For the purposes of the General Data Protection Regulations (GDPR) we will be a ‘data controller’ and ‘data processor’ in respect of any personal information and data we hold about you.
This policy is intended to set out our standards of confidentiality when we collect, use and disclose to others any such personal information while providing you with legal advice, representation and other services.
We have appointed Chris Cann as Data Protection Officer (DPO) to oversee our compliance with Data Protection Law. If you have any problems or complaints relating to this policy please contact our DPO at Sale Point, 125-150 Washway Road, Sale, M33 6AG or call him on 0161 832 6972, or email him at email@example.com. If you remain dissatisfied, you may lodge a complaint with the Information Commissioner’s Office (ico.org.uk).
We are committed to respecting your privacy. This notice is to explain how we may use personal information we collect before, during and after your relationship with us. This notice explains how we comply with the law on data protection and what your rights are and for the purposes of data protection we will be the controller of any of your personal information.
This policy is subject to change from time to time.
This policy applies to everyone from whom we collect and process personal information but not limited to, our clients, our referrers of work, barristers and expert witnesses/consultants we employ, other solicitors and their clients or people acting in person, the courts or tribunals, mediators, our regulators, insurance companies, cost draftsmen/lawyers, accountants, auditors
In addition, the employees of all such entities.
We are a multi-service law firm and it would not be possible to list every type of personal information we gather during our business relationships and which are necessary for us to deliver our services. Some of the categories of data we collect include, but are not limited to, contact data (addresses, email addresses, telephone numbers), Identity data (names, marital status, date of birth, gender, NI number, family relationships, employment status, job title), Financial data (bank accounts, credit and debit card details, business accounts, salary), Transaction data (retainers, contracts, deeds and documents, evidence, photographs, diary entries, emails records), Medical data (records, reports).
As part of our general legal practice but specifically in our family, employment, Mental Health, Crime and bodily injury departments we may well process special categories of data such as, racial or ethnic origin, religious or philosophical beliefs, trade union membership, data concerning health, and data concerning a client’s sex life or sexual orientation.
The data we receive comes from many sources including, but not limited to, our direct interactions with our clients, contacts, introducers.
It is kept in paper files within the filing system, practice and case management systems, Word, Excel, Outlook and other document management systems, audit records, sub-contractor registers, management records, complaints and claims registers.
We may transfer data out of the EU where there was an international legal transaction or court action requiring that transfer.
On what basis are we allowed to process your personal data?
Under Data Protection law we are only allowed to process your personal data if we have a proper reason to do so. This includes sharing it outside the Group. The law allows us to process your data for one or more of the following reasons;
- to fulfil a contract we have with you
- when it is our legal duty
- when it is in our legitimate interest
- when you consent to it
A legitimate interest is when we have a business or commercial reason to use your information. This reason must not unfairly go against what is right and best for you.
The table below shows the ways we may use your personal information and why;
We use your personal information to
Why we use your personal information
Where we process special categories of personal data it will be in respect of your legal case only and will be done under Article 9 (2), although not limited to these exceptions, with your explicit consent, or where it is necessary for the establishment, exercise or defence of legal claims on your behalf.
This might be done by mail, email, telephone, fax or other communication media.
We only share personal information where we are reasonably certain that the data will be protected. The categories of people and organisations that we might share data with include, but are not limited to, internal third parties (consultants, contractors, agents, lawyers and employees from other offices, or companies within a Group of companies), External third parties (barristers, experts, outsourced IT and other service providers, professional advisers, regulators and other UK authorities, fraud prevention agencies, satisfaction survey companies), External businesses ( negotiate for sale, transfer or merger of all or part of our business).
We are committed to data security and have put in place reasonable physical, electronic and managerial security measures to protect personal data we hold and prevent it being lost, stolen, or used in unauthorised ways. We have procedures to deal with any data breaches and will notify you and our regulator where we are legally required to do so.
We will hold personal data, whether in electronic or paper form for as long as necessary to fulfil the purposes we collected it for but for a minimum of 6 years after it was collected.
We recognise the rights of individuals under the data protection laws where we process their data. They may request a copy of the data we hold, object to our processing of the personal data or request restriction of our processing of the data, request correction of data, request erasure or transfer of the personal data, and withdraw consent to processing. You should not have to pay a fee to exercise any of these rights unless the request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in those circumstances.
We try to respond to all legitimate requests within one month.