Privacy policy
6 June 2024
As a member and or customer of AAT, there are many ways you can use the services we offer, some of which require you to share your personal data with us. In these instances, we act as the data controller, making us responsible for deciding the purpose and means for dealing with your personal data.
AAT (Association of Accounting Technicians), a company limited by guarantee (No. 1518983) and registered charity (No. 1050724), (“AAT”,“we”, “us”, “our”) is committed to the privacy of your personal data.
Our privacy policy explains:
- what personal data we collect about you in the course of your engagement with our services, why we collect it, who it goes to and how long we keep it
- how we use your personal data
- how we protect your personal data
- your legal rights in respect of your personal data, including how to access and update the information we hold about you.
You can navigate to the relevant sections of the policy by clicking the links in the sidebar.
By continuing to use our services, you agree to our use of your personal data on the terms outlined in this policy.
About the policy
This policy provides you with information on how we’re using your information and the actions we take to protect your privacy.
On specific occasions, we may provide you with additional information when we collect your personal data. This policy is designed to supplement any specific notices and they should always be read in conjunction with each other, so you’re fully aware of how and why we’re using your data.
It’s important that your personal data is accurate and up to date, so we can effectively provide our services to you. You can check and update your details in your MyAAT account.
The data we collect
We collect personal data, meaning data that can be used to identify you. This can include, among other things, any personal data you provide to us through our website, aat.org.uk, and via your communications with us through phone and email and in person.
Some of the services you receive from us may require the collection, storage and transfer of different kinds of personal data. To find out more about the ones that relate to you, select the relevant category from the section “Specific information about your data” below.
Like with most other websites, we use cookies to gather limited information about how you use our website, how you reached it and what sort of device you were using. To find out more, read our cookies policy.
Why we collect your data
We can only process your personal data if we have a legal basis to do so. In addition to the specific instances where you’ve provided your consent, we may also process your personal data when it’s necessary for one or more of the following:
- meeting our legal obligations
- our legitimate interests
- performing our contract with you.
To find out what we mean by each of these legal bases, and to see which purposes and legal bases concern you, select the relevant category from the section “Specific information about your data” below.
On occasion, it may be necessary to process your data for reasons unrelated to those outlined in this policy. On these occasions, we’ll notify you and explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Who we share your personal data with
In general, we don’t sell or share your personal data with third parties. However, it might be necessary for us to do so on occasion, to deliver the required service to you or to comply with our legal obligations.
For more information on who we might share your data with, select the relevant category from the “Specific information about your data” section below.
When we do share your personal data with third parties, they will be required to follow our privacy policy to ensure your personal data is only used and processed for the specified purposes, to process your data in accordance with our instructions and to adhere to the technical requirements and other regulations required by law.
We take your email and communication privacy seriously and will not pass your contact details to third parties for marketing purposes without your prior consent. You can check and change your communication preferences at any time through your MyAAT account.
How long we keep your data
We keep your data for as long as it’s necessary to meet the relevant purposes for which we’ve collected the data, including for the purpose of satisfying any legal, accounting or reporting requirements.
To determine the appropriate length of time for holding your data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm, from unauthorised use or disclosure of your personal data, the purpose for which we process your data and whether we can achieve those purposes through other means, along with the applicable legal requirements.
We may need to keep different types of information about you for different time periods, depending on your circumstances. For more details on how long we keep your data, select the relevant category from the “Specific information about your data” section below.
We will retain information relating to complaints and disputes for up to seven years following the resolution of the complaint or dispute. This information may include data about the complainant and the subject of the complaint, and anyone else who is involved, such as a witness, as well as the details of the complaint and the outcome.
And in all cases, data may be retained for longer for research and archiving purposes or if it cannot be deleted for legal, regulatory, verification of achievements, statistical or technical reasons. In these cases, steps will be taken to ensure that data is held securely and processing is restricted.
Where we get your data from
In general, you provide your personal data to us directly, when you communicate with us through various channels, such as our website, phone, email or face-to-face meetings with our representatives. The instances when you might provide us with your personal data include when you:
- make an application for membership or renewal
- create a MyAAT account on our website
- contact us to resolve an enquiry.
We may also receive your personal data from various third parties, such as your training provider or accredited employer. For more details on how else we might receive your personal data, select the relevant category from the “Specific information about your data” section below.
Specific information about your data
The reasons and methods for collecting, using and transferring your personal data varies depending on why and how you’re using our services. Please select the relevant category from the below list to see more specific information regarding how we process your personal data in connection with the services you receive from us.
Are you:
- studying as a student with AAT?
- one of our professional members (AATQB, MAAT and FMAAT)?
- one of AAT’s training providers?
- interested in joining AAT?
- registering for/attending an AAT event?
- one of our licensed members?
- an employer?
- providing us with references as part of someone’s application?
- applying for a bursary?
- applying to be on the judging panel for the AAT Bursary Scheme?
- taking a remotely invigilated assessment?
- purchasing an online finance course with AAT Store?
- an apprentice taking an End Point Assessment?
- a member applying for a reduced membership fee?
- an AAT case study?
- a representatives of an organisation with whom we have a working relationship, such as an individual contractor, a supplier of goods and services, or an organisation to which we provide a service?
- a contracted AAT employee or candidate for employment with us?
- nominating yourself or someone else for an AAT award?
- submitting a complaint or feedback?
Transferring your data overseas
If you are a UK-based member of our services, we will generally only process your personal data within the EEA. However, some of the external parties we work with to provide our services to you are based outside of the European Economic Area (“EEA”). Such parties include external chief examiners, training providers, external verifiers, our global branches, foreign embassies and high commissions, third party service providers, overseas supervisory bodies, overseas regulators and certain international partners.
This may require us to occasionally transfer some of your personal data outside the EEA (including to countries which may not be subject to equivalent standards of data protection laws). We’ll ensure that any such international transfers are made subject to appropriate safeguards (including the use of EU Commission approved standard contractual clauses) as required by data protection laws to ensure a similar degree of protection is afforded to your personal data.
You may request further information on the specific recipient countries of your personal data or the legal rules and copies of the model clauses in use for transferring data outside the EEA by contacting us at the details below.
How we protect your data
We’re committed to protecting the security of your personal data, and as such we’ve put in place appropriate measures to:
- prevent your data from being accidentally lost, used or accessed in any unauthorised way, altered or disclosed
- deal with, and notify you and any applicable regulators, of any suspected personal data breaches where we’re legally required to do so
- limit access to your personal details to only those employees, agents, contractors and other third parties who have a business need. They will only be able to process your personal data on our instructions and will be subject to a duty of confidentiality.
We’re also security accredited by Cyber Essentials Plus. Cyber Essentials is a government-backed and industry supported scheme to guide businesses in protecting themselves against cyber threats.
Your rights
You may have the following rights.
- Request access to your personal data. You’ll be able to request a copy of the personal data we hold about you and check that we’re processing it legally.
- Request correction of your data. You’ll be able to correct and update any incomplete or inaccurate data we hold about you. However, we may need to verify the accuracy of the new data you provide.
- Request erasure of your personal data. You’ll be able to ask that we delete or remove your personal data where there is no good reason for continued processing. You’ll also have the right to ask that we delete or remove your personal data where an objection to processing has been successful, where we may have processed your data unlawfully or where we’re required to delete data to comply with local law.
- Object to processing of your data. You’ll be able to request that we stop using your personal data:
- for direct marketing purposes
- which is being processed on the basis of legitimate interest (see your relevant category in the "Specific information about your data" section) above, when you feel the processing impacts on your fundamental rights and freedom. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which would override your request.
- Request restriction of processing your personal data. This enables you to ask us to suspend processing your personal data in the following scenarios:
- if you want us to establish the data’s accuracy
- where our use of the data is unlawful but you don’t want us to delete it
- where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend a legal claim
- you’ve objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
- Request transfer of your personal data to you or a third party. You can request that we transfer your data in a suitably accessible format to you and or a third party, where the data was provided with your consent.
- Withdraw consent, where we’re relying on consent to process your personal data. This will not affect the lawfulness of any processing carried out prior to your request. If you withdraw your consent, we may not be able to provide certain products or services to you. We’ll advise you if this is the case when you request to withdraw your consent.
Requirements and consequences of making a request
Requests relating to changes to our handling of your personal data will generally be free of charge, and we’ll aim to respond to all requests within one month. However, please note:
- we may need you to supply additional information to confirm your identity and ensure your right to access your personal data (or exercise your rights). This is to ensure that personal data is not disclosed unlawfully
- we may need to contact you to help speed up the resolution of your request
- an administrative fee may be charged for any unfounded, repetitive or excessive requests, or for additional copies of personal data you request
- occasionally, it may take longer than one month to resolve your request, but in these cases we’ll notify you and keep you updated on timing
- any requests to restrict or delete your data will limit your ability to access our services and products, and/or result in ending your relationship with us.
Please note that these rights apply by law, only to certain types of personal data and processing, and may not be applicable to your circumstances.
If you have any concerns about how we handle your data, please contact us. If you are not satisfied after we’ve tried to resolve your issue, you’ll be entitled to lodge a complaint with our data protection regulator, the Information Commissioner’s Office (ICO). Please see the ICO website for further details: www.ico.org.uk.
If you wish to exercise any of the above rights, you can do this through any of our AAT professional channels or alternatively you can contact us in writing.
Third party websites and services
Our website includes links to external, third party websites. Clicking on these links may allow the collection or sharing of your personal data in ways which will differ to those detailed in our privacy policy. We’d encourage you to read the privacy policies of the external websites you visit from our website.
Find an accountant or bookkeeper
Our Find an accountant or bookkeeper directory enables you to find details of AAT licensed members and enquire with some members directly. We will not retain any of the details you supply as part of your enquiry.
By submitting your enquiry, you are contacting an external third party. Their data handling, which includes the way they collect or share your personal data, will differ to those processes detailed in our privacy policy. We’d encourage you to read the privacy policies of the external parties by visiting their website or requesting a copy of their privacy policy.
Contact us
If you have any queries related to this privacy policy, including requests to access or modify the use of your personal data, please contact our Data Protection Office by email to dataprotection@aat.org.uk or by writing to us at:
AAT, Data Protection
30 Churchill Place
London
E14 5RE
We reserve the right to make changes to or update the terms of this policy from time to time. If there are any significant changes made to the policy we’ll let you know.
All personal information held by us will be governed by the most recent privacy policy posted on this website.
We have appointed IT Governance Europe Limited to act as our EU representative. If you wish to exercise your rights under the EU General Data Protection Regulation (EU GDPR), or have any queries in relation to your rights or general privacy matters, please email our representative at eurep@itgovernance.eu. Please ensure to include our company name in any correspondence you send to our representative.