Our website uses cookies to enhance the visitor experience (what's a cookieCookies are small text files that are stored on your computer when you visit a website. They are mainly used as a way of improving the website functionalities or to provide more advanced statistical data.). Are you happy for us to use cookies during your visits?
Please note: continuing without making a choice equates to giving us your consent, which you can withdraw at any time via our cookies policy page.

  • Share on Facebook
  • Share on LinkedIn
  • Share on Twitter
  • Email this page to a friend

Email: enquiries@freemanco.netTel: 01858 461164

Request a Callback

  • Book a Free Consultation
  • Get a Fixed Quote

Find out how to Make more, Keep more and Work less

  • About You

PRIVACY NOTICE issued by Freeman & Co.(Accountants) Ltd


The Data Protection Act 2018 (“DPA 2018”) and the General Data Protection Regulation (“GDPR”) impose certain legal obligations in connection with the processing of personal data.

Freeman & Co. is a data controller within the meaning of the GDPR and we process personal data. The firm’s contact details are as follows: Freeman & Co (Accountants) Limited, 12 The Square, Market Harborough, Leicestershire LE16 7PA Telephone 01858 461164.

We may amend this privacy notice from time to time. If we do so, we will supply you with and/or otherwise make available to you a copy of the amended privacy notice.

Where we act as a data processor on behalf of a data controller (for example, when processing payroll), we provide an additional schedule setting out required information as part of that agreement. That additional schedule should be read in conjunction with this privacy notice.


The purposes for which we intend to process personal data

We intend to process personal data for the following purposes:
• to enable us to supply professional services to you as our client
• to fulfil our obligations under relevant laws in force from time to time (e.g. the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLR 2017”))
• to comply with professional obligations to which we are subject as a member of the Association of Chartered Certified Accountants
• to use in the investigation and/or defence of potential complaints, disciplinary proceedings and legal proceedings
• to enable us to invoice you for our services and investigate/address any attendant fee disputes that may have arisen
• to contact you about other services we provide which may be of interest to you if you have consented to us doing so


The legal bases for our intended processing of personal data

Our intended processing of personal data has the following legal bases:
• at the time you instructed us to act, you gave consent to our processing your personal data for the purposes
listed above
• the processing is necessary for the performance of our contract with you
• the processing is necessary for compliance with legal obligations to which we are subject (e.g. MLR 2017)

It is a requirement of our contract with you that you provide us with the personal data that we request. If you do not provide the information that we request, we may not be able to provide professional services to you. If this is the case, we will not be able to commence acting or will need to cease to act.


Persons/organisations to whom we may give personal data

We may share your personal data with:

• any third parties with whom you require or permit us to correspond
• an alternate appointed by us in the event of incapacity or death
• tax insurance providers
• professional indemnity insurers
• our professional body (the Association of Chartered Certified Accountants)
• Specialist tax consultants

If the law allows or requires us to do so, we may share your personal data with:

• the police and law enforcement agencies
• courts and tribunals
• the Information Commissioner’s Office (“ICO”).

We may need to share your personal data with the third parties identified above in order to comply with our legal obligations, including our legal obligations to you. If you ask us not to share your personal data with such third parties we may need to cease to act.


Transfers of personal data outside the EU

Your personal data will be processed in the UK only. For Iris Kashflow users please visit our privacy policy page at www.freemanco.net.


Retention of personal data

When acting as a data controller and in accordance with recognised good practice within the tax and accountancy sector we will retain all of our records relating to you as follows:

• where tax returns have been prepared it is our policy to retain information for 8 years from the end of the tax year to which the information relates

• where ad hoc advisory work has been undertaken it is our policy to retain information for 8 years from the date the business relationship ceased

• where we have an ongoing client relationship, data which is needed for more than one year’s tax compliance (e.g. capital gains base costs and claims and elections submitted to HMRC) is retained

throughout the period of the relationship, but will be deleted 8 years after the end of the business relationship unless you as our client ask us to retain it for a longer period.

Our contractual terms provide for the destruction of documents after 8 years and therefore agreement to the contractual terms is taken as agreement to the retention of records for this period, and to their destruction thereafter.

You are responsible for retaining information that we send to you (including details of capital gains base costs and claims and elections submitted) and this will be supplied in the form agreed between us. Documents and records relevant to your tax affairs are required by law to be retained by you as follows:

Individuals, trustees and partnerships
• with trading or rental income: five years and 10 months after the end of the tax year
• otherwise: 22 months after the end of the tax year.

Companies, LLPs and other corporate entities
• six years from the end of the accounting period.

Where we act as a data processor as defined in DPA 2018, we will delete or return all personal data to the data controller as agreed with the controller at the termination of the contract.


Requesting personal data we hold about you (subject access requests)

You have a right to request access to your personal data that we hold. Such requests are known as ‘subject access requests’ (“SARs”).

Please provide all SARs in writing marked for the attention of Jonathan Freeman.

To help us provide the information you want and deal with your request more quickly, you should include enough details to enable us to verify your identity and locate the relevant information. For example, you should tell us:
• your date of birth
• previous or other name(s) you have used
• your previous addresses in the past five years
• personal reference number(s) that we may have given you, for example your national insurance number, your tax reference number or your VAT registration number
• what type of information you want to know

If you do not have a national insurance number, you must send a copy of:
• the back page of your passport or a copy of your driving licence
• a recent utility bill.

DPA 2018 requires that we comply with a SAR promptly and in any event within one month of receipt. There are, however, some circumstances in which the law allows us to refuse to provide access to personal data in response to a SAR (e.g. if you have previously made a similar request and there has been little or no change to the data since we complied with the original request).

We will not charge you for dealing with a SAR.

You can ask someone else to request information on your behalf – for example, a friend, relative or solicitor. We must have your authority to respond to a SAR made on your behalf. You can provide such authority by signing a letter which states that you authorise the person concerned to write to us for information about you, and/or receive our reply.

Where you are a data controller and we act for you as a data processor (e.g. by processing payroll), we will assist you with SARs on the same basis as is set out above.


Putting things right (the right to rectification)

You have a right to obtain the rectification of any inaccurate personal data concerning you that we hold. You also have a right to have any incomplete personal data that we hold about you completed. Should you become aware that any personal data that we hold about you is inaccurate and/or incomplete, please inform us immediately so we can correct and/or complete it.


Deleting your records (the right to erasure)

In certain circumstances you have a right to have the personal data that we hold about you erased. Further information is available on the ICO website (www.ico.org.uk). If you would like your personal data to be erased, please inform us immediately and we will consider your request. In certain circumstances we have the right to refuse to comply with a request for erasure. If applicable, we will supply you with the reasons for refusing your request.


The right to restrict processing and the right to object

In certain circumstances you have the right to ‘block’ or suppress the processing of personal data or to object to the processing of that information. Further information is available on the ICO website (www.ico.org.uk). Please inform us immediately if you want us to cease to process your information or you object to processing so that we can consider what action, if any, is appropriate.


Obtaining and reusing personal data (the right to data portability)

In certain circumstances you have the right to be provided with the personal data that we hold about you in a machine-readable format, e.g. so that the data can easily be provided to a new professional adviser. Further information is available on the ICO website (www.ico.org.uk).

The right to data portability only applies:

• to personal data an individual has provided to a controller
• where the processing is based on the individual’s consent or for the performance of a contract
• when processing is carried out by automated means

We will respond to any data portability requests made to us without undue delay and within one month. We may extend the period by a further two months where the request is complex or a number of requests are received but we will inform you within one month of the receipt of the request and explain why the extension is necessary.


Withdrawal of consent

Where you have consented to our processing of your personal data, you have the right to withdraw that consent at any time. Please inform us immediately if you wish to withdraw your consent.

Please note:
• the withdrawal of consent does not affect the lawfulness of earlier processing
• if you withdraw your consent, we may not be able to continue to provide services to you
• even if you withdraw your consent, it may remain lawful for us to process your data on another legal basis (e.g. because we have a legal obligation to continue to process your data).


Automated decision-making

We do not intend to use automated decision-making in relation to your personal data.


Electronic Approval of Documents

Unless we are told otherwise, you have given consent to electronically approve documents uploaded to your Iris OpenSpace account.



If you have requested details of the information we hold about you and you are not happy with our response, or you think we have not complied with the GDPR or DPA 2018 in some other way, you can complain to us. Please send any complaints to enquiries@freemanco.net

If you are not happy with our response, you have a right to lodge a complaint with the ICO (www.ico.org.uk).

Freeman & Co.


An Introduction to how GDPR impacts the Envestnet | Yodlee Platform and Services

GDPR Impact and Posture

Is Yodlee GDPR Compliant?

Yodlee’s Services and the Yodlee Platform will comply, as your data processor, with the EU General Data Protection Regulation (GDPR) on or before 25 May 2018. Yodlee will have the required technical and organizational safeguards to ensure that the personal data of your customers are protected and that, through you, their rights over their data are satisfied.


How does Yodlee fit into the current regulatory requirements?

Yodlee has operated in Europe since 2002 as a data processor under the EU Data Protection Act (DPA). Yodlee’s privacy data handling program has consistently received independent validation by TrustARC (formerly TRUSTe) for US-EU Safe Harbour, US-Swiss Safe Harbour and now EU and Swiss Privacy Shield. Yodlee has, and will continue to execute EU Standard Contract Clauses with clients who desire that additional level of assurance. The Yodlee Platform and the processes that we use to develop, deliver and support our services have mature safeguards and governance overseen by an independent security, privacy, risk and compliance function, as well as receives regular certification by independent assessors and clients.


What is Yodlee’s current GDPR compliance posture?

As a responsible member of the global financial ecosystem, Yodlee tracks all emerging global regulations, standards and practices to ensure adherence to applicable requirements. We have been very active with PSD2 and GDPR to ensure that we continue to be a reliable service provider to our EU clients. Specifically:

  • Yodlee’s internal compliance, security, privacy and legal teams have engaged with outside experts to conduct updated privacy impact assessments of Yodlee’s services, to conduct a data protection impact assessment and to determine how each requirement of GDPR applies to our services.
  • We have engaged an expert EU-based firm to guide us in the role of Data Protection Officer (DPO) and fulfill those responsibilities in a DPO-as-a-Service capacity.
  • We have engaged expert outside counsel to provide us with legal opinions on how GDPR impacts our aggregation and analyses services, as well as any contract modifications that may be required to existing and new client engagements.


Protecting Your Customers

As your data processor, we support you by powering your solutions and protecting your customers. Here’s some things we think you’d like to know.



You need to tell your customers what data you’re collecting, with whom you are sharing it, where it’s stored and for how long. Using Yodlee’s APIs, you can manage this data collection and storage though-out the customer journey. We also provide you transparent access to the information you need to communicate with your customers about Yodlee’s processing role.



Yodlee’s Services are 100% customer permissioned. We provide you with clear guidelines for crafting consent flows to comly with GDPR and PSD2.


Access & Portability

It’s your customers’ data. Using our APIs, you can allow them to access and download their data when they want it.


Warnings and Breach Notifications

Our contract with you requires that we notify you of a data breach or any unauthorized access to your customers’ data. We have robust security incident detection and management programs that meet rigorous financial industry standards.



We do not market to your customers. In fact, we are prohibited from doing so per our contract with you.



If you are using Yodlee’s Services for processing applications for loans or making other decisions, we have additional safeguards and governance controls to support these compliance requirements. It’s imporant to let us know this when you sign-up so we can guide you appropriately.



Yodlee maintains bank-grade security safeguards for our entire Platform to provide your customers’ data from external and internal threats. Please see Yodlee’s Security FAQ for more information about these programs.


Data Transfer

Clients who deploy in Yodlee’s US data centres, may rely on our Privacy Shield compliance status or may request Controller-to-Processor Standard Contract Clauses.


Right to be Forgotten

Customers’ information may be updated or deleted using Yodlee’s APIs from within your application or as separate administrative functions. As the data controller, your customers’ personal data is fully under your control.


Data Classification and Scope

What data is in scope for GDPR

The Yodlee data model is organized by a set of layered data classification schemes. From a GDPR perspective, there are three data classifications in scope:

Customer Data: Information provided by the client as part of user registration and the information gathered from external sites at the request of the user. Customer Data may contain Personal Data of our clients’ EU customers, and is therefore in scope for GDPR.

Usage Data: Data about the client’s use of the Yodlee Platform. Usage Data does not contain Personal Data of our clients’ EU customers, and is not in scope for GDPR.

Aggregated Data: De-identified (i.e. pseudo- anonymised) account and transaction data from across the Yodlee Network. Aggregated Data is in scope for certain requirements of GDPR, notably consent from the data subject for this secondary processing.


How is Customer Data in scope for GDPR?

Customer Data is defined as the data our clients provide to register their customers on the Yodlee Platform, as well as the data we retrieve on their behalf, and with the customer’s explicit permission, about the customer’s financial accounts. Customers are registered on the Platform by the data controller (i.e. the Yodlee client) using generic indirect identifiers (GUIDs) that are not Personal Data. As customers link their external accounts, they entrust their access credentials (e.g. passwords or tokens) for each institution. These credentials are Personal Data as they identify the account holder. The data

Yodlee retrieves on their behalf may contain direct  identifiers  that  are   Personal   Data (e.g. account holder name, full name or email address in a credit card transaction description). Accordingly, Yodlee has enacted safeguards and governance over the transmission, storage and processing of Customer Data to comply with the current DPA and the GDPR.


Why is Usage Data not in scope for GDPR?

Usage Data is information about our clients’ use of the Yodlee Platform, such as API calls, performance metrics and other technical details. As such, there is no Customer Data and therefore no Personal Data contained in Usage Data. Furthermore, the usage is of the data controller, not the data subject.


What is Aggregated Data and how might it be in scope for GDPR?

Aggregated Data is derived from Customer Data from across the Yodlee network. As part of the derivation process, Yodlee removes attribution to the source (i.e. controller) and the customer (i.e. subject) as part of a comprehensive de- identification process, as well as direct identifiers (i.e. Personal Data) and known indirect identifiers (e.g. transaction IDs). The resultant end product meets the standard of “protected de-identified” which requires that the data has all direct and all known indirect identifiers removed or transformed and there are technical, organization and administrative controls over the handling of the data to prevent re-identification of the users. In DPA/GDPR terms, the data is pseudo-anonymized. We adhere to this standard rather than full anonymization to strike the right balance between consumer protection (i.e. negligible risk of re-identification) and usefulness of the data (i.e. ability to remove bias in the data set for accuracy in analytics.)


How does Yodlee use Aggregated Data?

Yodlee uses Aggregated Data for analytical research of consumer spending, saving, borrowing and investment behaviors at the aggregate level. We also perform behavior and trend analysis for clients, as well as license Aggregated Data panels to clients so they can conduct their own behavior and trend  research. This processing and use is under the oversight of our compliance, risk, privacy and security programs, including independent 3rd party assessments.


Data Location and Access

Where does Yodlee store the data of its EU clients?

Yodlee operates from data centres around the globe, including the US, Canada, Australia, India and the UK. Clients are deployed in the data centre in their region or, at their request, in the US data centres.


Is there cross-border data transfer of client data?

No, the Yodlee Platform is designed with localization controls so that cross-border data transfer is neither required nor allowed without instructions from our client. To deliver and support the services, Yodlee does conduct cross- border data access under technically enforced role-based access controls that enforce the prohibition of transfer of Personal Data. These controls are described in more detail in the Yodlee Security FAQ.


What’s Next?

In early 2018, Yodlee will complete the engagements with outside experts to finalize our compliance posture so that we may update our safeguards, governance, contracts and processes. We will provide an update to our clients and prospects no later than 1 April 2018 to ensure full readiness by 25 May 2018 when GDPR enforcement begins.