Privacy Notice
HLB Ireland Unlimited
Reviewed: September 2025
Next review: September 2026
1. Introduction
HLB Ireland Unlimited respects your privacy and is committed to protecting your personal data.
This Privacy Notice outlines how we collect, use, and safeguard your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Data Protection Act 2018, and related applicable laws.
2. Who We Are
HLB Ireland is a professional accountancy and advisory firm based in Sandyford, Co. Dublin.
We act as a Data Controller when collecting and processing your data for our services. We may also act as a Data Processor in limited contexts, such as outsourced payroll services, under written agreement.
3. Data Protection Contact
We are not required to appoint a Data Protection Officer under Article 37 GDPR. However, we have appointed a Data Protection Lead to oversee our data protection practices.
Data Protection Contact
Email: [email protected]
Phone: (0)1 291 5265
4. Personal Data We Collect
We collect personal data through a range of methods depending on the nature of our relationship with you. These include:
- Third-party sources and authorised representatives – e.g., legal, financial, or professional representatives, family members, and intermediaries.
- Public and regulatory registers – e.g., Companies Registration Office (CRO), Register of Beneficial Ownership (RBO), and other statutory databases.
- Technology and cloud-based systems – secure platforms provided by third-party IT and cloud service providers.
- Secure client portals and online tools – e.g., uploads of documentation or compliance information.
- Direct communication – e.g., emails, phone calls, meetings, or service engagements.
Categories of Data Subjects
We process personal data relating to:
- Business partners or directors
- Clients and members of their households (including AML data)
- Employees of client organisations (e.g., payroll)
- Former clients and staff (where required by law/contract)
- Individuals interested in our services or marketing lists
- Subcontractors and consultants
- Current and past employees
- Job candidates
- Other enquirers or complainants
Client Data Processing Activities
We process personal data in connection with:
- Customer Due Diligence (CDD) – e.g., passports, proof of address
- Accounts Preparation & Bookkeeping – Corporate Clients – e.g., directors, employees, suppliers
- Audit Services – e.g., directors, employees, fraud risk assessment
- Accounts Preparation – Unincorporated Clients – treated as personal data
- Corporation Tax Advisory – directors and employees
- Personal Tax Services – PAYE, CGT, health-related data for tax entitlements
- Payroll Services – directors and employees of client organisations
5. Lawful Basis for Processing
We process data under the following lawful bases:
Type of Engagement | Lawful Basis for Processing |
---|---|
Accounts preparation & bookkeeping – corporate clients | Contractual Necessity, Legitimate Interests |
Accounts preparation – unincorporated clients | Contractual Necessity, Legitimate Interests |
Corporation tax compliance & advisory | Contractual Necessity, Legitimate Interests, Consent |
Personal tax services | Contractual Necessity, Legal Obligation, Legitimate Interests, Consent |
Payroll services | Contractual Necessity, Legal Obligation, Legitimate Interests |
For statutory audits, we also rely on Legal Obligation to retain documentation and demonstrate compliance.
6. Sharing of Personal Data
We share data only where necessary, lawful, and proportionate:
- Regulatory and statutory bodies – e.g., Revenue Commissioners, CRO, RBO
- IT and cloud service providers – secure processing under agreements
- Professional advisers – e.g., legal, auditors
- Subcontractors and outsourced providers – engaged under contracts with confidentiality clauses
6A. Subprocessors
We engage third-party subprocessors to provide services. These subprocessors process personal data under GDPR-compliant agreements.
Key Subprocessors
Subprocessor | Service Provided | Data Categories Processed | Location | Sub-subprocessors |
---|---|---|---|---|
BrightPay | Payroll services | Employee data, salary, tax refs | Ireland | N/A |
Microsoft Corporation | Azure & M365 (email, storage, collaboration) | Client and employee data, business communications | Ireland | N/A |
ID Pal | AML ID verification | Identity, address, biometric, device logs | Ireland | N/A |
AML HQ | AML compliance platform | Identification data, CDD, ownership info | Ireland | Veriff (ID verification, Ireland) |
Xero | Cloud accounting software | Financial data, transactions, employee/director info | Ireland/EU | N/A |
QuickBooks (Intuit) | Cloud accounting software | Financial data, transactions, employee/director info | Ireland/EU | N/A |
Virtual Cabinet | Document management & storage | Client docs, financial, ID docs | Ireland | N/A |
Oversight Measures
- Due diligence before engagement
- Contractual safeguards in place
- Periodic reviews of compliance
- Subprocessors assist with Data Subject Rights requests
Changes
Clients will be notified of material subprocessor changes (min. 30 days in advance where required).
International Transfers
Where subprocessors transfer data outside the EEA, safeguards such as SCCs or adequacy decisions apply.
7. Special Categories and Criminal Data
We do not routinely process special category or criminal data. Where required (e.g., AML or health-related tax claims), processing is conducted under Article 9 GDPR with safeguards.
8. Indirect Data Collection
If we receive personal data from third parties or public sources, we will inform you within one month unless an exemption applies.
9. Purpose Limitation
We process data only for the purposes outlined in this Notice unless otherwise notified or legally required.
10. Automated Decision-Making
We do not use automated decision-making or profiling with legal or significant effects.
11. International Transfers
Where data is transferred outside the EEA, we use SCCs or adequacy decisions. Most processing occurs in Ireland, minimising transfer risks.
12. Data Retention
We retain data only as long as necessary:
- Client files – 6 years post-engagement
- Payroll records – 6 years post-employment
- AML due diligence data – 5 years post-client relationship
- Job applications (unsuccessful) – 12 months unless extended by consent
Data is securely deleted or anonymised once retention periods expire.
13. Your Rights Under the GDPR
You have the following rights:
- Access – request a copy of your personal data
- Rectification – correct inaccurate/incomplete data
- Erasure – request deletion (“right to be forgotten”)
- Restriction of processing – limit processing in certain cases
- Object – to processing, including for direct marketing
- Data portability – receive data in machine-readable format
- Withdraw consent – withdraw at any time (without affecting prior processing)
To exercise your rights:
Email: [email protected]
Post: Suite 7, The Courtyard, Carmanhall Road, Sandyford Industrial Estate, Dublin 18
14. Data Security
We implement security measures including:
- Encryption and secure backups
- Role-based access controls
- Staff training on data protection
- Ongoing monitoring and reviews
We apply Data Protection by Design and by Default as required under Article 25 GDPR.
15. Data Breaches
Definition – a breach includes destruction, loss, alteration, unauthorised disclosure, or access to personal data.
If HLB Ireland is the Controller:
- Notify the DPC within 72 hours (if notifiable)
- Record all breaches (cause, scope, remediation)
- Notification will cover categories, data types, consequences, and actions
If HLB Ireland is the Processor:
- Inform the relevant client/controller without undue delay
Informing Individuals:
Where a high risk exists, we will inform affected individuals promptly with details and next steps.
Business Transfers:
If our business is sold, merged, or reorganised, personal data may transfer to the new entity with safeguards in place.
16. Supervisory Authority and Complaints
You may contact the Data Protection Commission if you are dissatisfied with our handling of your data:
Data Protection Commission
6 Pembroke Row
Dublin 2
D02 X963
Ireland
Phone: +353 1 765 0100 | 1800 437 737
Website: www.dataprotection.ie
17. Changes to This Notice
We may update this Privacy Notice from time to time to reflect legal, technical, or operational changes. The latest version will always be available on our website.