Privacy policy
The Xeinadin website: https://xeinadin.ie/ is maintained by Xeinadin Limited – Registered Office: Building 1, Swift Square, Northwood Park, Northwood, Dublin 9, D09 A0E4, Ireland; Registered Number – 634393. Registered in the Republic of Ireland.
You can contact us on 01 835 1124 or write to us at [email protected]
The purpose of this Privacy Notice is to clarify to you how Xeinadin Limited manages your data in line with GDPR and other data protection regulation. Xeinadin is obligated by law to safeguard any personal information that we hold or process and this Privacy Notice outlines the necessary actions that we take to accomplish this. All information processed by us, whether handled via our website or within our internal processes, is handled lawfully in accordance with the General Data Protection Regulation (GDPR).
What is Personal Data?
In this Privacy Notice and in our communication with you, the terms ‘personal data’, ‘personal information’ or ‘personally identifiable information’ may be used interchangeably. In all circumstances, and as defined by GDPR, personal data refers to “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Our lawful basis for collecting your personal data:
As per the GDPR requirements, it is mandatory for us to identify a lawful basis that justifies the requirement for processing personal data, necessary to a specific purpose. As an accountancy organisation, it is usually necessary for us to process your data for the purpose of fulfilling our contract with you. This lawful basis is regarded as the contractual basis for processing.
There are other lawful bases, which include:
- Your consent
- We have a legal obligation to process your data
- We process your data for your vital interest (to save your life)
- We need to process your data to perform a public task
- We have a legitimate interest for processing your data
We will process your personal data only in line with the lawful basis for which we collect it, unless we have reasonable grounds to believe that it is for a similar purpose that is compatible with the original lawful basis.
The Lawful Basis of Consent:
If we have used your ‘consent’ as our lawful basis for processing of your data, then it must have been given by you freely, specifically, on an informed basis, and with a clear affirmative action (you opted in). You have the right to withdraw your consent at any time by emailing [email protected] or calling us on 01 835 1124. Once you withdraw your consent, we will immediately cease processing your data. However, please be aware that this may also result in us being unable to provide our services to you any further.
Your information will be retained for as long as your consent is not withdrawn and the purpose for which the information was collected remains valid. To ensure that your consent remains valid, we will contact you every twelve (12) months to review your consent and request that you provide fresh consent for a further twelve (12) months.
What types of personal data do we collect?
As a group of accountancy companies, we frequently require personal and financial data in line with the requirements stemming from general accountancy services. We regularly gather and handle the following information to facilitate our services:
- First Name
- Last Name
- Address and Postcode
- Email Address
- Phone Number
- Bank Details
- Government ID
- Family Details (Incl. minors)
- Medical Information
- Pay Slips and Bank Statements
- Tax Returns and other Historic Financial Reports
- National Insurance Numbers
- P45/P60/Income Certificates
- Criminal Offence Data (where disclosed)
- Pension Information
- Stock and Bond information
- Other relevant information
In the case of criminal offence data, the considerations of Articles 9 & 10 of UK GDPR are documented. The processing of such data will only occur when it is freely given, specific, informed, affirmative and unambiguous in the interest of securing accountancy services, as requested by the data subject.
Throughout the provision of our service, we ‘may’ potentially gather additional information from you directly in order to progress our services.
How do we get your information and why do we have it?
Xeinadin typically receives information from customers on a voluntary basis to assist with our services. To establish a contractual relationship with you, we need to gather and handle your information. Your information is typically processed to perform various accountancy functions, such as (but not limited to):
- Bookkeeping
- Financial Statement Preparation
- Tax Preparation and Planning
- Payroll Processing and Reporting
- Business Advisory Services
- Budgeting and Forecasting
- Management Accounting
- Take a service payment from you
Your personal information may be collected through several channels such as phone calls, paper evaluation forms and our website portal. After receiving your information, it is uploaded to our secure client management software. Once we have completed our contract with you, your information is deleted in line with our data retention schedule (outlined further on).
How we handle your data:
Xeinadin, in its role as both data controller and data processor, is obligated to follow the data processing principles outlined in the General Data Protection Regulation. By processing your personal information in line with the below principles, Xeinadin is able to facilitate your rights, and lawfully handle and safeguard your data.
The principles that Xeinadin abide by are:
- The Principle of Lawfulness, Fairness and Transparency – We only collect and process Personal Information in a way that is lawful, fair, and transparent to you.
- The Principle of Accountability – We take responsibility for what we do with your personal data and how we comply with the other principles, and are able to demonstrate our compliance.
- The Purpose Limitation Principle – We only process your personal information for specified, explicit and legitimate purposes.
- The Data Minimisation Principle – The personal data collected that we process is adequate, relevant, and limited to what is necessary.
- The Data Accuracy Principle – We ensure that the data we process is accurate and, where necessary, kept up to date.
- The Storage Limitation Principle – We only keep personal information in a form which permits your identification no longer than is necessary.
- The Integrity & Confidentiality (security) Principle – We ensure that we appropriately secure your personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Data Security:
Xeinadin are committed to ensuring the security and protection of your personal information as we understand that a breach of your information may cause undue stress, worry and in extreme cases may impact your rights and freedoms. To prevent such incidents, appropriate security measures are in place to limit accidental loss, unauthorised access, alteration or disclosure of your information.
We use several organisational measures to limit access to your personal data to only the employees, and other third parties who have a business ‘need to know’. Personal data is shared with third parties only when necessary for the provision of services. When doing so, we ensure that third parties have the appropriate security in place and that they are subject to a duty of confidentiality.
In the unlikely event of a data breach, we follow procedures set out by the Data Protection Commission (DPC) to investigate and handle the breach transparently and ethically. Should our data breach investigation process determine that the breach may result in an impact to your rights and freedoms, we will notify you and the DPC where we are legally required to do so.
Who we share your data with:
At Xeinadin, we may share the information that you provide to us with other third parties in alignment with our processing purposes to deliver our services to you. Those trusted third parties and software providers include (but are not limited to):
- BrightPay
- Clearstone
- Creditsafe
- Iris
- Quickbooks
- Sage
- Senta
- Taxfiler
- Xero
- CCH
- Payt
- Revenue Commissioners
- Banking and financial institutions
- Pension Providers
- Government Bodies (e.g. grant issuers)
To safely process your information, all our service providers are obligated to maintain strict confidentiality and process your personal information solely according to our explicit instructions by means of written agreement.
There are circumstances where we may need to share your personal information with third parties to fulfill legal obligations, comply with decisions from judicial authorities or governing bodies, or meet other public interests. Your privacy and confidentiality remain our priority in any such disclosures.
International Data Transfers:
We commonly engage trusted third parties located within the United Kingdom (UK) or the European Economic Area (EEA). However, occasionally, we work with third parties located outside of these geographic areas. When we do, we implement measures and employ suitable safeguards such as Standard Contractual Clauses (SCCs) to uphold the security of your personal information.
Third countries that we currently share data with include:
- India – personal data is protected by our SCCs
- Pakistan – personal data is protected by our SCCs
If you would like to know more about the safeguards that we use to secure your information, please get in touch by emailing us at [email protected] or via letter to: The Data Protection Manager, Xeinadin Limited, Building 1, Swift Square, Northwood Park, Northwood, Dublin 9, D09 A0E4, Ireland.
How long do we keep your data?
The Irish Revenue Commissioners stipulate that, by law, Irish accountancy firms must keep personal records for a period of six years from the end of the accounting period to which they relate. However, some records may be required to be kept for a longer period in relation to money laundering regulations. Xeinadin maintains copies of your personal data in line with such stipulations, however, unless otherwise stipulated, all data is deleted six years from the end of the accounting period.
In some cases a minimum amount of personal data is kept for up to twenty years, where absolutely necessary for the purpose of estate planning and capital type transactions.
Your data rights:
Both the UK & EU General Data Protection Regulation give you seven rights in relation to your data. It is important that you understand your rights and for that reason, we have listed them below:
- The right to access – the right to access copies of personal information.
- The right to rectification – the right to ask organisations to rectify information that isn’t correct.
- The right to erasure – the right to have personal information erased in certain circumstances.
- The right to restriction of processing – the right to have processing of personal data restricted in certain circumstances.
- The right to object to processing – the right to object to having data processed in the first place or by a specific means.
- The right to data portability – the right to have information transferred from one organisation to another or be given to the data subject directly.
- Rights relating to automated decision making and profiling – the right to challenge the use of automated processing & decision making.
Please note that not all rights are absolute. There may be certain circumstances in which we are unable to facilitate the exercise of your right(s) due to certain allowed exemptions. Should this be the case, then we will explain the exemption reason to you in our response.
Exercising your rights – the SAR process:
Access to personal data is the first step to exercising your rights. By exercising your right to access, you are able to receive a copy of all the personal information held about you by Xeinadin. This allows you to understand why your data is being used and to verify that it is being used in accordance with the law. The right to access is exercised by submitting a Subject Access Request (SAR) to the organisation. You can submit a SAR verbally, by speaking to us on the phone or in person, or in writing, including on social media platforms. It is not necessary to use the term “Subject Access Request”; you can simply ask for a copy of your personal information. If you wish to make a written SAR directly to us, you can do so by sending an email to [email protected] or via letter to Xeinadin Limited, Building 1, Swift Square, Northwood Park, Northwood, Dublin 9, D09 A0E4, Ireland.
After receiving your request, we will need to verify your identity before providing you with a copy of your personal data. We will respond to your request within 30 days. Subject Access Requests are typically free of charge. However, if your request is deemed by our data protection manager to be manifestly unfounded or excessive, we may charge a reasonable fee to cover the administrative costs involved.
Information collected while using our website, including Cookies:
Upon visiting the Xeinadin website, certain information is collected from your internet browser for statistical purposes using cookies. These are small text files that are stored on your computer’s hard drive through your browser. Cookies do not contain any personal information about users but allow us to distinguish you as a separate entity and monitor your actions on our site. Once you close your browser, the cookies are automatically removed.
To find out more about cookies, please visit: http://www.allaboutcookies.org
Google Analytics
We keep track of our website traffic in Google Analytics. In this way, we analyse the performance of our website, and we’re able to see the effect of our marketing actions. Google Analytics registers, among others:
- What is the source site of your visit?
- How long did you stay on our website?
- Which pages do you visit?
- Which device/operating system/browser do you use?
- Which forms do you fill?
When legally obliged, Google might share this information with third parties. If third parties process the information, Google might also share this information. We signed a data processing agreement with Google and forbade Google to use the obtained information for any other of their services.
No personal data is collected or saved in Google Analytics. The data will not be shared with third parties unless legally obliged.
How to complain:
Complaints to Xeinadin
Should you be unhappy with the way in which your personal data is being handled, then a formal complaint may be made to either Xeinadin or to the Data Protection Commission.
Complaints about the handling of data can be made to the Data Protection Team at [email protected]. The Data Protection Team are responsible for ensuring that data is handled in line with legal and regulatory requirements. Received complaints will result in an investigation of the data handling practices of the relevant office or department, prior to the issuing of a final report.
If the complaint is related to the handling of personal data by the Data Protection Team, then the formal Xeinadin complaints procedure can be used. All complaints must be sent to [email protected]; this is for both internal and external complaints.
Complaints Handling:
Either department will provide written acknowledgment within 5 business days of its receipt, giving the name or job title of the individual handling the complaint for the firm (together with details of the firm’s internal complaints handling procedure).
The Organisation will, by the end of eight weeks after its receipt of a complaint, send the complainant either a final response; or a response which explains that the Organisation is still not able to make a final response, gives reasons for the further delay and indicates when it expects to be able to provide a final response.
Complaining to the DPC:
If you have any concerns about the way in which Xeinadin handle your personal information, you also have the right to complain to the Data Protection Commission, which is Ireland’s data protection regulator; the contact details of which can be found below:
The DPC’s address:
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Ireland
Helpline number: (01) 765 01 00 (9:30am – 1pm, & 2pm – 5pm, Mon-Fri)
DPC website: https://www.dataprotection.ie/