GDPR Compliance
Our commitment to UK GDPR, lawful data processing, and your rights as a data subject.
MOIZ AFC (MOIZ Accounting & Finance Consultants) is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). As an accounting and financial services firm, we handle sensitive personal and financial data on behalf of our clients, and we take our data protection obligations seriously.
This statement sets out how MOIZ AFC implements the seven GDPR principles, fulfils its obligations as a data controller and data processor, and upholds the rights of all data subjects whose information we handle.
1. Our Commitment to GDPR
MOIZ AFC is committed to:
- Processing all personal data lawfully, fairly, and transparently
- Collecting data only for specified, explicit, and legitimate purposes
- Limiting data collection to what is strictly necessary for those purposes
- Maintaining accurate and up-to-date records
- Retaining data only for as long as legally required or necessary
- Implementing appropriate technical and organisational security measures
- Taking full accountability for all data processing activities
These commitments reflect the seven principles of UK GDPR as set out in Article 5 of the regulation.
2. Scope & Applicability
This GDPR Compliance Statement applies to all personal data processed by MOIZ AFC in connection with:
- Current, prospective, and former clients across all service lines
- Employees, directors, and beneficial owners of client businesses
- Subcontractors and employees whose data is processed under our payroll and CIS services
- Visitors to our website at moizafc.com who submit enquiry forms
- Suppliers and professional contacts
Although MOIZ AFC serves clients in the USA, Canada, UAE, and GCC, this statement is issued under UK GDPR. Where EU GDPR obligations arise (e.g. for EU-based clients), equivalent standards are applied under the EU GDPR framework.
3. Data Controller Details
MOIZ AFC acts as the data controller for all personal data it collects and uses for its own business purposes (e.g. managing client relationships, issuing invoices, and maintaining business records).
MOIZ AFC acts as a data processor when processing personal data on behalf of clients — for example, when managing payroll records, processing employee data, or submitting HMRC returns. In these cases, the client is the data controller and MOIZ AFC processes data strictly on their documented instructions.
4. Lawful Bases for Processing
MOIZ AFC identifies and documents a lawful basis before processing any personal data. The bases we rely on are:
- Contract (Article 6(1)(b)): The primary basis for processing client data. Processing is necessary to perform the services agreed under the Engagement Letter — including bookkeeping, VAT, payroll, management accounts, and tax compliance.
- Legal obligation (Article 6(1)(c)): Processing required to comply with HMRC obligations, the Companies Act 2006, employment law, pension auto-enrolment regulations, and other applicable statutory requirements.
- Legitimate interests (Article 6(1)(f)): Processing for our own legitimate business purposes such as maintaining records, fraud prevention, improving service delivery, and business administration — where these are not overridden by your rights.
- Consent (Article 6(1)(a)): Where you have explicitly provided consent, such as when submitting a contact form enquiry on our website. You may withdraw consent at any time by contacting info@moizafc.com.
Where we process special category data (e.g. health information relevant to payroll or occupational sick pay), we rely on Article 9(2)(b) — processing necessary for employment law obligations.
5. Categories of Data We Process
In the course of delivering our services, MOIZ AFC processes the following categories of personal data:
For all clients:
- Names, contact details, and business information
- Financial records, bank statements, and transaction data
- Tax reference numbers (UTR, VAT registration, company registration)
For payroll clients (employees of our clients):
- National Insurance numbers, dates of birth, and addresses
- Salary, pension contributions, tax codes, and payment records
- P45, P60, and starter/leaver documentation
- TRONC and tip distribution records (hospitality sector)
For CIS clients (subcontractors):
- Subcontractor names, UTRs, and verification status
- Payment and deduction records submitted to HMRC
Website enquiries:
- Name, email address, phone number, and message content from the contact form
6. Data Subject Rights
MOIZ AFC respects and upholds all data subject rights under UK GDPR. These rights apply to all individuals whose personal data we process, including employees of client businesses:
- Right of access (Article 15): Request a copy of all personal data we hold about you. We will respond within 30 days at no charge.
- Right to rectification (Article 16): Request correction of inaccurate or incomplete personal data. We will act on verified corrections promptly.
- Right to erasure (Article 17): Request deletion of personal data where it is no longer needed. Note: statutory retention obligations (HMRC, Companies Act) may require us to retain certain data regardless of this request.
- Right to restrict processing (Article 18): Request that we limit processing of your data in specific circumstances, such as where accuracy is contested.
- Right to data portability (Article 20): Receive your data in a structured, commonly used, machine-readable format (e.g. CSV or PDF) where processing is based on consent or contract.
- Right to object (Article 21): Object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
- Rights related to automated decision-making (Article 22): MOIZ AFC does not use automated decision-making or profiling that produces legal or similarly significant effects.
To exercise any right, submit a written request to info@moizafc.com. We will verify your identity before processing the request and respond within 30 calendar days. Where requests are complex, we may extend this by a further two months with written notice.
7. Data Processors & Sub-Processors
MOIZ AFC engages the following categories of data processors and has Data Processing Agreements (DPAs) in place with each:
- Cloud accounting platforms: Xero, QuickBooks, Sage, SAP, Zoho Books, FreshBooks — used to deliver bookkeeping and financial reporting services
- HMRC digital services: Government Gateway — for VAT, PAYE, RTI, CIS, and corporation tax submissions
- Pension providers: Auto-enrolment pension platforms used for payroll compliance
- Web hosting: Hostinger — hosts our website and contact form submission data
- Email services: Used for secure client communication
All processors are selected on the basis of their GDPR compliance, security certifications, and ability to provide adequate contractual guarantees. We do not engage sub-processors without documented authorisation.
8. International Data Transfers
Where personal data is transferred outside the UK (including to cloud platforms with servers in the USA or EU), MOIZ AFC ensures one of the following safeguards is in place:
- UK adequacy regulations: Transfers to countries with a UK adequacy decision (e.g. EEA countries post-Brexit, under retained adequacy)
- International Data Transfer Agreements (IDTAs): The UK equivalent of Standard Contractual Clauses, used for transfers to the USA and other non-adequate countries
- Binding Corporate Rules (BCRs): Where applicable for multinational processors
Major platforms we use (Xero, QuickBooks, SAP) are certified under frameworks that support GDPR-compliant international transfers and provide IDTAs upon request.
9. Retention & Deletion
We maintain a data retention schedule aligned with statutory and regulatory requirements:
- HMRC accounting records: 6 years minimum from the end of the accounting period
- VAT records: 6 years from the date of the return
- PAYE and payroll records: 6 years from the end of the tax year
- CIS records: 3 years from the end of the tax year
- Companies House filings: As required under the Companies Act 2006
- Contact form data (no engagement): 12 months, then securely deleted
- Prospective client records: 24 months from last contact
Data beyond its retention period is securely deleted from all systems, including cloud platforms. Where deletion is requested under Article 17 but retention is legally required, we will restrict processing and inform you of the obligation preventing full erasure.
10. Technical & Organisational Security Measures
MOIZ AFC implements the following measures to ensure the security of personal data (Article 32 UK GDPR):
Technical measures:
- HTTPS encryption on all website communications
- Encrypted cloud storage on all accounting platforms
- Multi-factor authentication (MFA) on all client-facing systems
- Role-based access controls — staff access data only on a need-to-know basis
- Secure, encrypted document sharing for financial records
- Regular software and security updates on all operational systems
Organisational measures:
- Internal data protection training for all staff handling personal data
- Data Processing Agreements in place with all processors
- Regular review of access permissions for all client accounts
- Clear desk policy for any physical documents containing personal data
- Documented incident response and breach notification procedure
11. Data Breach Procedure
In the event of a personal data breach, MOIZ AFC will:
- Identify, contain, and assess the breach as quickly as possible
- Notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware, where the breach is likely to result in a risk to individuals' rights and freedoms (Article 33 UK GDPR)
- Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Article 34 UK GDPR)
- Document all breaches in our internal breach register, regardless of whether notification is required
- Implement remedial measures to prevent recurrence
Clients who are data controllers will be notified promptly so they can fulfil their own breach notification obligations.
12. Children's Data
MOIZ AFC's services are directed exclusively at businesses and business owners. We do not intentionally collect or process personal data relating to children under the age of 16, and our website is not directed at children.
If we become aware that personal data of a child has been submitted to us, we will delete it promptly. Please contact us at info@moizafc.com if you believe we hold any such data in error.
13. ICO Registration
As a data controller processing personal data, MOIZ AFC complies with the requirement to register with the UK Information Commissioner's Office (ICO) where applicable under the Data Protection (Charges and Information) Regulations 2018.
For any regulatory or supervisory matters regarding data protection, the relevant supervisory authority is:
14. Contact & Data Protection Queries
For all GDPR-related queries, data subject access requests, or concerns about how your personal data is handled, please contact us:
If you are not satisfied with our response, you have the right to lodge a complaint directly with the ICO at ico.org.uk. We would, however, appreciate the opportunity to resolve your concern before you contact the ICO.
Data protection questions?
We will respond to all GDPR queries within 30 calendar days.