Privacy Policy

Your information, how we use it & your rights.

1. Introduction

This Privacy Policy explains how we collect, use and protect personal data when providing professional services to our clients. It is issued to comply with our transparency obligations under the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 ("DPA 2018"), and to ensure you understand how your personal information is handled.

This Privacy Policy focuses on personal data processed in connection with our professional services. Information about our employees, workers and contractors is covered in a separate Employee Privacy Notice.

We are committed to complying with UK data protection law, including the UK General Data Protection Regulation (UK GDPR) as it applies in the United Kingdom, and the Data Protection Act 2018 (DPA 2018).

We are regulated by ICAS and are supervised by ICAS for the purposes of anti-money laundering compliance under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017). Our compliance with data protection law is not in conflict with, and does not override, our legal obligations under the MLR 2017 and the Proceeds of Crime Act 2002 (POCA 2002).

This Policy will be reviewed at least annually and updated as required to reflect changes in legislation, regulatory guidance, or our processing activities. The current version is always available from us on request and, where applicable, on our website.

2.  Who We Are

"JMT & Co" and "John M Taylor & Co" are both trading styles of John M Taylor (Paisley) Ltd, a company registered in Scotland (SC367458) with registered office at 9 Glasgow Road, Paisley, Renfrewshire, PA1 3QS.

We are registered as a data controller with the Information Commissioner's Office under registration number Z2039312.

For the purposes of UK data protection legislation, with the exception of payroll services (where we act as data processor — see section 10), we act as data controller in respect of personal data we process in connection with the provision of professional services to you.

Our Data Privacy Manager is responsible for overseeing questions relating to this Privacy Policy and can be contacted at the details below. You may also exercise your data subject rights (see section 15) by contacting the Data Privacy Manager.

Data Privacy Manager
John M Taylor (Paisley) Ltd
9 Glasgow Road, Paisley, Renfrewshire, PA1 3QS

Email: privacy@johnmtaylor.co.uk
Telephone: 0141 848 7474

ICO registration: Z2039312


3.  Data Protection Law

We process personal data in accordance with:
  • The UK General Data Protection Regulation (UK GDPR);
  • The Data Protection Act 2018 (DPA 2018);
  • The Data (Use and Access) Act 2025 (DUA Act 2025), which has amended and supplemented certain provisions of the UK GDPR and DPA 2018;
  • The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), where relevant to electronic communications and marketing; and
  • Other applicable legal and regulatory requirements, including the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).
References in this Policy to the "UK GDPR" should be read as references to those provisions as in force from time to time, including as amended by the DUA Act 2025.


4.  Personal Data We Collect

Standard personal data

The personal data we collect depends on the nature of our engagement and may include:
  • Identification and contact details, including name, address, date of birth and contact information;
  • Tax references and financial information, including income, assets, liabilities and details of transactions;
  • Payroll and employment-related data, including National Insurance numbers, tax codes, pay and deduction details, pension information and banking details;
  • Client due diligence information, including identity and verification documents, beneficial ownership information, source of funds, and risk assessment data collected to comply with our AML obligations;
  • Correspondence, instructions and other information provided in the course of our engagement; and
  • Information obtained from publicly available sources, including Companies House and HMRC records.
This may include personal data relating to directors, partners, trustees, shareholders, employees, beneficial owners and other connected persons — not only the individual or organisation that is our primary client.

Special category and criminal convictions data
In certain circumstances, the nature of our work means we may process data that falls into one of the special categories set out in Article 9 of the UK GDPR, or criminal convictions and offences data. This is most likely to arise in the following contexts:

Type of data, likely context and lawful basis:
  • Health data: statutory sick pay, fit notes and occupational health information in payroll work. Lawful basis: legal obligation (employment law compliance).
  • Trade union membership: processing of union subscription deductions through payroll. Lawful basis: legal obligation (employment law compliance).
  • Disability data: payroll adjustments; compliance with employment legislation. Lawful basis: legal obligation (employment law compliance).
  • Criminal convictions and offences data: AML enhanced due diligence; PEP and sanctions screening; information arising in the course of an engagement. Lawful basis: legal obligation (MLR 2017; POCA 2002).

We process special category and criminal convictions data only to the extent required by our legal and regulatory obligations, and we apply additional safeguards to the handling of such data.

Children's data
Where personal data relating to individuals under the age of 18 comes into our possession — for example, in the context of family tax planning, trust work or payroll processing — we apply enhanced care in its handling and will process it only where we have a clear lawful basis to do so.


5.  How We Collect Personal Data

We collect personal data:
  • Directly from you or from individuals authorised to act on your behalf;
  • From HMRC or other statutory authorities, where we are authorised or required to do so;
  • From third parties, including electronic identity verification providers, credit reference agencies, Companies House and the HMRC agent portal; and
  • From publicly available sources, including the Companies House register and the HMRC agent portal.
Where we obtain personal data about you from a source other than directly from you, we will, unless we are prohibited from doing so, take reasonable steps to make you aware of this and provide you with this Privacy Policy.

Please note that where we ask you to provide personal data, whether as a legal requirement (for example, to comply with our AML obligations) or in order to perform our services, your failure to provide the data may mean we are unable to complete the engagement or meet our legal obligations.


6.  Why We Process Personal Data

We process personal data only where there is a lawful basis for doing so under UK data protection law. The bases on which we principally rely are:
  • Performance of contract: processing is necessary to carry out the professional services we have agreed to provide, or to take steps at your request prior to entering into an engagement.
  • Legal obligation: processing is necessary to comply with legal or regulatory requirements to which we are subject, including tax legislation, AML obligations, and ICAS rules.
  • Legitimate interests: processing is necessary for the purposes of our legitimate interests, where those interests are not overridden by your interests, rights or freedoms. This includes administering our practice, maintaining our files, and communicating with third parties on your behalf.
  • Consent: where we request your consent to specific processing, such as sending marketing communications by electronic means. You may withdraw consent at any time without detriment to the services we provide.
Where we process special category data, we rely on one of the additional conditions under Article 9 of the UK GDPR, as set out in Schedule 1 to the DPA 2018 — most commonly, processing necessary for compliance with a legal obligation.


7.  Use and Disclosure of Personal Data

Personal data is used solely for purposes connected with the provision of professional services and compliance with our legal and regulatory obligations. We do not sell personal data or use it for unrelated commercial purposes.

Personal data may be disclosed to the following categories of recipients:
  • HMRC and other statutory or regulatory authorities, where we are required or authorised to do so by law;
  • ICAS, in connection with regulatory investigations, quality assurance reviews, practice monitoring visits or professional conduct matters;
  • The National Crime Agency, where we are required to make a suspicious activity report under the Proceeds of Crime Act 2002;
  • Other regulatory or professional bodies with jurisdiction over our firm or our clients;
  • Professional advisers, insurers and indemnity providers;
  • IT, software and cloud service providers engaged to support the delivery of our services (see section 8 below); and
  • Subcontractors or specialist advisers engaged by us to assist in providing services to you, such as independent examiners or specialist tax counsel.
All third parties to whom personal data is disclosed are required to maintain appropriate confidentiality and implement suitable data protection safeguards.


8.  Key Processors and Sub-Processors

In delivering our services, we use third-party software platforms and service providers that process personal data on our behalf as data processors. These are selected with care and are required to implement appropriate technical and organisational measures to protect the data they process.

The principal categories of processors we use are set out below:

Category of processor and purpose:
  • Cloud accounting software: preparation of accounts, tax returns and bookkeeping; data may be hosted on servers within the UK or in a country benefiting from UK adequacy regulations.
  • Payroll software platforms: calculation and submission of payroll, PAYE and auto-enrolment returns.
  • HMRC online services and agent portal: electronic filing of tax returns and statutory submissions.
  • Practice management and document storage software: storage and management of client files, correspondence and working papers.
  • Electronic identity verification providers: client due diligence and AML/KYC checks, including PEP and sanctions screening.
  • Email and communication platforms: day-to-day client correspondence, secure document exchange and document approval.
  • IT support and managed services: maintenance, security and support of our IT infrastructure.

Further information about specific processors and the safeguards in place for any international transfers is available on request from the Data Privacy Manager.


9.  Anti-Money Laundering, Terrorist Financing and Proliferation Financing

As a firm supervised by ICAS for anti-money laundering purposes, we are subject to MLR 2017 (as amended, including amendments arising from the Economic Crime (Transparency and Enforcement) Act 2022). These obligations require us to:
  • Conduct client due diligence (CDD) before and during an engagement, including verifying the identity of clients, beneficial owners and, where applicable, persons acting on a client's behalf;
  • Carry out ongoing monitoring of business relationships;
  • Screen clients and connected persons against sanctions lists, PEP registers and adverse media sources;
  • Assess the risk that a client or transaction may be connected with money laundering, terrorist financing or proliferation financing; and
  • Report suspicions of money laundering, terrorist financing or proliferation financing to the National Crime Agency.
CDD and related records must be retained for a minimum of five years from the end of the business relationship, or from the date of an occasional transaction. We are required to process personal data for these purposes and cannot agree to restrict or delete such data while these legal obligations subsist.

Please be aware that where we know or suspect that money laundering, terrorist financing or proliferation financing has taken place, we are required by law to submit a Suspicious Activity Report (SAR) to the National Crime Agency. We may be prohibited by law from informing you that such a report has been made ("tipping off").


10.  Our Role in Relation to Payroll and Similar Services

The role we play in relation to personal data depends on the nature of the services we provide to you.

Where we do not provide payroll or similar services
In respect of the personal data you provide to us in connection with your engagement — which will principally relate to you, your business and, where relevant, your directors, shareholders and other connected persons — we act as an independent data controller. We determine the purposes for which we use that data (delivery of professional services and compliance with our legal obligations) and are accountable for its lawful processing.

Where we provide payroll or similar services
Where we provide payroll, pension auto-enrolment or similar services on your behalf, the position is different for the personal data of your employees:
  • You are the data controller: as the employer, you determine the purposes for which your employees' personal data is processed, and you are responsible for the lawfulness of that processing.
  • We are the data processor: we process your employees' personal data on your behalf, following your documented instructions and the terms of our engagement, to carry out the payroll and related services you have engaged us to provide.
Where a Data Processing Agreement (DPA) is in force between us, the terms of that agreement govern the processing of employee personal data. Our standard DPA is consistent with the requirements of Article 28 of the UK GDPR.

Note for all clients:
Regardless of whether we provide payroll services, if you engage us to handle accounts, tax returns or similar work, we will process personal data relating to your directors, owners, employees or other connected persons as an independent data controller. This Privacy Policy applies to that processing.

11.  International Transfers

Where personal data is transferred outside the United Kingdom — for example, through the use of cloud-based software platforms whose servers are located abroad — we take steps to ensure that appropriate safeguards are in place before any such transfer occurs.

The safeguards we rely on may include:
  • Transfers to countries that benefit from UK adequacy regulations, which provide that the destination country or territory offers a level of data protection essentially equivalent to that in the UK;
  • International Data Transfer Agreements (IDTAs), as approved by the Information Commissioner; or
  • The UK Addendum to the EU Standard Contractual Clauses, where appropriate.
Please note that the UK currently benefits from an adequacy decision granted by the European Union, renewed on 19 December 2024, permitting the transfer of personal data from the EEA to the UK.

Further information about the specific safeguards applicable to any international transfer of your personal data is available on request from the Data Privacy Manager.


12.  Data Security

We apply appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration or disclosure. These measures are set out in our IT & Information Security Policy and Data Protection Policy, which are reviewed and updated regularly.

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with our obligations under Article 34 of the UK GDPR. Breaches meeting the threshold for reporting to the Information Commissioner's Office will be reported within 72 hours of our becoming aware.

13.  Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected and to comply with our legal, regulatory and professional obligations.

Our standard retention periods are set out in our Data Retention Policy, a summary of which is provided below:

Category and retention period:
  • General client files and correspondence: 6 years from the end of the relevant tax year or the conclusion of the engagement, whichever is later.
  • AML / CDD records (client due diligence, transaction monitoring, screening records): 5 years from the end of the business relationship or the date of an occasional transaction, as required by the MLR 2017.
  • Payroll records: 3 years from the end of the tax year to which they relate (PAYE Regulations), subject to any longer period required by specific circumstances.
  • Pension auto-enrolment records: 6 years from the date of the relevant event (The Pensions Regulator requirements).
  • Accounting and audit records: 6 years from the date of the relevant financial statements (Companies Act 2006; Income Tax Act 2007).
  • Correspondence relating to legal disputes or claims: 7 years from the resolution of the matter, or expiry of any applicable limitation period under the Prescription and Limitation (Scotland) Act 1973.
  • Special category data: retained only for as long as necessary for the specific purpose for which it was processed, and in no case longer than the applicable standard retention period for the engagement type.

Where retention beyond these standard periods is required — for example, in connection with ongoing legal proceedings, a regulatory investigation, or a specific professional requirement — we will retain the relevant data for only as long as necessary and will document the basis for extended retention.


14.  Automated Decision-Making and Profiling

We do not make decisions about you solely by automated means, nor do we carry out profiling of the kind that produces significant legal or similarly significant effects on you, within the meaning of Article 22 of the UK GDPR.


15.  Your Rights

You have the following rights under UK data protection law. To exercise any of these rights, please contact our Data Privacy Manager using the details in section 2. We will respond within one calendar month of receiving a valid request, though we may extend this by a further two calendar months in cases of complexity.

Summary of your rights:
  • Right of access (subject access): you may request a copy of the personal data we hold about you and information about how it is processed.
  • Right to rectification: you may ask us to correct inaccurate or incomplete personal data without undue delay.
  • Right to erasure: you may request deletion of your personal data in certain circumstances. This right does not apply where we are required to retain data by law (e.g. AML obligations, tax record-keeping).
  • Right to restriction of processing: you may ask us to restrict processing of your personal data in certain circumstances, for example while the accuracy of the data is contested.
  • Right to data portability: where processing is based on consent or contract and carried out by automated means, you may request your data in a structured, commonly used, machine-readable format.
  • Right to object: you may object to processing based on our legitimate interests. You also have an absolute right to object to processing for direct marketing purposes.
  • Right to withdraw consent: where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.
  • Rights in relation to automated decision-making: you have the right not to be subject to decisions based solely on automated processing that produce significant effects (see section 14).
  • Right to lodge a complaint: you may lodge a complaint with the ICO if you consider that our processing does not comply with UK data protection law. The ICO can be contacted at www.ico.org.uk or by calling 0303 123 1113.

To protect the security of personal data, we may need to verify your identity before responding to a request. We may ask for reasonable additional information where necessary to locate the relevant data.

Where a request is manifestly unfounded or excessive — in particular where it is repetitive — we may charge a reasonable fee or refuse the request, and will explain the reasons for doing so.


16.  Our Accountability

We maintain a record of our processing activities in accordance with Article 30 of the UK GDPR. This record sets out the purposes for which we process personal data, the categories of data and data subjects, and the safeguards we apply.
We conduct regular staff training on data protection obligations and review our data protection practices, policies and procedures at least annually.

We also carry out data protection impact assessments where a new processing activity is likely to result in a high risk to individuals, as required by Article 35 of the UK GDPR.


17.  Electronic Communications and Marketing

Where we send electronic marketing communications — such as newsletters, service updates or details of upcoming events — we do so in accordance with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
We will only send you electronic marketing communications where:
  • You have given us your explicit consent to do so; or
  • You are an existing client or contact and we are communicating about our own similar services (the "soft opt-in"), in which case we will give you an opportunity to opt out on each communication; or
  • You are an existing client and we are communicating information that we consider to be relevant to you or, where relevant, your business, in the context of the services that we are engaged to provide to you.
You may withdraw your consent to receive electronic marketing, or opt out of communications sent under the soft opt-in, at any time by:
  • Clicking the unsubscribe link in any marketing email we send; or
  • Contacting our Data Privacy Manager using the details in section 2.
Opting out of marketing communications will not affect your receipt of service-related communications connected with an active engagement.


18.  Updates to This Policy

This Privacy Policy may be updated from time to time to reflect changes in the law, regulatory guidance, our services or our processing activities.


Version history (version, date and summary of changes):
  • 1.0, May 2018: new Privacy Policy published.
  • 2.0, May 2025: added right of access; specific retention periods; lawful bases expanded; MLR 2017 section updated.
  • 3.0, May 2026: added special category and criminal convictions data table; children's data; DUA Act 2025 references; PECR section; data portability and automated decision-making.
