What is the purpose of this Notice?
We are committed to protecting the privacy and security of your personal information.
This Privacy Notice describes how we as a ‘Data Controller’ collect and use personal information about you during and after our acting for you, in accordance with the Data Protection Act 1998, the UK Data Protection Bill, and the General Data Protection Regulation (GDPR). This notice may be updated, and the latest edition can be found on our website or by asking us for a copy.
If you have any questions relating to your privacy that are not answered in this notice, then please discuss them with us or email firstname.lastname@example.org and we will respond within 48 hours.
What do we collect?
In the course of acting for you we may receive, store, and process your personal information, which may include (but is not limited to) the following types of information: your personal contact details such as name, title, addresses, telephone numbers, and personal email addresses, date of birth, gender, marital status and dependents, next of kin and emergency contact information, financial data such as bank account information, tax status, salary and other employment-related records and information, copies of ID documents such as your driving licence, passport, utility bills, photographs, etc.
We will also collect personal data in order to comply with our statutory client identification and anti-money laundering obligations. We use the credit reference agency TransUnion (formerly CallCredit), which is fully GDPR compliant, and whose Privacy Notice can be viewed at https://www.callcredit.co.uk/legal-information/bureau-privacy-notice.
Why do we process your personal data?
We will only ever process your personal data for one or more of the six legal reasons permitted by the GDPR. In virtually all cases this will include that such processing is necessary for the performance of our contract with you, i.e. for the provision of our legal services. In some circumstances, if you fail or refuse to provide relevant personal data we may not be able to proceed with contracting with you to provide our legal services. We would discuss such specific issues with you as appropriate. Other lawful grounds for processing may include: that the processing is in our legitimate business interests (i.e. the provision of legal and related services) having balanced your expectations and interests, to comply with our legal/regulatory obligations, and/or you have provided your explicit consent for us to do so.
We will only contact you with marketing and related communications if you have given your express consent for us to do so, or if prior to 25 May 2018 you gave your contact details in the course of our acting for you, we are marketing similar services (i.e. our legal services), and you were given an opportunity to opt-out of marking when we first collected your information and in every subsequent marketing communication. We do not conduct Automated Decision-Making (ADM).
Protecting your personal data
We have and will maintain effective physical, electronic, and managerial systems and safeguards to keep your personal data secure and protected. Such systems will be proportionate to the size and risk profile of our business, so can never be absolutely guaranteed.
In the course of acting for you, we may need to transfer your personal data to third parties, such as the providers of our document and file management and financial systems, and other professionals working on your matter (barristers, surveyors, accountants etc). We will also require any such third parties to comply with all relevant data protection legislation. We may transfer to, store, or process personal data for marketing activities on MailChimp servers which are located in the United States. MailChimp participates in and has certified its compliance with the EU-US Privacy Shield Framework.
We will never sell your personal data to any third party without your express prior consent, and at the time of this notice, we have no intention to do so.
Accessing, altering and deleting your personal data
You have the right to request a copy of the personal data we hold about you, in accordance with the GDPR. Please direct any such requests to email@example.com or in writing to our managing partner, and we will respond within one month.
Under certain circumstances, you also have the right to request correction and/or erasure of personal information that we hold about you, object to processing of your personal information, request the restriction of processing, and request the transfer of your information to a third party. Further information can be provided on request.
You have the right to withdraw consent to receiving marketing communications from us, and can do so either by contacting us or by clicking on the unsubscribe links provided on our communications.
Retention of your personal data
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances, we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. We will retain and securely destroy your personal information in compliance with data protection legislation.
Right to complain
If you have any concerns about how we process your personal data then please direct these to our managing partner in the first instance. You are also entitled to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ico.org.uk or 0303 123 1113.
Hatch Brenner LLP
Tel: 01603 660 811
17 May 2018