Privacy policy

Halliday Styan LLP - Privacy and Data Protection Notice

Last Updated: 19/10/2025

Halliday Styan LLP ("we," "us," or "our") is deeply committed to protecting the privacy and confidentiality of your personal information. As an accounting firm registered in England and Wales, we are legally required to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

For the purposes of these laws, Halliday Styan LLP acts as the Data Controller for the personal data we process.

1. Contact Information

If you have any questions or concerns about this notice or how we handle your data, please contact us using the details below.

  • Data Controller: Halliday Styan LLP

  • Registered Address: Flat 11, Bowyer House, 14 Slievemore Close, London, SW4 6BZ

  • Email Contact: contact@hallidaystyan.co.uk

We may revise this notice periodically. When significant changes are made, we will notify you, where appropriate, and ensure an updated copy is made available on our website and upon request.

2. How and Why We Use Your Personal Data

As a chartered accountancy practice, we manage, utilise, and store various categories of personal information relating to our clients, their staff (for payroll purposes), suppliers, and business contacts.

We handle both personal data and company-specific information for the following specific, necessary, and legitimate reasons:

  1. Contractual Service Delivery: To perform our duties and obligations under our formal Letter of Engagement and any subsequent agreements, thereby ensuring the provision of the specific accounting and tax services you have contracted us to supply.

  2. Statutory Compliance and Duty: To meet all mandatory legal, regulatory, and professional requirements, including but not limited to fulfilling obligations under anti-money laundering (AML) legislation, such as the Money Laundering and Terrorist Financing (Amendment) Regulations 2019.

  3. Legal and Professional Safeguarding: To facilitate the investigation, defence, and management of any potential professional liability claims, formal complaints, disciplinary actions, or other legal proceedings against Halliday Styan LLP.

  4. Promotional Communications: To share information with you about other professional services, updates, or offerings from Halliday Styan LLP that may be of relevance or interest to your business, but only where you have provided us with explicit consent to do so.

3. Categories of Personal Data We Collect

To provide our professional services, we may collect and handle the following categories of personal data about clients, their directors, employees, and relevant contacts:

  • Identity Data: Full name, title, date of birth, gender, marital status, and identifying documentation (e.g., passport or driving licence for AML checks).

  • Contact Data: Residential and business addresses, email addresses, and telephone numbers.

  • Financial Data: Bank account details, personal income, employment details, and investment records.

  • Government/Tax ID Data: National Insurance number, Unique Taxpayer Reference (UTR), tax codes, and VAT registration numbers.

  • Technical Data: Internet Protocol (IP) address, location data, and usage details when you interact with our website.

  • Relationship Data: Details concerning your professional role, relationship to our client entity, and other relevant commercial relationships.

Special Category Data

We do not routinely process special categories of personal data (such as information about race, religion, or health).

However, if such information is contained within financial documents you provide to us (e.g., medical expense receipts within expense reports), our legal basis for processing this limited data is typically its necessity for reasons of substantial public interest, specifically our legal and regulatory compliance in accounting and tax matters.

4. Legal Basis for Processing Your Data (Lawful Basis)

Under the UK GDPR, we must have a lawful basis for every processing activity. We primarily rely on the following bases to process your personal data:

  • Legal Basis: Performance of a Contract
    Description: Processing is necessary to deliver the agreed-upon services outlined in our engagement letter.
    Examples of Processing: Preparing and submitting your annual accounts, processing payroll, communicating service updates.

  • Legal Basis: Legal Obligation
    Description: Processing is required to comply with a legal or regulatory duty to which we are subject.
    Examples of Processing: Conducting mandatory Anti-Money Laundering (AML) checks, and submitting required tax filings to HMRC.

  • Legal Basis: Legitimate Interests
    Description: Processing is necessary for the commercial operation of our practice, provided your interests and fundamental rights do not override ours.
    Examples of Processing: Investigating and defending potential legal claims, recovering debts owed to us, maintaining accurate client records.

  • Legal Basis: Consent
    Description: We rely on your clear agreement only in specific, non-core situations.
    Examples of Processing: Sending you non-essential promotional materials or newsletters. You have the right to withdraw this consent at any time.

Consequence of Failure to Provide Data: If you do not provide the information requested where processing is based on a Contract or Legal Obligation, we may be unable to commence or continue acting for you, which could lead to the termination of our professional relationship.

5. Disclosure and Sharing of Your Personal Data

We may need to share your personal data with the following categories of recipients for the purposes outlined in Section 2.

A. Sharing for Service Delivery and Compliance

We may share data with:

  • Statutory Authorities: HM Revenue & Customs (HMRC) for tax compliance, or other regulatory bodies as legally required.

  • Third-Party Processors: Other professional consultants and essential third-party service providers (e.g., software providers, IT support, professional indemnity insurers) who assist us in delivering our services.

  • Authorised Parties: Any other third parties with whom you explicitly permit or require us to correspond (e.g., solicitors, bankers).

  • Successor Parties: An appointed alternate in the event of our firm's incapacity or death.

B. Sharing for Legal Requirements

In specific circumstances, we may be legally required to disclose your personal data to:

  • Courts, tribunals, and relevant judicial bodies.

  • Police or other law enforcement agencies.

  • The Information Commissioner’s Office (ICO).

Note: If you instruct us not to share data that is mandatory for us to fulfil our legal or contractual obligations, we will be unable to continue providing our professional services to you.

6. Data Security and Retention

Data Security Measures

We have implemented robust technical and organisational security measures to prevent your personal data from being accidentally lost, used, accessed, altered, or disclosed in an unauthorised manner. Key measures include:

  • Access Control: Limiting access to your personal data strictly to employees, agents, and contractors on a need-to-know basis, all of whom are subject to a duty of confidentiality.

  • Encryption and Authentication: Using secure, encrypted portals for exchanging sensitive client data and implementing strong password policies and multi-factor authentication across all systems.

  • Incident Response: We maintain a formal procedure for promptly detecting, investigating, and reporting any potential data breach or security incident in compliance with our legal obligations.

Data Retention Periods

We will only retain your personal data for as long as is necessary to satisfy our legal, accounting, and reporting requirements, and to fulfil the purposes for which we collected it.

As Data Controller, and in line with recognised accountancy sector best practices, our general retention policy is:

  • Tax Compliance Data: Where we have prepared tax returns, we retain the underlying information for six years from the end of the tax year to which the data relates.

  • Advisory Work: For one-off or ad-hoc consultancy work, we retain documentation for seven years from the date the professional relationship ceased.

  • Ongoing Client Relationship: Data is retained for the entire duration of the client relationship and is then deleted six years after the relationship formally ends.

Your Responsibility to Retain Records: Please note that, regardless of our retention periods, you as the client have a statutory duty to keep certain records. HMRC requires documents relevant to your tax affairs to be retained for specific periods (e.g., six years from the end of the relevant accounting period for limited companies).

7. Your Data Protection Rights

Under the UK GDPR, you have several important rights regarding your personal data. To exercise any of these rights, please contact us using the details provided in Section 1.

A. Right of Access (Subject Access Request - SAR)

You have the right to request a copy of the personal data we hold about you. We will respond promptly, and in any event, no later than one month after receiving your request. To help us process your SAR efficiently, please provide proof of identity and specific details (e.g., your full name, previous addresses, and any client or tax reference numbers).

B. Right to Rectification

You are entitled to have any inaccurate or incomplete data we hold about you corrected immediately.

C. Right to Erasure (The "Right to be Forgotten")

You may request the deletion or removal of your personal data where there is no compelling reason for us to continue processing it. This right is not absolute; we may be legally entitled to refuse this request where processing is necessary to comply with a legal obligation or for the defence of legal claims.

D. Other Rights

You also have the right to:

  • Restrict Processing: To block or suppress the processing of your data under certain conditions.

  • Object to Processing: To object to the processing of your data based on our legitimate interests.

  • Data Portability: To receive your personal data in a machine-readable format for transfer to another service provider (where processing is based on consent or contract).

If you wish to withdraw any consent previously given, please notify us immediately. This withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

8. Concerns and Complaints

If you have any concerns regarding our handling of your personal data, please contact us directly in the first instance.

Halliday Styan LLP Complaint Contact:

  • Email: contact@hallidaystyan.co.uk

  • Address: Flat 11, Bowyer House, 14 Slievemore Close, London, SW4 6BZ

If you remain dissatisfied with our response, you have the right to lodge a formal complaint with the supervisory authority in the UK, which is the Information Commissioner’s Office (ICO).

ICO Contact Details:

  • Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

  • Helpline: 0303 123 1113

  • Website: www.ico.org.uk