Privacy notice: clients
Summary
- We keep to a minimum the information we hold about you
- We use your data to provide our services to you, meet our legal obligations, and improve our website
- We delete your data when it is no longer needed for these things
- Generally, we do not give your information to third parties, but there are some exceptions
- You have lots of privacy rights
- We take security seriously
- We record calls
- We are happy to answer your questions about any of this
This page was last updated on 22nd Feburary 2021, to change references to the EEA to the UK
📄 What data we hold
As our client, we will hold the following information about you:
- Your name, identity and contact information
- Information about your business activities
- Information and documents about your matters or enquiries, including communications with you *Billing and payment information
We also generate log files from various servers: this will include an IP address assigned to you or, more likely, to someone who provides you with Internet access. All our client-facing platforms are accessible via Tor, and you can access this site within Tor. If you do not want us to see your actual IP address, feel free to visit us via Tor.
Using your information
References to the basis of processing (e.g. "(Basis: Art. 6(1)(f).)") are a reference to the article of the General Data Protection Regulation under which we undertake the processing in question.
Giving you legal advice
We use the information we hold about you and your business — both personal and otherwise — to give you the best legal advice and service we can.
For example, we will add your contact details to our internal address book and, if you have one, add your GPG/PGP public key to our keychains.
We also use your information to bill you, and keep track of payments that you make.
(Basis: Art. 6(1)(b): this is necessary to deliver the service to you.)
ID checks
We will have done an ID check on you before you become a client. If you do not instruct us for a while, we may need to do another ID check. We will do what we can to make this as painless as possible. If you would prefer not to provide these information, we will not be able to act for you.
We retain identity verification information for as long as you are our client, and then five years.
(Basis: Art. 6(1)(c): we have to do this processing to comply with legal and regulatory obligations.)
Sources of money
We may need to ask questions about the source of your money, to discharge our regulatory obligations relating to proceeds of crime and terrorist funding. If you would prefer not to provide these information, we will not be able to act for you.
(Basis: Art. 6(1)(c): we have to do this processing to comply with legal and regulatory obligations.)
Fulfil our legal and regulatory obligations
As solicitors in a regulated law firm, we have a whole host of professional regulatory obligations. If we have to process personal data to fulfil them — for example, if our regulator, the Solicitors Regulation Authority, demanded information — we will do so.
(Basis: Art. 6(1)(c): we have to do this processing to comply with legal and regulatory obligations.)
Technical data
We may use the logs from our servers to assist in our firm's security, as well as to determine visitor behaviour and help us plan our strategy (e.g. such as working out which pages on the site are most popular, or whether particular events have caused an increase in traffic).
(Basis: Art. 6(1)(c): we have legal and regulatory obligations to protect our clients and their information. Art. 6(1)(f): strategy planning is a legitimate, indeed sensible, thing for a business to do.)
Your data and the UK
We do not transfer or process data outside the UK unless we have your specific consent or where the nature of the processing requires it (for example, where we are emailing a party to your matter who is based outside the UK, or because you have chosen to use an email or other communications service which routes data outside the UK).
Occasionally, to provide a high quality of service, we may work on your matters when we are outside the UK (for example, when on business or even if we are on holiday) — if this might be a problem for you, please let us know, and we can discuss.
Your rights
You have lots of rights in respect of our processing of your personal data. The relevant rights are:
- get access to your personal data and information about our processing of it
- in some circumstances, restrict our processing of your data for strategy planning purposes, and compel us to erase the bits we do not use for security purposes object to our processing for strategy planning purposes
If you want to exercise any of these rights, please just contact us.
You also have the right to lodge a complaint about our processing with a supervisory authority — you probably want the UK's Information Commissioner's Office.
Third parties
As a general principle, we will not transfer your personal data to third parties without your permission.
There are three exceptions to this:
- If you do not pay your bills, we may choose to engage a third party to recover any money you owe us. We've never done this, but we want to keep this option open to us.
- It is possible, though unlikely, that we might be forced to disclose your information in response to a court order or other binding mandate.
- As solicitors, we have professional duties, including to to co-operate with our regulator, the Solicitors Regulation Authority, as well as to report suspicious transactions or money laundering. We may not even be able to tell you of our suspicions if, in doing so, we would be committing the offence of tipping off. We will still try to minimise any sharing of your personal data.
We also have a small number of companies providing services to us. We use telephony services, which would get to see your phone number if we call you, and a broadband supplier which could see your email address if your own email server does not support opportunistic TLS (but not the content of what you send us, if you encrypt it). We also use an external accountancy service but, unless you are a sole trader or a partnership, they are unlikely to see any personal data relating to you.
🎤 Call recording
We record our calls, as we find that it can be useful to listen again to conversations, particularly the more technical ones, to help understand what we have been told. By being able to do this automatically, we save you having to repeat yourself. That way, we can hopefully ask more relevant and useful questions.
Calls are recorded and stored on our own systems.
We delete each recording as soon as we have decided that we will no longer need to listen to it again. In most cases, this is immediately after the call takes place.
Occasionally — for example, a call with an insurance provider, or with a party who is not a client — we may retain a recording, as evidence that a particular conversation took place, or of what was said.
If we have a phone call relating to a client's matter where the client is not present, we may share the call recording with that client by their preferred communications mechanism (which may include unencrypted email).
Here's our legitimate interests assessment for our call recording.
Retention periods
Data about clients: duration of your relationship with us, then seven years
Client ID verification: duration of your relationship with us, then five years
Data about specific matters: duration of the matter, then seven years
Server logs: up to one year