK which means you are fully protected under the GDPR. If you wish to retrieve your personal data from GoProposal or have it deleted, then please contact us. Alternatively, you can visit https://goproposal.com/subject-access-request-form/

10. Do You Share My Personal Data?

In the course of us fulfilling our role as your bookkeeping service, it will be necessary for us to disclose your Personal Data in certain situations:

  • In our role as your bookkeeper we may need to share your Personal Data with certain bodies to fulfil our contract with you such as suppliers, contractors and sub-contractors, HMRC, ICB and other governmental, regulatory bodies.
  • As stated in section 9, we use various 3rd party software providers in order to fulfil our contractual obligations to you, and in doing so we will need to share your personal data with them. We do all we can to ensure all our providers are GDPR compliant or at the very least apply equivalent and adequate safeguards. The privacy policies of all our software providers can be found in the links in section 9.
  • If we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation, lawful requests, court orders and legal process.
  • To enforce or apply any contract or other agreement with you.
  • To protect our rights, property or safety and that of our employees, members or others, and in the course of investigating and preventing money laundering and fraud.

11. How Can I Access My Personal Data?

If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.

All subject access requests should be made in writing and sent to the email or postal addresses shown in Part 13.

There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.

We will respond to your subject access request within 30 days and, in any case, not more than one month of receiving it. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.

If we do not take any action within one month after receiving your request, you are entitled to request an explanation from us as to why no action was taken and you may make a complaint to the ICO: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow Cheshire SK9 5AF (Tel: 0303 123 1113) (email. casework@ico.org.uk)

12. How Can I Have My Data Erased?

If you wish for your personal data to be erased from our various systems, please contact us (See Part 13) and we will follow our strict procedures to ensure that all of your data has been removed from our systems.

Please note that while we are happy to remove any of your personal data we may hold in any of our systems, in certain circumstances we are legally obligated to hold accounting records for a minimum of 6 years. These accounting records may include personal data.

13. How Do I Contact You?

To contact us about anything to do with your personal data and data protection, including to make a subject access request, please use the following details (for the attention of Ellie Appleby):

Email address: privacy@my-books.co.uk

Telephone number: 0330 390 2015

Postal Address: My Books Online Ltd, The Castle Mill, Minneymoor Hill, Conisbrough, Doncaster, England, DN12 3EN

14. Security Notice

We maintain data security by protecting the confidentiality, integrity and availability of your Personal Data, and when we do so we abide by the following definitions:

  • Confidentiality: We ensure that only the people authorised to use your personal data can access it. Employees are prohibited from accessing and viewing your personal data unless it is necessary to do so.
  • Integrity: We will make certain that your Personal Data is accurate and suitable for the purpose for which it is processed.
  • Availability: We have established procedures which mean only our authorised Data Users should be able to access your Personal Data if they need it for authorised purposes.

We also maintain security procedures which include, but are not limited to:

  • We tend not to keep personal data on paper, but if at any time we do, files are stored securely and shredded when no longer required.
  • Data Users shall be appropriately trained and supervised in accordance with this Notice which include requirements that computer monitors do not show confidential information to passers-by and that Data Users log off from or lock their PC/electronic device when it is left unattended.
  • We generally store all our data ‘in the cloud’, therefore it is inherently and permanently backed-up. We routinely back-up electronic information to assist in restoring information in the event of disaster and our software is kept up-to-date with the latest security patches.
  • Our Privacy Manager will ensure that this Notice is kept updated in response to any amendments to the Law.
  • Financial Security
    • Credit card details are never stored by us. Credit cards are transmitted directly to our payment providers over SSL connections and are not logged or stored in our systems.
    • Subscription payments are processed by GoCardless, which are military grade encryption to keep your payment details safe.
  • IT and Password Security
    • We recommend that any passwords that our clients use to log in to any of the 3rd party systems we use are unique and not used for any other web sites. A password manager such as LastPassis recommended to manage your passwords.
    • Our computers have appropriate password security, boundary firewalls and effective anti-malware defences.
    • Wherever possible our staff use 2 Factor Authentication(2FA) to login to our 3rd party systems. 2FA lets you implement strong account security, protects your account against unauthorized access and is SOC2 compliant for security.
    • All software and computer operating systems used by us are actively kept up to date. Any security fixes or patches are treated as top priority and are applied as quickly as possible.

We shall take appropriate security measures against unlawful and/or unauthorised processing of personal data, and against the accidental loss of, or damage to, your Personal Data.

We shall only transfer your Personal Data to a Data Processor (a Data User outside our business) if the Processor agrees to comply with our procedures and policies, or if the Processor puts in place security measures to protect Personal Data, which we consider adequate and to be compliant with GDPR.

14. What if There’s a Data Breach?

We work to the highest levels of security, which can be found in our Security Notice above. However, in the unlikely event of a data breach, then:

  • All personal data breaches must be reported immediately to the Company’s Data Protection Officer.
  • If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Officer will ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.
  • In the event that a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the Data Protection Officer must ensure that all affected data subjects are informed of the breach directly and without undue delay.
  • Data breach notifications shall include the following information:
    • The categories and approximate number of data subjects concerned;
    • The categories and approximate number of personal data records concerned;
    • The name and contact details of the Company’s data protection officer (or other contact point where more information can be obtained);
    • The likely consequences of the breach;
    • Details of the measures taken or proposed to be taken by the Company to address the breach including, where appropriate, measures to mitigate its possible adverse effects.

15. Changes to this Privacy Notice

We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection.

Any changes will be made available on Our Site.

This privacy policy is dated 25 May 2018.

For more information on your rights as an individual under the new GDPR regulations, please visit https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/