MMBA Chartered Certified Accountants & Registered Auditors
This notice applies to https://www.mmba.co.uk and all services provided by MMBA.
MMBA Chartered Certified Accountants & Registered Auditors (‘MMBA’, ‘we’, ‘us’, ‘our’) respects your privacy and is committed to protecting your personal data. This privacy notice explains who we are, what personal data we collect, how we use it, who we share it with, and what your rights are under UK data protection law. It applies to everyone who visits our website, uses our services, or whose personal data we may process as a result of providing services to others. It includes website visitors, individual and business clients, prospective clients, and job applicants. This notice does not override or replace any other privacy notice or fair processing notice we provide to you specifically (for example, in your client engagement letter).
1. Who We Are and How to Contact Us
Data Controller
MMBA Chartered Certified Accountants & Registered Auditors is the data controller responsible for your personal data. We are registered with the Information Commissioner’s Office (ICO) in the United Kingdom. Our data privacy manager oversees all questions relating to this notice. If you have any questions, concerns, or wish to exercise your legal rights, please contact us:
Supervisory Authority
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection matters, at www.ico.org.uk or by calling 0303 123 1113. We would, however, appreciate the opportunity to address your concerns before you contact the ICO, so please contact us in the first instance.
2. What Personal Data We Collect
Personal data means any information that can identify a living individual. We collect different types of personal data depending on your relationship with us:
| Category | Examples |
| --- | --- |
| Identity Data | First name, last name, title, date of birth, username or similar identifier |
| Contact Data | Address, email address, telephone numbers |
| Financial & Transaction Data | Bank account details, payment details, billing history, details of payments to and from you |
| Profile Data | Username and password, preferences, feedback and survey responses, communication preferences |
| Technical Data | IP address, login data, browser type and version, time zone, device identifiers, operating system |
| Usage Data | Pages visited, click-through behaviour, how you use our website and services |
| Marketing & Communications Data | Your preferences for receiving marketing from us and your communication preferences |
| Client Engagement Data | Information provided to us as part of delivering professional services, such as financial records, tax information, business information, and AML due diligence documents |
| Recruitment Data | CV, education history, employment history, references, and other information provided when applying for a role with us |
Special Categories of Personal Data
We do not routinely collect special categories of personal data (such as data about race or ethnicity, religious beliefs, health, sexual orientation, political opinions, trade union membership, or biometric data). In the rare circumstances where we need to process such data (as part of providing our professional services), we will inform you and rely on an appropriate legal basis.
Criminal Convictions Data
We do not collect information about criminal convictions or offences unless required to do so as part of our regulatory obligations (for example, anti-money laundering checks).
Children
This website is not directed at children under the age of 13 and we do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately.
3. How We Collect Your Personal Data
We collect personal data through the following means:
Direct Interactions
You may provide personal data directly to us when you:
- Contact us by phone, email, post or through our website contact form
- Request a quotation or sign up for our services
- Create an account on our website
- Subscribe to our newsletters or publications
- Enter into an engagement with us as a client
Automated Technologies
When you visit our website, we may automatically collect technical and usage data about your device and browsing activity through cookies, server logs and similar technologies. Please see Section 8 (Cookies) for more details.
Third Parties and Publicly Available Sources
We may receive personal data about you from third parties, including:
- Analytics providers such as Google Analytics
- Anti-money laundering and identity verification services
- Credit reference agencies
- HMRC and other regulatory bodies
- Introducers, referrers and business partners
- Publicly available sources such as Companies House
4. How We Use Your Personal Data
We only use your personal data where we have a lawful basis to do so. The table below sets out the purposes for which we use your personal data and the legal basis we rely on:
| Purpose | Type of data | Legal basis |
| --- | --- | --- |
| Providing accounting, audit, tax and advisory services | Identity, Contact, Client Engagement, Financial | Performance of contract; Legal obligation |
| Managing our client relationship, including communications and billing | Identity, Contact, Financial, Profile | Performance of contract; Legitimate interests |
| Carrying out anti-money laundering and identity checks (KYC/AML) | Identity, Contact, Financial | Legal obligation |
| Complying with legal, regulatory and professional obligations (e.g. ACCA, HMRC) | Identity, Contact, Client Engagement | Legal obligation |
| Processing enquiries and responding to website contact forms | Identity, Contact | Legitimate interests |
| Sending relevant news, insights and marketing communications | Identity, Contact, Marketing | Legitimate interests; Consent (for third-party marketing) |
| Improving and developing our website and digital services | Technical, Usage | Legitimate interests |
| Recruiting employees and managing applications | Identity, Contact, Recruitment | Legitimate interests; Performance of contract (pre-employment) |
| Preventing fraud and ensuring security of our systems | Technical, Identity | Legitimate interests; Legal obligation |
| Business analysis, planning and reporting | Usage, Profile | Legitimate interests |
Legitimate Interests
Where we rely on ‘legitimate interests’, we have assessed that our interests are not overridden by your interests or fundamental rights. You may object to this processing at any time (see Section 11 for your rights).
Consent
Where we rely on your consent (for example, for certain marketing communications), you have the right to withdraw that consent at any time by contacting us or using the unsubscribe link in any marketing message.
Change of Purpose
We will only use your personal data for the purposes for which it was collected, unless we reasonably consider that we need to use it for another compatible purpose. If we need to use it for an unrelated purpose, we will notify you and explain the legal basis for doing so.
5. Marketing
Our Marketing
We may send you information about our services, industry updates and insights if you have engaged with us as a client, requested information from us, or otherwise indicated an interest, and you have not opted out.
Third-Party Marketing
We will not share your personal data with any third party for their own marketing purposes without your explicit consent.
Opting Out
You can opt out of marketing communications at any time by:
- Clicking the ‘unsubscribe’ link in any marketing email
- Calling us on 01772 378020
Opting out of marketing will not affect service-related or legally required communications.
6. Who We Share Your Personal Data With
We may share your personal data with the following categories of recipients, only to the extent necessary and appropriate:
| Recipient | Reason for sharing |
| --- | --- |
| Professional advisers (lawyers, bankers, insurers) | To obtain advice and support in delivering our services |
| IT service providers and cloud platform providers | To host and support our systems and infrastructure |
| HM Revenue & Customs (HMRC) | To comply with tax, payroll and reporting obligations |
| The FRC and ACCA | To comply with our regulatory and professional obligations |
| Anti-money laundering verification services | To carry out legally required identity and KYC checks |
| Document storage and archiving providers | For secure storage of client and business records |
| Successor businesses (in the event of a sale or merger) | Personal data may transfer to the new owners on the same basis as set out in this notice |
We require all third parties to keep your personal data secure and to process it only for the specified purpose and in accordance with our instructions. We do not sell your personal data to third parties.
7. International Transfers
We do not routinely transfer your personal data outside the United Kingdom. If we ever need to do so (for example, in relation to overseas tax matters or entities), we will make sure that appropriate safeguards are in place in accordance with UK data protection law, such as standard contractual clauses approved by the ICO.
8. Cookies
Our website uses cookies (small text files placed on your device when you visit our site). We use cookies to:
- Make sure that the website functions correctly (strictly necessary cookies)
- Understand how visitors use our site so we can improve it (analytical cookies, e.g. Google Analytics)
- Remember your preferences for future visits (functional cookies)
- Deliver relevant content or measure the effectiveness of our communications (marketing cookies)
When you first visit our website, you will be asked to confirm your cookie preferences. You can update your choices at any time. You can also control cookies through your browser settings; for guidance, visit http://www.allaboutcookies.org. Please note that disabling certain cookies may affect the functionality of our website. For full details on the specific cookies we use, their duration and purpose.
9. Data Security
We take the security of your personal data seriously and have put in place appropriate technical and organisational measures to protect it against accidental loss, unauthorised access, alteration or disclosure. These include:
- Secure, encrypted storage of personal and financial data
- Access controls and authentication procedures
- Staff training on data protection obligations
- Regular review of our information security practices
We also require all third-party service providers who process personal data on our behalf to maintain appropriate security standards. In the unlikely event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO in accordance with our legal obligations.
10. Data Retention
We will only retain your personal data for as long as necessary to fulfil the purposes for which it was collected, including meeting any legal, accounting or regulatory requirements. In determining the appropriate retention period, we consider:
- The nature and sensitivity of the data
- The potential risk of harm from unauthorised use or disclosure
- The purposes for which we process the data
- Applicable legal and regulatory requirements
| Type of data | Typical retention period |
| --- | --- |
| Client files and engagement records | 7 years from end of engagement (in line with ACCA and statutory requirements) |
| Anti-money laundering records | 5 years from the end of the business relationship |
| Accounting and financial records | 6 years from the end of the relevant financial year |
| Job applicant data (unsuccessful applicants) | 6 months from the end of the recruitment process |
| Website enquiry and contact form data | 12 months from receipt, unless a client relationship follows |
| Marketing preferences | Until you opt out or request erasure |
Full details of our retention schedule are available on request. We also apply specific retention periods to data collected during our business development and onboarding process.
- General website enquiries that do not progress to a client relationship are retained for 2 years.
- Proposal requests and quotations that are not accepted are kept for 3 years. Where discussions with a prospect are ongoing, we retain relevant data for 3 years from the date of last meaningful contact.
- Any anti-money laundering (AML) information obtained during the onboarding process where the client does not ultimately proceed is retained for 5 years, in line with our obligations under the Money Laundering Regulations.
11. Your Legal Rights
Under UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data:
| Right | What it means |
| --- | --- |
| Right of access | You can request a copy of the personal data we hold about you (a ‘Subject Access Request’) |
| Right to rectification | You can ask us to correct any inaccurate or incomplete data we hold about you |
| Right to erasure | You can ask us to delete your personal data where there is no good reason for us to continue holding it |
| Right to restriction | You can ask us to pause our use of your data in certain circumstances (e.g. while we verify its accuracy) |
| Right to data portability | You can ask us to provide your data in a structured, machine-readable format for transfer to another provider (where applicable) |
| Right to object | You can object to us processing your data where we rely on legitimate interests, including for direct marketing |
| Right to withdraw consent | Where we rely on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing |
12. How to Exercise Your Rights
To exercise any of these rights, please contact our Data Privacy Manager at info@mmba.co.uk or write to us at our registered address.
No Fee
You will not normally need to pay a fee to exercise any of these rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive, or we may decline to comply with such a request.
Verification
We may need to verify your identity before we can action your request, to make sure that your personal data is only disclosed to those who have the right to receive it.
Response Time
We will aim to respond to all valid requests within one calendar month. If your request is particularly complex, we may extend this by a further two months, in which case we will notify you.
13. Glossary of Lawful Bases
Performance of Contract:
Processing that is necessary for us to deliver the services you have engaged us for, or to take steps at your request before entering into a contract with you.
Legal Obligation:
Processing required to comply with a legal or regulatory rule we are subject to, such as anti-money laundering regulations, tax law or professional rules set by ACCA or the FRC.
Legitimate Interests:
Processing that is necessary for our legitimate business interests, or those of a third party, where these are not overridden by your interests or rights. We always carry out a balancing assessment before relying on this basis.
Consent:
Where you have given us clear and informed agreement to process your personal data for a specific purpose. You may withdraw consent at any time.
14. Third-Party Websites
Our website may contain links to third-party websites, plug-ins and applications. Clicking on those links may allow third parties to collect or share data about you. We do not control those websites and are not responsible for their privacy practices. We encourage you to read the privacy notice of every website you visit.
15. Changes to This Privacy Notice
We may update this privacy notice from time to time to reflect changes in our business, services or applicable law. The ‘last updated’ date at the top of this notice will always reflect the most recent version. Historic versions are available on request. Where changes are material, we will take reasonable steps to notify you; for example, by email or a prominent notice on our website.