1.1 Enoch Evans LLP (also referred to in this document as “we”, “us” and “our”) respects your privacy and is committed to protecting your personal data. This privacy notice provides details of how we collect, use, share, process and look after your personal data and tells you about your privacy rights as well as how the law protects you.
1.2 We will in the course of providing and carrying out our services as a law firm collect, hold, use, share and otherwise process certain personal data. We will accordingly be a data controller in respect of that personal data.
1.3 It is important that the personal data we collect, use, store, transfer or otherwise process is accurate and current. You should therefore inform us as soon as possible if any changes occur to the information that we might hold.
1.4 We have appointed a Data Privacy Manager who is responsible for overseeing questions or issues that arise in connection with the matters covered by this privacy notice. If you have any questions about this privacy notice or if you wish to exercise any of your rights, please contact the Data Privacy Manager in the first instance in writing either by post to our address (Enoch Evans LLP, St Paul’s Chambers, 6-9 Hatherton Road, Walsall, West Midlands, WS1 1XS) or by email to the designated email address (DPM@enoch-evans.co.uk).
1.5 You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so if at all possible please contact us in the first instance.
1.7 We may update this privacy notice at any time and without notice. A copy of our current privacy notice will always be available via our website and a copy can be provided on request.
2.1 Personal data for the purposes of this privacy notice is defined by the relevant legislation and means any information about an individual from which that person can be identified. It does not include anonymous data namely data where the identity has been removed.
2.2 We may collect, use, store, transfer or otherwise process various different kinds of personal data from time to time including:
2.2.1 Identity Data for example names, titles, marital statuses, dates of birth, genders, passport details, driving licence details and national insurance details;
2.2.2 Contact Data for example postal addresses, email addresses and telephone numbers;
2.2.3 Financial Data for example bank account details and payment card details;
2.2.4 Transaction Data for example details about payments both received and made and details about the services which we have provided;
2.2.5 Technical Data for example internet protocol addresses and technical information relating to the means by which access has been gained to our website as well as information regarding the use of our website; and
2.2.6 Marketing and Communications Data for example details about preferences for receiving marketing from us and details of any communication preferences.
2.3 We may also collect, use, store, transfer or otherwise process the following more sensitive kinds of personal data (Sensitive Data) from time to time:
2.3.1 information about race or ethnicity, religious beliefs, sexual orientation and political opinions;
2.3.2 details of trade union membership;
2.3.3 information about health which may include details of medical conditions and copies of health and sickness records;
2.3.4 genetic information and/or biometric data; and
- How do we collect personal data?
3.1 We collect and/or obtain personal data directly from the individual to whom it relates either in connection with the provision of our services (whether to them or to a third party) or by some other means (eg in connection with an enquiry made about our services or a request made to us to provide information about our services or legal matters generally).
3.2 We also collect and/or obtain personal data from various third parties including:
3.2.1 clients to whom we are providing legal services;
3.2.2 professionals or other advisers who are involved in advising either our client or any other party in a matter on which we are providing advice or assistance to our client;
3.2.3 regulatory and legal authorities;
3.2.4 organisations with whom the individual concerned has had prior dealings and/or which are otherwise holding information about that individual; and
3.2.5 credit reference agencies, agencies providing identity verification services as well as publically available records and directories.
4.1 We process personal data, including personal data falling within the categories specifically identified in section 2 above, for a number of different purposes. This may entail some or all of the following:
4.1.1 providing services to our clients including advising them on or in connection with legal issues and problems; answering queries that arise; and providing such wider assistance as may be required in connection with legal issues and problems;
4.1.2 operating and running our business in an efficient and effective manner including maintaining appropriate records in connection with the work which we undertake; managing and operating our billing and debt collection processes; and dealing with other administration requirements that arise in connection with our business;
4.1.3 adhering to and complying with our legal and regulatory obligations including undertaking required “Know your Client” due diligence; carrying out sufficient and appropriate checks to avoid actual and potential conflicts of interest; taking steps to meet the requirements placed on us under anti-money laundering regulations; and taking such steps as are needed generally to meet the duties placed on us by the Law Society and the Solicitors Regulation Authority;
4.1.4 taking steps to market our services and to develop our business including sending out marketing literature; inviting individuals to and hosting marketing events; and producing and circulating legal updaters;
4.1.5 dealing with any claims that may arise against us and/or taking any action that we may need to take in order to protect our interests or those of our clients including dealing with any complaints that may arise; and
4.1.6 monitoring the use of our website.
4.2 We will only use personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use personal data for a purpose that is unrelated to the original purpose for which it was collected, we will provide notification of this fact and explain the legal basis which allows us to do so.
- What are the legal grounds on which we will process personal data?
5.1 We are only permitted to and will only collect, use, store, transfer or otherwise process personal data where the law allows us to do so.
5.2 We will rely on one or more of the following legal bases on each occasion where we process any personal data which is not Sensitive Data:
5.2.1 where we need to process the personal data to perform a contract that we are about to enter into or which we have entered into (regardless of whether that contract relates to the provisions of goods or services to or by us);
5.2.2 where the processing of the personal data is necessary for our legitimate interests (or those of a third party). We will only rely on this basis however where we have considered the potential impact (both positive and negative) that the proposed processing may have on the person to whom that personal data relates and have concluded that the interests and/or fundamental rights of that person do not override our legitimate interests;
5.2.3 where we need to process the personal data to comply with a legal obligation to which we are subject; and
5.2.4 where we have obtained consent for the proposed processing of the personal data from the person to whom that personal data relates.
5.3 We will rely on one or more of the following legal bases on each occasion where we process any personal data which is Sensitive Data:
5.3.1 where we have obtained explicit consent for the proposed processing of the personal data from the person to whom that Sensitive Data relates;
5.3.2 where the processing of the personal data is necessary for the establishment, exercise or defence of a legal claim being made by or otherwise involving the person to whom that Sensitive Data relates; and
5.3.3 where the processing of the personal data is necessary to protect the vital interests of the person to whom that Sensitive Data relates.
5.4 There may, accordingly, be more than one legal basis on which we rely for our processing of personal data and in particular we may process personal data without the knowledge or consent of the person to whom it relates, in compliance with the above statements, where this is required or is permitted by law.
- Who do we share personal data with?
6.1 We seek to restrict the circumstances and times when we need to share personal data with third parties but nevertheless there are occasions on which we need to do this in order to provide our services and operate our business.
6.2 We may, in particular, share personal data with the following third parties:
6.2.1 service providers who we engage, contract with or otherwise instruct to carry out services on our behalf including IT service providers; providers of digital dictation, transcription and document production services; archive and storage providers (including cloud based providers of data back-ups and data storage facilities); providers of credit and identity check services; and providers of virtual data room services;
6.2.2 professional advisers who are engaged in connection with services that we are providing for our clients whether they are acting for our client or for another party;
6.2.3 our accountants, auditors, bankers, insurers, solicitors and other professional advisers;
6.2.4 HM Revenue & Customs, regulatory authorities, government agencies, law enforcement agencies and other authorities to whom we are or may be required to provide information or otherwise report;
6.2.5 parties to whom we may wish to sell, transfer or merge parts of our business or our assets or from whom we are seeking to acquire other businesses or assets or with whom we are proposing to merge; and
6.2.6 persons to whom we have been instructed to disclose the personal data by the person on whose behalf we are holding the same.
6.3 We require all third parties with whom we share personal data to respect the security of that personal data and to treat it in accordance with the law. We do not allow any third party who is providing a service to us to use any personal data that we share with them for their own purposes and only permit them to process the personal data for specified purposes and in accordance with our instructions.
6.4 We do not transfer personal data outside the European Economic Area (EEA).
7.1 We have in place what we consider to be appropriate technical and operational security measures to prevent personal data from being accidentally lost; used or accessed in an unauthorised way; altered; or disclosed.
7.2 We also endeavour to limit access to personal data to those employees, agents, contractors and other third parties who have a business need to know the same and have also provided training to our employees focusing in particular on their duty of confidentiality.
7.3 We have procedures in place to deal with any suspected personal data breaches and will notify affected parties as well as the applicable regulator if a breach arises where we are legally required to do so.
8.1 We will retain personal data in accordance with our retention policies; our terms of business; and our legal, regulatory, tax, accounting or reporting requirements.
8.2 We consider a number of factors when determining the period for which personal data should be held including:
8.2.1 the amount, nature and sensitivity of the personal data;
8.2.2 the potential risk of harm from unauthorised use or disclosure of the personal data;
8.2.3 the purposes for which we process or have processed the personal data;
8.2.4 the period within which someone could bring a claim against us; and
8.2.5 any applicable legal, regulatory, tax, accounting or other requirements.
9.1 Under certain circumstances, the person to whom personal data relates will have rights under data protection laws in relation to that personal data. These include the right to:
9.1.1 request access to the personal data which we process (commonly known as a “data subject access request”) but bear in mind that there may be circumstances where a competing legal obligation or duty may prevent us from complying with such a request;
9.1.2 request the correction of personal data that we hold but bear in mind that we may need to verify the accuracy of any changes that are requested;
9.1.3 request erasure of personal data where there is no good reason for us to continue to process the same or where the right to object to processing (see below) has been successfully implemented but bear in mind that there may be specific legal reasons which prevent us from complying with such a request;
9.1.4 object to processing the personal data in circumstances where we are relying on a legitimate interest (or those of a third party) but bear in mind that we may be able to demonstrate that we have compelling legitimate grounds to continue to process the personal data;
9.1.5 object to processing the personal data for direct marketing purposes;
9.1.6 request restriction of processing of the personal data in certain limited situations;
9.1.7 request the transfer of personal data to the person to whom it relates or to a third party in a structured, commonly used, machine-readable format; and
9.1.8 withdraw consent at any time where we are relying on consent as the legal basis for the processing of the personal data but bear in mind that the withdrawal of consent will not affect the lawfulness of any processing carried out before such withdrawal and that it may prevent us from being able to provide our services.
9.2 A fee is not generally payable to access personal data (or to exercise any of the other rights in connection with the same) but we may charge a reasonable fee or may refuse to comply with a request if a request is clearly unfounded; is repetitive; or is excessive. We could also refuse to comply with your request in those circumstances.
9.3 We will try to respond to all legitimate requests within one month of receipt but this may not be possible if a request is particularly complex or if a number of requests have been made in either case, we will provide notifications and updates as relevant and appropriate.
Dated: 6th June 2018
Enoch Evans LLP
St Paul’s Chambers
6-9 Hatherton Road