Data Protection (GDPR)

Oakwood Cranleigh Limited

This policy applies to the following business:

  • Oakwood Cranleigh Limited, trading as Oakwood Business Consultants. Oakwood is a registered Private Limited Company. The nature of business is Accounting activities, Bookkeeping activities and Tax Consultancy. The registered trading address is The Old Forge, Smithbrook Barns, Horsham Road, Cranleigh, Surrey, GU6 8LH.

The privacy policy explains how we use any personal information we collect when carrying out the services we provide as a company.



  • Glossary of Terms
  • What information do we collect about you and how?
  • How will we use the information about you and why?
  • Security precautions in place for data collected
  • Profiling
  • Marketing
  • How long will we hold your data for?
  • Access to your information, correction, portability and deletion
  • Other websites
  • Complaints
  • Changes to our Privacy Policy
  • Risk Assessments
  • How to contact us
  • In the event of a breach

Glossary of Terms


What is personal data?

Personal data relates to any information about a person that makes them identifiable, which may include, but is not limited to:

  • Names and contact information i.e. emails and telephone numbers
  • National Insurance Numbers
  • Employment history
  • Employee numbers
  • Personal tax
  • Payroll and accounting data


What is sensitive personal data?

Sensitive personal data refers to the above but includes genetic data and biometric data. (We do not collect nor store any of these forms of sensitive personal data) For example:

  • Medical conditions
  • Religious or philosophical beliefs and political opinions
  • Racial or ethnic origin
  • Convictions
  • Biometric data (e.g. a photo in an electronic passport)
  • Sexual Orientation


What is a Data Controller?

For general data protection regulation purposes, the “data controller” means the person or organisation who decides the purposes for which and the way in which any personal data is processed.

The data controller is Oakwood Cranleigh Limited, The Old Forge, Smithbrook Barns, Cranleigh, GU6 8LH.

The data protection officer for Oakwood Cranleigh Limited is Janet Poll, contactable via email and telephone, and 01483276100.


What is a Data Processor?

A “data processor” is a person or organisation which processes personal data for the controller.

The head “data processor” at Oakwood Cranleigh Limited is Jane Briggs.


What is Data Processing?

Data processing is any operation or set of operations performed upon personal data, or sets of it, be it by automated systems or not. Examples of data processing explicitly listed in the text of the GDPR are: collection, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating or making available, aligning or combining, restricting, erasure or destruction.


What do we mean by Business to Consumer?

Private clients, sole traders, unincorporated partnerships, trusts and foundations, Limited Companies and Charities.

What information do we collect about you and how?

Oakwood Business Consultants, as a Data Controller, is bound by the requirements of the General Data Protection Regulations (GDPR) set out by the European Union in 2018.

You agree that we are entitled to obtain, use and process the information you provide to us to enable us to discharge the Services (as defined in our Letter of Engagement) and for other related purposes including;

  • Updating and enhancing client records
  • Analysis for management purposes
  • Statutory returns
  • Legal and regulatory compliance

Analytics – how visitors use our website

We use Google Analytics to record information about how visitors use our website so that we may make improvements and give visitors a better user experience.

Google Analytics is a third-party information storage system that records information about the pages on our website you visit and the website in general, how you arrived at the site and what you clicked on when you were there. These cookies do not store any personal information about you e.g. name, address etc. and we do not share the data. You can view their privacy policy below:

Google –

IP addresses

An IP or Internet Protocol Address is a unique numerical address assigned to a computer as it logs on to the internet. Oakwood Cranleigh Limited does not have access to any personal identifiable information and will never seek this information. Your IP address is not logged when visiting our site, but our analytic software only uses this information to track how many visitors we have from particular regions.

Internet Based Advertising

We do not currently have any adverts or boosted posts on our website or Facebook page. Hence, no data is collected or stored with regards to internet based advertising.


How will we use the information about you and why?

At Oakwood Cranleigh Limited we take your privacy seriously and will only use personal information to provide the Services you have requested from us, detailed in your Letter of Engagement and as is identified above.  We will only use this information subject to your instructions, data protection law, this agreement and our Third Party Data Usage Agreement.

For Business to Consumer Clients and Contacts our lawful reason for processing your personal information will be “A contract with the individual” e.g. to supply goods and services you have requested, or to fulfill obligations under an employment contract.  This also includes steps taken at your request before entering into a contract.

We may receive personal data from you for the purposes of our money laundering regulation checks, such as a copy of your passport or drivers licence.  This data will only be processed for the purposes of preventing money laundering and terrorist financing, or as otherwise permitted by law or with your consent.

Our work for you does not require us to pass your information to any third-party service providers, agents, subcontractors and other associated organisation. We do however use PFP, a fee protection agency, with which your contact details will be shared so that they might contact you to share the uses and importance of Fee Protection. Our involvement with PFP is detailed more in of Third Party Data sharing agreement.

We do not collect information on our website to process inquiries. Via a link to an email address, directed to our data control officer, Janet Poll, you can contact Oakwood for any purpose regarding our services, policies and procedures or complaints.

We will not, under any circumstances, share your information for marketing purposes with companies so that they may offer you their products and services.

Transferring your information outside of Europe

We do not transfer, submit or provide any company/entity outside of Europe with any personal data, analytics or information regarding the work/services we provide, nor the information we store in order to carry out our the work assigned to us by you, the consumer.

Security precautions in place for data collected

When you give us personal information, we take steps to make sure that it’s treated securely. Any sensitive information (such as credit or debit card details) is protected securely by protected systems and an encrypted document server.

Non-sensitive details (your email address etc.) are sent normally over the Internet, and this cannot be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems.


We do not use profiling, with regards to any information collected, whether that may be analytics from our Facebook, web page or personal data given to us by you, the consumer.


We would like to send you information about our services, notably our quarterly information newsletter, ‘The Oakwood Reminder’, which may be of interest to you.  If you have consented to receive this newsletter you may opt out at any point as set out below.

You have a right at any time to stop us from contacting you for marketing purposes.  To opt out please email:

How long will we hold your data for?


  • Contracted Services: We have a data retention period of 7 years, in line with regulatory and legal requirements.
  • Newsletter: We will hold your data for as long as you remain an opted in member of the newsletter distribution list.


Access to your information, correction, portability and deletion


What is a Subject Access Request?

This is your right to request a copy of the information that we hold about you.  If you would like a copy of some or all your personal information, please email or write to us at the following address: Janet Poll, Secretary and Data Protection Officer, or Oakwood Business Consultants, The Old Forge, Smithbrook Barns, Cranleigh, Surrey, GU6 8LH.  We will respond to your request within one month of receipt of the request.

We want to make sure your personal information is accurate and up to date.  You may ask us to correct or remove information you think is inaccurate by emailing or writing to the above address.

Objections to processing of personal data

It is your right to lodge an objection to the processing of your personal data if you feel the “ground relating to your particular situation” applies. The only reasons we will be able to deny your request is if we can show compelling legitimate grounds for the processing, which override your interest, rights and freedoms, or the processing is for the establishment, exercise or defence of a legal claim.

Data Portability

It is also your right to receive the personal data which you have given to us, in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller without delay from the current controller if:

(a)    The processing is based on consent or on a contract, and

(b)    The processing is carried out by automated means.

Your Right to be ‘Deleted’

As a consumer of Oakwood Cranleigh Limited you have the right to be ‘Deleted’ at any point. We have certain legal obligations to store certain data. For more information and to request you data be deleted, contact our Data Protection Officer:

  • Email:, or
  • In Writing to: Janet Poll, Oakwood Business Consultants, The Old Forge, Smithbrook Barns, Cranleigh, Surrey, GU6 8LH

Other websites

Our website contains links to other websites.  This privacy policy only applies to this website so when you use links to other websites you should read their own privacy policies.


If you feel that your personal data has been processed in a way that does not meet the GDPR agreement set out on this page, you have a specific right to lodge a complaint with the relevant supervisory authority. The supervisory authority will then tell you of the progress and outcome of your complaint. The supervisory authority in the UK is the Information Commissioner’s Office. For other forms of complaints please see our Complaints Procedure:

Changes to our Privacy Policy

We keep our privacy policy under regular review and we will place any updates on this web page.  This privacy policy was last updated on 21 January 2020 and the Version number is 1.0 in line with the new GDPR guidelines.

Risk Assessments

We commit to carrying out risk assessments for the entirety of our GDPR and complaints procedure every 6 months.

How to contact us

Please contact us if you have any questions about our privacy policy/GDPR Agreement or information we hold about you:

  • By email:
  • Or write to us at Janet Poll, Oakwood Business Consultants, The Old Forge, Smithbrook Barns, Cranleigh, Surrey, GU6 8LH

Data Protection Breach

According to the General Data Protection Regulation, a personal data breach is ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’

The data protection officer will report any relevant breach of Data protection to the ICO within 72 hours of discovery.

Where the impact of a breach represents a ‘high risk’ to the rights and freedoms of individuals, those individuals will also be promptly notified to allow the individuals to take suitable precautions.