We ask that you read this privacy notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal information from clients and other members of the public. It also sets out your rights in relation to your personal information and on how to contact us and supervisory authorities in the event you have a complaint.
WHO WE ARE
PETERS MAY LLP (trading as Peters May) collects, uses and is responsible for certain personal data about clients and members of the public. We are regulated under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 and we are a controller of that personal information for the purposes of those laws. We are registered with the Information Commissioner’s Office with registration number ZA451402.
We have opted to appoint Juliette Peters, Partner, as our Data Protection Officer (DPO). If you have any questions about this notice or if you want to exercise any of your rights under data protection laws you should contact Juliette by email at email@example.com
THE PERSONAL INFORMATION WE COLLECT AND USE FROM OUR CLIENTS
In the course of the provision of legal services (the Services) we collect some or all of the following personal data from our clients:
the names of children (if any);
residential address and business address;
contact details, for example telephone number and email address;
date of birth;
copies of passport, national identity card, driving licence, utility bills, bank statements and similar documents;
business and professional qualifications and experience;
immigration status and work permits;
data from our building access controls; and
data from our IT and communications monitoring system.
THE PERSONAL INFORMATION WE COLLECT FROM VISITORS TO OUR WEBSITE
We will collect information that you voluntarily provide to us if you fill in a form on our website or apply for a vacancy through the website. This information may include the following personal data:
residential and business address;
contact details, for example email and telephone number;
and, where you provide it, some categories of personal data, for example ethnic origin and gender.
REASONS WE COLLECT AND USE PERSONAL DATA
We will only process personal data for the following purposes:
responding to your queries, requests and other communications;
providing legal services;
enabling suppliers and service providers to carry out certain functions on our behalf in order to provide legal services, including webhosting, data storage, identity verification, technical, logistical, courier or other functions, as applicable;
allowing you to use features on our website, when you choose to do so;
sending you personalised marketing communications requested by you;
ensuring security and preventing or detecting fraud;
administration, including complaints’ resolution, troubleshooting of our website, data analysis, testing of new features, research, statistical and survey purposes;
developing and improving the legal services we offer; and
complying with applicable law, including anti-money laundering legislation, guidelines and regulations or in response to a lawful request from a court or regulatory body.
The legal basis for our processing of personal data for the purposes described above will typically include:
processing necessary to fulfil a contract that we have in place with you or other data subjects, such as processing for the purposes set out in paragraphs 4.1.1, 4.1.2 and 4.1.4;
your consent, such as processing for the purposes set out in paragraph
processing necessary for our or a third party’s legitimate interests, such as processing for the purposes set out in paragraphs 4.1.1, 4.1.2, 4.1.3, 4.1.6, 4.1.7 and 4.1.8, which is carried out on the basis of our legitimate interests to ensure that legal services are properly provided, our security and our clients’ security and our proper administration;
processing necessary for compliance with a legal obligation to which we are subject, such as processing for the purposes set out in paragraph 4.1.9; and
any other applicable legal grounds for processing from time to time.
SPECIAL CATEGORIES OF (SENSITIVE) PERSONAL DATA
You may also supply us with, or we may receive, special categories of (or sensitive) personal data. This is defined by data protection laws to include personal data revealing a person’s racial or ethnic origin, religious or philosophical beliefs, or data concerning health. We process these special categories of personal data on the basis of one or more of the following:
where you have given explicit consent to the processing of the personal data for one or more specified purpose(s);
where the processing relates to personal data which is manifestly made public by you;
where the processing is necessary for the establishment, exercise or defence of legal claims;
where the processing is necessary for reasons of substantial public interest, in accordance with applicable law. Such reasons include where the processing is necessary:
(a) for the purposes of the prevention or detection of an unlawful act or for preventing a fraud;
(b) for the provision of confidential advice.
DATA RELATING TO CRIMINAL CONVICTIONS AND OFFENCES
We collect and store personal data relating to criminal convictions and offences (including the alleged commission of offences) only where necessary for the purposes of:
the prevention or detection of an unlawful act and it is necessary for reasons of substantial public interest;
providing or obtaining legal advice; or
establishing, exercising or defending legal rights.
We use your personal data to notify you by email, telephone, post or SMS about important legal developments and services which we think you may find valuable, for sending you newsletters, invitations to seminars and similar marketing.
In this connection we may disclose personal data to third parties providing marketing services to us, or with whom we are conducting joint marketing exercises.
You have the right to opt out of receiving direct marketing communications from us at any time by contacting our DPO, Juliette Peters, using the contact details set out above, or using the unsubscribe link in emails.
Email which you send to us or which we send to you may be monitored by us to ensure compliance with professional standards and our internal compliance policies. Monitoring is not continuous or routine, but may be undertaken on the instruction of a partner where there are reasonable grounds for doing so.
WHO WE SHARE YOUR PERSONAL INFORMATION WITH
We routinely share personal data from our clients with third party experts, barristers engaged on a case, the court and the other party’s legal representatives. This data sharing enables us to provide legal services to our clients and to manage the case. We will share personal information with law enforcement or other authorities if required by applicable law. We will not share personal information with any other party.
WHETHER INFORMATION HAS TO BE PROVIDED BY YOU, AND IF SO WHY
If clients do not provide the personal data that we ask for and that we need to enable us to carry out their instructions, it may delay or prevent us from providing legal services to them.
The provision of name and address and information on identity documents is required from clients to enable us to comply with our obligations under anti-money laundering legislation.
HOW LONG PERSONAL INFORMATION WILL BE KEPT
We will hold the information we hold for our anti-money laundering checks on our clients for five years from the end of our relationship with the client. We will hold all other personal information on clients for six years from the conclusion of their case. We hold the information visitors to our website give us for six months.
TRANSFER OF YOUR INFORMATION OUT OF THE EUROPEAN ECONOMIC AREA (EEA)
We will not routinely transfer personal data outside of the EEA or to any organisation governed by public international law or which is set up under any agreement between two or more countries. If we do propose to transfer personal data outside of the EEA, we will check that the data subject’s privacy rights are adequately protected by appropriate technical, organisational, contractual or other lawful means.
Under the GDPR data subjects have a number of important rights. Those include rights to:
fair processing of information and transparency over how we use your personal information;
access your personal information;
require us to correct any mistakes in your information;
require the erasure of personal information concerning you in certain situations;
receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations;
object at any time to processing of personal information concerning you for direct marketing;
object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you;
object in certain other situations to our continued processing of your personal information;
otherwise restrict our processing of your personal information in certain circumstances.
If you would like to exercise any of those rights, please:
Email, call or write to our DPO, Juliette Peters, at firstname.lastname@example.org or 020 3036 0058;
Let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill); and
Let us know the information to which your request relates.
KEEPING YOUR PERSONAL INFORMATION SECURE
We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify the data subject and any applicable regulator of a suspected data security breach where we are legally required to do so.
HOW TO COMPLAIN
We hope that our DPO, Juliette Peters, can resolve any query or concern raised about our use of personal information.
The General Data Protection Regulation also gives a right to lodge a complaint with a supervisory authority, in particular in the European Union (or EEA) state where you work, normally live or where any alleged infringement of data protection laws has occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns/ or telephone 0303 1231113.
CHANGES TO THIS PRIVACY NOTICE
This privacy notice was published on 24th September 2018.
We may change this privacy notice from time to time, and when we do we will update the copy on our website.