Privacy Policy

This privacy notice sets out information about our use of personal information relating to individuals we have dealings with, including our clients, individuals who use our website and individuals who subscribe to our newsletters and updates. It also sets out details of the rights individuals have in relation to our use of their personal information and various other information which we are required to provide under data protection law.

In particular, this privacy notice provides information to individuals about how they can object to our use of their personal information, how they can withdraw any consent they have given to us to enable us to process their personal information and how they can make a complaint.

We may provide additional privacy information to individuals on specific occasions when we are collecting personal information. This is to ensure that we are being transparent about why and how we are using personal information. This privacy notice supplements any other such notices and is not intended to override them.

Geldards LLP is a law firm with offices in Cardiff, Derby, Nottingham and London. We are a limited liability partnership registered in England and Wales (partnership number OC313172). Our registered office is at 4 Capital Quarter, Tyndall Street, Cardiff, CF10 4BZ.

We are regulated by the Solicitors Regulation Authority (“SRA”). We are also registered with the UK’s data protection regulator, the Information Commissioner’s Office (“ICO”).

We have appointed an Information Officer, who oversees our compliance with data protection law. Her contact details are set out below:

Name: Elizabeth Bray

Address: Geldards LLP, 4 Capital Quarter, Tyndall Street, Cardiff, CF10 4BZ

Email: information.compliance@geldards.com

Telephone: 0844 736 0006

If you have any questions about the information set out in this privacy notice or how we handle personal information, please contact our Information Officer or email us at information.compliance@geldards.com.

This privacy notice applies to:

  • Our clients;
  • Other individuals who contact us (for example, to make an enquiry about legal services);
  • Individuals (other than clients) whose personal information we obtain in connection with a legal matter;
  • Individuals who use our website;
  • Individuals who subscribe to our updates and newsletters;
  • Individuals who engage with us on social media; and
  • Individuals who access our premises or the surrounding areas and who may be captured on our CCTV system.

We refer to such individuals in this privacy notice using the terms “you” or “your”.

We take your privacy extremely seriously and want you to feel confident that your personal information is safe in our hands. We will only use your personal information in accordance with data protection law applicable to England and Wales from time to time and the SRA rules of professional conduct we are subject to as a law firm.

Under data protection law, when we use your personal information, we will be acting as a data controller. Essentially, this means that we are responsible for your personal information and will be making decisions about how it is used and why.

Below, we summarise the main rules that apply to us as a data controller under data protection law:

  1. We must be upfront about how we intend to use your personal information and must use it fairly. Providing privacy information to individuals (such as in this privacy notice) is one aspect of using personal information fairly.
  2. We must only use your personal information if we have a legal basis to do so under data protection law. The legal bases available are set out in data protection law and include that:
      • We need to use your personal information to perform a contract between you and us (or to take steps at your request before entering into such a contract);
      • We (or someone else) have a legitimate reason (such as a business or commercial reason) for needing to use your personal information, so long as this is not overridden by your rights and interests; and
      • We need to use your personal information to comply with laws or regulations that we are subject to.
  3. We must only use certain types of sensitive personal information (such as information relating to your health, racial or ethnic origin or religion) if we can satisfy one of the conditions set out in data protection law or if an exemption applies to us. This type of personal data is known as “special category personal data”. The conditions that apply to the use of special category personal data include that:
      • We need to use the information for the purposes of establishing, exercising or defending legal claims; and
      • You have given us your explicit consent to use it.
  4. Generally, we must not share your personal information with others unless we have a legal basis for doing so and have provided you with information about our intention. However, there are certain circumstances in which we can share your personal information with a third party without first informing you (e.g. for the prevention of a criminal offence or fraud).
  5. Generally, we must only use your personal information for the specific purposes we told you about when we collected or obtained it. If we want to use your personal information for other purposes, we need to contact you to tell you about this and will generally need to obtain your consent.
  6. We must not hold more personal information about you than we need for the purposes we have told you about and must not retain your personal information for longer than is necessary for those purposes (known as the “retention period”). We must also dispose of any information that we no longer need securely.
  7. We must ensure that we have appropriate security measures in place to protect your personal information.
  8. We must act in accordance with your rights under data protection law.
  9. We must not transfer your personal information outside the United Kingdom unless we can satisfy certain conditions. One such condition is that the personal data will only be transferred to a country that has been approved by the United Kingdom as having adequate data protection laws.

How we will use your personal information, and the legal bases we will rely upon, will depend upon the nature of our relationship with you and our reasons for obtaining or collecting your personal information in the first place.

OUR CLIENTS
What personal information will we use?
  • Your name and contact details (e.g. postal address, email address and telephone number(s));
  • Proof of identity;
  • Your bank or credit card details (if you make payment by card);
  • Your financial details (so far as relevant to your instructions);
  • Personal information relevant to the legal matter(s) you have instructed us to advise upon. The type of personal information we will need you to provide to us will depend upon the nature of the legal matter we are handling. Such personal information may include special category personal data; and
  • Personal information relating to any complaint you may make.
How will we obtain it?
The majority of the personal information listed above will be provided by you to us when you instruct us or during the course of a matter.

Sometimes we may need to obtain information about you from a third party, for example:

  • from publicly accessible sources (such as Companies House or HM Land Registry); or
  • from third parties with your consent (such as your bank, other professional advisers, your employer or medical professionals).
What purposes will we use it for and what legal bases will we rely upon to do so?
We will use the personal information listed above:

  • To provide legal services to you, to contact you about those legal services and to take payment. Our legal basis for doing so will be that our use of your personal information is necessary for the performance of the contract between you and us (or to take steps at your request before entering into that contract);
  • To verify your identity for money laundering purposes, for the purposes of credit control, to prevent fraud and to carry out checks prescribed by law. Our legal bases for doing so will either be (i) compliance with our legal and regulatory obligations or (ii) our legitimate interests in protecting our business;
  • If you make a complaint, to deal with your complaint (in accordance with our contractual and regulatory duties). Our legal bases for doing so will either be (i) that such use is necessary to enable us to perform the contract between you and us or (ii) to enable us to comply with our regulatory obligations;
  • To comply with other professional, legal and regulatory obligations that apply to our business (e.g. rules issued by the SRA);
  • To send you marketing material. Further details of when and how we will do this, our legal basis for doing so and the marketing material we will send to you are set out in this policy;
  • For a variety of internal administrative purposes (such as those listed below). Our legal basis for doing so will be our legitimate interests in ensuring that our business is run effectively and efficiently and to the highest standards so that we can deliver the best service possible to you:
    • To operate and maintain our internal IT systems, such as our document management system;
    • For the purposes of internal record keeping;
    • For the purposes of complying with our internal policies and procedures;
    • For the purposes of external audits and quality checks;
    • For the purposes of training and quality control;
    • To ensure confidentiality and the security of personal data;
    • To create and update client records; and
    • To carry out statistical analysis.
The conditions we will generally rely upon to use any special category personal data
If we need to obtain or collect any special category personal data about you, the legal bases we will rely upon to use such personal data will generally either be:

  • That the processing is necessary for the purpose of establishing, exercising or defending a legal claim on your behalf; or
  • Your explicit consent.
Important consequences if you do not provide or permit us to obtain the personal information we require
If you do not permit us to collect or provide us with the personal information we require, this may delay or prevent the provision of legal services to you.

OTHER INDIVIDUALS WHO CONTACT US
What personal information will we use?
  • Your name;
  • Your contact details (such as your telephone number or email address); and
  • Details of your enquiry/communication.
How will we obtain it?
The information will be provided by you (or someone acting on your behalf) when you (or they) contact us (e.g. by making a phone call or emailing us or enquiring at our premises).
What purposes will we use it for and what legal bases will we rely upon to do so?
  • We will use the personal information listed above to deal with your enquiry/communication. The legal bases we will rely upon when doing so will either be (i) your consent or (ii) our legitimate interests in ensuring that all enquiries/communications received by us are dealt with appropriately.
  • We may also make a record of your enquiry/communication for internal administrative purposes. The legal bases that we will rely upon when doing so will either be (i) compliance with our legal and regulatory obligations or (ii) our legitimate interest in being able to refer back to your enquiry/communication if you have further dealings with us.
  • In addition, we may use your personal information to send you marketing materials. Further details of when and how we will do this, our legal basis for doing so and the type of marketing materials we will send to you are set out in this policy.
INDIVIDUALS (OTHER THAN CLIENTS) WHOSE PERSONAL INFORMATION WE OBTAIN IN RELATION TO A LEGAL MATTER
What personal information will we use?
  • Your name;
  • Your contact details (e.g. postal address, email address and telephone number(s)); and
  • Personal information about you relevant to the legal matter we are handling on our client’s behalf. The nature of such information will vary depending on the nature of our instructions and may include special category personal data (including medical information).
How will we obtain it?
The personal information listed above may be provided by you, by our client or by a third party.
What purposes will we use it for and what legal bases will we rely upon to do so?
  • We will use your personal information in relation to the legal matter we are handling on behalf of our client;
  • The legal basis we will rely upon to obtain, store and use your personal information will either be (i) that such use of personal information is necessary for the purposes of a legitimate interest pursued by our client (namely, to obtain legal advice) or (ii) in the case of any special category personal data, that such use is necessary for the establishment, exercise or defence of a legal claim.
INDIVIDUALS WHO USE OUR WEBSITE
What personal information will we use?
  • Technical information about the devices you use to access our website, including your internet protocol address, browser type and version, time zone setting and location, browser plug-in type and version, operating system and platform; and
  • Usage data about how you use our website, including the full Uniform Resource Locators (“URL”), clickstream to, through and from our website (including date and time, services you viewed or searched for, page response times, download errors, length of visit to certain pages, page interaction information (such as scrolling, clicks and mouse-overs), form submissions, accessing other content (e.g. video content) and methods used to navigate away from the page).
How will we obtain it?
  • The above information will be obtained by us automatically using cookies, server logs and other similar technologies whenever you use our website.
  • Further information about the cookies we use and the purposes for which we use them can be found in our Cookie Policy.
What purposes will we use it for and what legal bases will we rely upon to do so?
  • The above information will be used by us to:
    • enable us to run our website;
    • help us to improve our website;
    • track usage of our website;
    • ensure that our website meets our customers’ needs;
    • and in other ways described in our Cookie Policy.
  • The legal bases we rely upon to collect and use your personal information are either: (i) our legitimate interest in ensuring that our website functions effectively; or (ii) in relation to certain cookies used by us or third parties, your consent.
  • Information relating to your ability to accept or reject/disable certain cookies is set out in our Cookie Policy.

If you are a client or prospective client of the firm, we will only send you Updates if you provide us with your consent to do so. Our legal basis for doing so will usually be that we have a legitimate interest in using your personal information for the purposes of direct marketing in order to expand our client base (for example, by telling you about the range of legal services that we provide and/or our areas of expertise).

This means that we do not usually need your consent to send this sort of information to you. However, your consent will be required in certain circumstances. Where this is the case, we will ask you for your consent separately and clearly and will not send you Updates without your consent.

You have the right to withdraw your consent to receiving updates from us at any time. You can do this by:

  • contacting us using the details set out on our Contact page;
  • using the opt-out link in marketing emails we send to you; or
  • using the unsubscribe option on the “Insights in your inbox” page of our website.

How long we will need to hold on to your personal information and the reasons for this will vary depending upon the nature of the personal information and the purpose of the processing.

Below, we have set out brief details of the retention periods (and related reasons) that apply to some of the personal information we hold.

Unless you have asked us (and we have agreed) to store your personal information for a longer period, we won’t hold on to your personal information for longer than is necessary for the relevant purpose and once we no longer require it, we will ensure that it is disposed of securely.

CATEGORY: Personal information relating to our clients
RETENTION PERIOD AND REASONS: We will retain your personal information after we have finished acting for you for one or more of the following reasons:

  • To respond to any questions, complaints or claims made by you or on your behalf;
  • So that we can evidence how we have complied with our contractual, legal and regulatory obligations; and/or
  • To enable us to comply with our legal and regulatory obligations.

We will generally retain your personal information for a minimum period of 6 years.

CATEGORY: CCTV recordings
RETENTION PERIOD AND REASONS: CCTV images are stored on a hard drive for 30 days for reference purposes.

In the event that any CCTV imagery is required in connection with a security incident, it is copied onto a disk and retained until the relevant incident has been dealt with (whether internally or externally by law enforcement agencies).

CATEGORY: Contact details for direct marketing purposes
RETENTION PERIOD AND REASONS: We will retain and use your contact details until such time as you tell us that you no longer wish to receive updates from us.

Both in the course of providing legal services to our clients and as a necessary part of running our business, we will often need to share your personal information with third parties. The general position under data protection law is that we should only share your personal information with third parties if we have told you that we intend to do so and have a valid reason for doing so. We must also put safeguards in place to ensure that we share your personal information securely.

This section provides you with information about the third parties we will share your personal information with and our reasons for doing so.

In some cases, we only describe the category of third party with whom we will share your personal information. This is because:

  • when handling matters on behalf of clients, the identity of such third parties will vary from matter to matter; and
  • the identity of third parties we use to provide business-related services to us (and who may have access to your personal information) will change from time to time.

If you would like more information about any of the third parties with whom we share your personal information or the steps we take to ensure that your personal information is secure, please contact us using the details set out in our Contact page.

IDENTITY OF THIRD PARTY: Professional advisers such as barristers, medical professionals, accountants, tax advisors and other experts
CATEGORY OF PERSONAL INFORMATION: Client personal information; personal information relating to claimants
REASON FOR SHARING: For the purposes of obtaining professional advice/opinions or information relating to a matter

IDENTITY OF THIRD PARTY: Organisations such as HM Land Registry and Companies House
CATEGORY OF PERSONAL INFORMATION: Client personal information
REASON FOR SHARING: In connection with the provision of legal services to you

IDENTITY OF THIRD PARTY: Third parties that we use in the provision of our legal services (for example, couriers, providers of copying and document services)
CATEGORY OF PERSONAL INFORMATION: Client personal information
REASON FOR SHARING: In connection with the provision of legal services to you

IDENTITY OF THIRD PARTY: Third parties we use to provide essential business services to us (such as marketing agencies and providers of IT services)
CATEGORY OF PERSONAL INFORMATION: Client personal information; personal information relating to other individuals who contact us
REASON FOR SHARING: In connection with obtaining services that are essential to the running of our business

IDENTITY OF THIRD PARTY: Our insurers and brokers
CATEGORY OF PERSONAL INFORMATION: Client personal information; information relating to individuals who make complaints/claims
REASON FOR SHARING: For the purposes of obtaining insurance and making claims under our insurance policies; for the purpose of dealing with complaints

IDENTITY OF THIRD PARTY: Subsidiary or holding companies
CATEGORY OF PERSONAL INFORMATION: Client personal information
REASON FOR SHARING: For internal administrative purposes

IDENTITY OF THIRD PARTY: Our external auditors (i.e. financial, quality and information security)
CATEGORY OF PERSONAL INFORMATION: Client personal information; personal information relating to other individuals who contact us
REASON FOR SHARING: For auditing purposes

IDENTITY OF THIRD PARTY: Our bank and our accountants
CATEGORY OF PERSONAL INFORMATION: Client personal information
REASON FOR SHARING: For payment purposes; for regulatory purposes; for business administration purposes

IDENTITY OF THIRD PARTY: Credit reference agencies
CATEGORY OF PERSONAL INFORMATION: Client personal information
REASON FOR SHARING: For carrying out credit checks/searches

IDENTITY OF THIRD PARTY: Law enforcement agencies and regulatory bodies (such as the police, the National Crime Agency, the courts, the SRA and HMRC)
CATEGORY OF PERSONAL INFORMATION: Client personal information; personal information relating to other individuals who contact us; information relating to persons who use our website; information relating to individuals captured on CCTV
REASON FOR SHARING: To comply with our legal and regulatory obligations; to prevent the commission of offences; for the administration of justice

IDENTITY OF THIRD PARTY: Potential buyers of some or all of our business or shares in our business
CATEGORY OF PERSONAL INFORMATION: Client personal information
REASON FOR SHARING: Required information as part of any restructuring, acquisition or sale

We will ensure that your personal information is subject to confidentiality obligations and/or encrypted

To deliver services to our clients and conduct our business, we sometimes need to transfer personal information outside the United Kingdom. The main situations in which we will need to do so are:

  • if you are located outside the United Kingdom;
  • if any third parties we are using to provide legal services to you are located outside the United Kingdom (for example, experts or professional advisers in other jurisdictions); and/or
  • where there is an international dimension to the matter on which we are advising you.

As countries outside the United Kingdom may not offer the same protection to personal information as the United Kingdom, transfers of personal information outside the EEA are subject to special rules. Generally speaking, we must only transfer your personal information outside the United Kingdom if:

  • the United Kingdom has approved or made a finding of adequacy in relation to the relevant country; or
  • an appropriate safeguard has been put in place and enforceable data subject rights and effective legal remedies for data subjects are available. The appropriate safeguard we rely upon most often is the use of standard contractual clauses (as approved by the ICO).

If you would like more information about situations in which your personal information may be transferred outside the United Kingdom and/or how we will seek to ensure that your personal information continues to be protected, please contact us using the contact information provided in this privacy notice.

Your personal information will either be held at our offices or by the third party agencies, service providers, representatives and agents used by us.

Some of these third parties may be based outside the United Kingdom.

We take the protection of your personal information extremely seriously and we have a number of measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. For example:

  • electronic document security which operates on a number of different levels, including:
    • access to our IT network is username and password protected;
    • once logged on to our network, documents may only be accessed through our document management system;
    • every action applied to a document is logged by date, user, device and type of activity;
    • encryption of moveable media (e.g. laptops and mobile phones);
    • next generation anti-virus software is implemented across all devices;
  • emails are sent using TLS encryption where possible;
  • staff receive data protection and information security awareness training and are required to adhere to our internal data protection policies and procedures;
  • multi-factor authentication is used for externally accessible systems; and
  • implementation of physical security measures at all of our offices (including restricted access and CCTV).

We also limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

In addition, we have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Under data protection law, you have a number of different rights relating to the use of your personal information. The table below contains a summary of those rights and our obligations. More information about your rights and our obligations can be found on the ICO website.

YOUR RIGHTS: A right of access
WHAT THIS INVOLVES: This is a right to obtain access to your personal information as well as supplementary information.
WHAT OUR OBLIGATIONS ARE: Generally, we cannot make a charge if you want to exercise this right. However, we can make a reasonable charge in certain circumstances (such as if your requests are repetitive).

YOUR RIGHTS: A right to have personal data rectified
WHAT THIS INVOLVES: This is a right to require us to correct any mistakes/omissions in your personal information.
WHAT OUR OBLIGATIONS ARE: As well as correcting your personal information, if we have disclosed your personal information to third parties, we must also contact the recipients to inform them that your personal information requires rectification.

YOUR RIGHTS: A right to erasure
WHAT THIS INVOLVES: This is a right to have your personal information deleted. This right only applies in specific circumstances and is subject to a number of exceptions and exemptions.
WHAT OUR OBLIGATIONS ARE: If this right applies, we must delete or remove your personal information. If we have disclosed your personal information to third parties, we must also contact the recipients to inform them that your personal information must be erased.

YOUR RIGHTS: A right to data portability
WHAT THIS INVOLVES: This is a right to obtain and re-use your personal information for your own purposes. It includes a right to ask that your personal information is transferred to another organisation (where technically feasible). This right only applies in limited circumstances.
WHAT OUR OBLIGATIONS ARE: If this right applies, we must provide your personal information to you in a structured, commonly used and machine readable form. We cannot charge you for doing so.

YOUR RIGHTS: A right to object
WHAT THIS INVOLVES: This is a right to object to the use of your personal information. You can use this right to challenge our use of your personal information based on our legitimate interests. You have an absolute right to object to our use of your personal information for direct marketing.
WHAT OUR OBLIGATIONS ARE: If you object to us using your personal information for direct marketing, we must stop using your personal information for this purpose straightaway. If you object to the use of your personal information on other grounds, whether we are required to stop using your personal information will depend on the particular circumstances.

YOUR RIGHTS: A right to object to automated decision making
WHAT THIS INVOLVES: This is a right not to be subject to a decision which is based solely on automated processing. This right only applies where the decision in question will have a legal impact on you or a similarly significant effect.
WHAT OUR OBLIGATIONS ARE: We do not make automated decisions using your personal information.

YOUR RIGHTS: A right to restrict processing
WHAT THIS INVOLVES: This is a right to block or suppress processing of your personal information. This right applies in various circumstances, including where you contest the accuracy of your personal information.
WHAT OUR OBLIGATIONS ARE: If we are required to restrict our processing of your personal information, we will be able to store it but not otherwise use it. If we have disclosed your personal information to third parties, we must contact the recipients to tell them about the restriction on use.

For further information relating to any of the above rights or to exercise any of your rights, please contact us using the details set out on our Contact page.

You can also find more information about your rights on the ICO’s website.

If you request the exercise of any of your rights, we are entitled to ask you to provide us with any information that may be necessary to verify your identity.

Generally, we must deal with your request within 28 days of receiving it. However, it may take us longer than this to respond to you if your request is particularly complex or if you have made a number of requests. In this situation, we will let you know when we envisage being able to meet or fully deal with your request.

If you have given us your consent to use any of your personal information, you can withdraw your consent at any time. To do so, please contact us using the details set out on our Contact page.

You can get in touch with us in the following ways:

Cardiff
Geldards LLP
4 Capital Quarter
Tyndall Street
Cardiff
CF10 4BZ
+44 (0)29 2023 8239

Derby
Geldards LLP
Number One Pride Place
Pride Park
Derby
DE24 8QR
+44 (0)1332 331 631

Nottingham
Geldards LLP
The Arc
Enterprise Way
Nottingham
NG2 1EN
+44 (0)115 983 3650

London
Geldards LLP
80 Coleman Street
London
EC2R 5BJ
+44 (0)20 7620 0888

Email: information.compliance@geldards.com

If we are unable to deal with a complaint to your satisfaction or if you are unhappy with the way we are using your personal information, you have the right at any time to make a complaint to the ICO. You can contact the ICO through its website or by telephoning 0303 123 1113.

We may update this privacy notice from time to time.

This privacy notice was last updated on 1 August 2021.
