10.1 Lawful Basis and Purpose of Processing
To enable us to deliver the services under this engagement, and for related purposes such as updating and enhancing client records, internal analysis, statutory returns, legal and regulatory compliance, and crime prevention, we may obtain, use, process, and disclose personal data relating to you, your business, its shareholders, directors, officers, and employees ("personal data").
10.2 Data Controller Status
Unless otherwise agreed in writing, both parties act as **independent data controllers**. Each party will comply with its respective obligations under applicable data protection laws, including the UK GDPR and Data Protection Act 2018.
You confirm that any personal data you provide to us is lawfully obtained and that you have provided appropriate information to data subjects about its use. You will indemnify and hold us harmless against any losses caused by your failure to meet these obligations.
10.3 Data Processor Responsibilities
Where we act as your **data processor** (e.g. for payroll or bookkeeping services), the following additional terms apply:
* We will only process personal data per your written instructions.
* We will ensure only authorised personnel with confidentiality obligations have access.
* We will take appropriate administrative, physical, and technical safeguards to protect the data.
* We may disclose personal data to our service providers, network firms, professional advisers, or regulators where necessary.
* We will notify you of any intended use of sub-processors and ensure they operate under similar contractual obligations.
* On termination of the engagement, we will delete or return all personal data unless retention is required by law.
* We will maintain records of processing activities and cooperate with reasonable audit requests.
* We will notify you promptly in the event of a data breach, access request, complaint, or enquiry by a regulatory authority.
10.4 Cross-Border Transfers
We may transfer personal data outside the UK or EEA (e.g. to cloud service providers or to our back office/offshoring operations abroad) where required to deliver our services. This includes the use of administrative support teams and processing centres located outside the UK. Where such transfers occur, we will ensure appropriate safeguards are in place, such as adequacy decisions or Standard Contractual Clauses (SCCs).
10.5 Subject Access Requests and Rights
As an independent controller, we may receive subject access or erasure requests. We will evaluate each request individually and act in accordance with applicable law. If such a request pertains to data you provided to us as a processor, we will inform and cooperate with you before responding.
10.6 Privacy Notice
Our full Privacy Notice, which sets out how we collect, use, retain, and disclose personal data, is available on our website: [https://www.rraccountants.co.uk/disclaimer](https://www.rraccountants.co.uk/disclaimer)
10.7 Data Protection Contact
If you have any questions or concerns regarding data protection, please contact our Data Protection Officer as detailed in the Key Facts document.
10.8 Independent Review
As part of our quality control commitments, our files may periodically be reviewed by an independent regulatory or professional body. All such reviewers are bound by strict confidentiality obligations.
Effective Date: 24 July 2025