We aim to collect personal data about our suppliers (which for the purposes of this notice includes subcontractors that we use to provide services to clients) only to the extent necessary for us to receive services and goods from our suppliers, manage our relationship with our suppliers and facilitate the provision of services to our clients. Our suppliers may refer relevant data subjects to this Privacy Notice. We generally collect personal data directly from our suppliers and from third parties such as credit rating agencies.
Such personal data may be used for the following purposes:
- Provision of professional services – We undertake a wide range of services, including Audit, Tax, Advisory and Outsourcing services. We may have to process personal data received from suppliers in order to perform such services and/or provide advice and deliverables to our clients.
- Managing, administering and developing our business – We process personal data in order to manage our relationship with clients, develop our business and services, maintain and develop our IT systems, manage and host events, and to administer and manage our website, systems and applications.
- Quality and risk management and security – we use various measures to protect personal data and other client information, which include monitoring the services provided to clients to detect, investigate and resolve security threats. Such monitoring may involve processing personal data, for example the automatic scanning of email correspondence for threats. Our supplier take-on procedures involve processing personal data that may be obtained from publicly available sources (such as sanctions lists, criminal convictions databases, and general internet searches) to identify any risks relating to individuals and organisations that may prevent us from working with a particular supplier.
- Providing information about our services to our clients and audited entities – unless the relevant individual has opted-out, we may use supplier (typically subcontractor) business contact details to provide information about our services.
- Compliance with legal obligations – as a regulated firm, we are subject to various legal obligations that may require us to process and/or retain personal data obtained from suppliers.
Where we process personal data for the above purposes, we rely on the following lawful bases:
1. Where it is necessary for performance of contractual obligations;
2. Where it is necessary for performance of legal obligations;
3. Where it is in our, or a third party’s, legitimate interests, provided that:
i. the processing is necessary to pursue the legitimate interests;
ii. the interests of the data subjects do not override the legitimate interests; and
iii. the data subjects have the right to:
a. request deletion of their personal data, provided they object to our processing and their interests override our own or a third party’s;
b. restrict processing of their personal data, provided they object to the necessity of the processing. In such circumstances, processing may be restricted for such time as to allow us to investigate their objections; and
c. object to the processing of their personal data in circumstances where such processing is necessary for a legitimate interest, or where processing is used for marketing purposes.