PRIVACY AND TRANSPARENCY NOTICE
Conybeare Solicitors respects your privacy and is committed to protecting your personal data. This privacy and transparency notice (Notice) informs you how we capture your personal data, how and why we use your personal data, and how we store, disclose and transfer your personal data.
It is important that you read this Notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data.
- 1. Purpose of this Notice
- 2. Types of Personal Data
- 3. Sources of Personal Data
- 4. Purposes of capturing, storing and processing Personal Data
- 5. Our website
- 6. Changes to Personal Data
- 7. Personal Data storage, Personal Data security and Personal Data retention
- 8. Personal Data Communications
- 9. Personal Data Disclosure
- 10. Personal Data Transfer
- 11. Business Service Providers
- 12. Data Controller
- 13. Changes to this Notice
- 14. Your rights
1. Purpose of this Notice
This Notice applies to:
- Our individual clients as well as the individual contacts of corporate clients or client organisations by whom we are instructed to provide our services;
- Personal data collected in the engagement of new clients, the performance of our services, during the course of any continuing client relationship and on termination of such relationship;
- Personal data of employees, officers, agents and other advisers of corporate clients or client organisations whose details we may receive during the performance of our services. We rely on our principal contact(s) at such clients for ensuring that all affected individuals are made aware that their personal data may be provided to us for the purpose(s) set out in this Notice and we recommend a copy of this Notice is provided to them;
- Individuals, including individual contacts at corporate entities or organisations, which are prospective clients or former clients and their personal data;
- Individuals, including individual contacts at corporate entities or organisations, who expressly consent to receive our communications via email and/or those who choose to attend any events hosted or arranged by us or on our behalf and their respective personal data;
- Individuals, including individual contacts at corporate entities or organisations, with whom we contract to provide us with services for our business and their personal data;
- Personal data of any third party individuals with whom we may liaise or work with during the performance of our services for any client;
- Our employees, associates, co-operating or associated solicitors, attorneys, paralegals and their respective law firms as well as other professional advisers contracted by us or engaged by you and their respective personal data.
2. Types of Personal Data
In this Notice, we refer to personal data, or personal information, to mean any data or information about an individual from which that person can be identified. Personal data therefore includes:
- Identity Data includes given names, maiden name, last name, username or similar identifier, marital status, title, date and place of birth, gender, nationality, occupation, country of residence, passport, birth/marriage certificate, tax reference or identification number, national identity card, social security or national insurance number, driving license, bank account details, bank statement, utility bill, insurance certificate, land registry ownership title or residential tenancy agreement.
- Contact Data includes billing address, correspondence address, email addresses, telephone and facsimile numbers and other electronic messaging service addresses.
- Financial Data includes your bank account details.
- Transaction Data includes details about payments to and from you and other details of services provided by us.
- Technical Data includes internet protocol (IP) address, user login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website.
- Profile Data includes your username and password for our website, types of services provided to you, your interests, preferences, feedback and survey responses.
- Usage Data includes information about how you use our services, including our website.
- Marketing and Communications Data includes your communication preferences including areas of interest for marketing and business development purposes.
- Special Category Data includes personal data from which it is possible to determine or infer an individual’s racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, membership of a trade union, physical or mental health or condition (including biometric and genetic data), sexual life/orientation, or judicial data (including information concerning the commission or alleged commission of a criminal offence and any sentence or penalty imposed).
- Anonymous Data is personal data where the person’s identity has been removed so it is not possible to identify that individual.
Please note we will only collect Special Category Data if and when it is necessary for one or more of the purposes described below.
Our services are not intended for children and we do not knowingly collect any personal data relating to children.
3. Sources of Personal Data
We use different methods and sources to capture personal data, including from:
- you directly or indirectly on your behalf both before and during our provision of services, including information provided as part of our procedures to determine whether or not to accept a client, information provided on our formal engagement to provide legal services and information collected and/or generated during the provision of our services, such as about employees, officers, agents and other advisers of clients;
- contacts made by us during the course of our business as well as contacts made by us during the performance of our services for you;
- third parties appropriately authorised to share your data with us such as credit reference agencies;
- publicly available sources such as Companies House;
- our connections on social media applications and information provided or made available to us via them;
- your use of our website including information submitted to us via our website or by email;
- solicited and/or unsolicited applications for employment, co-operation or business opportunities;
- specific consent and/or requests from individuals to be added to our contacts database;
- responses received to invitations to seminars, events and social functions; and/or
- you when you visit us and/or attend any events, when you may be required to sign in and provide Identity Data and Contact Data, and your image may be captured on CCTV systems and building access control systems may record the time and date of your entry and exit.
4. Purposes of capturing, storing and processing Personal Data
We are committed to capturing, storing and using only the personal data that is lawful and necessary for the legitimate operation of our business, namely the provision of legal services pursuant to a contract.
However, we use your personal data for a variety of purposes, as outlined in the following sections, but most commonly we use your personal data on one or more of the following bases:
- to perform a contract we are about to enter into or have entered into with you;
- for our legitimate interests;
- for compliance with a legal or regulatory obligation; and/or
- with your specific consent.
In summary we use personal data:
- as part of our procedures for accepting new clients;
- for the provision of services to clients;
- to establish and/or maintain our client relationships;
- to establish and/or maintain relationships with interested parties such as prospective clients and former clients;
- to keep clients informed of relevant services and events; and/or
- to keep individuals informed of relevant services and events for which they have expressly consented to receive such information.
Personal data is not subject to automated decision-making.
4.2 Accepting new clients
As part of our process to determine whether or not to accept a new client, we are obliged to undertake certain procedures for legal, regulatory and/or business reasons.
These include checking that we have no conflict of interest in acting for a new client, verification of the identity of a new client and, in some cases, the source of the funds to be provided in connection with a relevant transaction for which a client seeks to contract with us.
These procedures require us to request and receive a variety of personal data, including Identity Data, Contact Data and Special Category Data, about prospective clients and individual contacts, as well as making and storing copies of any documents provided pursuant thereto.
Our procedures include some or all of the following:
- Conflict of interest checks
- Identity verification
- Identification of ultimate beneficial ownership of corporate entities
- Anti-money laundering, proceeds of crime and terrorist financing checks
- Politically exposed persons checks
- Sanctions list checks
These checks are made for legal, regulatory or business reasons and may need to be repeated during the course of our engagement. It is important that we receive all necessary information and documents as otherwise we may be unable to provide or we may be prohibited from providing our services.
We may use third party sources to obtain some of this information and/or to undertake some of these checks.
4.3 Provision of services to clients
We use your personal data to provide our services and to administer and maintain our contractual relationship including:
- To issue invoices and to collect payment
- To comply with our legal and regulatory obligations
- To establish, exercise or defend legal claims or rights
- For accounting, tax and regulatory purposes
- For marketing and business development purposes
- For professional indemnity insurance purposes
- For the prevention and detection of crime
4.4 General conduct of business
During the general conduct of our business activities, we may collect or generate details about you and/or other people associated with any services being provided or prospective services which may in the future be provided.
We may use such personal data in connection with the performance of our services, planning future services and pursuing business opportunities, as well as to establish and/or maintain non-client relationships, for accounting and tax purposes and to comply with our legal and regulatory obligations.
Where permitted by applicable laws and in accordance with those laws and regulations, we may record and/or monitor telephone calls made and received and electronic communications sent or received by us in order to protect our business and verify compliance with our policies and relevant legal requirements.
In order to communicate efficiently, we will correspond with you using your Contact Data by unencrypted email and we will use voice communication systems which rely on the internet and/or mobile telephone networks, none of which are guaranteed as secure forms of communication.
4.6 Business Development
We collect personal data for promoting and developing our business to clients, prospective clients and former clients, and as part of the general administration of our client relationships.
We use your personal details to send you information about our services and legal updates, as well as our brochures and invitations to selected events. You may update your preferences or opt out at any time. Such information is usually sent by email, electronic messaging services and/or via social networking sites.
If you attend an event hosted by us or on our behalf, we or the third party event organiser will collect contact details as part of the event registration and management. This information may include dietary requirements and details of any health issues or disabilities which may impact upon your attendance at or participation in the event. Where an event is run in association with a third party or hosted at an external venue, we may need to share your personal details with that third party event organiser or venue. Only the minimum information will be shared as necessary for the purposes of hosting and management of the event.
5. Our website
Although there is no obligation to provide any personal data when visiting our website, we may capture and use your Technical Data when you visit our website. We do this to administer our website and to improve your browsing experience by personalising it and to facilitate your use of any online services we may make available on our website, including the supply of goods and/or services purchased from our website, as well as to protect and defend our rights and property.
A cookie consists of information sent by a web server to a web browser, and stored by the browser on your computer. The information is then sent back to the server each time the browser requests a page from the server. This enables the web server to identify and track the web browser.
We may use session and functionality cookies, performance and analytics cookies as well as persistent cookies on our site.
Session and functionality cookies help us to keep track of you whilst you navigate our site in order to enable us to evaluate and improve our website. They help us remember the choices you make, such as language options or the region you are in. These cookies help to make your visit more personal and should be automatically deleted when you close your browser or the session expires.
Performance and analytics cookies (including Google Analytics) help us to track the pages you visit and the content you access, so we can determine which content is most popular and improve the performance of our website. These cookies record only anonymous statistical data and do not collect any personal information that could identify an individual visitor.
Persistent cookies help our site to recognise you when you visit. We may use this information to compile statistical data on the use of our website either independently or using third party analytical services. Information obtained is on an anonymous, aggregated basis and you cannot be identified from this. Persistent cookies will remain stored on your computer until deleted by you, or until they reach a specified expiry date.
5.2 Third party links and websites
Our website may contain links to other third-party websites and applications which are outside of our control and which are not covered by this notice. We are not responsible for the privacy policies or practices of such third party websites and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you.
6. Changes to Personal Data
It is important that the personal data we hold about you is accurate and current. Whilst we will periodically contact you to ensure that your data is up-to-date and correct, we ask you to inform us if your personal data changes. Where we have obtained your specific consent to use your personal data for business development purposes, we will offer you the opportunity to review your specific consent at least once every 6 months.
7. Personal Data storage, Personal Data security and Personal Data retention
We use appropriate data storage and security techniques to protect personal data we hold. Personal data is primarily stored electronically in one or more databases which we maintain and/or which are maintained for us by contracted business service providers, such as Rackspace (email and cloud storage applications), Microsoft (email, calendar, contacts and cloud storage applications) and Mailchimp (client relationship management application).
We take reasonable technical and organisational precautions to prevent unauthorised access to your personal information, including its improper use or disclosure, unauthorised modification or unlawful destruction.
We retain your personal data only for so long as necessary to fulfil the purposes for which we collected it, including satisfying any legal, accounting, fiscal or other reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we use your personal data and whether we can achieve those purposes through other means, and all applicable legal requirements.
However, please note we may need to retain your information for significant periods of time in order to establish, exercise or defend our legal rights, including in respect of any claims made by you, as well as for archiving purposes, but we do not keep your personal data for longer than necessary.
The retention period for client files is detailed in our contract with you, but it will usually be between 6 and 12 years from when we have completed our services. Special Category Data must be retained for 5 years after completion of our services. In some circumstances we use Anonymous Data for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
8. Personal Data Communications
In order to communicate efficiently:
- We customarily use unencrypted email to send and receive correspondence and documents. This is not guaranteed to be a secure and uninterrupted method of communication.
- We customarily use voice communication applications routed over the internet (VoIP) as well as mobile telephones. These are not guaranteed to be secure and uninterrupted methods of communication.
If you would prefer us not to use unencrypted email, VoIP or mobile telephone communications you must tell us, but this may have an adverse effect on the efficient provision of our services to you or on your behalf.
9. Personal Data Disclosure
We may disclose your personal data:
- where necessary for the provision of our services, including by sharing that information internally with our employees and associates, as well as externally with co-operating or associated legal counsel and/or their associated law firms and their respective employees and associates, and our contracted business service providers;
- if required by applicable law;
- to third parties in connection with a potential purchase, sale, transfer, or merger of all or part of our business or our assets. If a change of ownership occurs, then the new owners may use your personal data in the same way as set out in this Notice.
- to enforce, protect or defend our rights arising out of our contract with you, our contracts with third parties including our service providers and/or otherwise to protect and defend our rights, property or safety;
- to comply with a judicial proceeding, court order or other legal obligation, or a regulatory or government inquiry; and/or
- with your specific consent.
We have a legal obligation to report suspicious transactions and other activity to relevant regulatory authorities under anti-money laundering, terrorist financing, insider dealing or related legislation. We may also report suspected criminal activity to the police and other law enforcement bodies. We may not be permitted to inform you about this in advance of the disclosure, or at all.
Third party recipients of personal data may include:
- HMRC or equivalent tax and customs & excise authorities
- Regulatory and other professional bodies
- Stock exchange and listing authorities
- Public registries, such as HM Land Registry and Companies House in the UK
- Providers of identity verification services
- Credit reference agencies
- The courts, police and law enforcement agencies
- Government departments and agencies
- Auditors and professional advisers (including professional indemnity insurers and advisers)
We will use reasonable efforts to disclose the minimum personal data necessary in each case and ensure appropriate levels of confidentiality are maintained.
10. Personal Data Transfer
Whilst we are a UK law firm, we have a representative office in Hungary, and we provide services to clients located globally. Accordingly, there are circumstances when some or all of your personal data is transferred outside of the United Kingdom (UK) including outside of the European Economic Area (EEA). Where we collect any data outside of the UK, including within the EEA, then such data will be transferred to the UK. As a result, your personal data may be transferred outside the country in which it was collected (which includes transfers outside the EEA) and it may be accessed by us on a global basis.
We share your personal data with our employees, associated or contracted attorneys and their law firms as well as our and your other retained advisers who may be located outside of the UK and/or EEA and we share your data for the purposes of providing our services.
Where our instructions relate to issues or transactions outside of the UK and/or EEA, your personal data will need to be made available to those persons who are engaged by us and/or by you in connection with those instructions, as well as any other third parties, including counterparties and their advisers, as well as governmental and regulatory agencies, who may be located outside of the UK and/or outside of the EEA.
Your personal data may be stored and accessed by our contracted business service providers who may be located in the United States of America (USA) and other jurisdictions outside of the UK and/or outside of the EEA.
Whenever we transfer your personal data, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
- Where we use service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
- Where we use providers based in the USA, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
11. Business Service Providers
We contract with third party businesses to provide us with services to help us operate and manage our business (service providers). We ensure our contracts with service providers meet the requirements of applicable privacy laws. Service providers are required to use appropriate security measures to protect your personal data and they are prohibited from using personal data other than in accordance with our instructions.
Service providers who process personal data on our behalf may be located outside of the UK and outside of the EEA, including in the USA. We ensure that our service providers are obliged to comply with applicable legal requirements for transferring personal data outside the jurisdiction in which it was originally collected.
12. Data Controller
Steven Conybeare trading as Conybeare Solicitors is the controller and responsible for your personal data (referred to as “Conybeare Solicitors”, “we”, “us” or “our” in this Notice).
Steven Conybeare is our appointed data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your rights, please contact the DPO using the details set out below.
- Full name of legal entity: Conybeare Solicitors
- Data Protection Officer: Steven Conybeare
- Email address: email@example.com (optional subject line: GDPR)
- Postal address: 6th Floor, Mutual House, 70 Conduit Street, London W1S 2GF
- Telephone number: +44 (0) 870 753 0925
13. Changes to this Notice
We may update this Notice from time to time. We will notify you of this by email, by publishing a new version on our website and/or providing you with a copy.
14. Your rights
You have the following rights in relation to your personal data which we hold:
- to access your personal data;
- to correct your personal data;
- to opt out of receiving marketing or non-client communications at any time;
- to request a restriction or an objection to the processing of your personal data;
- to request your personal data is erased, subject to applicable laws;
- to request a transfer of your personal data in a structured, commonly used machine-readable format;
- to withdraw your consent where you have provided personal data voluntarily or consented to its use;
- to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).