This section provides details of any minor amendments we have made to our terms of business.
April 2025 Update
Following the recent divestment of Johnston Carmichael Wealth to Partners Wealth Management, we have updated our Standard Terms & Conditions of Business to reflect the resulting changes. These changes predominantly affect:
- Section 6, “Association with Johnston Carmichael Wealth”;
- Section 11, “Data Protection”, and
- Section 22, “Investment Advice (including insurance mediation services)”
January 2022 Update
There are two main changes to the Terms and Conditions of Business and these are:
- An express the right to subcontract.
- References to our Member network have been updated from PKF International Limited to reflect our membership of the Moore Global Network Limited (effective from 1st January 2022).
March 2021 Update
Privacy Notice
In relation to sub-processors used by Johnston Carmichael, the following sub-processors have been engaged:
- Stone Group - Recycling of old IT equipment in a secure and environmentally safe manner
- Zoho - CRM software allowing us to manage prospects
- Hellosign - Cloud based software to apply digital signatures to documents
- Glasscubes - A secure web portal allowing us to share documented and collaborate with you
- Highlander International Shredding – for secure on site destruction of paperwork. This sub-processor replaces our previous supplier, Shredit.
Star Payroll Professional have been renamed as Iris Payroll
Where we use a 3rd party processor we will ensure that we implement a written contract to set out the same data protection obligations as are set out between our two organisations.
October 2020 Update
Privacy Notice
In relation to sub-processors used by Johnston Carmichael, the following sub-processors have been engaged:
- PayCircle payroll software – This is a cloud based payroll system hosted in the UK
- Microsoft Office 365 – we use an EEA data centre to host our email system and other communication and collaboration systems on the Office 365 platform
Where we use a 3rd party processor we will ensure that we implement a written contract to set out the same data protection obligations as are set out between our two organisations.
January 2020 Update
Privacy Notice
We confirm that we will comply with the provisions of the UK GDPR legislation when processing personal data about you and your family and that we have appropriate security measures in place.
Your personal data may be processed by third parties for the purposes of:
- Specialist financial analysis
- Secure document storage and disposal
As part of our client identity verification process, Johnston Carmichael LLP employs third party suppliers to provide services including utilising the services of credit reference agencies such as Experian or Transunion (https://www.transunion.co.uk/legal-information/bureau-privacy-notice). A record of these searches will be retained.
In relation to these organisations, we have in place a written contract which only permits them to use your data for specified purposes and in accordance with our instructions. The contract also requires that the organisation has in place appropriate security measures in relation to your personal data which are in line with our policies.
December 2018 Update
Pension Scheme clients – GDPR and Data protection terminology
In relation to all pension scheme clients, the standard terms are amended as follows:
The following text has been inserted after paragraph 1 in Clause 10:
“Unless the context requires otherwise, terms defined in GDPR have the same meaning when used in these terms.”
And the following text has been added at the start of Clause 11 (which has been renamed “Data Protection terms”):
“Where we act as a data controller in relation to personal data that you have provided to us, we will process such personal data in accordance with data protection requirements under GDPR and the Data Protection Act 2018 and will require any service provider that processes personal data on our behalf to adhere to such requirements. We agree not to deliberately or negligently put you in breach of your obligations under GDPR or the Data Protection Act 2018 through our acts or omissions.”
June 2018 Update
Data Protection “Processor” terms
Dependant on the type of engagement we carry out for you, we may be occasionally classed as a “Processor” as well as a “Controller” under GDPR and the Data Protection Act 2018. Where this is the case, the terms of this section apply.
We will implement appropriate technical and organisational measures to comply with the current version of the Regulation and Act to ensure security of processing.
At least 30 days before we engage a new sub-processor we will publish their details in the “Privacy Notice” section on our website. If you object in good faith to the appointment of the processor, we will work with you to consider how we may provide our services without using them. If we cannot agree a compromise to suit both parties within 30 days of your objection, then you may terminate the provision of the services under this engagement.
We currently use the following sub-processors:
- Star Payroll Professional – we run a bureau system with the data held on our IT systems. There is a cloud based component based in the UK, used for storing e-payslips.
- Sage (Payroll) – we occasionally share backup data for support purposes.
- Paygate – System used to transmit payroll payments using BACS.
- Egress – We outsource the encryption of email. All cloud based systems are based in the UK.
- Wolters Kluwer – This organisation hosts a secure client portal allowing us to confidentially share documents with yourself. The client portal is based in the EEA.
- Shreddit – for secure on site destruction of paperwork.
- Cloud based software solutions – We use cloud based accounting systems to assist us in our engagement. Where we use such a provider, multiple members of the team may have access to the system outwith the core team who provide the services you engage with us on.
Where we use a 3rd party processor we will ensure that we implement a written contract to set out the same data protection obligations as are set out between our two organisations.
We will:
11.1 Process the personal data supplied to us only on your written instructions (including transfers to a third country or international organisation) for the period of this engagement, unless required to do so by European Union or UK law. In such a case we will inform you of the legal requirement before processing unless we are prohibited from doing so by law or due to our professional obligations.
11.2 Ensure that all persons who process personal data on our authority have confidentiality clauses in their contracts of employment.
11.3 Implement appropriate technical and organisational measures to ensure a level of security appropriate to the level of risk involved in the processing that we are carrying out.
11.4 Assist you as per your obligations under Chapter III to respond to requests for exercising the rights of data subjects.
11.5 Assist you as per obligations under articles 32 to 35 taking into consideration the nature of the processing and information available to us.
11.6 At the end of our engagement we will delete or return all personal data on your instruction, unless we are required to retain it as per our legal obligations under European Union or UK law.
11.7 Provide information to you upon request to demonstrate compliance with the Regulation.
11.8 Allow for and contribute to audits or inspections conducted by you, or a 3rd party mandated by you.
11.9 We will immediately inform you, if an instruction infringes the General Data Protection Regulation or other European Union or Member State data protection law.
11.10 Maintain a written record of the personal data processing carried out on your behalf.
11.11 We shall be entitled to charge for the time of our personnel in assisting you with the exercise of clauses 11.4, 11.5 and 11.8.
