The European General Data Protection Regulations (GDPR) came into force on 25 May 2018 in order to give us more control over our personal data by unifying data regulations for businesses across the European Union (EU).
It applies to businesses that regularly monitor or process personal information of EU citizens. Saracens Solicitors already complies with the Data Protection Act 1998 and the SRA rules on confidentiality.
Saracens Solicitors is a Data Controller of Personal Data.
Personal Data is any information that relates to an identifiable individual including any data by which an individual can be identified.
This includes the individual’s name, personal details, economic, financial or social data, emails, IP or social media addresses.
What Personal Data do we collect and hold?
We collect and hold personal data that relates to you and identifies you directly or indirectly by reference to other information we hold about you.
The data that we collect and the method of collection is dependent on what you have asked us to do or how you interact with us.
This data includes:
- Contact and identity information such as name, date of birth, gender, postal address, email address, telephone number, social media address, job title, employer’s details.
- Financial information including bank details, statements, payment card details, billing address and payment information.
- Logistical information provided for the purposes of attending events and meetings or information collected when you access our website.
- Marketing and communication preferences, identification and background information collected as part of our business engagement process.
- Personal information or any other information given by you to us or on your behalf or by third parties.
- Information created in the course of the legal work that we do for you.
How do we collect data?
We collect the personal data specified above via different methods:
Public Information: We collect data from public registers of individuals, companies, charities, professional bodies & other publicly available sources.
Electronically: We collect your data from any interaction you have with our website, other social media platforms or by emails sent to and from us. Our website uses Google Analytics to place cookies onto your device but the information collected is anonymous and you can remove your consent for these cookies on the website itself.
Further details about cookies are available on our website.
Directly from you or third parties: We collect information about you from you or from third parties in person at our offices or over the telephone or internet to enable us to undertake legal work for you. This may include personal data necessary for us to carry out our ‘know your client’ or ‘anti money laundering’ processes or other background checks & information provided during the recruitment process.
Marketing material: We collect information when you interact with us in person or with our marketing material online or provide us with business cards or contact details at our offices, online, over the phone or at meetings, seminars or promotional events.
How do we use Personal Data?
We process data for a variety of reasons:
Legal Obligations: To fulfil legal, regulatory and professional obligations we are subject to. This includes conflict and anti-money laundering checks.
Performing a service for you: In order to fulfil your instructions to the firm as part of the legal service that we provide to you.
Improvements: To monitor and audit how you interact with our online platforms and marketing material in order to improve and secure them.
Promotion: To promote our services and to keep you informed of any upcoming events, changes in law, information about the firm or its activities. Also, in order to contact you about other services that may be of interest to you or that you have requested.
Complaints: To use in the investigation and processing of any complaints that you may make including any proceedings that arise out of that complaint.
We do not sell any of your information to third parties. Neither do we share your personal data with any third parties for marketing purposes.
We only disclose enough information as is necessary for us to fulfil your instructions to us.
Our Legal Bases for Collecting Personal Data:
We only process Personal Data in order to:
- Comply with our own legal & regulatory obligations.
- Perform our obligations to you under our terms of business/contract with you.
- Act in line with our legitimate interests, as follows:
  - To communicate with you, verify your identity, source of funds and other background checks.
  - For legitimate business purposes including providing client services, including but not limited to exchanging information on immigration, family law, property, commercial and corporate matters, litigating on your behalf, preparing documents, keeping financial records, instructing 3rd parties on your behalf, obtaining insurance policies on your behalf, giving you access to our website and working on your matter.
  - To manage, accept and recover monies owed to us and by us.
  - To respond to any complaint or allegation of negligence.
  - To deliver visitor services to you.
- Act in line with any consent to process personal data that you give to us.
For suppliers of goods and services only:
We process personal data in order to check if we can take you on as a supplier of goods or services to the firm. This includes your identity data and any other data we gather about you through performing background and identity checks on you.
We also process your data to manage, accept and recover monies owed to us and by us.
We process your personal data by way of background checks where we give you access to our internal systems or confidential information.
How long do we retain your Personal Data for?
As a Data Controller we will retain your personal data in accordance with our data retention policy and only for as long as necessary to fulfil the purpose that we collated it for.
The personal data on these files is retained for the following periods:
- Trusts – These files will be retained for the duration of the Trust
- Wills – The original Will may be retained indefinitely.
- Probate – Where there is a surviving spouse / civil partner this may be retained for as long as the survivor is alive.
- Unregistered property deeds may be retained indefinitely
- Personal injury – Files that involve lifetime awards or Personal Injury trusts may be kept indefinitely
- All other legal work – These files will be retained for 7 years, 15 years or indefinitely depending on the type of matter.
Who do we share your personal data with?
We insist that any party to which we disclose personal data must comply with all applicable regulations to protect that data, including GDPR.
We will only share your data with:
- Regulators (including the Solicitors’ Regulation Authority and The Law Society), law enforcement bodies, Tribunals, Her Majesty’s Court Services, Barristers & Chambers, auditors & government bodies as and when required by law or regulation or by the nature of your instruction.
- Support services providers such as interpreters, transcribers, legal software suppliers or confidential waste disposal experts, all of whom are subject to GDPR.
- IT Providers
- Bodies who we interact with in the execution of your instructions in order to complete your legal work.
- Parties we interact with in order to provide you visitor services at our offices or at any marketing or networking event that you attend.
- In the event we transfer your personal data to a jurisdiction outside of the EU, we will ensure that this is done only with entities with which we have an agreement for them to securely protect that data in accordance with GDPR or to those countries who have been approved by the European Commission as providing adequate security and protection for that data.
How do we protect your personal data?
Your personal data is protected at our offices at 138-142 Strand, London WC2R 1HH. The offices operate in a modern, alarmed premises equipped with card reader access, receptionists, automated door locking systems, entry systems which only permit access with cards verifying your identity and CCTV.
Visitors to our offices cannot enter without invitation or purpose. All visitors are accompanied from the front reception to our (key card protected) office premises by a receptionist via a lift for which access is also protected by card readers. Saracens offices also operate our own internal CCTV systems.
Paper and confidential waste is disposed of by Restore Datashred, company number 9969408, a confidential disposal and shredding company who comply with GDPR.
Mobile devices such as iPads are kept secure in locked offices during the day and removed only for use. They are returned to those locked offices at the end of every working day where they remain secure overnight.
Saracens use various methods to protect your personal data.
We use a legal software management system to store your personal data. This software, known as LEAP, carries ISO27001 certification, which means it is equivalent to ISO/IEC 27001:2013.
Your personal data is stored with Microsoft, which carries ISO27001 certification, which means it is equivalent to ISO/IEC 27001:2013 and ISO 27018.
We use Google Analytics to process your personal data. Google adheres to ISO27001, ISO 27017 and ISO 27018.
We utilise a CRM system called Podio which complies with the EU-US and Swiss-US Privacy Shield.
What are your rights?
You have rights under GDPR and other data protection laws and regulations.
If you object to us processing your personal data, we will respect your wishes in accordance with all applicable regulations and laws. You may make any request of Saracens in line with your rights and we will not charge you a fee to exercise your rights.
If you have given your consent for the processing of personal data, we will provide you with marketing information in accordance with that consent. If you wish to withdraw that consent at any time, please inform us and we will comply with our obligations under the law. Please be aware that the withdrawal of consent may affect our ability to complete any work that we do for you.
GDPR provides you with the following rights:
- The right to be informed – You have the right to be informed as to how we use and process your personal data in clear intelligible language.
- The right of access – You have the right to access the personal data that we hold for you by making a subject access request to Saracens. We will respond to this request within a one-month time period.
- The right to rectification – You have the right to have any inaccurate data corrected or completed if it is incomplete. If you make this request, we will respond to this request within a one-month time period.
- The right to erasure – You have the right to have your personal data erased in line with “your right to be forgotten”. If you make this request, we will respond to that request within a one-month period. Please note that this right only applies in certain circumstances so please contact the Data Protection Officer at Saracens for more information or email us on firstname.lastname@example.org
- The right to restrict processing – You have the right to request that we restrict the personal data we hold for you so that we can store it but not use it. If you make this request, we will respond to that request within a one-month period. Please note that this right only applies in certain circumstances so please contact the Data Protection Officer at Saracens for more information or email us on email@example.com
- The right to data portability – You have the right to move, copy or transfer your personal data from one IT environment or data controller to another in a safe and secure way.
- The right to object – You have the right to object to Saracens processing your personal data. In the case of direct marketing, you have the absolute right to stop your data being used but in other cases, we may continue to process data if there is a compelling reason for us to do so. If you make this request, we will respond to that request within a one-month period. Please note that this right only applies in certain circumstances so please contact the Data Protection Officer at Saracens for more information or email us on firstname.lastname@example.org.
- Rights in relation to automated decision making and profiling – We do not use automated decision making and profiling tools to monitor you. If this situation changes in the future, we will inform you in writing and obtain your consent and advise you of your rights at that juncture.
Who controls your data at Saracens?
Your data is controlled by the Data Protection Officer (DPO) at Saracens.
The Data Protection Officer is Mr Nishtar Saleem.
He can be reached at Saracens offices located at Strand Bridge House, 138-142 Strand, London WC2R 1HH.
You can email the DPO at email@example.com for any information in relation to your personal data.