1.Who is the controller of your personal data
The controller of your personal data is the Azets legal entity with which you have one of the following relationships:
- The legal entity that is providing you with services, if you are a customer;
- The legal entity to which you are providing services, if you are a supplier; or
- The legal entity to which you have applied for employment, if you are a job seeker.
Each company in the Azets group of companies is a separate legal entity and a separate controller of personal data. Some of these companies trade under a trading name that does not include the word “Azets” in the company title, for example, Blick Rothenberg, or Ensors. A full list of Azets legal entities to which this policy applies is available at https://www.azets.com/en/privacy/companies-in-the-azets-group-of-companies.
In this policy, “Azets” (and “we”, “us”, or “our”) refers to the relevant Azets legal entity as described above.
2. Introduction
We are committed to respecting confidentiality of personal data and complying with data protection legislation. When we process personal data in the UK we do so in compliance with the UK GDPR and the Data Protection Act 2018. When we process personal data in the European Economic Area we do so in compliance with the EU GDPR and the appropriate national implementing legislation (analogous to the UK Data Protection Act 2018). Any reference in this policy solely to “GDPR” should be construed as either the UK GDPR as applies in the United Kingdom or the EU GDPR as applies in the European Economic Area. Some countries outside the UK and EEA have data protection laws which offer data subjects broadly similar protection to the GDPR. We apply the same rigorous compliance to the GDPR whichever country we conduct business in.
This privacy policy describes why and how we collect and use personal data and provides information about individuals’ rights. It applies to personal data provided to us, both by individuals themselves or by others. We may process personal data provided to us for any of the purposes described in this privacy policy or as otherwise stated at the point of collection.
3. How to contact us - Data Protection Officer, EU representative and UK Representative
If you wish to discuss any data protection matter please contact our Data Protection Officer as described below.
Data Protection Officer for all Azets companies
The Data Protection Officer
Azets Opco Limited
2nd Floor, Regis House
45 King William Street
London EC4R 9AN
United Kingdom
Tel +44 (0) 20 7403 1877
DPO@azets.co.uk (in the United Kingdom)
Data.protection@ensors.co.uk (for Ensors)
DPOBR@blickrothenberg.com (for Blick Rothenburg)
Dublin.dataprotection@azets.ie (in Ireland)
Privacy@azets.com (in the rest of the European Economic Area)
If you are based in the European Economic Area but serviced by one of our UK entities and wish to discuss our compliance with the EU GDPR please contact our EU representative as described below (all of our UK entities have appointed the following as their EU Representative in writing as required by EU GDPR Article 27).
EU Representative for Azets companies in the United Kingdom
The EU Representative
Azets AS
Postboks 342 Sentrum
0101 Oslo
Norway
Tel +47 40 10 40 18
Email privacy@azets.com
If you are based in the United Kingdom but serviced by one of our EEA entities and wish to discuss our compliance with the UK GDPR please contact our UK representative as described below (all of our EEA entities have appointed the following as their UK Representative in writing as required by UK GDPR Article 27).
UK Representative for Azets companies in the European Economic Area
The UK Representative
Azets Holdings Limited
2nd Floor, Regis House
45 King William Street
London EC4R 9AN
United Kingdom
Tel +44 (0) 20 7403 1877
Email DPO@azets.co.uk
4. Our Role
Our role as a controller or a processor depends upon the nature of our engagement with you. If you are a customer this will be defined in your letter of engagement and associated schedules and Terms of Business which form our contract with you. But generally:
- Where we decide the purpose and means of processing, we are a controller.
- Where we jointly decide the purpose and means of processing with you, we are a joint controller.
- Where we process personal data according to your explicit written instructions, in a contract that satisfies Article 28 of the GDPR, we are a processor.
5. How we obtain personal data
Personal data is any information relating to an identified or identifiable living person. We only collect such personal data that is necessary for us to perform our services or inform you about our services and we ask customers only to share such personal data as required for that purpose. Where we identify that a customer has provided us with unnecessary personal data, we either return that information to its source or destroy it, considering the customer’s preference wherever possible.
5.1 Personal data that you provide to us by:
- Filling in forms on our websites www.azets.com,www.azetswealthmanagement.co.uk, www.blickrothenberg.com, www.idur.se, www.azets.com/no-no, www.azets.com/no-no/tjenester/consulting, www.azets.com/sv-se, www.azets.com/da-dk, www.azets.com/fi-fi, www.azets.com/ro-ro, www.gorillaaccounting.com, www.ensors.co.uk, or www.sagakl.no(including the subdomains of these websites);
- Corresponding with us by telephone;
- Corresponding with us by email;
- Corresponding with us by letter;
- Communicating with us by our secure portal “Cozone”;
- Using the Live Chat facility;
- Personal messaging services such as WhatsApp®, Facebook Messenger® and SMS (although we do not recommend using such services);
- If you visit our offices, you may record your details in a visitors’ book or electronic equivalent or we may do that for you;
- If you visit our offices, you may be recorded by CCTV systems owned by us (or our landlord) which are deployed for the prevention and detection of crime and to provide a safe working environment for employees and visitors.
5.2 Personal data that we collect from publicly available sources
- From credit reference agencies and other company information providers;
- From national business administration authorities, such as Companies House in the UK, Companies Registration Office Ireland and the Swedish Companies Registrations Office;
- From social media such as LinkedIn®;
- From our own research activities such as reviewing websites;
- From information websites and databases providing information about individuals, such as judgements, PEP, sanctions etc., which we use for our “Know Your Client” checks.
5.3 The personal data that we receive from referrals
We may receive unsolicited personal data in the form of a business-to-business referrals. We will seek consent before processing such personal data any further;
We may receive personal data submitted as a referral from one of our own employees. We will seek consent before processing such personal data any further.
6. The personal data that we process about you
If you are a prospective customer, we process the following:
- First name;
- Last name;
- Job title;
- Company name;
- Web site address;
- Email address;
- Telephone number;
- Dietary requirements (if you are attending an event where food is provided);
- Banking details (if relevant to the service);
- Tax filing details (if relevant to the service);
- Any further personal data that you choose to provide in your initial enquiry;
- Any further personal data that you choose to provide during subsequent discussions whether by phone, email or letter.
If you are a personal or sole trader customer, we may process the following:
- Your name, home address and date of birth;
- Name, home address and date of birth of any family members, advocates or other beneficiaries and connected parties;
- Employment status;
- Financial details such as salary, other income and investments, tax status and debt level.
If you are a business customer, we also process the following:
- Company name and registration number;
- Business type and industry sector;
- Name, business address, job title, email address and telephone number(s) of all employees who may engage directly with us;
- For officers of the company, beneficial owners and persons of significant control:
- Contact details (name, home address);
- Date of birth;
- PEP (Politically Exposed Persons) status;
- SIP (Special Interest Person) status.
If we are providing payroll services or tax return services for your employees, we will process the following personal data concerning your employees:
- Contact details (name and address);
- Unique identification number such as National Insurance (NI) number, Unique Taxpayer Reference (UTR) or social security number;
- Salary, tax and deduction information.
If you are a supplier, we process the following:
- Company name and registration number;
- Business type and industry sector;
- Company address(es);
- Company telephone number(s);
- Name, address, job title, email address and telephone number(s) of all employees who may engage directly with us.
If you contact us concerning employment whether by letter, email, LinkedInTM or via our careers pages you may provide:
- Your Curriculum Vitae (CV) containing personal data;
- Further personal data in a covering letter.
If you use our secure portal Cozone we collect the following information from you:
- User ID;
- IP address.
If you visit one of our websites, we collect information about your computer:
- IP address (where available);
- Geographic location (if you allow this when prompted by your browser);
- Operating system;
- Browser type;
- To enable our systems to recognise your device and to provide features to you, we use cookies. For more information about cookies and how we use them, please read our Cookie Policy.
If you receive marketing emails from us and interact with them, we collect:
- Time you received the email;
- Time you opened the email;
- Device you used to open the email;
- Geographical location when you opened the email;
- Which parts of the email you interacted with.
If you use social media accounts which are registered using the same email address you have provided to us elsewhere our systems enable us to link your social media accounts to your email address and so we process:
- Links to any social media accounts that you use.
7. Special Category Personal Data
We do not normally collect special category personal data such as health, race or ethnic origin. However, for certain services or activities (such as wealth management or HR consultancy), and when required by law or with an individual’s consent this may be necessary. We always seek to minimise our processing of special category personal data.
8. Purpose for the processing and the lawful basis for the processing
We provide a wide range of business services. Most of these services require us to process personal data to provide advice and deliverables. The lawful basis for processing personal data for the purpose of providing services to our customers depends upon the context. We use one or more of the following lawful bases for processing:
- Where you have provided your consent;
- Processing necessary for the performance of a contract, or steps taken to enter into a contract with our customers;
- To address our legitimate interests;
- To satisfy a legal obligation.
In addition, certain Azets companies may have additional processing activities specific to their jurisdiction or the nature of their services. Where applicable, these additional processing activities are set out in the jurisdiction-specific sections of this policy.
8.1 Complying with any requirement of law, regulation or a professional body of which we are a member
As with any provider of professional services, we are subject to legal, regulatory and professional obligations. We keep records to demonstrate that our services are provided in compliance with those obligations and those records may contain personal data. For example, when conducting customer due diligence measures to comply with anti-money laundering regulations we carry out searches to identify politically exposed persons and heightened risk individuals and organisations, and to check that there are no issues that would prevent us from working with a particular customer, such as sanctions, criminal convictions (including in respect of company directors and beneficial owners), conduct or other reputational issues. Where we do not have a legal obligation, we have a legitimate interest in processing personal data as necessary to meet our regulatory obligations.
If you wish to become our customer (and periodically thereafter), we have a legal obligation to verify your identity. We do not need to obtain your consent to do this because it is a legal obligation imposed upon us. However, we are obliged to inform you that this will take place. We may achieve this by:
Purpose | Lawful basis |
|---|---|
Performing a search with a credit reference agency. This will leave a footprint on your credit file as evidence that the check has taken place. This footprint is not the same as a credit check footprint and has no impact at all on your credit rating. It just leaves a footprint that proves we have satisfied the legal obligation to verify your identity. Even when these identity checks are performed periodically their repetition has no impact on your credit rating. | Legal obligation |
Evaluation of traditional ID-check documents (passport, driver’s licence etc) and the use of an electronic signature complying with the European Union Trusted Lists (EUTL): https://ico.org.uk/for-organisations/guide-to-eidas/what-is-the-eidas-regulation/ | Legal obligation |
8.2 Administering, managing and developing our businesses and services
We process personal data to run our business. This processing is necessary to administer, manage and develop our business and services. Such processing includes:
Purpose | Lawful basis |
|---|---|
Managing our relationship with customers. | Performance of a contract |
Communicating with customers regarding their enquiries and support requests. | Performance of a contract |
Processing orders and transactions for us to take payment for our services, in accordance with our engagement letter. | Performance of a contract |
Conducting Customer satisfaction surveys. This includes inviting you to participate in surveys, analysing your responses and collating the results to measure overall satisfaction levels. We use these findings to identify areas for improvement, enhance the quality of our offerings and tailor them to better meet your needs. | Legitimate interest |
Developing our businesses and services (such as identifying customer needs and improvements in service delivery). We process your personal data to gain insights into how our offerings are used and to identify opportunities for improvement in service delivery. This includes analysing trends in customer preferences, assessing the success of existing features, and gathering feedback from various interaction points (such as customer surveys or product usage data). | Legitimate interest |
Maintaining and using IT systems. We process your personal data primarily to ensure the smooth and secure operation of our IT systems. This includes installing updates, performing routine maintenance, diagnosing and resolving technical issues, and implementing safeguards to protect against unauthorised access or data breaches. Monitoring and logging system usage also helps us analyse performance, troubleshoot potential issues, and optimise the efficiency and stability of our platforms. | Legitimate interest |
Administering and managing our websites. We process your personal data to ensure our websites function smoothly, remain secure, and are continually optimised. This involves monitoring traffic, diagnosing and resolving technical issues, applying updates, and safeguarding against unauthorised access or other malicious activities. | Legitimate interest |
8.3 Recruitment
When an applicant becomes an employee, their personal data is processed subject to our Internal Privacy Policy. However, we process your personal data for the following purposes during the recruitment process:
Purpose | Lawful basis |
|---|---|
To run recruitment and promotional processes, such as candidate evaluation of personal data shared through our online job application systems, via application forms, CV or from references from former employers. | Performance of a contract |
Arranging and conducting interviews. To coordinate interviews, assess candidate suitability, and communicate interview outcomes. | Legitimate interest |
Verifying references and qualifications. To confirm candidates hold valid qualifications and have the necessary experience or skills for the employment opportunity at hand. | Legitimate interest |
Performing necessary background checks if we have a legal obligation to do so. | Legal obligation |
Administering future employment (pre-contractual steps). To facilitate the necessary arrangements before finalising an employment contract, which may include gathering bank details for payroll or preparing workplace access. | Performance of a contract |
Maintaining a talent pool / keep track of candidates for future opportunities. To keep applicants’ data on file for future job openings or positions that may arise. We only keep applicant files with the consent of the candidate. | Consent of the data subject |
8.4 Business Development and marketing
We process personal data for undertaking sales and marketing activities.
We retain personal data collected through our business development processes for as long as we believe our products and services may be of interest to prospective customers. Individuals and organisations can ask to be removed from our business development system at any time.
Purpose | Lawful basis |
|---|---|
Using cookies to track and analyse website usage and visitor behaviour (for more information please read our Cookies policy). | Consent of the data subject, except for strictly necessary cookies which rely on legitimate interest |
Managing social media interactions and campaigns. We also use social media buttons and/or plugins on our website that allow you to connect with your social network in various ways. We process your personal data to communicate with you through social media platforms, respond to enquiries or comments, and maintain a consistent and engaging online presence. This includes monitoring and measuring the performance of social media campaigns, identifying key areas of interest, and tailoring our content to align with your preferences. | Consent of the data subject |
Sending newsletters and promotional emails to existing customers. We process your personal data to keep you up to date with the latest products, services, offers, and events that are relevant to you. This may involve sending emails featuring informative articles or relevant news. | Legitimate interest under GDPR and Regulation 22 (“soft opt in”) under PECR. |
Hosting or facilitating the hosting of events for current and prospective customers, including webinars. We process your personal data in order to organise and manage both in-person and virtual events, such as workshops, conferences, or online webinars. | Consent of the data subject |
8.5 Procurement of services from suppliers
We process personal data for procurement of services from suppliers. This includes the following purposes:
Purpose | Legal basis |
|---|---|
Collecting and evaluating bids/proposals. To identify and select suitable suppliers, evaluate technical competencies, and compare costs or services. | Legitimate interest |
Processing payments and invoicing to suppliers. To facilitate accurate and timely payments, keep records of financial transactions, and manage account reconciliations. | Legitimate interest |
Maintaining supplier records for auditing and dispute resolution. To support internal or external audits, address billing or service disputes, and enhance accountability. | Legitimate interest |
8.6 Audit and Assurance Services
We process personal data when providing audit and assurance services, which may include verification of financial information, compliance assessments, and other attestation services .
Processing of personal data for audit and assurance services include the following purposes:
Purpose | Legal basis |
|---|---|
Complying with documentation requirements under national accounting legislation. We process personal data to meet our legal obligations under national accounting legislation. This involves recording, storing, and reviewing relevant documentation (including invoices, transaction records, and other financial data) that may contain personal data. The objective is to maintain accurate financial records, ensure auditability of our accounts, and comply with statutory retention periods set out under national law. Where necessary, such data may also be shared with external auditors or governmental bodies to confirm our compliance. | Legitimate interest |
When conducting customer due diligence measures to comply with anti-money laundering regulations, we carry out searches to identify politically exposed persons and heightened risk individuals and organisations, and to check that there are no issues that would prevent us from working with a particular customer, such as sanctions, criminal convictions (including in respect of company directors and beneficial owners), conduct or other reputational issues. | Legal obligation |
Verification of financial information. In some instances, we process personal data to confirm the accuracy and completeness of financial records, such as verifying that payment and transaction details are consistent across different systems. This may include comparing records from various sources (e.g., invoices, bank statements) to ensure that data is reliable and up to date. By verifying this information, we maintain the integrity of our financial processes and help protect against errors, fraud, or misappropriation of funds. | Legitimate interest |
Mandatory reporting of certain findings to authorities. Where national law or other applicable regulations require us to report specific activities or findings, we will share the relevant personal data with the authorities. We only disclose the personal data that is strictly necessary for fulfilling these mandatory reporting obligations. | Legal obligation |
9. Retention of Personal Data
The retention period for the personal data we process is always in accordance with legal, regulatory and contractual requirements.
10 Data Sharing
10.1 Data sharing - Introduction
We only share personal data with other organisations when we have a lawful basis to do so. When we share data with other organisations, we put contractual arrangements and security mechanisms in place to protect personal data and to comply with our data protection, confidentiality and security standards.
10.2 Data sharing within the Azets group of companies
Personal data held by us may be transferred to, or disclosed to, other companies in the Azets group of companies: https://www.azets.com/en/privacy/companies-in-the-azets-group-of-companies and our ultimate parent companies Hg Capital and PAI Partners. We may share personal data with other Azets companies where necessary for administrative purposes and to provide professional services to our customers.
All companies in the Azets group are bound by an Intra Group Data Sharing Agreement which commits them to share personal data in a secure and lawful manner that respects the rights and freedoms of data subjects.
10.3 Data sharing with other controllers
Depending upon the nature of the service being provided to you we may lawfully share personal data with other organisations. This may change from time to time, so for the latest information please refer to the following:
- Data sharing in the UK
- Data sharing in Azets Wealth Management
- Data sharing in Ireland
- Data sharing in Sweden
10.4 Processors
We use specialist organisations to provide certain services, such as data hosting. These organisations (defined as processors in data protection legislation) are bound by a written contract which defines their tasks and responsibilities. Azets only employs processors that comply with data protection legislation and processors are subject to audit or certification review to ensure continuing compliance.
The processors used by Azets group companies may change from time to time, so for the latest information please refer to the following:
10.5 Data sharing in the event of a sale of all or part of the business
In the event of a potential sale of all or part of the Azets Group business, we may disclose personal data to the potential purchaser as a necessary part of a due diligence process. Such disclosure would be subject to strict confidentiality obligations on the recipient and would be in full compliance with data protection legislation. In the event of an actual sale of all or part of the Azets Group, personal data would be transferred to the acquirer. If this were to occur you will be notified by email and/or a prominent notice on our websites describing any change of ownership and /or use of your personal data, as well as choices you may have regarding your personal data.
11 International Transfers
We are part of a global association of accountants and in common with other professional service providers, we sometimes use organisations located in other countries to help us run our business. As a result, personal data may be transferred outside the countries where we and our customers are located.
We will neither transfer nor process personal data outside the country in which a customer has contracted, nor will we permit personal data to be so transferred or processed by a third party, unless it is under one of the following conditions:
- With your consent;
- the territory into which the data are being transferred has an adequacy decision issued by the European Commission (under EU GDPR) or an adequacy regulation made under DPA2018 section 17A by the Secretary of State (under UK GDPR);
- the transfer is made under the unaltered terms of the standard contractual clauses issued by the European Commission (under EU GDPR) or the Secretary of State (under UK GDPR);
- the transfer is made under the provision of binding corporate rules which have been approved and certified by the European Commission (under EU GDPR) or the Information Commissioner (under UK GDPR);
- the transfer is made in accordance with one of the exemptions set out in GDPR Article 49.
Notwithstanding the assurances above, in the interest of full transparency for our customers in Sweden, transfers of personal data made under the conditions listed above may be to the following countries:
- United Kingdom: The UK is considered to have an adequate level of protection for personal data under the European Commission’s adequacy decision. This means that your personal data transferred to the UK receives protection consistent with EU data protection standards.
- United States of America (see more information on the adequacy decision below).
11.1 International Transfers to United States of America
Some of our processors, such as Microsoft, are ultimately US-owned, but our contracts are with their UK or EU entities, subject to UK GDPR and EU GDPR legislation respectively. We have risk-assessed our continued usage of such US-owned service providers in compliance with European Data Protection Board guidance. We continually keep under review the requirements which are imposed by applicable legislation.
Some of our processors who host personal data in the United States of America comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. See here for a list of participating organisations.
12 Profiling and automated decision-making
We do not perform any profiling based on personal data that has a legal or significant effect upon data subjects.
We do not perform any automated decision-making involving personal data.
13 Artificial intelligence
To enhance the efficiency and effectiveness of our services, we may employ artificial intelligence (AI) tools and technologies for tasks such as, but not limited to, data analysis, document processing, and report generation. All AI-generated outputs are reviewed and verified by our qualified staff to ensure accuracy and compliance with professional and regulatory standards.
14 Information relevant solely to our insolvency and restructuring practices
For information relating to our insolvency and restructuring practice in the UK please click here.
For information relating to our insolvency and restructuring practice in Ireland please click here.
15 Your Rights
You have the following rights concerning your personal data:
Right to be informed | This privacy policy is designed to satisfy your right to be informed about the processing of personal data, but if you have any further questions please contact the Data Protection Officer shown at the top of this notice. |
Right of access | You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to a copy of that personal data. |
Right to rectification | You have the right to oblige us to rectify inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed by providing a supplementary statement. |
Right to erasure (right to be forgotten) | You have the right (under certain circumstances, but not all) to oblige us to erase personal data concerning you. |
Right to restriction of processing | You have the right (under certain circumstances, but not all) to oblige us to restrict processing of your personal data. For example, you may request this if you are contesting the accuracy of personal data held about you. |
Right to data portability | You have the right (under certain circumstances, but not all) to oblige us to provide you with the personal data about you which you have provided in a structured, commonly used and machine-readable format. |
Right to withdraw consent | If the lawful basis for processing is consent, you have the right to withdraw that consent. |
Right to object to direct marketing | Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for marketing, which includes profiling to the extent that it is related to such direct marketing. |
Rights in relation to automated decision making and profiling | We do not perform any automated decision-making based on personal data that produces legal effects or similarly significantly affects you. |
16 Your right to lodge a complaint with a supervisory authority
If you would like to exercise any of your rights shown above, please contact the Data Protection Officer by post, telephone or by using one of the email addresses at the top of this notice.
If you are not satisfied with the response you receive, you have the right to lodge a complaint with the relevant supervisory authority for the territory in which you are contracted as shown in the table below.
Contracted in | Supervisory authority |
|---|---|
Denmark | Datatilsynet / The Danish Data Protection Agency |
Estonia | Andmekaitse Inspektsioon / Republic of Estonia Data Protection Inspectorate |
Finland | Tietosuojavaltuutetun Toimisto / Office of the Data Protection Ombudsman |
Guernsey | Office of the Data Protection Authority |
Isle of Man | Barrantagh Fysseree (Information Commissioner) |
Jersey | Jersey Office of the Information Commissioner |
Norway | Datatilsynet / The Norwegian Data Protection Authority |
Romania | Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter personal / The National Supervisory Authority for personal data Processing |
Sweden | Integritetsskydds myndigheten (IMY) / Swedish Authority for Privacy Protection (IMY) |
United Kingdom | Information Commissioner's Office |
This Privacy Policy is version 20260413 and was published 13th April 2026.