Sumer Privacy Policy

Introduction
This privacy notice is issued by Sumer Group Holdings Limited on its own behalf, and on behalf of its subsidiaries (each a "member of the Sumer Group" and together, "Sumer", the "Sumer Group", "we", "us" or "our"). Sumer is committed to protecting the privacy of individuals whose data we process and complying with our obligations under applicable data protection laws ("Data Protection Laws").

This privacy notice provides you with information on how we process personal data which we collect about you in connection with the provision of accounting, tax, audit, advisory and/or other business services, including if you are a potential, current or former client or business contact of Sumer, if you are a contractor or service provider to Sumer, if you are applying for employment or work experience with us, and/or if you use our website. In addition, it outlines your rights under Data Protection Laws.

We may from time to time update this privacy notice at our discretion.

If you have any queries in relation to our processing of your personal data please contact us at compliance@sumer.co.uk.

Your guide to our privacy notice

This privacy notice is provided in a layered format to allow you to navigate it easily. The privacy notice is split into the following sections:

  • Section One, The Controller of Your Personal Data: This section provides details of the Sumer Group so you can identify the controller of your personal data.
  • Section Two, How We Process Your Personal Data: This section provides information on how we process your personal data, including the purposes for which we process personal data (and the legal bases on which we rely to process it). How we process your personal data will depend on the nature of your engagement/relationship with Sumer, so this section is split into parts:
    • Part One, Clients: If you are a current, potential or former client of Sumer, this section provides details of how we process your personal data.
    • Part Two, Business Contacts: If you are a business contact of Sumer but are not a current, potential or former client, this section provides details of how we process your personal data. This includes if you have provided us with a business card, if you have corresponded with us and/or if you have attended events run by Sumer. It may also include persons who are connected to our clients (for example, family members) where it is relevant in connection with the advice and services we are providing to the relevant client.
    • Part Three, Contractors and Service Providers: If you are a contractor or provide services to Sumer, this section provides details of how we process your personal data.
    • Part Four, Job Applicants: If you have applied for a job or work experience with a member of the Sumer Group, this section provides details of how we process your personal data.
    • Part Five, Website Users: If you are a user of a Sumer website, this section provides details of how we process your personal data.
  • Section Three, Other Information: This section applies to all persons about whom we process personal data, and provides information about our data protection practices, including information about our data security and retention policies, details of our arrangements for disclosing personal data to third parties and transferring personal data outside of the UK and EEA and information on your rights under Data Protection Laws.

SECTION ONE – THE CONTROLLER OF YOUR PERSONAL DATA

The controller of your personal data is the entity which, alone or jointly with others, determines the purposes and means of the processing of your personal data.

The member(s) of the Sumer Group which act as a controller of your personal data will depend on the circumstances for which you engage with Sumer and/or provide your personal data to Sumer. For example, if you apply for a job with, receive advice from, visit the website of or otherwise engage with Monahans Limited, then Monahans Limited will be the controller of your personal data. Similarly, if you apply for a job with, receive advice from, visit the website of or otherwise engage with EQ Accountants Limited, then EQ Accountants Limited will be the controller of your personal data.

There may be circumstances where more than one member of the Sumer Group is a controller of your personal data. A list of all of the members of the Sumer Group is available at Members of the Sumer Group. This list may be updated from time to time. If you would like further information on who the specific controller(s) of your personal data are, then please contact us at compliance@sumer.co.uk.

SECTION TWO – HOW WE PROCESS YOUR PERSONAL DATA

PART ONE - CLIENTS

This section of our privacy notice sets out how we may process personal data about our clients (including potential, current and former clients). In this section, "you" and "your" refers to a person whose personal data is held by us, where that data has been provided to us by a client or (if our client is an organisation) by its employees, agents or representatives on its behalf, or has been collected by us, in each case, in the context of the operation of our business, including the provision by us of accounting, tax, audit, advisory and/or other business services.

The data we may hold
We may hold various kinds of personal data about you, which you (or, if our client is a business, our client) provide to us from time to time or which we otherwise obtain in the course of our relationship with you (for example, from third parties including background check providers), and which we have grouped together as follows:

  • Identity data may include names, gender, date of birth, pronoun preferences, and country of residence;
  • Contact data may include addresses, work email addresses, personal email addresses and telephone numbers;
  • Employment data may include places of work and job titles, employment history and qualifications;
  • Correspondence data includes any personal data which you share with us when you correspond with us (including over email, during telephone calls and/or in meetings);
  • KYC and other background data may include copies of passports, driving licences, utility bills and information which may be revealed by an anti-money laundering search conducted on you (including details of your directorships, your electoral registration, your political exposure, insolvency proceedings against you, criminal convictions and/or any adverse media in relation to you), credit checks/references and other information from third party publicly accessible sources including Companies House;
  • Financial and tax related data may include details of your salary, investments and savings and bank account details, together with details of your tax residency and other tax related information;
  • Family data may include details of your marital status and dependants;
  • Technical data may include internet protocol (IP) address, mail server URL, MIME version, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use when you correspond with us; and
  • CCTV data may include image and sound recordings.

We will not usually collect any special categories of personal data about you, except in limited circumstances where: (i) this is relevant to any services that we are providing to the client or you; or (ii) this is revealed as part of our anti-money laundering checks; or (iii) you volunteer the information to us in writing.

What we use your personal data for
We will only use your personal data for the following purposes:

  • To administer and manage our relationship with you or (where our client is an organisation) with our client.
  • To provide, or facilitate the provision of, accounting, tax, audit, advisory and/or other business services to you or (where our client is an organisation) to our client.
  • To instruct bank transfers and other payments required as part of accounting, tax, audit, advisory and/or other business services which we have provided.
  • To conduct our business, including in relation to accounting, tax, audit, advisory and/or other business services.
  • To comply with our legal and regulatory requirements, such as anti-money laundering laws, the rules of the Financial Reporting Council, the requirements of the Financial Conduct Authority and the rules and requirements of the Institute of Chartered Accountants in England and Wales ("ICAEW") and the Association of Chartered Certified Accountants ("ACCA").
  • To send you updates, news items, articles or other material which we think may be of interest to you, including in certain circumstances marketing material.
  • To send you invitations to events and seminars and the like which we think may be of interest to you.
  • To monitor emails sent to us (including attachments) for viruses or malicious software.
  • To protect and manage email traffic.
  • To detect, prevent and/or investigate fraud and crime such as monitoring office CCTV.
  • To manage and analyse data, including in connection with our data warehouse.
  • To share personal data with third parties in certain circumstances as detailed in Section Three (including in certain circumstances with third parties based outside of the UK and/or EEA).
  • Generally to manage the activities of our business, including monitoring and recording electronic communications (including telephone calls and emails).

Legal basis for processing your personal information
We will only use your personal information as the law permits. The legal bases we principally rely upon when processing your personal data are as follows:

  • It is necessary for the performance of a contract between us and you for the provision of accounting, tax, audit, advisory and/or other business services or in order to take steps at your request prior to entering into such a contract.
  • It is necessary for the purposes of our legitimate interests, where such interests are not overridden by your rights or interests.
  • It is necessary for us to comply with a legal obligation on us.

We have set out in the table below a description of the ways we use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.

Each entry below sets out, in order: Purpose / Activity; Type of data; Legal basis for processing.

To administer and manage our relationship with you or (where our client is an organisation) with our client.

  • Identity data
  • Contact data
  • Employment data
  • Correspondence data
  • Financial and tax related data
  • Family data

Performance of a contract with you.

Our legitimate interests of pursuing and developing our business and providing services to you or, if our client is an organisation, to our client.

To provide, or facilitate the provision of, accounting, tax, audit, advisory and/or other business services to you or (where our client is an organisation) to our client.

  • Identity data
  • Contact data
  • Employment data
  • Correspondence data
  • Financial and tax related data
  • Family data
  • KYC and other background data

Performance of a contract with you.

Our legitimate interests of pursuing and developing our business and providing services to you or, if our client is an organisation, to our client.

To instruct bank transfers and other payments required as part of accounting, tax, audit, advisory and/or other business services which we have provided.

  • Identity data
  • Contact data
  • Correspondence data
  • KYC and other background data
  • Financial and tax related data

Performance of a contract with you.

Our legitimate interests of providing services to you or, if our client is an organisation, to our client.

Compliance with our legal and regulatory obligations.

To conduct our business, including in relation to accounting, tax, audit, advisory and/or other business services.

  • Identity data
  • Contact data
  • Employment data
  • Correspondence data
  • KYC and other background data
  • Financial and tax related data
  • Family data

Performance of a contract with you.

Our legitimate interests of pursuing and developing our business and providing services to you or, if our client is an organisation, to our client.

To comply with our legal and regulatory requirements, such as anti-money laundering laws, the rules of the Financial Reporting Council, the requirements of the Financial Conduct Authority, and the rules and requirements of the ICAEW and ACCA.

  • Identity data
  • Contact data
  • Employment data
  • Correspondence data
  • KYC and other background data
  • Financial and tax related data

Compliance with our legal and regulatory obligations.

To send you updates, news items, articles or other material which we think may be of interest to you, including in certain circumstances marketing material.

  • Identity data
  • Contact data
  • Correspondence data

Our legitimate interests of pursuing and developing our business.

In certain circumstances (in relation to marketing) with your consent.

To send you invitations to events and seminars and the like which we think may be of interest to you.

  • Identity data
  • Contact data
  • Correspondence data

Our legitimate interests of pursuing and developing our business.

In certain circumstances (in relation to marketing) with your consent.

To monitor emails sent to us (including attachments) for viruses or malicious software.

  • Identity data
  • Contact data
  • Correspondence data
  • Technical data

Our legitimate interests of protecting and maintaining the security of our systems.

To protect and manage email traffic.

  • Identity data
  • Contact data
  • Correspondence data
  • Technical data

Our legitimate interests of protecting and maintaining the security of our systems.

To detect, prevent and/or investigate fraud and crime such as monitoring office CCTV.

  • Identity data
  • Technical data
  • CCTV data

Our legitimate interests of protecting the safety and security of our offices and staff.

To manage and analyse data, including in connection with our data warehouse.

  • Identity data
  • Contact data
  • Employment data
  • Correspondence data
  • KYC and other background data
  • Financial and tax related data
  • Family data
  • Technical data

Our legitimate interests of pursuing and developing our business, including for service improvement, product development and by analysing aggregated data to support data analysis and support the business in making informed decisions.

To share personal data with third parties in certain circumstances as detailed in Section Three (including in certain circumstances with third parties based outside of the UK and/or EEA).

  • Identity data
  • Contact data
  • Employment data
  • Correspondence data
  • KYC and other background data
  • Financial and tax related data
  • Family data
  • Technical data
  • CCTV data

Our legitimate interests of managing, performing and conducting our business (including outsourcing certain work and/or services).

Compliance with our legal and regulatory obligations.

Performance of a contract with you or taking steps prior to entering into a contract with you.

Generally to manage the activities of our business, including monitoring and recording electronic communications (including telephone calls and emails).

  • Identity data
  • Contact data
  • Employment data
  • Correspondence data
  • KYC and other background data
  • Financial and tax related data
  • Family data
  • Technical data
  • CCTV data

Our legitimate interests, including those of pursuing and developing our business and providing services to you or, if our client is an organisation, our client, protecting and maintaining the security of our systems, offices and staff and generally to manage and operate our business.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

Where your consent is required
Other than (in certain circumstances) to enable us to send you marketing communications (as described below), we do not anticipate being required to obtain your consent for the processing of your personal data as listed above. If we consider it necessary to use your personal data for other purposes which do require your consent we will contact you to request this consent. In such circumstances, we will provide you with details of the personal data that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. If you decide to provide your consent, you have the right to withdraw your consent at any time, although that will not affect the lawfulness of processing based on consent before its withdrawal. To withdraw your consent, please contact us. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

Processing of information about criminal convictions
We may process information about criminal convictions as part of and/or in connection with the provision of services to our clients. We may process information about criminal convictions relating to clients' staff and/or directors including in connection with an audit to verify whether relevant Disclosure and Barring Service Checks have been undertaken. We will only collect and use information about criminal convictions where we have a lawful basis to do so. For example, we may use information relating to criminal convictions in relation to legal claims or where regulatory requirements relating to unlawful acts and dishonesty apply.

Marketing
We may send to you from time to time, by electronic means or post, marketing communications:

  • if you have specifically requested that information from us;
  • if you have specifically consented to receiving marketing communications from us;
  • which relate to matters connected to those on which we have previously provided services to you, provided you have not opted out of receiving that marketing (which you may do at any time by contacting us); or
  • if it is necessary for the purposes of our legitimate interests, where such interests are not overridden by your rights or interests.

We will only send you marketing communications if we have a lawful basis to do so.

Please note, you can ask us to stop sending you marketing messages at any time by following the opt-out or unsubscribe links on any marketing message sent to you.

If you fail to provide personal information requested
Where we need to collect personal data by law or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (and accordingly may be unable to provide you with accounting, tax, audit, advisory and/or other business services). We will notify you if this is the case at that time.

PART TWO - BUSINESS CONTACTS

This section of our privacy notice sets out how we may process personal data in relation to business contacts such as if you have provided us with your business card, or have corresponded with a director or employee of Sumer and/or have attended Sumer events. It may also include persons who are connected to our clients (for example, family members) where it is relevant in connection with the advice and services we are providing to our client.

In this section, "you" and "your" mean a person who is a business contact of Sumer (who is not a client) and whose personal data has been provided to or collected by us, in the context of our business and our work in the provision of accounting, tax, audit, advisory and/or other business services.

The data we may hold
We may hold various kinds of personal data about you which you provide to us from time to time, or which we otherwise obtain in the course of our relationship with you, and which we have grouped together as follows:

  • Identity data may include names, gender, date of birth, pronoun preferences and country of residence;
  • Contact data may include addresses, work email addresses, personal email addresses and telephone numbers;
  • Employment data may include places of work and job titles, employment history and qualifications;
  • Correspondence data includes any personal data which you share with us when you correspond with us (including over email, during telephone calls and/or in meetings);
  • KYC and other background data may include copies of passports, driving licences, utility bills and information which may be revealed by an anti-money laundering search conducted on you (including details of your directorships, your electoral registration, your political exposure, insolvency proceedings against you, criminal convictions and/or any adverse media in relation to you), credit checks/references and other information from third party publicly accessible sources including Companies House;
  • Financial and tax related data may include details of your salary, investments and savings and bank account details, together with details of your tax residency and other tax related information;
  • Family data may include details of your marital status and dependants;
  • Technical data may include internet protocol (IP) address, mail server URL, MIME version, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use when you correspond with us; and
  • CCTV data may include image and sound recordings.

We will not usually collect any special categories of personal data about you, except where: (i) you are invited to attend certain Sumer social events where this may be relevant; or (ii) you volunteer the information to us in writing.

What we use your personal data for
We will only use your personal data for the following purposes:

  • To administer and manage our relationship or potential relationship with you.
  • To provide, or facilitate the provision of, services or advice to our client(s) (where you are connected to the client and it is relevant for the purposes of providing our services and/or advice).
  • To comply with our legal and regulatory requirements, such as anti-money laundering laws, the rules of the Financial Reporting Council, the requirements of the Financial Conduct Authority and the rules and requirements of the Institute of Chartered Accountants in England and Wales ("ICAEW") and the Association of Chartered Certified Accountants ("ACCA").
  • To send you updates, news items, articles or other material which we think may be of interest to you, including in certain circumstances marketing material.
  • To send you invitations to events and seminars and the like which we think may be of interest to you and to facilitate your attendance at such events.
  • To monitor emails sent to us (including attachments) for viruses or malicious software.
  • To protect and manage email traffic.
  • To detect, prevent and/or investigate fraud and crime such as monitoring office CCTV.
  • To share personal data with third parties in certain circumstances as detailed in Section Three (including in certain circumstances with third parties based outside of the UK and/or EEA).
  • Generally to manage the activities of the business, including monitoring and recording electronic communications (including telephone calls and emails).

Legal basis for processing your personal information
We will only use your personal information as the law permits. The legal bases we principally rely upon when processing your personal data are as follows:

  • It is necessary for the performance of a contract between us and you or in order to take steps at your request prior to entering into such a contract.
  • It is necessary for the purposes of our legitimate interests, where such interests are not overridden by your rights or interests.
  • It is necessary for us to comply with a legal obligation on us.

We have set out in the table below a description of the ways we use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.

Each entry below sets out, in order: Purpose / Activity; Type of data; Legal basis for processing.

To administer and manage our relationship or potential relationship with you.

  • Identity data
  • Contact data
  • Employment data
  • Correspondence data
  • Financial and tax related data
  • Family data

Our legitimate interests of pursuing and developing our business.

To provide, or facilitate the provision of, services or advice to our client(s) (where you are connected to the client and it is relevant for the purposes of providing our services and/or advice).

  • Identity data
  • Contact data
  • Employment data
  • Correspondence data
  • KYC and other background data
  • Financial and tax related data
  • Family data

Our legitimate interests of pursuing and developing our business and providing services to our clients.

To comply with our legal and regulatory requirements, such as anti-money laundering laws, the rules of the Financial Reporting Council, the requirements of the Financial Conduct Authority, and the rules and requirements of the ICAEW and ACCA.

  • Identity data
  • Contact data
  • Employment data
  • Correspondence data
  • KYC and other background data
  • Financial and tax related data

Compliance with our legal and regulatory obligations.

To send you updates, news items, articles or other material which we think may be of interest to you, including in certain circumstances marketing material.

  • Identity data
  • Contact data
  • Correspondence data

Our legitimate interests of pursuing and developing our business.

In certain circumstances (in relation to marketing) with your consent.

To send you invitations to events and seminars and the like which we think may be of interest to you and to facilitate your attendance at such events.

  • Identity data
  • Contact data
  • Correspondence data

Our legitimate interests of pursuing and developing our business.

In certain circumstances (in relation to marketing) with your consent.

To monitor emails sent to us (including attachments) for viruses or malicious software.

  • Identity data
  • Contact data
  • Correspondence data
  • Technical data

Our legitimate interests of protecting and maintaining the security of our systems.

To protect and manage email traffic.

  • Identity data
  • Contact data
  • Correspondence data
  • Technical data

Our legitimate interests of protecting and maintaining the security of our systems.

To detect, prevent and/or investigate fraud and crime such as monitoring office CCTV.

  • Identity data
  • Technical data
  • CCTV data

Our legitimate interests of protecting the safety and security of our offices and staff.

To share personal data with third parties in certain circumstances as detailed in Section Three (including in certain circumstances with third parties based outside of the UK and/or EEA).

  • Identity data
  • Contact data
  • Employment data
  • Correspondence data
  • KYC and other background data
  • Financial and tax related data
  • Family data
  • Technical data
  • CCTV data

Our legitimate interests of managing, performing and conducting our business (including outsourcing certain work and/or services).

Compliance with our legal and regulatory obligations.

Generally to manage the activities of our business, including monitoring and recording electronic communications (including telephone calls and emails).

  • Identity data
  • Contact data
  • Employment data
  • Correspondence data
  • KYC and other background data
  • Financial and tax related data
  • Family data
  • Technical data
  • CCTV data

Our legitimate interests, including those of pursuing and developing our business, providing services to our clients, protecting and maintaining the security of our systems, offices and staff and generally to manage and operate our business.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

Where your consent is required
Other than (in certain circumstances) to enable us to send you marketing communications (as described below), we do not anticipate being required to obtain your consent for the processing of your personal data as listed above. If we consider it necessary to use your personal data for other purposes which do require your consent we will contact you to request this consent. In such circumstances, we will provide you with details of the personal data that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. If you decide to provide your consent, you have the right to withdraw your consent at any time, although that will not affect the lawfulness of processing based on consent before its withdrawal. To withdraw your consent, please contact us. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

Marketing
We may send to you from time to time, by electronic means or post, marketing communications:

  • if you have specifically requested that information from us;
  • if you have specifically consented to receiving marketing communications from us;
  • which relate to matters connected to those on which we have previously provided services to you, provided you have not opted out of receiving that marketing (which you may do at any time by contacting us); or
  • if it is necessary for the purposes of our legitimate interests, where such interests are not overridden by your rights or interests.

We will only send you marketing communications if we have a lawful basis to do so.

Please note, you can ask us to stop sending you marketing messages at any time by following the opt-out or unsubscribe links on any marketing message sent to you.

If you fail to provide personal information requested
Where we need to collect personal data by law or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (and accordingly may be unable to continue our business relationship with you). We will notify you if this is the case at that time.

PART THREE - CONTRACTORS & SERVICE PROVIDERS

This section of our privacy notice sets out how we may process personal data about contractors and service providers to Sumer. In this section:

  • "contractor" or "service provider" means an individual or organisation providing services to Sumer; and
  • "you" and "your" mean a person whose personal data is held by us, where that data has been provided to us by you directly or by a contractor or service provider or by its directors, partners, employees, agents or representatives on its behalf, or has been collected by us, in each case, in the context of the provision of services to Sumer by that contractor or service provider.

The data we may hold
We may hold various kinds of personal data about you which the contractor or service provider or you provide to us from time to time, or which we otherwise obtain in the course of our relationship with you, and which we have grouped together as follows:

  • Identity data may include names, gender, date of birth, pronoun preferences and country of residence;
  • Contact data may include addresses, work email addresses, personal email addresses and telephone numbers;
  • Employment data may include places of work and job titles, employment history and qualifications;
  • Correspondence data includes any personal data which you share with us when you correspond with us (including over email, during telephone calls and/or in meetings);
  • Financial data may include bank account details;
  • Technical data may include internet protocol (IP) address, mail server URL, MIME version, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use when you correspond with us; and
  • CCTV data may include image and sound recordings.

We will not usually collect any special categories of personal data about you, except where (i) this is relevant to any services that you are providing to Sumer, or (ii) you volunteer this information to us in writing.

What we use your personal data for
We will only use your personal data for the following purposes:

  • To administer and manage our relationship with you and/or the contractor or service provider.
  • To comply with our obligations under the terms of a contract between the contractor or service provider and Sumer.
  • To assess your skills and qualifications, your suitability for the role and to decide whether to enter into a contract with you, the contractor or service provider or to permit access to our offices.
  • To assess and to monitor the standard of services being provided or offered to us.
  • To allow us to process payments in relation to any goods and services provided to Sumer.
  • To update and maintain our records including details of people that have accessed our offices.
  • To detect, prevent and/or investigate fraud and crime such as monitoring office CCTV.
  • To comply with our legal and regulatory requirements.
  • To monitor emails sent to us (including attachments) for viruses or malicious software.
  • To protect and manage email traffic.
  • To share personal data with third parties in certain circumstances as detailed in Section Three (including in certain circumstances with third parties based outside of the UK and/or EEA).
  • Generally to manage the activities of Sumer, including monitoring and recording electronic communications (including telephone calls and emails).

Legal basis for processing your personal information
We will only use your personal information as the law permits. The legal bases we principally rely upon when processing your personal data are as follows:

  • It is necessary for the performance of a contract between Sumer and you or in order to take steps prior to entering into such a contract.
  • It is necessary for the purposes of our legitimate interests, where such interests are not overridden by your rights or interests.
  • It is necessary for us to comply with a legal obligation on us.

We have set out in the table below a description of the ways we use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.

Purpose / Activity

Type of data

Legal basis for processing

To administer and manage our relationship with you and/or the contractor or service provider.

  • Identity data
  • Contact data
  • Employment data
  • Correspondence data
  • Financial data

Performance of a contract with you.

Our legitimate interests of pursuing and developing our business and receiving services from the contractor or service provider.

To comply with our obligations under the terms of a contract between the contractor or service provider and Sumer.

  • Identity data
  • Contact data
  • Employment data
  • Correspondence data
  • Financial data

Performance of a contract with you.

Our legitimate interests of pursuing and developing our business, receiving services from the contractor or service provider and complying with the terms of contracts to which we are a party.

To assess your skills and qualifications, your suitability for the role and to decide whether to enter into a contract with you, the contractor or service provider or to permit access to our offices.

  • Identity data
  • Contact data
  • Employment data
  • Correspondence data

Our legitimate interests of pursuing and developing our business and ensuring continuity and quality of services.

To assess and to monitor the standard of services being provided or offered to us.

  • Identity data
  • Contact data
  • Employment data
  • Correspondence data

Our legitimate interests of pursuing and developing our business and ensuring continuity and quality of services.

To allow us to process payments in relation to any goods and services provided to Sumer.

  • Identity data
  • Contact data
  • Correspondence data
  • Financial data

Performance of a contract with you.

Our legitimate interests of pursuing and developing our business, receiving services from the contractor or service provider and complying with the terms of contracts to which we are a party.

To update and maintain our records including details of people that have accessed our offices.

  • Identity data
  • Contact data
  • Employment data
  • Correspondence data
  • Financial data
  • Technical data

Our legitimate interests to keep our records updated and in certain circumstances for the prevention of criminal activity.

To detect, prevent and/or investigate fraud and crime such as monitoring office CCTV.

  • Identity data
  • Technical data
  • CCTV data

Our legitimate interests of maintaining the security of our offices.

To comply with our legal and regulatory requirements.

  • Identity data
  • Contact data
  • Employment data
  • Correspondence data
  • Financial data
  • Technical data

Compliance with our legal and regulatory obligations.

To monitor emails sent to us (including attachments) for viruses or malicious software.

  • Identity data
  • Contact data
  • Correspondence data
  • Technical data

Our legitimate interests to protect and maintain the security of our systems.

To protect and manage email traffic.

  • Identity data
  • Contact data
  • Correspondence data
  • Technical data

Our legitimate interests to protect and maintain the security of our systems.

To share personal data with third parties in certain circumstances as detailed in Section Three (including in certain circumstances with third parties based outside of the UK and/or EEA).

  • Identity data
  • Contact data
  • Employment data
  • Correspondence data
  • Financial data
  • Technical data
  • CCTV data

Our legitimate interests of managing, performing and conducting our business (including outsourcing certain work and/or services).

Compliance with our legal and regulatory obligations.

Performance of a contract with you or taking steps prior to entering into a contract with you.

Generally to manage the activities of Sumer, including by monitoring and recording electronic communications (including telephone calls and emails).

  • Identity data
  • Contact data
  • Employment data
  • Correspondence data
  • Financial data
  • Technical data
  • CCTV data

Our legitimate interests of pursuing and developing our business.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

Where your consent is required
We do not anticipate being required to obtain your consent for the processing of your personal data as listed above. If we consider it necessary to use your personal data for other purposes which do require your consent we will contact you to request this consent. In such circumstances, we will provide you with details of the personal data that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. If you decide to provide your consent, you have the right to withdraw your consent at any time, although that will not affect the lawfulness of processing based on consent before its withdrawal. To withdraw your consent, please contact us. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

If you fail to provide personal information requested
Where we need to collect personal data by law or under the terms of a contract we have with the contractor or service provider or you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with the contractor or service provider or you. We will notify you if this is the case at that time.

PART FOUR - JOB APPLICANTS

This section of our privacy notice sets out how we may process personal data about applicants for jobs, students applying for or attending work experience with Sumer and/or in relation to other potential employees of Sumer.

In this section "you" and "your" means a person who is an applicant for work, or work experience, with Sumer.

The data we may hold
In connection with your application for work or work experience with us, we may hold various categories of personal data about you, which you provide to us from time to time, or which we otherwise obtain in the course of our relationship with you, and which we have grouped together as follows:

  • Identity data may include your name, title, date of birth, pronoun preferences and country of residence;
  • Contact data may include addresses, work email addresses, personal email addresses, and telephone numbers;
  • Right to work data may include copies of your passport, driving licence, utility bills, details of unspent criminal convictions and other information which may be revealed by background checks on you;
  • Financial data may include bank account details and details of your salary;
  • Equal opportunities data may include your gender, gender identity, ethnicity, age, sexual orientation, religion and beliefs, physical or mental impairments, and native language;
  • Career data may include your current and former places of work and job titles, as well as details of your employment history, qualifications and CV;
  • Correspondence data includes any personal data which you share with us when you correspond with us (including over email, during telephone calls and/or in meetings (including interviews));
  • Technical data may include internet protocol (IP) address, mail server URL, MIME version, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use when you correspond with us; and
  • CCTV data may include image and sound recordings.

Please note that we may collect personal data about you from you directly and/or from recruitment agencies and/or background check providers, which may include reports from the disclosure and barring service (namely unspent criminal convictions), and from third party publicly accessible sources including Companies House records and social media.

We may hold special categories of personal data about you if this is necessary for Sumer to comply with its legal and regulatory obligations and for equal opportunities monitoring (see further details below). We may also collect special category data if you volunteer the information to us in writing.

What we use your personal data for
We will only use your personal data for the following purposes:

  • To assess your skills and qualifications, to consider your suitability for the position, to decide whether to enter into a contract with you and to take steps prior to entering into a contract with you.
  • To carry out background and reference checks.
  • To communicate with you about the recruitment process.
  • To keep records related to our hiring processes.
  • To comply with our legal and regulatory requirements, including the requirements of the Financial Conduct Authority and the rules and requirements of the Institute of Chartered Accountants in England and Wales ("ICAEW") and the Association of Chartered Certified Accountants ("ACCA").
  • To consider whether we need to provide appropriate adjustments during our recruitment process.
  • To be able to undertake equal opportunity monitoring and reporting.
  • To monitor emails sent to us (including attachments) for viruses or malicious software.
  • To protect and manage email traffic.
  • To detect, prevent and/or investigate fraud and crime such as monitoring office CCTV.
  • To share personal data with third parties in certain circumstances as detailed in Section Three (including in certain circumstances with third parties based outside of the UK and/or EEA).
  • Generally to manage the activities of Sumer, including by monitoring and recording electronic communications (including telephone calls and emails).

Once we receive your CV and covering letter or your application form, we may process that information to decide whether we have any suitable vacancies and if you meet the basic requirements to be shortlisted for the relevant role. If you do, we will decide whether your application is strong enough to invite you for an interview. If we decide to call you for an interview, we will use the information you provide to us at the interview to decide whether to offer you the work. If we decide to offer you the work, we will then take up references and we may carry out criminal record or other checks before confirming your appointment.

Legal basis for processing your personal information
We will only use your personal information as the law permits. The legal bases we principally rely upon when processing your personal data are as follows:

  • It is necessary in order to take steps at your request prior to entering into a contract between you and Sumer.
  • It is necessary for the purposes of our legitimate interests, where such interests are not overridden by your rights or interests.
  • It is necessary for us to comply with a legal obligation on us.

In relation to our processing of special category data, we rely on an additional basis as set out below.

We have set out in the table below a description of the ways we use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.

Purpose / Activity

Type of data

Legal basis for processing

To assess your skills and qualifications, to consider your suitability for the position, to decide whether to enter into a contract with you and to take steps prior to entering into a contract with you.

  • Identity data
  • Right to work data
  • Financial data
  • Equal opportunities data
  • Career data
  • Correspondence data

Taking steps prior to entering into a contract with you.

Our legitimate interests of pursuing and developing our business and growing our work force.

To carry out background and reference checks.

  • Identity data
  • Contact data
  • Right to work data
  • Career data
  • Correspondence data

Taking steps prior to entering into a contract with you.

Compliance with our legal and regulatory obligations.

Our legitimate interests of growing our work force and ensuring potential employees meet our requirements and standards.

To communicate with you about the recruitment process.

  • Identity data
  • Contact data
  • Correspondence data

Taking steps prior to entering into a contract with you.

Our legitimate interests of pursuing and developing our business and growing our work force.

To keep records related to our hiring processes.

  • Identity data
  • Contact data
  • Right to work data
  • Financial data
  • Equal opportunities data
  • Career data
  • Correspondence data

Compliance with our legal and regulatory obligations.

Our legitimate interests of pursuing and developing our business, growing our work force and defending any potential legal claims.

To comply with our legal and regulatory requirements, including the requirements of the Financial Conduct Authority and the rules and requirements of the ICAEW and the ACCA.

  • Identity data
  • Contact data
  • Right to work data
  • Equal opportunities data
  • Correspondence data

Compliance with our legal and regulatory obligations.

To consider whether we need to provide appropriate adjustments during our recruitment process.

  • Identity data
  • Equal opportunities data

Compliance with our legal and regulatory obligations.

Necessary for the purposes of carrying out obligations in the field of employment law (in particular, our obligation to make reasonable adjustments under the Equality Act 2010).

To be able to undertake equal opportunity monitoring and reporting.

  • Identity data
  • Equal opportunities data

Our (and our employees’ / prospective employees’) legitimate interests to maintain a diverse and equal working environment and ensure that no discrimination occurs in the workplace.

Necessary for the purposes of identifying and keeping under review the existence or absence of equality of opportunity and treatment.

To monitor emails sent to us (including attachments) for viruses or malicious software.

  • Identity data
  • Contact data
  • Correspondence data
  • Technical data

Our legitimate interests to protect and maintain the security of our systems.

To protect and manage email traffic.

  • Identity data
  • Contact data
  • Correspondence data
  • Technical data

Our legitimate interests to protect and maintain the security of our systems.

To detect, prevent and/or investigate fraud and crime such as monitoring office CCTV.

  • Identity data
  • Technical data
  • CCTV data

Our legitimate interests of maintaining the security of our offices.

To share personal data with third parties in certain circumstances as detailed in Section Three (including in certain circumstances with third parties based outside of the UK and/or EEA).

  • Identity data
  • Contact data
  • Right to work data
  • Financial data
  • Career data
  • Correspondence data
  • Technical data
  • CCTV data

Our legitimate interests of managing, performing and conducting our business (including outsourcing certain work and/or services).

Compliance with our legal and regulatory obligations.

Performance of a contract with you or taking steps prior to entering into a contract with you.

Generally to manage the activities of Sumer, including by monitoring and recording electronic communications (including telephone calls and emails).

  • Identity data
  • Contact data
  • Right to work data
  • Financial data
  • Career data
  • Correspondence data
  • Technical data
  • CCTV data

Our legitimate interests of pursuing and developing our business.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

Where your consent is required
We do not anticipate being required to obtain your consent for the processing of your personal data as listed above. If we consider it necessary to use your personal data for other purposes which do require your consent we will contact you to request this consent. In such circumstances, we will provide you with details of the personal data that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. If you decide to provide your consent, you have the right to withdraw your consent at any time, although that will not affect the lawfulness of processing based on consent before its withdrawal. To withdraw your consent, please contact us. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

Potential employment information
We may send to you from time to time, by email or post, information about employment opportunities with us. You can ask us to stop providing any such information to you at any time.

If you fail to provide personal information requested
If you fail to provide information when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application. For example, if we require references for a role and you fail to provide us with the relevant details, we will not be able to take your application further.

Data retention periods in relation to job applications
If your application is successful, the information you provide during the application process will be retained by us as part of your employee file and held in accordance with applicable laws and Sumer's employee privacy notice (copies of which will be available).

If your application is unsuccessful, we may retain and use your personal data to consider you for other positions in the future. Details of the criteria we use to determine the period for which your data will be retained are in Section Three.

PART FIVE – WEBSITE USERS

This section of our privacy notice sets out how we may process personal data about persons who use a Sumer Group website. Some members of the Sumer Group have supplementary privacy notices available on their website(s), which outline in more detail how the relevant member of the Sumer Group will process your personal data in connection with their website. Please refer to the privacy notice on each Sumer Group website you visit for further information.

Our website(s) are not intended for children and we do not knowingly collect personal data about children in connection with our website(s).

In this section, "you" and "your" refers to a person whose personal data is held by us, where that data has been provided to us through your use of our website(s).

The data we may hold
We may hold various kinds of personal data about you, which you may provide to us from time to time or which we otherwise obtain in the course of your use of our website(s) and which we have grouped together as follows:

  • Identity data may include names, gender, date of birth, pronoun preferences, country of residence;
  • Contact data may include addresses, work email addresses, personal email addresses and telephone numbers;
  • Correspondence data includes any personal data which you share with us when you correspond with us;
  • Technical data may include your internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website(s); and
  • Usage data may include information about how you use our website(s), products and services, and any communications we may receive from you.

We will not usually collect any special categories of personal data about you through the use of our website(s). If we do collect any special categories of data, we will make clear the reason to you, and we will ensure we have a lawful basis to process this type of information.

What we use your personal data for
We will only use your personal data for the following purposes:

  • To manage our relationship with you and to provide you with the use of our website(s).
  • Creating and managing an account with you via our website(s) and website portals.
  • Conducting checks to identify you and verify your identity or to help prevent and detect fraud against you or us.
  • To obtain information about the number of visitors and their use of our website(s).
  • Retaining and evaluating information on your recent visits to our website(s) and how you move around different sections of our website(s) for analytics purposes to understand how people use our website(s) so that we can make them more intuitive or to check our website(s) are working as intended.
  • To ensure that our website(s) are secure.
  • To address any issues you may experience with our website(s).
  • To share personal data with third parties in certain circumstances as detailed in Section Three (including in certain circumstances with third parties based outside of the UK and/or EEA).

Legal basis for processing your personal information
We will only use your personal information as the law permits. The legal bases we principally rely upon when processing your personal data are as follows:

  • It is necessary for the purposes of our legitimate interests, where such interests are not overridden by your rights or interests.
  • It is necessary for us to comply with a legal obligation on us.

We have set out in the table below a description of the ways we use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.

Purpose / Activity

Type of data

Legal basis for processing

To manage our relationship with you and to provide you with the use of our website(s).

  • Identity data
  • Contact data
  • Correspondence data
  • Technical data
  • Usage data

Our legitimate interests of providing you with access to and use of our website (including in connection with our business).

Creating and managing an account with you via our website(s) and website portals.

  • Identity data
  • Contact data
  • Correspondence data
  • Technical data
  • Usage data

Our legitimate interests of providing you with access to and use of our website (including in connection with our business).

Conducting checks to identify you and verify your identity or to help prevent and detect fraud against you or us.

  • Identity data
  • Contact data
  • Correspondence data
  • Technical data
  • Usage data

Our legitimate interests of providing you with access to and use of our website (including in connection with our business).

To obtain information about the number of visitors and their use of our website(s).

  • Technical data
  • Usage data

Our legitimate interests of monitoring the use of our website, including for business purposes.

Your consent (obtained via our cookies banner).

Retaining and evaluating information on your recent visits to our website(s) and how you move around different sections of our website(s) for analytics purposes to understand how people use our website(s) so that we can make them more intuitive or to check our website(s) are working as intended.

  • Technical data
  • Usage data

Our legitimate interests of monitoring the use of our website, including for business purposes.

Your consent (obtained via our cookies banner).

To ensure that our website(s) are secure.

  • Technical data
  • Usage data

Our legitimate interests of protecting and ensuring the security of our website(s).

To address any issues you may experience with our website(s).

  • Identity data
  • Contact data
  • Correspondence data
  • Technical data
  • Usage data

Our legitimate interests of providing you with access to and use of our website (including in connection with our business).

To share personal data with third parties in certain circumstances as detailed in Section Three (including in certain circumstances with third parties based outside of the UK and/or EEA).

  • Identity data
  • Contact data
  • Correspondence data
  • Technical data
  • Usage data

Our legitimate interests of managing, performing and conducting our business (including outsourcing certain work and/or services).

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

Where your consent is required
If we consider it necessary to obtain your consent in relation to a certain planned use of your personal data, we will contact you or prompt you (via our website(s)) specifically to request this consent. In such circumstances, we will provide you with details of the personal data that we would like to process and the reason we need to process it, so that you can carefully consider whether you wish to consent. Where you do consent and we rely on consent to process your personal information, you may withdraw that consent at any time by contacting us. We may rely on your consent to use non-essential cookies on our website(s) for the purposes described above. Further information relating to our use of cookies is below.

Cookies
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. Using cookies and collecting this information is for our legitimate interests to ensure our website(s) work and to learn more about the use of our website(s). In some cases (in relation to the use of non-essential cookies), we will ask for your consent. For information on how we use cookies, please see the cookies policy on the website you are visiting.

Third Party Websites
Our website(s) may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy notices/statements. When you leave our site, we encourage you to read the privacy notice of every website you visit.

If you fail to provide personal information requested
If you fail to provide information when requested, we may not be able to provide you with full access to, and use of, our website.

SECTION THREE – OTHER INFORMATION

This section of our privacy notice provides information about our data protection practices, including information about our data security and retention policies, details of our arrangements for disclosing personal data to third parties and transferring personal data outside of the UK and EEA and information about your rights under Data Protection Laws.

Data security
We have put in place security measures to seek to prevent your personal data from being accessed by or disclosed to unauthorised persons but we cannot guarantee the security of any data we collect and store. We have put in place procedures to deal with any actual or suspected personal data breach and will notify you and any applicable regulator of such a breach where we are legally required to do so.

Disclosures of your personal data
We may share your data with third parties, including third-party service providers, regulatory bodies and other authorities, and other entities in our group, including where required by law, where it is necessary to administer our relationship with you or where we have another legitimate interest in doing so.

  • Intra-group: We may share your personal data with other members of the Sumer Group in the ordinary course of our business, including as part of our regular reporting activities on Sumer's performance, in the context of a business reorganisation or group restructuring exercise, as part of intra-group service arrangements, in order to consolidate services and systems on a group-wide basis (including for efficiencies), and in connection with the hosting, management and analysis of data to support business activities (including our data warehouse).
  • Third parties: We will disclose personal information we hold about you to third parties who are providing services to us (or to you), which may include the following:
    • IT service providers.
    • Software and software-as-a-service (SaaS) providers.
    • Providers of artificial intelligence products and tools (and related services).
    • Event management businesses.
    • PR and marketing service providers.
    • Background, compliance, anti-money laundering and/or credit reference services.
    • Recruitment service providers.
    • Insurance service providers.
    • Printers.
    • Telephone service providers.
    • Document storage providers.
    • Backup and disaster recovery service providers.
    • Other professional services providers, such as lawyers, accountants and tax advisers.
    • CCTV providers.
  • Regulatory and other authorities: We may share your information in order to comply with legal and regulatory obligations to which we are subject.

We may also disclose your information to third parties (including professional advisers) in connection with the actual or potential acquisition of some or all of our business or assets.

Where such data is provided to third parties to process it on our behalf, we will enter into agreements with such third parties which impose processing obligations.

International transfers
In some circumstances, your personal data may be transferred outside of the UK or the European Economic Area ("EEA"). In particular, members of the Sumer Group from time to time may be based outside of the UK or the EEA. In addition, some of the external service providers used by Sumer may be based (or carry on processing of personal data) outside of the UK or EEA so their processing of your personal data may involve a transfer of personal data outside of the UK or EEA.

Where we transfer your personal data outside the UK or EEA we will ensure that it is protected in a manner that is consistent with how your personal data will be protected by us in the UK or EEA. Please contact us if you would like further information on the specific safeguards we use when transferring your personal data out of the UK or EEA.

Data retention periods
We retain personal data in accordance with our retention policy. We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of that personal data, the purposes for which we process that personal data and whether we can achieve those purposes through other means as well as the applicable legal and regulatory requirements (including the requirements of the ICAEW and ACCA).

Automated decision-making
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

Your legal rights
In certain circumstances, you have the right to:

  • access your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you.
  • ask us to correct the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • require erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • object to us processing your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • request the transfer of your personal information to another party.

If you wish to exercise any of the rights set out above, please contact us at compliance@sumer.co.uk.

Where you have given consent to the processing of your personal data, you may withdraw that consent at any time. Withdrawing your consent will not affect the lawfulness of processing based on consent before its withdrawal or the lawfulness of continued processing not based on consent. To withdraw your consent to processing by Sumer, please contact us at compliance@sumer.co.uk.

You will not usually have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Complaints
You have the right to make a complaint to the applicable supervisory data protection authority which, if you are based in the UK, is the Information Commissioner's Office. If you would like further information on who to contact to submit a complaint, please contact us at compliance@sumer.co.uk. We would, however, appreciate the chance to deal with your concerns before you approach the applicable data protection authority so please contact us in the first instance.