PRIVACY POLICY
This Privacy Notice tells you what to expect in relation to your personal information which is collected, handled, and processed by Baldwin Scofield.
References to “Baldwin Scofield”, “we”, or “us” are to any or all of Baldwin Scofield Accountancy LLP and the other companies and entities that are associated with us. Our registered office is at 3 Newhouse Business Centre, Old Crawley Road, Horsham, RH12 4RU and a full list of Baldwin Scofield entities is available at our registered office on request.
We are committed to handling all personal information lawfully, fairly, and transparently in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the ICAEW Code of Ethics.
This notice applies to:
Clients, prospective clients, and their representatives;
Employees, contractors, and job applicants;
Suppliers, service providers, and professional contacts;
Users of our website and online collaboration tools.
Data Controller and Compliance
Each entity acts as a data controller for its own processing activities and may act as a data processor for group or client services.
All partners, staff, and contractors receive GDPR and information-security training on induction and at least every three years (or sooner if law changes).
Our internal GDPR Policy and Information Security Policy are available on request.
Information We Collect
We may collect, store, and process the following categories of data:
Information You Provide to Us
Contact details (name, address, email, telephone number);
Identity verification and AML documentation (passport, proof of address, company ownership records);
Financial, tax, and accounting information;
Engagement correspondence and contracts;
Employment, HR, or payroll data (where applicable);
Any information you voluntarily provide through our forms, emails, or meetings.
Information We Collect Automatically
Technical data such as IP address, browser type, device identifiers, and website usage patterns;
System access logs from firm applications;
Records of correspondence, video calls, or virtual meetings (where necessary for service or compliance).
Information from Third Parties
Client and counterparty information from public records, credit reference agencies, regulators, and other professionals;
Employee references or background checks via authorised HR partners;
Sanctions screening or AML verification data.
How We Use Your Information
We process personal data for legitimate professional purposes, including:
Providing accounting, tax, payroll, and advisory services;
Performing client onboarding, due diligence, and risk management;
Fulfilling legal and regulatory obligations (ICAEW, HMRC, Companies House, NCA, etc.);
Managing client and supplier relationships;
Processing payments and billing;
Conducting audits, reviews, and internal quality monitoring;
Administering recruitment, HR, and payroll;
Communicating updates, news, or marketing (where consented);
Ensuring IT, data, and cyber security monitoring.
We may also use anonymised, aggregated data for analytics and performance reporting. No individual will be identifiable from such data.
Lawful Bases for Processing
We will always balance our legitimate interests with your data protection rights and freedoms.
How We Share Information
We may share personal data with:
Regulators (e.g., ICAEW, HMRC, Companies House, NCA, ICO);
Third-party service providers such as IT, cloud storage, HR systems, accountants, or AML software, under confidentiality and data protection agreements;
Professional advisers and insurers (e.g., auditors, solicitors, PII providers);
Subcontractors and group entities within the Baldwin Scofield group (LLP, Ltd, Trustees Ltd) under intra-group agreements;
Authorities or law enforcement agencies, when required by law or regulation.
We do not sell, trade, or rent personal data.
International Data Transfers
We primarily store and process data within the United Kingdom.
If limited data processing occurs outside the UK (for example, via global software providers such as Microsoft or Google), we ensure that:
Transfers are governed by UK International Data Transfer Agreements (IDTA) or Standard Contractual Clauses (SCCs);
Equivalent levels of data protection are maintained by all providers.
All core systems used by the firm provide UK GDPR–compliant hosting and encryption.
Data Retention and Deletion
We retain personal data only for as long as necessary to fulfil the purpose it was collected for, or as required by law or professional regulations.
After these periods, data will be securely deleted or anonymised, unless retention is required for ongoing legal, regulatory, or professional obligations.
Data Security
We maintain a robust information security framework to protect data from unauthorised access, loss, or misuse.
Our controls include:
Secure cloud-based data storage (UK and EU servers only);
Encryption of data at rest and in transit;
Multi-factor authentication (MFA) for all systems;
Role-based access control and least-privilege permissions;
Regular penetration testing and vulnerability scanning;
Cyber Essentials certification and ongoing staff cyber training;
Incident response and breach notification procedures compliant with ICO requirements.
All employees receive annual training on data protection and cybersecurity.
Recruitment and Employment Data
We collect and process personal data of job applicants and employees for recruitment, HR management, and payroll.
This may include CVs, qualifications, references, right-to-work documentation, and remuneration details.
All recruitment and HR data is used only for lawful employment purposes and securely deleted after applicable retention periods.
Website, Cookies, and Analytics
Last updated October 15, 2025
What are cookies?
Cookies are small text files placed on your device to make our website work efficiently, improve performance, and provide analytics.
Why we use cookies
We use first-party and approved third-party cookies to:
Enable core site functionality (security, load balancing, session management);
Measure site performance and usage trends;
Remember your cookie preferences;
Support embedded content (e.g., YouTube videos or LinkedIn widgets).
We do not use cookies for behavioural advertising.
Consent and control
When you first visit, a cookie banner lets you accept all, reject non-essential, or manage preferences. You can change choices any time via browser settings or the “Cookie Preferences” link in our footer. Essential cookies cannot be disabled.
Managing cookies in your browser
As the means by which you can refuse cookies through your web browser controls vary from browser to browser, you should visit your browser’s help menu for more information. The following is information about how to manage cookies on the most popular browsers:
In addition, most advertising networks offer you a way to opt out of targeted advertising. If you would like to find out more information, please visit:
Other tracking technologies
Cookies are not the only way to recognise or track visitors to a website. We may use other, similar technologies from time to time, like web beacons (sometimes called “tracking pixels” or “clear gifs”). These are tiny graphics files that contain a unique identifier that enables us to recognise when someone has visited our Website or opened an email including them. This allows us, for example, to monitor the traffic patterns of users from one page within a website to another, to deliver or communicate with cookies, to understand whether you have come to the website from an online advertisement displayed on a third-party website, to improve site performance, and to measure the success of email marketing campaigns. In many instances, these technologies are reliant on cookies to function properly, and so declining cookies will impair their functioning.
Updates
We may update this Cookie Policy from time to time in order to reflect, for example, changes to the cookies we use or for other operational, legal, or regulatory reasons. Please therefore revisit this Cookie Policy regularly to stay informed about our use of cookies and related technologies.
The date at the top of this Cookie Policy indicates when it was last updated.
Your Rights
You have a number of legal rights in relation to the personal information that we hold about you and you can exercise your rights by contacting us using the details set out below.
These rights include:
Obtaining information regarding the processing of your personal information and access to the personal information which we hold about you.
Please note that there may be circumstances in which we are entitled to refuse requests for access to copies of personal information. In particular, information that is subject to legal professional privilege will not be disclosed other than to our client and as authorised by our client.
Requesting that we correct your personal information if it is inaccurate or incomplete.
Requesting that we erase your personal information in certain circumstances. Please note that there may be circumstances where you ask us to erase your personal information but we are legally entitled to retain it.
Objecting to, and requesting that we restrict, our processing of your personal information in certain circumstances. Again, there may be circumstances where you object to, or ask us to restrict, our processing of your personal information but we are legally entitled to refuse that request.
In some circumstances, receiving some personal information in a structured, commonly used and machine-readable format and/or requesting that we transmit the information to a third party where this is technically feasible. Please note that this right only applies to personal information which you have provided to us.
Withdrawing your consent, although in certain circumstances it may be lawful for us to continue processing without your consent if we have another legitimate reason (other than consent) for doing so.
Lodging a complaint with the relevant data protection authority, if you think that any of your rights have been infringed by us.
We can, on request, tell you which data protection authority is relevant to the processing of your personal information.
How to Contact Us
If you would like further information on the collection, use, disclosure, transfer or processing of your personal information or the exercise of any of the rights listed above, please contact us. You can do this by email addressed to info@baldwinscofield.co.uk or in writing to Data Protection Officer, Baldwin Scofield Accountancy LLP, 3 Newhouse Business Centre, Old Crawley Road, Horsham, West Sussex, RH12 4RU.
Purpose | Lawful Basis (UK GDPR) |
---|---|
Providing professional services | Contractual necessity |
Compliance with AML, tax, or regulatory obligations | Legal obligation |
Client and firm relationship management | Legitimate interest |
Marketing communications (newsletters, updates) | Consent or legitimate interest |
Recruitment and HR administration | Contractual necessity and legal obligation |
Cybersecurity and IT monitoring | Legitimate interest |
Recording calls or meetings (if applicable) | Legitimate interest and transparency |
Data Type | Retention Period | Legal/Regulatory Reference |
---|---|---|
Client engagement files | Minimum 6 years post-disengagement | ICAEW Practice Assurance Standard 4 |
AML records (CDD, risk assessments) | 5 years from end of relationship | Reg. 40, MLR 2017 |
Tax and accounting records | 6 years from tax year end | HMRC requirement |
HR and employment records | 6 years post-employment | Employment law |
Recruitment data | 1 year after recruitment cycle | Legitimate interest |
Marketing data | Until consent withdrawn or 2 years of inactivity | UK GDPR |
CCTV/visitor logs | Up to 3 months | Legitimate interest |
Disengagement correspondence | 6 years | ICAEW guidance |