Privacy Notice
HLB Ireland Unlimited
Reviewed: September 2025
Next review: September 2026
1. Introduction
HLB Ireland Unlimited respects your privacy and is committed to protecting your personal data.
This Privacy Notice outlines how we collect, use, and safeguard your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Data Protection Act 2018, and related applicable laws.
2. Who We Are
HLB Ireland is a professional accountancy and advisory firm based in Sandyford, Co. Dublin.
We act as a Data Controller when collecting and processing your data for our services. We may also act as a Data Processor in limited contexts, such as outsourced payroll services, under written agreement.
3. Data Protection Contact
We are not required to appoint a Data Protection Officer under Article 37 GDPR. However, we have appointed a Data Protection Lead to oversee our data protection practices.
Data Protection Contact
Email: [email protected]
Phone: (0)1 291 5265
4. Personal Data We Collect
We collect personal data through a range of methods depending on the nature of our relationship with you. These include:
-
Third-party sources and authorised representatives – e.g., legal, financial, or professional representatives, family members, and intermediaries.
-
Public and regulatory registers – e.g., Companies Registration Office (CRO), Register of Beneficial Ownership (RBO), and other statutory databases.
-
Technology and cloud-based systems – secure platforms provided by third-party IT and cloud service providers.
-
Secure client portals and online tools – e.g., uploads of documentation or compliance information.
-
Direct communication – e.g., emails, phone calls, meetings, or service engagements.
Categories of Data Subjects
We process personal data relating to:
-
Business partners or directors
-
Clients and members of their households (including AML data)
-
Employees of client organisations (e.g., payroll)
-
Former clients and staff (where required by law/contract)
-
Individuals interested in our services or marketing lists
-
Subcontractors and consultants
-
Current and past employees
-
Job candidates
-
Other enquirers or complainants
Client Data Processing Activities
We process personal data in connection with:
-
Customer Due Diligence (CDD) – e.g., passports, proof of address
-
Accounts Preparation & Bookkeeping – Corporate Clients – e.g., directors, employees, suppliers
-
Audit Services – e.g., directors, employees, fraud risk assessment
-
Accounts Preparation – Unincorporated Clients – treated as personal data
-
Corporation Tax Advisory – directors and employees
-
Personal Tax Services – PAYE, CGT, health-related data for tax entitlements
-
Payroll Services – directors and employees of client organisations
5. Lawful Basis for Processing
We process data under the following lawful bases:
| Type of Engagement | Lawful Basis for Processing |
|---|---|
| Accounts preparation & bookkeeping – corporate clients | Contractual Necessity, Legitimate Interests |
| Accounts preparation – unincorporated clients | Contractual Necessity, Legitimate Interests |
| Corporation tax compliance & advisory | Contractual Necessity, Legitimate Interests, Consent |
| Personal tax services | Contractual Necessity, Legal Obligation, Legitimate Interests, Consent |
| Payroll services | Contractual Necessity, Legal Obligation, Legitimate Interests |
For statutory audits, we also rely on Legal Obligation to retain documentation and demonstrate compliance.
6. Sharing of Personal Data
We share data only where necessary, lawful, and proportionate:
-
Regulatory and statutory bodies – e.g., Revenue Commissioners, CRO, RBO
-
IT and cloud service providers – secure processing under agreements
-
Professional advisers – e.g., legal, auditors
-
Subcontractors and outsourced providers – engaged under contracts with confidentiality clauses
6A. Subprocessors
We engage third-party subprocessors to provide services. These subprocessors process personal data under GDPR-compliant agreements.
Key Subprocessors
| Subprocessor | Service Provided | Data Categories Processed | Location | Sub-subprocessors |
|---|---|---|---|---|
| BrightPay | Payroll services | Employee data, salary, tax refs | Ireland | N/A |
| Microsoft Corporation | Azure & M365 (email, storage, collaboration) | Client and employee data, business communications | Ireland | N/A |
| ID Pal | AML ID verification | Identity, address, biometric, device logs | Ireland | N/A |
| AML HQ | AML compliance platform | Identification data, CDD, ownership info | Ireland | Veriff (ID verification, Ireland) |
| Xero | Cloud accounting software | Financial data, transactions, employee/director info | Ireland/EU | N/A |
| QuickBooks (Intuit) | Cloud accounting software | Financial data, transactions, employee/director info | Ireland/EU | N/A |
| Virtual Cabinet | Document management & storage | Client docs, financial, ID docs | Ireland | N/A |
Oversight Measures
-
Due diligence before engagement
-
Contractual safeguards in place
-
Periodic reviews of compliance
-
Subprocessors assist with Data Subject Rights requests
Changes
Clients will be notified of material subprocessor changes (min. 30 days in advance where required).
International Transfers
Where subprocessors transfer data outside the EEA, safeguards such as SCCs or adequacy decisions apply.
7. Special Categories and Criminal Data
We do not routinely process special category or criminal data. Where required (e.g., AML or health-related tax claims), processing is conducted under Article 9 GDPR with safeguards.
8. Indirect Data Collection
If we receive personal data from third parties or public sources, we will inform you within one month unless an exemption applies.
9. Purpose Limitation
We process data only for the purposes outlined in this Notice unless otherwise notified or legally required.
10. Automated Decision-Making
We do not use automated decision-making or profiling with legal or significant effects.
11. International Transfers
Where data is transferred outside the EEA, we use SCCs or adequacy decisions. Most processing occurs in Ireland, minimising transfer risks.
12. Data Retention
We retain data only as long as necessary:
-
Client files – 6 years post-engagement
-
Payroll records – 6 years post-employment
-
AML due diligence data – 5 years post-client relationship
-
Job applications (unsuccessful) – 12 months unless extended by consent
Data is securely deleted or anonymised once retention periods expire.
13. Your Rights Under the GDPR
You have the following rights:
-
Access – request a copy of your personal data
-
Rectification – correct inaccurate/incomplete data
-
Erasure – request deletion (“right to be forgotten”)
-
Restriction of processing – limit processing in certain cases
-
Object – to processing, including for direct marketing
-
Data portability – receive data in machine-readable format
-
Withdraw consent – withdraw at any time (without affecting prior processing)
To exercise your rights:
Email: [email protected]
Post: Suite 7, The Courtyard, Carmanhall Road, Sandyford Industrial Estate, Dublin 18
14. Data Security
We implement security measures including:
-
Encryption and secure backups
-
Role-based access controls
-
Staff training on data protection
-
Ongoing monitoring and reviews
We apply Data Protection by Design and by Default as required under Article 25 GDPR.
15. Data Breaches
Definition – a breach includes destruction, loss, alteration, unauthorised disclosure, or access to personal data.
If HLB Ireland is the Controller:
-
Notify the DPC within 72 hours (if notifiable)
-
Record all breaches (cause, scope, remediation)
-
Notification will cover categories, data types, consequences, and actions
If HLB Ireland is the Processor:
-
Inform the relevant client/controller without undue delay
Informing Individuals:
Where a high risk exists, we will inform affected individuals promptly with details and next steps.
Business Transfers:
If our business is sold, merged, or reorganised, personal data may transfer to the new entity with safeguards in place.
16. Supervisory Authority and Complaints
You may contact the Data Protection Commission if you are dissatisfied with our handling of your data:
Data Protection Commission
6 Pembroke Row
Dublin 2
D02 X963
Ireland
Phone: +353 1 765 0100 | 1800 437 737
Website: www.dataprotection.ie
17. Changes to This Notice
We may update this Privacy Notice from time to time to reflect legal, technical, or operational changes. The latest version will always be available on our website.
18. Cookies and Similar Technologies
HLB Ireland uses cookies and similar tracking technologies on our website to ensure proper functionality, enhance your browsing experience, and improve our services.
What are cookies?
Cookies are small text files placed on your device when you visit a website. They enable the website to recognize your device and remember information about your visit, such as your preferred settings and how you use the site.
Types of cookies we use
Strictly Necessary Cookies
These cookies are essential for our website to function properly and cannot be disabled. They enable core functionality including security, network management, accessibility features, and session management. These cookies do not collect information that could be used to identify you and are set automatically when you visit our site.
Analytics and Performance Cookies
With your consent, we use analytics cookies to understand how visitors interact with our website, which pages are most frequently visited, and whether users encounter any errors. This information is aggregated and anonymized, and helps us improve our website's content, structure, and user experience. We use [specify provider, e.g., Google Analytics] for this purpose.
Functional Cookies
These cookies enable enhanced functionality and personalization, such as remembering your cookie preferences and other choices you have made. These are only set with your consent.
Your choices and control
You have the right to accept or reject non-essential cookies. When you first visit our website, you will see a cookie banner providing options to accept all cookies, reject non-essential cookies, or manage your preferences.
You may change your cookie preferences at any time by:
- Selecting "Cookie Settings" available in the footer of our website
- Adjusting your web browser settings to block or delete cookies (note that blocking strictly necessary cookies may impact website functionality)
Managing cookies through your browser
Most web browsers allow you to control cookies through their settings preferences. You can typically set your browser to refuse cookies or to alert you when cookies are being sent. Please refer to your browser's help section for specific instructions on managing cookies.
Cookie duration
Cookies may be either session cookies (which expire when you close your browser) or persistent cookies (which remain on your device for a set period or until you delete them). We regularly review our cookie retention periods to ensure we only retain cookies for as long as necessary.
Third-party cookies
Some cookies on our website may be set by third-party service providers that perform services on our behalf, such as analytics providers. These third parties may collect information about your online activities over time and across different websites. We carefully select our third-party providers and ensure they process data in accordance with applicable data protection laws.
Changes to our cookie practices
We may update our use of cookies from time to time. Any changes will be reflected in this Privacy Notice, and where appropriate, we will notify you and seek your consent for any new cookie types.
Further information
If you have questions about our use of cookies or wish to exercise your rights regarding the data collected through cookies, please contact us at [email protected]
