Data & Privacy Note

I. Introduction

  • Purpose of the Notice: To inform clients, potential clients, and related third parties about data processing practices in the context of legal services.
  • Scope: Covers data processing for clients, potential clients, and related third parties. Separate notices for staff and employees.
  • Legal Framework: Complies with the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, and the UK GDPR.
  • Overview: Explains the types of personal data collected, how it’s stored and handled, and how it’s kept safe.
  • Contact Information: Encourages readers to reach out with questions.

II. Conditions for Processing Data

  • Legal Basis for Processing (Article 6 GDPR):
    • Contractual Obligations: Providing legal services, fulfilling agreements, meeting Legal Aid Agency obligations.
    • Legitimate Interests: Business operations, quality audits, regulatory requirements.
    • Legal Compliance: Responding to legal requirements, sharing data related to fraud or criminal activity.
    • Consent: Processing data with explicit consent, such as for newsletters.
  • Data Collection Points:
    • When provided directly by the data subject (email, web form, phone, in person, post).
    • When provided by third parties (opponent’s solicitors).
    • Automatically through website visits (technical information).

III. Types of Data Collected

  • Information Provided Directly:
    • Contact details (name, address, email, phone).
    • Passport/driving licence copies, proof of address.
    • Date of birth.
    • Communication content.
    • Payment and financial information, bank details.
    • Demographic information (age, ethnicity, gender) if required by Legal Aid Agency.
    • Case/legal problem information.
    • Special category data (racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sexual orientation) when necessary for legal claims (Article 9(2)(f) GDPR).
  • Information from Website/Third-Party Sources:
    • Technical information (traffic data, location data, IP address, logs).
    • Website usage information, arrival sources, links, ads, search terms.
    • Information collected through cookies or pixels.

IV. How Data is Used

  • Provision of Services:
    • Delivering legal services.
    • Managing client relationships and communication.
    • Providing advice and guidance.
    • Managing payments.
    • Responding to complaints.
    • Staff training and service quality measurement.
  • Regulatory Compliance:
    • Communicating with regulators and legislators.
    • Complying with laws, regulations, and codes of conduct.
    • Identity verification, fraud, credit, and anti-money laundering checks.
  • Consent-Based Usage: Notifying about other services (with consent).
  • Website Enhancement and Business Development:
    • Responding to feedback.
    • Enhancing online experience.
    • Conducting research and surveys.
    • Developing and managing services, including marketing.
    • Understanding website journeys and user behavior.
    • Website administration and security.
  • Cookies: Usage and consent for cookies.

V. Data Protection

  • Commitment to Data Protection: Treating data with care, recognizing sensitivity and confidentiality.
  • Security Measures: Data protection and information security policies, regular assessments, IT system protection, password protection, encryption, monitoring for vulnerabilities and attacks, penetration testing.

VI. Data Retention

  • Retention Periods:
    • Matter files: Six years after the case ends (unless longer retention is required).
    • Crime/fraud prevention data: Five years.
    • Enquiries (no case): 18 months.
    • Complaints files: Six years after the complaint is concluded.
    • Financial information: Seven years (except cardholder data, which is generally destroyed after the transaction).
  • Longer Retention: Possible in certain situations with notification.

VII. Data Sharing

  • Sharing with Trusted Third Parties: Only when necessary for legal services or practice operation.
  • Examples: Barristers, experts, translators, cost draftsmen, process servers, secure file storage, auditors, cloud storage providers.
  • Data Processor Policy: Providing only necessary information, specifying usage purposes, ensuring privacy protection, data deletion/rendering.

VIII. Data Processing Location

  • Data Storage and Processing: Within the United Kingdom (UK).
  • International Data Sharing: Requires specific consent.

IX. Data Subject Rights (UK GDPR)

  1. Right to be informed.
  2. Right of access (data subject access request).
  3. Right to rectification.
  4. Right to erasure (right to be forgotten, not absolute).
  5. Right to restrict processing.
  6. Right to data portability.
  7. Right to object.
  8. Rights related to automated decision making and profiling.
  • Information Commissioner’s Office (ICO) link provided for more details.

X. Contact Details

  • Contact for information, security, and rights exercise.
  • Data Protection Officer: Miahela Padure.
  • Contact email: [email protected]

XI. Links to Other Websites

  • Disclaimer: No control over external websites, not responsible for their privacy practices.

XII. The Regulator

  • Right to lodge a complaint with the Information Commissioner’s Office (ICO).
  • Contact details for ICO provided.

XIII. Changes to This Notice

  • Policy on Updating Notice: Changes will be posted on the website and provided directly to clients with ongoing instructions.
  • Continued instructions signify agreement to changes.
  • Version Information: Cookiebot 09.04.2024 / version 1.