Privacy & Legal


This policy applies to: Merry Mullen, Chartered Accountants and Statutory Auditors, whose place of business is 18 Westland Square, Pearse Street, Dublin 2

The privacy policy explains how we use any personal information we collect about you when you use this website and our wider services to be able to provide everyone with a user experience that is safe and secure.


What is personal data?

Personal data relates to any information about a natural person that makes you identifiable which may include (but is not limited to):

  • Names and contact information i.e. emails and telephone numbers
  • Personal Public Service (PPS) Number
  • Employment history
  • Employee numbers
  • Credit History
  • Personal tax
  • Payroll and accounting data

What is sensitive personal data?

Sensitive personal data refers to the above but includes genetic data and biometric data.  For example:

  • Medical conditions
  • Religious or philosophical beliefs and political opinions
  • Racial or ethnic origin
  • Convictions
  • Biometric data (e.g. photo in an electronic passport)

What is a Data Controller?

For general data protection regulation purposes, the “Data Controller” means the person or organisation who decides the purposes for which and the way in which any personal data is processed.

What is a Data Processor?

A “Data Processor” isa person or organisation which processes personal data for the controller.

What is Data Processing?

Data processing is any operation or set of operations performed upon personal data, or sets of it, be it by automated systems or not. Examples of data processing explicitly listed in the context of GDPR are: collection, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating or making available, aligning or combining, restricting, erasure or destruction.

Company Status as Data Controller or Data Processor

In respect of our website ( and any personal data processed via its usage, Merry Mullen considers that it generally acts as the Data Controller.

This Privacy Policy sets out the basis on which any personal data is collect from you, or that you provide to us, will be processed by us and your rights in relation to your personal data. If you are a Client, this Privacy Policy supplements any data protection provisions contained in our Engagement Letter with you and is not intended to override them. In accordance with the following summarised table below are the types of engagement the Company considers that it generally acts as a Data Controller or Data Processor in respect to personal data:

Type of EngagementData Controller or Processor
Accounts preparation for corporate clientsJoint Controller
Book keeping assignments for corporate clientsProcessor
Audit assignments for corporate clientsJoint Controller
Accounts preparation assignments for unincorporated clientsController
Corporation tax compliance & advisory assignmentsJoint Controller
Personal TaxController
Payroll ServicesProcessor
Website Usage and EnquiresController

What information do we collect about you and how?

Merry Mullen, is bound by the requirements of the General Data Protection Regulations (GDPR) in respect to Data Collection about you.

When engaging with Merry Mullen as a client or browsing or engagement with us via the Website, we have identified that we hold personal data for the following categories of Data Subjects:

  • Business Partners/Directors in the firm who are living natural persons
  • Current clients and their family members who are living natural persons (includes their Anti- Money Laundering customer due diligence data)
  • Employees of clients for whom we process outsourced payroll etc.
  • Former clients and their former employees for whom we have processed payroll etc. in the past
  • Prospective clients (on a Mailing List for example)
  • Sub-Contractors of the Company
  • Existing staff and former staff of the Company
  • Job applicants to the Company
  • General Enquiries made via our website

By using the Merry Mullen Website and/or Services you acknowledge the collection and use of your personal data as outlined above

In respect to Website usage information is collected using cookies to help us provide users with a better experience each time they visit. We do not use cookies to gather any personal data for storage on our systems. The user can delete the cookie and the information that it gathers at any time using the settings in their internet web browser.

Cookies – are text files put on your computer to collect standard internet log information and visitor behaviour information.  This information is then used to track visitor use of the website and to create statistical reports on website activity. Certain cookies are necessary in order for you to use our website. These are used ‘in-session’ each time you visit and then expire when you leave the site. They’re not stored on your computer and they don’t contain any personal data. However, you can delete them via your browser if you wish to, but this will restrict the functions that you’re able to carry out on our sites.

For more information about how to disable cookies in your browser please visit

Analytics – this refers to how visitors use our website. We use Google Analytics to store information about how visitors use our website so that we may make improvements and give visitors a better user experience.

Google Analytics is a third-party information storage system that records information about the pages you visit, the length of time you were on specific pages and the website in general, how you arrived at the site and what you clicked on when you were there. These cookies do not store any personal information about you and we do not share the data. You can view Googles privacy policy below:

Google –

IP Addresses – an IP or Internet Protocol Address is a unique numerical address assigned to a computer as it logs on to the internet. Merry Mullen do not have access to any personal identifiable information and we would never seek this information. Your IP address is logged when visiting our site, but our analytic software only uses this information to track how many visitors we have from particular regions.

Internet Based Advertising – we use LinkedIn, Facebook and Twitter advertising services and as such from time to time there may be tracking codes installed on our website so that we can manage the effectiveness of these campaigns.  We do not store any personal data within this type of tracking.

How will we use the information about you and why?

At Merry Mullen we take your privacy seriously we will only use this information subject to your instructions, data protection law and our duty of confidentiality.

By using the Merry Mullen Website and/or Services our lawful reason for processing your personal information will be “legitimate interests”.  Under “legitimate interests” we can process your personal information if we have a genuine and legitimate reason and we are not harming any of your rights and interests.

In respect to Clients, our work for you may require us to pass your information to our third-party service providers, agents, subcontractors, Government Agencies and other associated organisations for the purposes of completing tasks and providing the Services to you on our behalf.  However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the Services and we have contracts in place that requires them to keep your information secure and not to use it for their own direct marketing purposes.

Merry Mullen does not share your information for marketing purposes with companies so that they may offer you their products and services.

Transferring your information outside of Europe

Merry Mullen does not transfer any of your personal data outside the European Economic Area (EEA) in respect to the usage of this Website.

Security precautions in place about data collected

When you give us personal information, we take steps to make sure that it’s treated securely.

Non-sensitive details (such as your email address) are sent normally over the Internet can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us via the website and you do so at your own risk.

Once we receive your information, we do make every effort to ensure its security on our systems. We have put in place commercially reasonably and appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know such data. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.


From time to time we send marketing information about our services which may be of interest to you.  You can request us to stop sending you electronic marketing messages at any time by following the opt-out links on any marketing message sent to you.

You can also request for us to stop sending you marketing messages:

How long will we hold your data for?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

By law we have to keep Client data for six years after the conclusion of any engagement in order to comply our and your regulatory and tax obligations. In order to be in a position to establish, exercise and defend our legal rights, the firm has a policy of retaining all documentation in relation to the following assignments for a minimum of seven years from the date that the documentation was first received or created by the firm, or the completion date of the agreed service for which we have been engaged.

  • Audit files and papers containing personal data – statutory audit regulations;
  • Tax files – Revenue Commissioner/HMRC regulations;
  • Criminal cases (e.g. anti-money laundering – legal requirements & required firm policy);
  • Contracts – for the life of the contract; and
  • Employee details –statutory requirements.

It is our policy to carry out an annual review of all the data it holds and on what grounds the data is held (by category). Following on from this review, decisions are made whether the firm continues to need the data that it holds.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for legal know-how, research or statistical purposes in which case we may use this information indefinitely without further notice to you.

Access to your information, correction, portability and deletion

By consenting to this privacy notice you are giving us permission to process your personal data for the purposes identified. If we are processing personal data based on your consent, you may withdraw that consent at any time. This does not affect the lawfulness of processing which took place prior to its withdrawal.

In certain circumstances, you have rights under data protection laws in relation to your personal data. These include:

Data Subject Access Request (DSAR)

This is your right to request a copy of the information that we hold about you.  Data subjects have the right to make a DSAR. The DSAR may be for all personal data of that data subject held by the Company or a subset of the data. The Company must respond to the request within 1 month, unless the Company can show that the request is manifestly unfounded or excessive, or where the request is sufficiently complex or one of a number of requests (in which case the response time may be extended to 3 months).

Any DSAR requests should be sent to  . Where the firm receives a DSAR, the firm will first conduct due diligence to confirm the identity of the data subject. The firm will not comply with DSARs made by anyone other than the data subject him/herself.

We also want to make sure your personal information is accurate and up to date.  You may ask us to correct or remove information you think is inaccurate by also emailing the above email address.

Objections to processing of personal data

It is your right to lodge an objection to the processing of your personal data if you feel the “ground relating to your particular situation” apply.  The only reasons we will be able to deny your request is if we can show compelling legitimate grounds for the processing, which override your interest, rights and freedoms, or the processing is for the establishment, exercise or defence of a legal claims.

Data Portability

Data Portability allows individuals to obtain and reuse their personal data for their own purposes across different services. This means they should be able to move, copy or transfer personal data easily from one IT environment to another, and from one service provide to another, in a safe and secure way. The right to Data Portability applies:

(a)       to personal data an individual has provided to a controller;

(b)       where processing is based on consent or on a contract; and

(c)       the processing is carried out by automated means.

The Company considers that, because it does not generally process personal data by purely automated means, it does not hold data which would be subject to a data portability request. In the event that the firm determines that it holds data relevant to a data portability request, it will review the personal data held. The firm will then determine the electronic format in which the data has been requested to be transferred.

Your Right to be Forgotten

Data subjects have the right to request erasure of their personal data where the Company does not have a legitimate reason for retaining such data. This is sometimes referred to as ‘The right to be forgotten’.

Where the Company receives a request for erasure from a data subject, then the Company will assess all personal data held on the Data Subject, including data held on:

  • The firm’s central data server;
  • Laptops and personal computers in the firm;
  • Stored emails and other electronic messaging systems; and
  • Paper files

All personal data deemed as not held for a legitimate, legal or contractual purpose will be deleted/destroyed in line with our Data Protection Policy.

Other websites

Our website sometimes may contain links to other websites.  This privacy policy only applies to this Website, therefore when you link to other Websites and leave we recommend you read the Privacy Policy of the website you are accessing.


If you feel that your personal data has been processed in a way that does not meet with GDPR, you have a specific right to lodge a complaint.  Please contact Merry Mullen immediately at   if you have a complaint so that we take all appropriate steps to resolve this for you.

The Irish supervisory authority for data protection issues and to lodge a complaint is with the Data Protection Commissioner (

Changes to our Privacy Policy

We keep our privacy policy under regular review and we will place any updates on this web page. Any changes to our Privacy Policy are fully reviewed and approved by our Partners before being published.

This privacy policy was last updated on 14 August 2018 and the version number is 1.0, the recent updates to this policy reflect additional changes in line with the new GDPR guidelines.

How to contact us

Please contact us if you have any questions about our privacy policy or information we hold about you: