Privacy Notice

Your privacy matters to us

Policy document last updated: June 2026

The Purpose of this Notice

DNA Ltd trading as DNA Ltd Chartered Accountants (“DNA”, the “Company”, “we” or “us”) is committed to maintaining the accuracy, confidentiality and security of your Personal Data in accordance with the Data Protection (Bailiwick of Guernsey) Law, 2017 (the “DP Law”), together with any other relevant laws, regulations and secondary legislation as amended from time to time.

This Privacy Notice explains how DNA collects, uses, stores, shares and otherwise processes Personal Data relating to its clients, prospective clients, directors, employees (including temporary staff), suppliers, business contacts and other individuals whose Personal Data we handle in the course of our business.

It describes how Personal Data is collected, handled, retained, shared and protected so that we meet our data protection obligations and uphold our internal standards.

The DP Law applies regardless of whether Personal Data is stored electronically, on paper or on other materials.

What is Personal Data?

For the purposes of this Privacy Notice, Personal Data is any information about an identifiable individual, other than the person’s business title or business contact information when used or disclosed for the purpose of business communications. Personal Data does not include anonymous or non-identifiable information (i.e. information that cannot be associated with or tracked back to a specific individual).

Personal Data we collect, process, and hold includes (amongst other):

Name and residential address
Date of birth
Contact details in relation to proposed services or the provision of services we provide or your preferred method of our communications with you
Details of any services you may have received from us or continue to receive from us
Identification numbers and documents (i.e. TIN’s and passport numbers)
Various financial information including assets, liabilities, and transactions
Tax Information
Bank statements
Citizenship
Occupation
Information received from research or other sources, such as publicly available information
Information relating to requirements set out in the Guernsey Financial Services Commission’s Handbook on Countering Financial Crime and Terrorist and Proliferation Financing
Information received from background or criminal record checks as appropriate
Information provided by you in our dealings with you including employment data, professional qualifications, payroll data, expense claims, accounting and tax records and other items such as these which may contain Personal Data

Why we collect and use this information:

DNA will collect Personal Data for the purpose of conducting our contracted services such as the provision of accounting, bookkeeping and tax related services.

DNA also collects and uses Personal Data to meet its legal and regulatory obligations, including anti-money laundering, countering financial crime, terrorist financing and proliferation financing requirements, client due diligence, screening, monitoring and record-keeping obligations.
Depending on the circumstances, we process Personal Data because it is necessary to perform a contract, to comply with legal or regulatory obligations, for our legitimate interests or, where appropriate, with your consent.

We usually collect Personal Data directly from you. In some cases, we may collect it from third parties, for example from a previous accountant with your authority, from professional advisers, from employers or counterparties, from compliance and identity verification providers, or from publicly available sources where this is lawful and appropriate.
Where we obtain Personal Data indirectly, we will provide relevant transparency information in accordance with the DP Law unless an exemption applies.

We do not use automated means to collect Personal Data.
We will not collect any personal information that identifies a visitor to our website individually unless you choose to identify yourself by completing a contact form. We will only hold this Personal Data for the purpose of replying to your query.
We do not intend to process your Personal Data for a purpose other than that for which it was collected, however, if circumstances change, we will provide you with information on the intended purpose and any other relevant information.

Storing this information

We may hold your Personal Data both in hard copy files and on IT systems. All Personal Data obtained will be retained securely and only used for the purposes set out in the DP Law and in accordance with the purposes for which it was collected. DNA has a Data Retention policy, and all hard copy documentation and electronic documentation will be stored securely and returned or erased from the company records following a set period after the termination of our relationship with you.

Retention Period:

We retain Personal Data for as long as is reasonably necessary for the purposes described in this notice and to meet our legal, regulatory, tax, accounting and reporting obligations.
In many cases this means retaining records for up to 7 years after the end of our relationship with you, although longer or shorter periods may apply depending on the nature of the data and the legal or regulatory requirement that applies.

Backups:

In addition to our live IT system we also retain backups in order to protect the security and integrity of your data.
Backups are essential for data integrity and disaster recovery.
Personal Data stored in backups will normally be retained until those backups are overwritten or securely deleted in line with our backup retention schedules.
Following the termination of our relationship, we may not be able to remove specific information immediately from backup systems. However, we will ensure backup data remains protected and subject to strict access controls until it is overwritten or securely deleted in the normal course of business.

Data held on linked software:

DNA will use various software in order to provide our services to you
All software used by DNA is subject to a robust supplier onboarding process whereby we check data security and compliance with industry standard policies
Data held on third party software will typically be held until the subscription service ends
When a client relationship ends DNA implements a robust closure process which involves cancelling or transferring linked subscriptions (to the client or to the new accountant).
Where data is held in third party software it is archived or deleted. A hard delete is typically enacted by the software supplier at no more than 7 years after the service has ended. This period can be shorter but can be up to 7 years to comply with legal or accounting purposes.
Software we use aligns with standard data protection guidelines which includes the right to be forgotten. This means that for third party software a request can be lodged to request data deletion which varies but typically can then take 10 to 30 days.

Who we share this information with?

Personal Data and relevant information may be shared with staff members of DNA and will only be shared with external trusted service providers where a contract is in place with us, such as:

Information technology providers and specialist software providers that support our operations and service delivery, including cloud hosting, practice management, bookkeeping and document management systems
Third party service providers relevant to our work (such as compliance / IT/ cyber security / legal advisors)
Subcontractors under contract

A full list of service providers used in relation to your Personal Data can be provided on request.

Any request for Personal Data made by a financial services regulator or public authority or governmental body with jurisdiction over DNA will be complied with.

Contractors and sub-processors will only be used by us to process Personal Data where they meet the requirements of the DP Law and DNA shall take reasonable steps to ensure the reliability of any employee, agent or contractor of DNA or any such approved contractor or sub-processor who may have access to Personal Data, ensuring that all such individuals are subject to confidentiality agreements or other professional or statutory obligations of confidentiality.

Data protection and privacy laws vary between jurisdictions. Where Personal Data is transferred outside the Bailiwick of Guernsey, we will assess the transfer and use an appropriate transfer mechanism or safeguard where required under the DP Law.

We do not routinely transfer Personal Data outside the Bailiwick of Guernsey and the European Economic Area. Where a service provider or other recipient is located in, or stores data in, another jurisdiction, we will take steps to ensure the transfer is permitted under the DP Law. Depending on the destination, this may include transferring to a jurisdiction recognised as providing an adequate level of protection or putting in place contractual and other supplementary safeguards where required.

No information collected will be disclosed to any third party, other than in accordance with the terms set out below:

where we (or any third party acting on our behalf) are legally compelled to do so;
where there is a duty to the public to disclose;
where our interests require disclosure; (where we receive a legal request to disclose)
where disclosure is made at your request or with your consent
where disclosure forms part of our contractual agreement

Data Security

We will take appropriate security measures to safeguard Personal Data against unlawful or unauthorised Data Processing and against accidental loss or damage, misuse or disclosure, and to ensure that it is not accessed except by our employees in the proper performance of their duties. We will put in place procedures and technologies to maintain the security of all Personal Data from the point of collection to the point of destruction.
Personal Data will only be transferred to a Data Processor if that Data Processor agrees to comply with those procedures and policies or if he or she puts in place adequate measures themselves.
We have put in place procedures to deal with any suspected Personal Data security breaches and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
In the event of a Personal Data breach, we will investigate the incident, take steps to contain and remediate it, and make any notifications required by law.

Complaints

Should you wish to complain to DNA, please do so in writing to the address stated in the “Contact us” Section below.

Section 67 of the DP Law provides a right for you to complain directly to the Office of the Data Protection Authority for the Bailiwick of Guernsey. Sections 82 and 83 of the DP Law provides for rights of appeal. Where that complaint relates to the processing of your Personal Data by DNA, specific procedures can be found on the Authority’s website www.odpa.gg.

Your Rights

Under the DP Law, you have specific legal rights in relation to your Personal Data. These rights are summarised in Appendix 1.

Data protection lead is the person at DNA responsible for oversight and administration of this notice. This person is currently: Danielle Bennett (Director).

Contact us at:

Registered Office Address: Normandie House, Rue a Chiens, St Sampson, GY2 4AE

Telephone: +(01481) 254748

Email: [email protected]

APPENDIX 1

Right to information for Personal Data collected from Data subject	You have a right to be given various information about the Personal Data we hold about you along with a statement as to whether the provision of your Personal Data is a statutory or contractual requirement.
Right of Access	You have the right to request a copy of the Personal Data that we hold about you and why, by submitting a ‘subject access request’.
Right to Personal Data Portability	You may also ask us to move, or ‘port’, your Personal Data to another organisation electronically. We will only port Personal Data that you have provided to us, that we have processed based on your consent or in the performance of a contract. We will port your Personal Data without charge and within one month, where technically feasible.
Exception to right of portability or access involving disclosure of another individual’s Personal Data.	Where we are unable to comply with a request made by you without disclosing information relating to another individual who is identified or identifiable from that information, we have the right to refuse provision or transmission.
Rights to Object	You have the right to object to certain types of processing, including processing for direct marketing and, in some circumstances, processing based on legitimate interests, public interest, scientific or historical research, or statistical purposes.
Right to Rectification	We want to make sure that your Personal Data is accurate, complete and up to date. You have the right to ask us to rectify or change the Personal Data, you think is inaccurate or incomplete, and we ask that you inform us promptly of any changes to your circumstances.
Right to Erasure	You may also ask us to erase your Personal Data from our systems, in certain circumstances. There are some specific circumstances where the right to erasure does not apply and we are permitted to hold your Personal Data. We will explain the reason for this at the time if this should occur. If a data subject exercises this right we will ensure that live data is deleted promptly (backups will continue to exist until overwritten but backups are locked down with director access only).
Right to Restriction of Processing	You have the right to ask us to restrict the processing of your Personal Data in certain circumstances, for example while a concern about accuracy or lawfulness is being considered. We will inform relevant recipients where required and tell you before any restriction is lifted.
Right not to be subject to decisions based on automated processing	You have the right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal effects concerning you or similarly significantly affects you, except where permitted by law.