Privacy Notice

At Murray, Taylor (Scotland) Limited, we are committed to keeping your personal data safe and secure. We are registered as a data controller with the Information Commissioner’s Office (ICO).

This notice explains why we use your personal data, describes the types of personal data we ask you for and the conditions under which we may share it with others. We are committed to collecting and using your personal data fairly and in accordance with the requirements of the General Data Protection Regulation (GDPR).

We may change this Notice from time to time so please check this page occasionally to ensure that you are happy with any changes. By engaging with our services, you are agreeing to be bound by this Policy.

This privacy notice supplements our other notices and is not intended to override them.

Our Privacy Promise

We promise:

  • To keep your personal data secure and confidential.
  • Not to sell your personal data.
  • To give you ways to manage and review the personal data we hold for you.

Any questions regarding this Notice and our privacy practices should be sent by email to:


Who we are

How we collect personal data

How we use your personal data

Who we share your personal data with

Data Processor – payroll services

Information security

Cookies

If you choose not to give personal data?

Transfers outside the UK

How long we keep your personal data for

Marketing

Other data we hold

Individual rights and how to access them

Complaints

Changes to this Privacy Policy

Who we are

Murray, Taylor (Scotland) Limited (“Murray Taylor”, “we”, “us”, “our”) is the Data Controller. We are a Limited Company registered in Scotland under registration no. SC239643. The registered office is 10 Murray Lane, Montrose, Angus, DD10 8LF. Murray Taylor comprises additional trading entities – Murray Taylor LLP & Murray Taylor (Holdings) Limited. We have appointed a data privacy manager who is responsible for overseeing questions in relation to this privacy notice and who is contactable at

How we collect personal data

Personal data, or personal information, means any information about an individual from which that person can be identified either directly or indirectly.

We primarily collect personal data from you which you provide to us directly when instructing us (or contemplating instructing us) either by email, telephone or face to face. However, in some instances we may collect personal data about you from third parties, e.g. HM Revenue & Customs or Companies House. We also obtain personal data about you when you use our website or app, for example, when you use our online general enquiries form.

Our policy is to collect only the personal data necessary for agreed purposes and we ask our clients, and prospective clients, only to share personal data where it is strictly needed for those purposes.

Where we need to process personal data about third parties connected with you to provide our services, we ask our clients to provide the privacy notice to other data subjects concerned, such as family members, regarding its use.

Given the diversity of the services we provide to clients, we process many categories of personal data, and some special categories of personal data as appropriate for the services we are providing. These include, but are not limited to:

  • Contact details;
  • Business activities;
  • Family information;
  • Income, taxation and other financial-related details;
  • Investments and other financial interests;
  • Criminal convictions to comply with Anti-Money Laundering legislation; and
  • Health data where it is necessary e.g. HMRC enquiry appeal.

Generally, we collect personal data from our clients or from a third party acting on the instructions of the relevant client.

How we use your personal data

To engage you with our services, we need to know your name, date of birth, contact details, financial and employment details and investment data.

Our legal basis

We only use your personal data where permitted by the laws that protect your privacy rights. We only use personal data where:

  • We have your consent (if consent is needed)
  • We need to use the information to comply with our legal obligations
  • We need to use the information to perform a contract with you
  • It is in our legitimate interests, where there is no disadvantage to you – this includes where it is in our interests to contact you about services and programmes, market to you, or collaborate with others to improve our services.

What we use your personal data for:
  • To provide our services to you.
Our legal basis:
  • Fulfilling contracts.
  • Our legitimate interests.
  • Our legal and professional duties.
  • Consent where this involves special category data such as information about your health.
Our legitimate interests:
  • Keeping our records up to date.
  • Delivering services requested of us.
  • Being efficient about how we fulfil our legal duties.

What we use your personal data for:
  • To manage our relationship with you or your business.
Our legal basis:
  • Fulfilling contracts.
  • Our legitimate interests.
Our legitimate interests:
  • To operate as an efficient and effective business.

What we use your personal data for:
  • To manage client payments and accounts.
  • To collect and recover money that is owed to us.
Our legal basis:
  • Fulfilling contracts.
  • Our legitimate interests.
  • Our legal and professional duties.
Our legitimate interests:
  • To operate as an efficient and effective business.
  • Complying with regulations that apply to us.

What we use your personal data for:
  • To obey laws and regulations that apply to us.
Our legal basis:
  • Our legitimate interests.
  • Our legal duty.
Our legitimate interests:
  • Complying with regulations that apply to us.
  • Being efficient about how we fulfil our legal and contractual duties.

What we use your personal data for:
  • To run our business in an efficient and proper way.
Our legal basis:
  • Our legitimate interests.
  • Our legal and professional duties.
Our legitimate interests:
  • Complying with regulations that apply to us.
  • Being efficient about how we fulfil our legal and contractual duties.

What we use your personal data for:
  • To respond to complaints and seek to resolve them.
Our legal basis:
  • Our legitimate interests.
Our legitimate interests:
  • Complying with regulations that apply to us.
  • Resolving complaints to improve client service.

What we use your personal data for:
  • Holding your contact details and marketing preferences for marketing purposes.
  • To market and develop our services.
  • To develop new ways to meet our clients’ needs and to grow our business.
Our legal basis:
  • Your consent.
  • Our legitimate interests.
Our legitimate interests:
  • Keeping our records up to date, determining which of our services may interest you and telling you about them with a view to business growth.

We take all reasonable steps to ensure that your personal data is processed securely.

Who we share your personal data with

  • Staff who we employ to help deliver our services;
  • The Murray Taylor group;
  • HM Revenue & Customs, regulators and other authorities;
  • Independent Financial Advisors (when you request it);
  • Banks and Mortgage Advisors (when you request it);
  • Insurers;
  • Fraud Prevention Agencies in accordance with current legislation;
  • Government and law enforcement agencies;
  • Debt collection agencies;
  • Organisations who introduce you to us (when you request it);
  • Organisations that we introduce you to (when you request it);
  • Organisations you ask us to share your data with; and
  • Where we are required by law or other regulatory obligation.

We may also share your personal data with our suppliers who, in supplying us with services, need to process personal data that we hold (for example, accountancy software, IT service providers, hosting systems, marketing platforms). Where our suppliers process our personal data on our behalf, we require them to put in place appropriate security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes, in accordance with our instructions and under a GDPR-compliant processing agreement.

In all instances where we disclose your personal data to third parties, we will ensure that your data is appropriately protected.

Data Processor – payroll services

If you instruct us to provide payroll services, you acknowledge you are the Data Controller of any personal data you provide to us for such service and we are the data processor.

The types of personal data processed will vary depending on the data you require Murray Taylor to process in order to deliver the requested service(s) to you and in accordance with our engagement terms with you (which shall include any statutory imposed terms under GDPR). You may ask us to process both personal data and special category personal data.

Generally, it will be your responsibility as the Data Controller to ensure you provide us with data for processing activities for which you have identified a legal basis for such processing. We will not accept responsibility for you providing to us personal data without a legal basis for doing so.

We will process personal data on your behalf for so long as you instruct us to do so. At the cessation of our processing activities on your behalf, it is your choice as to what happens to the personal data you have provided to us. We will work with you to carry out your reasonable instructions.

Personal data we collect for our own purposes will be managed in accordance with our Data Retention Policy which reflects current legal obligations.

Information security

We take the security of your personal data seriously. We have put in place appropriate security procedures to protect our paper-based systems and computerised databases from loss and misuse. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Where a password is required to access certain areas of our digital platforms, you are responsible for keeping your password secure and confidential. Please do not share or disclose your password to any other person.

If you think that any part of our process is not secure, please email us at

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your personal data transmitted to us via the internet; any transmission is at your own risk.

Our website may, from time to time, contain links to and from the websites of third parties. If you follow a link to any of these websites, please note that these websites and any services that may be accessible through them have their own privacy notices and that we do not accept any responsibility or liability for these notices or for any personal data that may be collected through these websites or services, such as contact and location data. Please check these notices before you submit any personal data to these websites or use these services.


Cookies

We use standard technology called ‘cookies’ on our website. Cookies are small pieces of information that are stored by your browser on your computer’s hard drive and they are used to record how you navigate on our website.

For more detailed information on how we use cookies, please refer to our Cookie Policy on our website.

If you choose not to give personal data?

We may need to collect personal data by law, or under the terms of a contract we have with you.

If you choose not to give us this personal data, it may prevent us from engaging you in our services. It could mean that we disengage a service you have with us. We will notify you if this is the case at the time.

Any data collection that is optional will be made clear at the point of collection.

Transfers outside the UK

We will only send your data outside of the European Economic Area (‘EEA’) to:

  • Follow your instructions;
  • Work with our suppliers who help us provide our services; and
  • Comply with a legal duty.

If we do transfer information outside of the EEA, we will make sure that it is protected in the same way as if it was being used in the EEA. We’ll only do this if it is necessary to perform your contract with us or if we have your explicit consent. Otherwise, we’ll use one of these safeguards:

  • Transfer it to a non-EEA country with privacy laws that give the same protection as the EEA. Learn more on the European Commission Justice website.
  • Put in place a contract with the recipient that means they must protect it to the same standards as the EEA. Read more about this on the European Commission Justice website.
  • Transfer it to organisations that are part of Privacy Shield. This is a framework that sets privacy standards for data sent between the US and EU countries. It makes sure those standards are similar to what is used within the EEA. You can find out more about data protection on the European Commission Justice website.

How long we keep your personal data for

We will keep your personal data for as long as you are an active client of Murray Taylor.

After you cease to be an active client, we may keep your personal data for up to 7 years for one of these reasons:

  • To respond to any questions or complaints.
  • To show that we treated you fairly.
  • To maintain records according to rules that apply to us.

We may keep your personal data for longer than 7 years if we cannot delete it for legal, regulatory or technical reasons. If we do, we will make sure that your privacy is protected.

As a prospective client, your personal data will be held for 6 months and then destroyed if you choose not to engage with our services.

As an applicant, your personal data will be held for 6 months post-campaign.


Marketing

We may use your personal data to tell you about relevant services and opportunities. This is what we mean when we talk about ‘marketing’.

The personal data we have for you is made up of what you tell us, and data we collect when you use our services, or from third parties we work with.

We study this to form a view on what we think may be of interest to you. This is how we decide which services may be relevant for you.

We can only use your personal data to send you marketing messages if we have either your consent or a ‘legitimate interest’; this is when we believe it is within your reasonable expectations and wouldn’t have an unwarranted impact on you.

You can ask us to stop sending you marketing messages by contacting us at any time. Please contact to do this.

Whatever you choose, you will still receive correspondence, and other important information specific to the service(s) you engage with.

We may ask you to confirm or update your choices, if you engage in any new services with us in future. We will also ask you to do this if there are changes in the law, regulation, or the structure of the company.

If you change your mind you can update your choices at any time by contacting us.

Other data we hold

Visitors to our Office

We have building access controls in place at our offices for fire safety and you will be asked to put your name and time of visit in our Visitors Book. These records are held securely and are kept for 6 months.


We collect and process personal data about our suppliers, subcontractors, and individuals associated with them. The data is held to manage our relationship, to contract and receive services from them, and in some cases to provide professional services to our clients.

We will hold suppliers’ names, contacts’ names and contact details, and we will retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected.

Individual rights and how to access them

Individuals have certain rights over their personal data and data controllers are responsible for fulfilling these rights.  Where we decide how and why personal data is processed, we are a data controller and include further information about the rights that individuals have and how to exercise them below.

Access to Personal Data

You have a right of access to personal data held by us as a data controller.  This right may be exercised by emailing us at We will aim to respond to any requests for information promptly, and in any event within the legally required time limits. You can also write to us at:

Information Request
Murray Taylor
10 Murray Lane
DD10 8LF

We may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Amendment of Personal Data

To update personal data submitted to us, you may email us at

When practically possible, once we are informed that any personal data processed by us is no longer accurate, we will make corrections (where appropriate) based on your updated information.

It is important to us that the information we hold for our clients is current and accurate.

Withdrawal of Consent

Where we process personal data based on consent, individuals have a right to withdraw consent at any time. We do not generally process personal data based on consent (as we can usually rely on another legal basis). To withdraw consent to our processing of your personal data please email us at or, to stop receiving an email from a Murray Taylor marketing list, please click on the unsubscribe link in the relevant email received from us. Please note that if you withdraw your consent, this does not affect the legality of our processing prior to that date.

Right to Object

You can object to us processing your personal data where we are relying on legitimate interest and we will cease processing for the purpose you object to. An exception to this would be where we have compelling legitimate grounds for processing which override your interests, rights and freedoms or where it is necessary for the establishment, exercise or defence of legal claims. You can also object to our processing your personal data for direct marketing, after which we will stop immediately.

Right to Erasure or ‘Right to be Forgotten’

In certain circumstances you have the right to ask us to erase the personal data we hold about you. Such circumstances include (a) where we no longer need your personal data for the purposes set out above; (b) if you withdraw your consent to our processing; (c) if you object to our processing based on our legitimate interest and we have no overriding legitimate grounds to continue processing your personal data; (d) if we process the data unlawfully; or (e) where the personal data has to be erased to comply with a legal obligation to which we are subject. We will consider any such request in line with GDPR. Please note this is not an absolute right and there may be circumstances where we choose not to delete all of the personal data we hold about you. More information about your right of erasure can be found on the ICO website.

‘Right to Restrict’ our use of your Personal Data

We may sometimes be able to restrict the use of your data. This means that it can only be used for certain things, such as legal claims or to exercise legal rights. In this situation, we would not use or share your information in other ways while it is restricted.

You can ask us to restrict the use of your personal information if:

  • It is not accurate.
  • It has been used unlawfully but you don’t want us to delete it.
  • It is not relevant anymore, but you want us to keep it for use in legal claims.
  • You have already asked us to stop using your data but you are waiting for us to tell you if we are allowed to keep on using it.

If you want to object to how we use your data, or ask us to delete it or restrict how we use it, please contact us.


Complaints

We hope that you won’t ever need to, but if you do want to complain about our use of personal data, please send an email with the details of your complaint to We will look into and respond to any complaints we receive.

You also have the right to lodge a complaint with the Information Commissioner’s Office (“ICO”) (the UK data protection regulator). For further information on your rights and how to complain to the ICO, please refer to the ICO website.

Changes to this Privacy Policy

We recognise that transparency is an ongoing responsibility so we will keep this privacy policy under regular review.

This privacy policy was last updated on 24 May 2018.