This privacy notice applies to the personal data of our Clients, Employees, Potential Clients, Consultants, Contractors, Suppliers and any Potential Employee.

For the purposes of the General Data Protection Regulation we confirm that the proprietor and operator of the website at (the ‘Website’) is Smith Scott Mullan Associates, 10 Rutland Square, Edinburgh, EH1 2AS (‘we’, ‘us’, ‘our’ or ‘SSM’) who can be contacted via

We respect the privacy of each user accessing the Website (‘you’, ‘your’) and are committed to protecting your privacy. We have structured the Website so that you can visit and browse the Website without identifying yourself or revealing any personal information. We ensure that any personal information provided by you will be processed in accordance with the principles of the GDPR and the Privacy Policy set out below.

This privacy notice is effective from 25 May 2018.

What kind of personal data do we store?

Client Data

To provide the high-quality services we aspire to, we need to process certain information. We will only ask for details that will assist us in the delivery of our service, such as name, job role, and contact details, including but not limited to: telephone number, email address, first and last name and work address details. If you are a private client, we may also ask for a home address.

Consultant/Contractor/Supplier Data

We collect a minimum amount of data from our consultants/contractors/suppliers to ensure that we can easily communicate and process transactions. We will collect contact details for the main contact and any associate contacts within the business that we feel will assist us in processing transactions, delivering projects and submitting tenders. Other information, such as bank details so that we can pay for the services provided (if this is part of the contractual arrangements between us), will also be obtained.

Potential Employees Data

We collect a minimum amount of data from potential employees to ensure that we can easily communicate and process transactions. We require information such as your name, job role, and contact details, including but not limited to: telephone number, email address, first and last name and your work address details.

How do we collect personal data?

We collect client data directly from our Clients, Consultants/Contractors/Suppliers and Potential Employees.

How will we use your personal data?

Client Data

The main reasons for retaining our clients’ personal details are to keep them informed of their project, keep them advised on any potential projects and to keep them informed about our business.

Consultant/Contractor/Supplier Data

The main reasons for retaining consultant/contractor/supplier personal data are to ensure that we can fulfil any contractual arrangements between parties, keep them advised on any potential projects and to keep them informed about our business.

Website Users

If a potential employee sends us an application form, a CV or contacts us with personal information for employment purposes, we may store that information for 6 months. We do not share that information with any third parties and would only contact the potential employee within that 6-month period should a suitable post arise. Thereafter the information will be removed from the system.

How do we safeguard personal data?

Protecting personal information is important to us, which is why we put in place appropriate measures that are designed to prevent unauthorised access to, and misuse of, personal data. These processes include, but are not limited to: encrypted server access; encrypted laptop devices; antivirus and gateway security settings that are up to date and monitored; and online systems protected by secure passwords and two-stage authentication.

How long do we retain the data?

If we have not had meaningful contact with you for a period of six years, we will remove your data from our systems unless we believe another processing requirement, such as legal or contractual regulation, requires us to retain it.


Who has access to the data?

Basic data (such as contact details) are accessible to all our staff for the purposes of assisting the flow of communications between our parties. Financial data is accessible to our Directors, Practice Manager and Financial Assistant only, with secure access available to our Chartered Accountants for accounting purposes. We assure you that we do not share any information with any other parties unless you specifically request this or we are legally obliged to do so.

Our legal basis for processing your data


Legitimate interests

Article 6(1)(f) of the GDPR states that we can process personal data where it “is necessary for the purposes of the legitimate interests pursued by [us] or by a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of [you] which require protection of personal data.”

Client data

We think it reasonable that, if the individual has communicated with us in the past or we have had meaningful contact with the individual within the past 6 years, there is a legitimate interest in that the individual will continue to benefit from our continued communication. We want to provide potential clients with the opportunity to hear about our services and to have the ability to request additional information from us.

Consultant/Contractor/Supplier data

We store and process the personal information of individuals within interested organisations to facilitate the receipt of services from them as one of our consultants/contractors/suppliers. We may also hold financial details, so that we can pay for services provided. We deem all such activities to be necessary within legitimate interests.


Article 6(1)(b) gives us a lawful basis for processing personal data where “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”.

In this context, a contract does not have to be a formal signed document, or even written down, if there is an agreement which meets the requirements of contract law. Broadly speaking, this means that the terms have been offered and accepted, both intend them to be legally binding, and there is an element of exchange (usually an exchange of goods or services for money, but this can be anything of value).

Customer data

Where we have entered into a contractual agreement to deliver services, we will process the appropriate and required information to do so, i.e. address details of the business.

Security of Personal Data

Transmission of data and information via the Website or by email is not a secure or encrypted transmission method for sending your personal data, unless otherwise indicated on the Website or otherwise arranged between us. Accordingly, your attention is drawn to the fact that any information and personal data carried over the Internet is not secure. Information and personal data may be intercepted, lost, redirected, corrupted, changed and accessed by other people.

We set security standards to prevent any unauthorised access to your personal data once we have received it and wherever possible we will use adequate software and working procedures to ensure the security of your personal data. To prevent unauthorised access, maintain accuracy, and ensure proper use of personal data, we have employed physical, electronic, and managerial processes to safeguard and secure the information we hold.

Your Rights

Should you wish to be removed from our database you have the right to request this at any point by writing to the Practice Manager, Smith Scott Mullan Associates, 10 Rutland Square, Edinburgh, EH1 2AS or emailing us at We will process the changes/removal of the personal information within 30 days.