We take your privacy extremely seriously and want you to feel confident that your personal information is safe in our hands. We will only use your personal information in accordance with data protection law applicable to England and Wales from time to time and the SRA rules of professional conduct we are subject to as a law firm.
Under data protection law, when we use your personal information, we will be acting as a data controller. Essentially, this means that we are responsible for your personal information and will be making decisions about how it is used and why.
Below, we summarise the main rules that apply to us as a data controller under data protection law:
- We must be upfront about how we intend to use your personal information and must use it fairly. Providing privacy information to individuals (such as in this privacy notice) is one aspect of using personal information fairly.
- We must only use your personal information if we have a legal basis to do so under data protection law. The legal bases available are set out in data protection law and include that:
  - We need to use your personal information to perform a contract between you and us (or to take steps at your request before entering into such a contract);
  - We (or someone else) have a legitimate reason (such as a business or commercial reason) for needing to use your personal information, so long as this is not overridden by your rights and interests; and
  - We need to use your personal information to comply with laws or regulations that we are subject to.
- We must only use certain types of sensitive personal information (such as information relating to your health, racial or ethnic origin or religion) if we can satisfy one of the conditions set out in data protection law or if an exemption applies to us. This type of personal data is known as “special category personal data”.
  The conditions that apply to the use of special category personal data include that:
  - We need to use the information for the purposes of establishing, exercising or defending legal claims; and
  - You have given us your explicit consent to use it.
- Generally, we must not share your personal information with others unless we have a legal basis for doing so and have provided you with information about our intention. However, there are certain circumstances in which we can share your personal information with a third party without first informing you (e.g. for the prevention of a criminal offence or fraud).
- Generally, we must only use your personal information for the specific purposes we told you about when we collected or obtained it. If we want to use your personal information for other purposes, we need to contact you to tell you about this.
- We must not hold more personal information about you than we need for the purposes we have told you about and must not retain your personal information for longer than is necessary for those purposes (known as the “retention period”). We must also securely dispose of any information that we no longer need.
- We must ensure that we have appropriate security measures in place to protect your personal information.
- We must act in accordance with your rights under data protection law.
- We must not transfer your personal information outside the European Economic Area (“EEA”) unless certain safeguards are in place. One such safeguard is that the personal data will only be transferred to a country that has been approved by the European Commission as having adequate data protection laws.