top of page

PRIVACY POLICY
 

PRIVACY POLICY
Effective 2 June 2026 - V2.6

 

1. DEFINITIONS

 

In this Privacy Notice the following definitions shall apply:

Client Personal Data” means any personal data provided to us by you, or on your behalf, for the purpose of providing our services to you, pursuant to our engagement letter with you;

Controller” means a person or body that, alone or jointly with others, determines the purposes and means of the processing of personal data;

 

Data Protection Legislation” Data Protection Legislation means all applicable privacy and data protection legislation including the General Data Protection Regulation (EU) 2016/679, the UK GDPR, the Data Protection Act 2018 (Ireland), the Data Protection Act 2018 (UK), and all related legislation and regulatory guidance in force from time to time.

Data Subject” means an individual to whom personal data relates;

Joint Controller” means, where two or more controllers jointly determine the purposes and means of the processing of personal data, the controllers referred to as “joint controllers” per the Data Protection Act 2018, who shall determine their respective responsibilities for compliance in a transparent manner by means of an agreement in writing between them;

Personal Data” means information relating to an identified or identifiable living individual;

Processing” of or in relation to personal data, means an operation or a set of operations performed on personal data, whether or not by automated means, including the collection, recording, organisation, structuring, storage, alteration, retrieval, use, disclosure, transmission, alignment, restriction, erasure or destruction of the data;

Processor” means an individual, legal person, public authority, agency or other body that processes personal data on behalf of a controller, other than an employee of a controller acting in the course of his or her employment;

 

Special Categories of Personal Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying an individual, data concerning health, or data concerning an individual’s sex life or sexual orientation.

 

2. WHO WE ARE

 

This Privacy Notice is issued jointly by two related practices that operate together under the trading name “Ryan & Co”:

  • Thomas F. Ryan, trading as Ryan & Co — a sole practitioner regulated by the Association of Chartered Certified Accountants (ACCA) under firm registration number 1294112, which is also his supervisory authority for Anti-Money Laundering (AML) purposes. Thomas F. Ryan holds the Firm’s audit registration and holds the Firm’s audit registration and is the sole provider of audit services within the Firm.

  • Proules Consultants Limited — a company registered in Ireland under CRO number 451086, with its registered office at Proules House, Shercock Road, Carrickmacross, Co. Monaghan, Carrickmacross, Monaghan, Ireland. Also trading as Ryan & Co, regulated by ACCA under firm registration number 2021343 and by the Irish Taxation Institute, and supervised by ACCA for AML purposes. Proules Consultants Limited provides the full range of services described in this Notice with the exception of audit, and employs the staff who support both practices.

 

Both entities are based at Proules House, Shercock Road, Carrickmacross, Co. Monaghan, A81 H016. Together, in this Notice, we refer to both entities as “the Firm”, “we”, “us” or “our”.

 

For the purposes of the General Data Protection Regulation and the Data Protection Act 2018, each of Thomas F. Ryan and Proules Consultants Limited is a separate Data Controller in respect of the personal data it processes about you. Where both entities process your personal data in the course of delivering services to you, they do so as independent controllers (not joint controllers within the meaning of Article 26 GDPR).

Our clients are also Data Controllers (referred to as “the Client”, “You” or “Yours” in this Privacy Notice). The Firm and our client are not Joint Controllers.

 

Data sharing between the two practices

 

Because we operate under a single trading name and a shared client base, personal data may be shared between Thomas F. Ryan and Proules Consultants Limited on a controller-to-controller basis where this is necessary to deliver the services you have engaged us to provide — for example, where audit work is carried out by Thomas F. Ryan and other related services are carried out by Proules Consultants Limited. Such sharing is subject to confidentiality obligations and is restricted to what is necessary for the agreed services.

Contact details

Our email address is: info@cmx.ie

 

Our postal address is: Proules House, Shercock Road, Carrickmacross, Co. Monaghan, A81 H016

 

Our telephone number is: 042 966 1770

 

Our firm’s GDPR Owner is Thomas F. Ryan.

 

We are not required to appoint a Data Protection Officer. If you have any questions about this Privacy Notice, including any requirements to exercise your legal rights, please contact Thomas F. Ryan.

 

It is very important that the information we hold about you is accurate and up to date. Please let us know if at any time your personal information changes by emailing us at info@cmx.ie.

 

3. THE DATA THAT WE COLLECT ABOUT YOU, THE PURPOSE FOR WHICH WE COLLECT IT AND THE GROUNDS UPON WHICH WE PROCESS IT

 

Personal data means any information capable of identifying an individual. It does not include anonymised data.

For the purposes of this Privacy Notice the Firm provides the following services:

  • Accounts Preparation

  • Bookkeeping

  • Audit Assignments

  • Taxation compliance and advisory services

  • Payroll Services

  • Business Advisory Services

  • VAT compliance and advisory services

 

You shall only disclose Client Personal Data to us where:

  • you have provided the necessary information to the relevant data subjects regarding its use (and you may use or refer to this Privacy Notice for this purpose);

  • you have a lawful basis upon which to do so; and

  • you have complied with the necessary requirements under the Data Protection Legislation to enable you to do so.

 

We shall only process your personal data:

  • in order to provide our services to you and perform any other obligations in accordance with our engagement with you (the lawful basis being performance of a contract);

  • in order to comply with our legal and regulatory obligations — in particular, our obligations under the Criminal Justice (Money Laundering and Terrorist Financing) Acts 2010 to 2021, the Taxes Consolidation Act 1997, the Companies Act 2014, and our obligations to our professional bodies (the lawful basis being compliance with a legal obligation); and

  • where it is necessary for the purposes of our legitimate interests — namely, communicating with you, maintaining accurate records, defending legal claims, providing the services we have been engaged to provide, and growing our business — and those interests are not overridden by the data subjects’ own privacy rights (the lawful basis being legitimate interests).

Some of the personal data we collect from you is required by law (for example, identification data we must obtain under AML legislation). If you do not provide this data, we will not be able to act for you. Other data is required under our contract with you (for example, financial records needed to prepare accounts or similar work). If you do not provide this data, we may not be able to perform some or all of the services for which we have been engaged. We will notify you at the time if this is the case.

We may process the following categories of personal data about you:

Engagement Data

Information you provide to enable us to assess whether we can act for you, and to deliver the services for which we are engaged. This includes identification data required for our AML obligations under the Criminal Justice (Money Laundering and Terrorist Financing) Acts 2010 to 2021, and information generated during the engagement itself. Where required for tax compliance and Revenue filings, Engagement Data also includes statutory identifiers such as your PPS number, which we process in accordance with our obligations under the Taxes Consolidation Act 1997 and applicable Revenue requirements.

 

Communication Data

Correspondence between you and the Firm, whether by email, telephone, letter, web form, or messaging service.

 

Personal Contact Data

Your name, title, address, email, telephone numbers, date of birth, marital status and similar identifiers.

 

Marketing Data

Your preferences regarding marketing communications from the Firm and any responses to them.

 

Website Data

Data collected when you visit our website, including via cookies. Non-essential cookies are only set with your consent in accordance with S.I. 336/2011.

 

Recruitment Data

Information you provide if you apply for a position with the Firm, including your CV, cover letter, and references. 

 

Special Categories of Data

In certain circumstances, the services we provide require us to process Special Categories of Personal Data, as defined in Article 9 GDPR. For example:

  • Trade union membership of employees may be processed for the purposes of calculating payroll deductions;

  • Health information may be processed in the context of payroll, statutory sick pay, or related compliance matters;

  • Information regarding employees, spouses, children and dependent relatives may form part of personal tax credit or allowance calculations.

Where we process Special Category Data, we do so only where strictly necessary for the agreed services and on a lawful basis under Article 9(2) GDPR (typically performance of obligations in the field of employment and social security law, or with explicit consent where required).

Where we are required to collect personal data by law, or under the terms of the contract between us, and you do not provide us with that data when requested, we may not be able to perform the agreed service for which we have been engaged. If you don’t provide us with the requested data, we may have to cease to act for you but if we do, we will notify you at the time.

We will only use your personal data for a purpose it was collected for, or a reasonably compatible purpose, if necessary. If we propose to use your personal data for a new purpose that is not compatible with the purposes set out in this Notice, we will provide you with information about that new purpose and the lawful basis for the processing before doing so. We may communicate this information by updating this Notice, by notice on our website, by email, or as part of our routine correspondence with you.

We may process your personal data without your knowledge or consent where this is required or permitted by law.

 

We do not make decisions about you based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you, within the meaning of Article 22 GDPR. Where we use automated tools (including AI) to support our work, such use is subject to meaningful human review and we retain full professional responsibility for the outcome.

4. HOW WE COLLECT YOUR PERSONAL DATA

 

We may collect data about you by you providing the data directly to us (for example by filling in forms on our website or in our offices, by sending us emails and correspondence by post, or by speaking with us on the telephone and in meetings). We may collect data from third parties who you authorise us to obtain the data from on your behalf (for example the Revenue Commissioners, the Companies Registration Office, financial institutions or another professional adviser).

We may also obtain data from publicly available sources (including statutory registers) and from identity verification providers used to meet our AML obligations.

Where you are not the person who provided your personal data to us (for example, you are an employee, director, beneficial owner, dependant, or subcontractor of one of our clients, and your data was provided to us by that client in connection with the services we provide to them), we are still required to inform you about our processing of your data. We obtained your data from our client, who acts as a separate Data Controller and is required to have a lawful basis for sharing it with us. The categories of data we hold, the purposes for which we process it, the recipients, the retention period, and your rights are all set out in this Notice.

 

5. USE OF TECHNOLOGY AND ARTIFICIAL INTELLIGENCE TOOLS

 

We use approved third-party software and technology providers to support the efficient delivery of our services. This includes cloud-based productivity, accounting, payroll and document management software, and may also include artificial intelligence (“AI”) tools and large language models used to assist with tasks such as drafting, research, summarisation, analysis, and document review.

Where such tools are used:

  • we engage only providers who offer contractual data protection safeguards, including written Data Processing Agreements and EU Standard Contractual Clauses where applicable;

  • such providers do not use your data to train their underlying models;

  • we apply internal policies and controls governing what information may be processed using these tools;

  • we retain full professional responsibility for all work product, with appropriate human review.

A current list of our material processors is maintained internally and is available to clients on reasonable request.

In addition to technology providers, we may engage trusted third-party professional outsourcing providers to support the delivery of any of our services. Such providers may process any category of personal data necessary to perform the work allocated to them, including Special Category Data where required for payroll, employment or tax-related services. Outsourcing providers act as our processors under written Data Processing Agreements compliant with Article 28 GDPR, process personal data only on our documented instructions, and are subject to confidentiality obligations equivalent to those applicable to our own staff. We retain full professional responsibility for all work product, with appropriate review and oversight by our own personnel.

 

6. MARKETING COMMUNICATIONS

 

Our lawful ground for processing your personal data to send you marketing communications is either your consent or our legitimate interests (namely to grow our business).

Under the Data Protection Legislation, we may send you electronic marketing communications from us if (i) you have previously availed of, or enquired about, our services or (ii) you agreed to receive marketing communications, and in each case you have not opted out of receiving such communications since.

 

We will not share your personal data with any third party for their own marketing purposes without your express consent.

You can request us to stop sending you electronic marketing messages at any time by following the opt-out links on any marketing message sent to you.

 

You can request us to stop sending you marketing messages at any time by emailing us at info@cmx.ie, by writing to us at Ryan & Co, Proules House, Shercock Road, Carrickmacross, Co. Monaghan A81 H016, or by telephoning us at 042 966 1770.

 

If you opt out of receiving marketing communications, this opt-out does not apply to personal data provided in connection with a matter on which we are acting or have acted on your behalf, and which we are obliged to retain for the purposes of complying with our legal obligations.

7. DISCLOSURES OF YOUR PERSONAL DATA

We may have to share your personal data with the parties set out below:

  • the other entity within the Firm — i.e. between Thomas F. Ryan and Proules Consultants Limited — as described in Section 2 above;

  • technology service providers, including providers of cloud-based software, communications platforms, and artificial intelligence tools, who process data on our instructions under written Data Processing Agreements;

  • outsourced professional service providers engaged to support the delivery of our services, acting as our processors under written Data Processing Agreements compliant with Article 28 GDPR;

  • service providers who provide business administration services, including third-party dictation, typing and transcription services and external file storage and archiving services;

  • professional advisers, including other accountants, solicitors, bankers, auditors and insurers who provide consultancy, banking, legal, insurance, accounting services and regulatory support and compliance services;

  • risk management auditors and quality control reviewers, including those engaged by our professional bodies;

  • the Revenue Commissioners, the Association of Chartered Certified Accountants (ACCA), the Irish Taxation Institute, Chartered Accountants Ireland, and other professional bodies of which the Firm or its principals are members;

  • the Data Protection Commission, the Central Statistics Office, IAASA, the Companies Registration Office, and other regulators or authorities entitled by law to receive the data;

  • third parties to whom we sell, transfer or merge parts of our business or our assets.

 

We require all third parties to whom we transfer your data to respect the security of your personal data and to treat it in accordance with the law. We only allow such third parties to process your personal data for specified purposes and in accordance with our instructions.

 

8. DATA SECURITY

 

Some of our technology service providers and outsourcing partners are located, or process data, outside the European Economic Area ("EEA") — principally in the United States, the United Kingdom, and India. Where such transfers occur, we ensure that appropriate safeguards are in place in accordance with the GDPR, including:

  • European Commission adequacy decisions, where available (for example, in respect of the United Kingdom);

  • Standard Contractual Clauses approved by the European Commission for transfers to other third countries; and

  • where appropriate, supplementary technical and organisational measures.

  • a documented Transfer Impact Assessment in respect of transfers to non-adequacy countries (including India), addressing local law and supplementary safeguards.

Further information regarding the safeguards we apply is available on request.s.

 

9. DATA SECURITY

 

We have put in place commercially reasonable and appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know such data. They will only process your personal data on our instructions and are subject to a duty of confidentiality.

 

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so under Articles 33 and 34 GDPR.

 

Where we engage third-party providers (whether technology or outsourcing partners), we apply contractual safeguards, due diligence on their information security certifications (such as ISO 27001), and ongoing monitoring of their compliance.

 

10. DATA RETENTION

 

We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data; the potential risk of harm from unauthorised use or disclosure; the purposes for which we process the data and whether we can achieve those purposes through other means; and the applicable legal requirements.

Specifically:

  • Engagement records are retained for a minimum of seven years following the conclusion of the engagement, in line with the Firm’s legal, regulatory and professional obligations, and to enable us to establish, exercise or defend legal claims;

  • AML records are retained for a minimum of five years from the end of the business relationship, in line with the Criminal Justice (Money Laundering and Terrorist Financing) Acts;

  • Unsuccessful job application data is retained for up to twelve months unless you consent to longer retention;

  • Marketing data is retained for as long as you remain a contact and have not opted out.

In some circumstances you can ask us to delete your data: see below for further information.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for legal know-how, research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

11. YOUR LEGAL RIGHTS

Under certain circumstances, you have rights under data protection laws in relation to your personal data. These include:

  • The right to Access — to request a copy of the personal data we hold about you, together with other information about our processing of that personal data.

  • The right to Rectification — to request that any inaccurate data held about you is corrected, or that incomplete information is updated.

  • The right to Erasure — to request us to delete personal data that we hold about you. This is sometimes referred to as the right to be forgotten.

  • The right to Object and Restrict processing — to request that we no longer process your personal data for particular purposes, or to object to our processing of your personal data for particular purposes.

  • The right to Data Portability — to request us to provide you, or a third party, with a copy of your personal data in a structured, commonly used, machine-readable format.

  • The right to Withdraw Consent — where processing is based on consent, at any time (without affecting the lawfulness of prior processing).

If we are processing personal data based on your consent, you may withdraw that consent at any time. This does not affect the lawfulness of processing which took place prior to its withdrawal.

You can see more about these rights at: www.dataprotection.ie.

 

Should you require any further details regarding our treatment of personal data, please contact Thomas F. Ryan.

 

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

 

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

 

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

12. COMPLAINTS

If you are not happy with any aspect of how we collect and use your data, you have the right to complain to the Data Protection Commission (DPC), the Irish supervisory authority for data protection issues. Please contact us first if you do have a complaint so that we can try to resolve it for you.

The Data Protection Commission may be contacted as follows:

  • Website: www.dataprotection.ie

  • Postal address: 6 Pembroke Row, Dublin 2, D02 X963 

  • Telephone: +353 (0)761 104 800 or 1800 437 737

Data subjects in the United Kingdom may also lodge a complaint with the UK Information Commissioner's Office:

  • Website: ico.org.uk

  • Postal address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

  • Telephone: +44 (0)303 123 1113

13. UPDATES TO THIS NOTICE

We keep this Privacy Notice under regular review and may update it from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The version and effective date are shown at the top of this document. Where we make material changes, we will draw these to your attention by appropriate means.

© 2025 Ryan & Company

Need more details? Contact us

Contact us by phone or email.

bottom of page