We are committed to respecting the privacy and confidentiality of personal data and complying with data protection legislation. When we process personal data in:
- the United Kingdom we do so in compliance with the Data Protection Act 2018 and the UK GDPR;
- the European Economic Area we do so in compliance with the EU GDPR; and
- Australia we do so in compliance with the Privacy Act 1988.
2 About us
“Expat Tax Online”, “we,” “us” and “our” refers to each company in the Expat Tax Online Group as set out here:
Expat Tax Online LLC – 5900 Balcones Drive, Suite 5037, Austin, TX 78731, United States of America
Expat US Tax Limited – Blake House, 18 Blake Street, York, YO1 8QG, United Kingdom
Expat US Tax LLC – 5900 Balcones Drive, Suite 5037, Austin, TX 78731, United States of America
Expat Solutions India Pvt Ltd – EC-58, Sector 1, Salt Lake, Kolkata 700064, West Bengal, India
Expat Solutions India Pvt Ltd (Nepal branch) – Aarshiwad, 3rd Floor, Pulchowk, Lalitpur Metropolitan City, Kathmandu, Nepal
Expat Solutions Philippines Inc. – One West Aeropark Building, 8th Floor, Global City Clark, Clark Freeport Zone, Philippines
Expat US Tax – Box 1219, 116 74 Stockholm, Sweden
Each company in the Expat Tax Online group of companies is a separate legal entity and a separate controller of personal data. We may change the details in this section (2) from time to time.
3 How to contact us
If you wish to discuss any data protection matter please contact the Data Protection Officer:
The Data Protection Officer – Expat US Tax Limited, Blake House, 18 Blake Street, York, YO1 8QG, United Kingdom. Tel +44 (0)1904 211 005. Email email@example.com
4 Our role
Our role as a controller or a processor depends upon the nature of our engagement with you. If you are a client this will be defined in our contract with you. But generally:
- Where we decide the purpose and means of processing, we are a controller;
- Where we jointly decide the purpose and means of processing with you, we are a joint controller; and
- Where we process personal data according to your explicit written instructions, in a contract that satisfies Article 28 of the GDPR, we are a processor.
5 How we obtain personal data
Personal data is any information that could identify a living person. We only collect personal data that is necessary and we ask clients to only share personal data that is required. If you provide us with unnecessary personal data, we either return it to you or destroy it if you prefer.
|Types of personal data||Where we collect it from|
|Personal data that you provide to us||• When you fill in forms on any of our websites;
• When you correspond with us by telephone, email or letter;
• When you communicate with us by our secure portal;
• Using the Live Chat facility;
• From personal messaging services such as WhatsApp®, Facebook Messenger® and SMS;
• If you visit our offices, we may record your details in a visitors’ book, Covid register or electronic equivalent; and
• If you visit our offices, you may be recorded by CCTV systems owned by us or our landlord which are deployed for the prevention and detection of crime and to provide a safe working environment for employees and visitors.
|Publicly available sources we might use to collect personal data||• Credit reference agencies and other company information providers;
• National business administration authorities, such as Companies House in the UK;
• Social media such as LinkedIn®; and
• Our own research activities such as reviewing websites.
|Personal data that we receive from referrals||• We may receive unsolicited personal data in the form of a business-to-business referral; and
• We may receive personal data submitted as a referral from one of our employees.
If we receive personal data from the above sources we will seek your consent before we process it further.
6 The personal data that we process about you:
|Category||Data that we might process|
|Prospective clients||• Full name, company name and job title;
• Website address, email address and telephone number;
• Banking details and tax filing details (if relevant to the service); and
• Any further personal data that you choose to provide in your initial inquiry or during subsequent discussions whether by phone, email or letter.
|Personal or self-employed clients||• Your name, home address and date of birth;
• Name, home address and date of birth of any family members, advocates or other beneficiaries and connected parties;
• Employment status; and
• Financial details such as salary, other income and investments, tax status and debt level.
|Business clients, we also process the following||• Company name and registration number;
• Business type and industry sector; and
• Name, business address, job title, email address and telephone number(s) of all employees who may engage directly with us.
|Officers of the company, beneficial owners and persons of significant control||• Contact details (name, home address);
• Date of birth;
• PEP (Politically Exposed Persons) status; and
• SIP (Special Interest Person) status.
|Suppliers||• Company name and registration number, company address and telephone number;
• Business type and industry sector; and
• Name, address, job title, email address and telephone number(s) of all employees who may engage directly with us.
|If you, or a recruitment agency on your behalf, contact us concerning employment by any means of communication||• Your CV or resume containing personal data; and
• Further personal data in a covering letter.
|If you visit one of our websites, we collect information about your computer||• IP address (where available);
• Geographic location (if you allow this when prompted by your browser);
• Operating system;
• Browser type;
• Geographical location when you opened it; and
• Which parts of the email you interacted with.
If you use social media accounts which are registered using the same email address you have provided to us elsewhere, our systems enable us to link your social media accounts to your email address and therefore we process links to any social media accounts that you use. (You should check that you read and understand the privacy policies of all social media providers that you use).
7 Special category personal data
Unless we have a legal basis for doing so we do not collect special category personal data such as health, race or ethnic origin. For certain services or activities, and when required by law or with an individual’s consent this may be necessary.
8 Purpose for the processing and the legal basis for the processing
|1. Providing services to you||The wide range of services we provide usually require us to process personal data to provide advice and deliverables.||Processing necessary for the performance of a contract, or steps taken to enter into a contract with our clients, legitimate interests and
|2. Complying with any requirement of law, regulation or a professional body of which we are a member||If you wish to become our client (and periodically thereafter), we have a legal obligation to verify your identity. We are obliged to inform you that this will take place. We may do this by:|
performing a search with a credit reference agency and/or
an evaluation of traditional ID-check documents (passport, drivers’ license etc.) and the use of an electronic signature complying with the European Union Trusted Lists (EUTL).
|Legal or regulatory obligation and legitimate interests.|
|3. Administering, managing and developing our businesses and services||We use personal data for|
• managing our relationship with clients;
• developing our businesses and services)
• maintaining and using IT systems;
• hosting or facilitating the hosting of events; and
• administering and managing our websites, systems and applications.
|5. Business development and marketing||When sending electronic marketing messages to existing clients concerning similar products or services to those already purchased, we rely on the “soft opt-in” approved by the UK’s Information Commissioner and similar mechanisms in other European countries and Australia. Such mechanisms permit us to lawfully send marketing messages to existing clients provided that they contain an “opt out” mechanism.|
We retain personal data collected through our business development processes for as long as we believe our products and services may be of interest to prospective clients. Individuals and organizations can ask to be removed from our business development system at any time.
|Legitimate interests and consent|
|6. Procurement of services from suppliers||Legitimate interests|
9 Retention of personal data
We retain personal data in accordance with legal, regulatory and contractual requirements.
10 Data sharing
We only share personal data with other organizations when we have a lawful basis to do so and when we do so, we put contractual arrangements and security mechanisms in place to protect personal data and to comply with our data protection, confidentiality and security standards.
10.1 Data sharing within the Expat Tax Online group of companies
Personal data held by us may be transferred to, or disclosed to, other companies in our group of companies. We may do this where necessary for administrative purposes and to provide professional services to our clients. All companies in our group are bound by a Data Sharing Agreement which commits them to share personal data in a secure and lawful manner that respects the rights and freedoms of data subjects.
10.2 Data sharing with other controllers
Depending upon the nature of the service being provided to you we may lawfully share personal data with other organizations. This may change from time to time.
We use specialist organizations to provide certain services, such as data hosting. These organizations (data processors) are bound by a written contract which defines their tasks and responsibilities. We only employ processors that comply with data protection legislation and processors are subject to audit or certification review to ensure continuing compliance. The processors we use may change from time to time.
11 International transfers
We are part of a global association of tax consultants and we sometimes use organizations located in other countries to help us run our business. As a result, personal data may be transferred outside the countries where we and our clients are located.
We will not transfer or process personal data outside the country in which a client has contracted, or allow third parties to do so, unless it done in an approved manner in accordance with appropriate levels of security and data protection.
12 Profiling and automated decision-making
We do not perform any profiling based on personal data that has a legal or significant effect upon data subjects. We do not perform any automated decision-making involving personal data.
13 Your rights
You have the following rights concerning your personal data:
|Right to be informed||This Policy provides details of how we process your data, but if you have any further questions please contact our Data Protection Officer.|
|Right of access||You have the right to obtain confirmation as to whether or not we process your personal data, and, if we do, to have access to that personal data.|
|Right to rectification||You can tell us to rectify inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data corrected by providing a supplementary statement.|
|Right to erasure |
(right to be forgotten)
|You have the right in some circumstances to oblige us to erase personal data concerning you.|
|Right to restriction |
|You have the right in some circumstances to oblige us to restrict processing of your personal data.|
|Right to data portability||You have the right in some circumstances to oblige us to restrict processing of your personal data and to provide you with the personal data about you which you have provided in a structured, commonly used and machine-readable format. You also have the right to oblige us to transmit those data to another controller.|
|Right to withdraw consent||If the lawful basis for processing is consent, you have the right to withdraw that consent.|
|Right to object to |
|Where your personal data is processed for direct marketing purposes, you have the right to object to this.|
|Rights in relation to automated decision making and profiling||We do not perform any automated decision-making based on personal data that produces legal effects or similarly significantly affects you.|
14 Your right to lodge a complaint with a supervisory authority
If you would like to exercise any of your rights shown above, please contact the Data Protection Officer by post, telephone or by using the email address detailed in section 3.
If you are not satisfied with the response you receive, you have the right to lodge a complaint with the relevant supervisory authority for the territory in which you are contracted as shown in the table below:
|Contracted in||Supervisory authority|
|United Kingdom||Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: +44 (0) 1625 547 745 Email: firstname.lastname@example.org
|Sweden||Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten)
Drottninggatan 29, 5th Floor, Box 8114, 104 20 Stockholm
Tel: +46 8 657 6100 Email: email@example.com
|United States of America||Federal Trade Commission
600 Pennsylvania Avenue, NW, Washington, DC 20580
Tel: +1 (202) 326-2222
|Canada||Office of the Privacy Commissioner of Canada
30 Victoria Street, 1st Floor, Gatineau, QC K1A 1H3, Website: https://www.priv.gc.ca
|Philippines||National Privacy Commission
5th Floor Delegation Building, PICC Complex, Roxas Blvd, Pasay, Metro Manila 1308
Tel: +63 2 8234 2228 Email: firstname.lastname@example.org
© 2021 Expat Tax Online – This Policy is version 20210726 – Published 26 July 2021