English | 日本語
THIS IS THE DESKTOP VERSION OF THE PRIVACY POLICY.
IF EDITING, YOU ALSO NEED TO EDIT THE MOBILE VERSION AT THE BOTTOM OF THE PAGE!
PRIVACY POLICY
At Lewis Mathys Emmerson LLP, we are committed to protecting the data and privacy of our clients and individuals whom we work with.
This privacy policy explains how and why Lewis Mathys Emmerson LLP uses personal data and what we do to ensure that your information is kept safe and secure in accordance with applicable data protection and privacy laws including the UK Data Protection Act 2018, the UK GDPR (being the EU General Data Protection Regulation 2016/679 in the form retained in UK law after Brexit) and any other applicable data protection and privacy laws (Data Protection Laws).
This privacy policy covers the personal data of individual clients and suppliers, corporate representatives, job applicants, website users and other individuals whose personal data we collect and process in connection with our work.
CONTENTS
- About Lewis Mathys Emmerson LLP
- How we collect and process personal data:
– Client matters
– Business and professional contacts
– Recruitment
– CCTV - Client due diligence and identity checks
- Website visitors
- Recipients of personal data
- How long we store personal data for
- How we keep personal data safe
- International transfers
- Your rights as a data subject
- Updates to this policy
ABOUT LEWIS MATHYS EMMERSON LLP
We are Lewis Mathys Emmerson LLP (we, us or our), a law firm authorised and regulated by the Solicitors Regulation Authority (no. 623705). We are a limited liability partnership with registered number OC400109, having our registered office and main place of business at Lewis Mathys Emmerson LLP, One Pancras Square, London N1C 4AG.
You can contact us by writing to us at our office address, telephoning us on 020 7993 2161 or emailing [email protected]
We are regulated as a controller under Data Protection Laws in relation to the personal data (meaning information which relates to an identified or identifiable individual) we collect and process in connection with our work. This means that we are responsible for deciding how and why we use personal data and for keeping it safe. We are registered as a data controller with the Information Commissioner’s Office (ICO) under registration number ZA190067.
HOW WE COLLECT AND PROCESS PERSONAL DATA
CLIENT MATTERS
HOW WE COLLECT PERSONAL DATA
We collect and process personal data relating to our clients and other individuals involved with matters that we advise on. This will include representatives, employees and officers of corporate clients, counter-parties and other professional advisers. This information is typically:
- provided to us by our clients;
- collected during the course of providing legal services (such as through email correspondence and exchanging business cards);
- provided to us by third parties (such as other law firms and advisers involved with a matter); or
- obtained from external sources (such as Companies House or HM Land Registry).
THE TYPES OF PERSONAL DATA WE COLLECT
The categories of personal data we collect will vary, depending on the matter in question, but may include some or all of the following:
- contact information (such as name, address, telephone and email address);
- bank details (provided by a client or supplier, or which are collected when we receive a payment);
- if we hold money for a client (for example, in connection with a corporate or property transaction), we are legally required to collect and hold additional information (such as passport information, driving licence and bank statements or utility bills) to verify that client’s identity; and
- photographs, images, video and voice recordings (for example, in connection with client web meetings and conference calls).
We may process other types of personal data and, occasionally, this can include special category ‘sensitive’ personal data, such as information relating to someone’s health, racial or ethnic origin, religious or philosophical beliefs, sexuality, political opinions or trade union membership. This may be the case, for example, if we advise an employer on an unfair dismissal claim. Of course, the types of personal data we collect and process will depend on the nature of the matter in question, and any information we process will be protected to the high standards explained in this policy.
In some situations we will be required to carry out addition identity checks and due diligence on clients. For further information, please see section 3 below.
OUR LAWFUL BASIS AND PURPOSES FOR PROCESSING PERSONAL DATA
We use personal data because we need to for one or more of the following reasons:
- to enter into a contract with, or perform a contractual obligation (i.e. provide legal services) owed to, the individual to whom that personal data relates;
- to comply with our legal obligations (including professional obligations imposed by the Solicitors Regulation Authority);
- to pursue our legitimate interests in operating and promoting the success of our firm, or to pursue the interests of our clients in receiving legal advice; or
- to conduct business remotely using video conference and conference call services.
If you do not provide the personal data which we need in order to enter into or to perform a contract with you, then we may not be able to contract with you or to provide the legal services which you have requested.
In limited circumstances, we may use personal data on the basis of your consent. If so, we will always clearly ask for your specific and informed agreement to this. You are, of course, free to refuse and we will inform you as to what (if any) consequences your refusal might have.
BUSINESS AND PROFESSIONAL CONTACTS
HOW WE COLLECT PERSONAL DATA
We process personal data about individual business and professional contacts. These people include individual (or representatives from corporate) intermediaries, service providers, other lawyers, organisations that have attended our events, and potential clients.
THE TYPES OF PERSONAL DATA WE COLLECT
The types of personal data we hold about these individuals typically relate to that person’s profession and consist of basic personal details and contact information, such as position title, name, work email, address, telephone and the person’s employer. Depending on the circumstances, and the nature of our relationship with the people involved, we may use this information to:
- fulfil our contractual obligations or exercise contractual rights;
- communicate with other organisations, professional advisers or intermediaries (for example, in relation to a matter we are advising on); or
- send marketing communications or legal updates (usually by email).
OUR LAWFUL BASIS AND PURPOSES FOR PROCESSING PERSONAL DATA
We typically use this personal data because it is in our legitimate interests to provide and promote our services and to build business relationships.
If you receive news or marketing communications from us, it is because we think you might be interested in our firm or its services (usually on the basis of previous dealings with you or a recommendation from a third party).
You can unsubscribe from marketing at any time by clicking the “unsubscribe” link on any of our emails, or by emailing [email protected] with the subject line “unsubscribe.”
RECRUITMENT
HOW WE COLLECT PERSONAL DATA
We collect, store and use personal data about individuals who apply to join us.
THE TYPES OF PERSONAL DATA WE COLLECT
The information we collect about applicants may include information:
- you provide to us (such as in CVs, application forms, and through correspondence);
- you provide during an interview;
- obtained from previous employers and referees;
- provided to us by recruitment agencies; and
- received as a result of our carrying out background checks (such as checks for criminal convictions with the Disclosure and Barring Service).
The information we collect might include sensitive personal data, such as information about your health and sickness records.
If you apply for a position with us, we may carry out a check for criminal convictions in order to satisfy ourselves that there is nothing in your history which makes you unsuitable for the role. We do this because working with us involves a high degree of trust (as you may be dealing with client monies and will have access to confidential information). We are also legally required by the Solicitors Regulation Authority to carry out criminal record checks for certain roles within our firm.
We only carry out criminal records checks and ask for references at the last stage of the application process (when making an offer of employment) and always act in accordance with the specific requirements of Data Protection Laws and other applicable national laws when doing so.
OUR LAWFUL BASIS AND PURPOSES FOR PROCESSING PERSONAL DATA
We use the personal data we collect about you to:
- assess your skills, qualifications, and suitability for a role;
- carry out background and reference checks;
- communicate with you about your application;
- keep records related to our hiring process; and
- comply with legal or regulatory requirements.
We do all of this because either it is a necessary part of entering into a contract of employment with you or because we have a legitimate interest in ensuring that you are suitable for a particular role.
If you fail to provide personal data when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully.
If we need to process sensitive personal data about a job applicant, for example disability information in order to consider whether we need to provide appropriate adjustments during the recruitment process, we will ask for explicit consent to do this at the time at which we request the personal data or ensure that we satisfy another condition under Data Protection Laws for lawfully processing such personal data.
RETENTION OF APPLICANT INFORMATION
We normally retain personal data about unsuccessful candidates for no more than 6 months from the time we inform them of our hiring decision. We retain personal data for this period so that we can demonstrate, in the event of a legal claim, we have not discriminated against an applicant and that the recruitment process was fair and transparent. After this period, we will securely destroy the applicant’s personal data. If we wish to retain personal data on file, in case future opportunities arise, we will contact the applicant and ask for his or her consent to do so.
If you are successful, the personal data you provided in the application process will be stored as part of your personnel file.
CCTV
Any CCTV used in our London office is operated by the building landlord and not by us. We do not have access to CCTV footage and are not a controller in respect of any personal data included on such footage. CCTV inquiries should be directed to The Office Group Properties Limited at The Smiths Building, 179 Great Portland Street, London, W1W 5PL.
CLIENT DUE DILIGENCE AND IDENTITY CHECKS
In some situations we are required by law and by our professional regulatory obligations to take additional steps to verify the identity of clients (and, in the case of companies and legal entities, their owners). These additional steps, which typically involve due diligence and identification checks, are required to in order to combat money laundering and other illegal activity, and are mandatory where we are handling client money or advising on certain regulated matters.
In these cases we will carry out additional checks which may include some or all of the following:
- Asking for copies of identity documents such as passports, driving licence, bank statements or utility bills.
- Carrying out video interviews which are then stored for our records.
- Electronic searches, including electronic passport verification, checking name and address against records held by credit reference agencies and the electoral roll.
- Checking names and documents against international sanctions lists, stolen passport registers and other UK and global databases of individuals we are prohibited from dealing with.
- Searches for public information about individuals, including internet searches and searches with Companies House.
This information is processed because it is necessary for us to process in order to comply with a legal obligation (relating to the carrying out of mandatory identity checks and client due diligence). We will store this information securely for the duration of the matter and for a period of six years after its conclusion.
WEBSITE VISITORS
We do not collect personal data about visitors to our website unless they choose to provide such information when contacting us.
Our website may contain hyperlinks to third-party websites. We are not responsible for the content or functionality of any of those external websites. If an external website requests personal data from you, the information you provide will not be covered by this policy. We suggest you read the privacy policy of any website before providing any personal data.
RECIPIENTS OF PERSONAL DATA
Personal data you provide to us will be kept private and confidential in accordance with our obligations under Data Protection Laws and our professional obligations of confidentiality. We will only disclose or share personal data with other data controllers where this is required:
- in connection with our business of providing legal services and where it is in the legitimate interests of ourselves or related third parties to do so. For example, we may share your contact details with the parties to an actual or potential transaction that you and we are jointly involved in, or with other law firms and professional advisors advising in connection with that transaction;
- by law, such as where we are required to comply with a court order, to report suspected money laundering, or to share personal data with regulatory authorities (including the Solicitors Regulation Authority) in the event of an audit or investigation;
- where we have satisfied ourselves that we have another lawful basis for sharing your personal data; or
- in connection with a business reorganisation, merger, acquisition or other corporate transaction, in order to allow the parties to evaluate the transaction and to ensure that our clients continue to receive legal services without interruption.
We also share personal data with some of the third parties who provide services to our firm. This includes software providers, cloud service providers and IT support services. However, these third parties will only process personal data (which may include your information) on our behalf for specified purposes and in accordance with our (or our service provider’s) strict instructions.
We only use third party service providers who have provided sufficient guarantees, as required by Data Protection Laws, that your personal data will be kept safe. We always ensure there is a written contract in place which protects your personal data and prevents it from being used for any purpose other than providing services to our firm, in accordance with Data Protection Laws.
HOW LONG WE STORE PERSONAL DATA FOR
We only retain personal data for as long as is necessary for the specific purposes it was collected for (or for related compatible purposes such as complying with applicable legal, accounting, or record-keeping requirements). For example, the Solicitors Account Rules require us to retain records of transactions involving client monies for a period of at least 6 years.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from its unauthorised use or disclosure, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In the event we process personal data in connection with a client matter, we will normally process that personal data for the duration of the matter. Once we are satisfied that the matter is complete, we will close the file and delete or destroy personal data which is no longer required (such as hard copies of documents which have been digitally archived). Any personal data we retain will be stored securely and only accessed if necessary in order for us to establish, exercise or defend against a legal claim or if another overriding legitimate ground arises (such as having to disclose information as part of an audit by our regulator).
HOW WE KEEP PERSONAL DATA SAFE
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, damaged or destroyed, altered or disclosed.
Our security includes physical security measures (such as keeping paper files in secure, access-controlled premises), electronic security technology (such as encrypted digital back-ups, multi-factor authentication and sophisticated anti-virus protection) and organisational measures (such as internal training, policies and procedures relating to information security, data breaches and disaster recovery).
We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to legal and contractual confidentiality obligations.
We have put in place reporting procedures to deal with any suspected personal data breach and will notify you and any applicable supervisory authority of a breach when we are legally required to do so.
INTERNATIONAL TRANSFERS
We normally only store personal data within the UK or European Economic Area (EEA). However, some of the technology and support services we use are provided by international organisations and/or companies which are based in other countries. Before using such service providers, we take steps to make sure that any personal data they process is adequately protected and transferred in accordance with Data Protection Laws, usually by one or more of the following methods:
- ensuring the recipient is in a country which has been approved in accordance with Data Protection Laws as providing adequate protection for personal data;
- (if the recipient is based in the United States) ensuring the recipient is indicated on the Data Privacy Framework List as participating in the UK Extension to the EU-US Data Privacy Framework (EU-US DPF) and the transfer will be subject to the EU-US DPF Principles upon receipt by the recipient;
- implementing appropriate safeguards such as requiring the recipient to enter into standard data protection clauses approved in accordance with Data Protection Laws; or
- Data Protection Laws otherwise permit use to make the transfer.
If you would like more detailed information on the measures and safeguards which we implement for such data transfers, then please contact us using the details set out in section 1 above.
YOUR RIGHTS AS A DATA SUBJECT
Data Protection Laws provide you with certain rights in relation to your personal data. These are as follows:
- The right to access your personal data. This gives you the right to receive a copy of the personal data we hold about you subject to certain exemptions.
- The right to request correction or completion of personal data. This gives you the right to have any incomplete or inaccurate personal data corrected.
- The right to request erasure of your personal data. This allows you to request us to delete or remove personal data. You also have the right to request us to delete or remove your personal data where you have exercised your right to object to processing (see below). In certain circumstances this right may not apply, such as where we have a good, lawful reason to continue using the information in question and, if so, we shall inform you of such reasons at the relevant time.
- The right to object to processing of your personal data. You can object to us processing your personal data for legitimate interests purposes or for direct marketing. We must then stop processing your data unless we have a strong reason to continue which overrides your objection. If your objection is to direct marketing, we must always stop.
- The right to restrict how your personal data is used. You can limit how we use your personal data in certain circumstances. Where this applies, any processing of your personal data (other than storing it) will only be lawful with your consent or where required for legal claims, protecting certain rights or important public interest reasons.
- The right to have a portable copy or transfer your personal data. You can request that we provide you, or (where technically feasible) a third party, with a copy of your personal data in a structured, commonly used, machine-readable format. Note this only applies to personal data which we obtain from you and, using automated means, process on the basis of your consent or in order to perform a contract.
- The right to withdraw consent. If we are relying on consent to process your personal data then you have the right to withdraw that consent at any time.
RESPONDING
We try to respond to all personal data requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. Please also bear in mind that there are exceptions to the rights above and some situations where they do not apply.
We may need to request additional information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you to clarify your request.
FEES FOR MAKING A REQUEST
You will not normally have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is manifestly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
HOW TO MAKE A REQUEST
If you want to exercise any of the rights described above, please email [email protected] or write to Data Protection Requests, Lewis Mathys Emmerson LLP, One Pancras Square, London, England, N1C 4AG.
YOUR RIGHT TO COMPLAIN TO A SUPERVISORY AUTHORITY
You have the right to complain to the Information Commissioner’s Office if you are not satisfied with our response to a data protection request or if you think your personal data has been mishandled. For further information on how to make a complaint, please visit https://ico.org.uk.
UPDATES TO THIS POLICY
We will update this policy from time to time. The current version will always be posted on our website. This policy was last updated on 4th October 2023.
THIS IS THE MOBILE VERSION OF THE PRIVACY POLICY.
PRIVACY POLICY
At Lewis Mathys Emmerson LLP, we are committed to protecting the data and privacy of our clients and individuals whom we work with.
This privacy policy explains how and why Lewis Mathys Emmerson LLP uses personal data and what we do to ensure that your information is kept safe and secure in accordance with applicable data protection and privacy laws including the UK Data Protection Act 2018, the UK GDPR (being the EU General Data Protection Regulation 2016/679 in the form retained in UK law after Brexit) and any other applicable data protection and privacy laws (Data Protection Laws).
This privacy policy covers the personal data of individual clients and suppliers, corporate representatives, job applicants, website users and other individuals whose personal data we collect and process in connection with our work.
CONTENTS
- About Lewis Mathys Emmerson LLP
- How we collect and process personal data:
– Client matters
– Business and professional contacts
– Recruitment
– CCTV - Website visitors
- Recipients of personal data
- How long we store personal data for
- How we keep personal data safe
- International transfers
- Your rights as a data subject
- Updates to this policy
ABOUT LEWIS MATHYS EMMERSON LLP
We are Lewis Mathys Emmerson LLP (we, us or our), a law firm authorised and regulated by the Solicitors Regulation Authority (no. 623705). We are a limited liability partnership with registered number OC400109, having our registered office and main place of business at One Pancras Square, London N1C 4AG.
You can contact us by writing to us at our office address, telephoning us on 020 7993 2161 or emailing [email protected]
We are regulated as a controller under Data Protection Laws in relation to the personal data (meaning information which relates to an identified or identifiable individual) we collect and process in connection with our work. This means that we are responsible for deciding how and why we use personal data and for keeping it safe. We are registered as a data controller with the Information Commissioner’s Office (ICO) under registration number ZA190067.
HOW WE COLLECT AND PROCESS PERSONAL DATA
CLIENT MATTERS
HOW WE COLLECT PERSONAL DATA
We collect and process personal data relating to our clients and other individuals involved with matters that we advise on. This will include representatives, employees and officers of corporate clients, counter-parties and other professional advisers. This information is typically:
-
- provided to us by our clients;
- collected during the course of providing legal services (such as through email correspondence and exchanging business cards);
- provided to us by third parties (such as other law firms and advisers involved with a matter); or
- obtained from external sources (such as Companies House or HM Land Registry).
THE TYPES OF PERSONAL DATA WE COLLECT
The categories of personal data we collect will vary, depending on the matter in question, but may include some or all of the following:
-
- contact information (such as name, address, telephone and email address);
- bank details (provided by a client or supplier, or which are collected when we receive a payment);
- if we hold money for a client (for example, in connection with a corporate or property transaction), we are legally required to collect and hold additional information (such as passport information, driving licence and bank statements or utility bills) to verify that client’s identity; and
- photographs, images, video and voice recordings (for example, in connection with client web meetings and conference calls).
We may process other types of personal data and, occasionally, this can include special category ‘sensitive’ personal data, such as information relating to someone’s health, racial or ethnic origin, religious or philosophical beliefs, sexuality, political opinions or trade union membership. This may be the case, for example, if we advise an employer on an unfair dismissal claim. Of course, the types of personal data we collect and process will depend on the nature of the matter in question, and any information we process will be protected to the high standards explained in this policy.
OUR LAWFUL BASIS AND PURPOSES FOR PROCESSING PERSONAL DATA
We use personal data because we need to for one or more of the following reasons:
-
- to enter into a contract with, or perform a contractual obligation (i.e. provide legal services) owed to, the individual to whom that personal data relates;
- to comply with our legal obligations (including professional obligations imposed by the Solicitors Regulation Authority);
- to pursue our legitimate interests in operating and promoting the success of our firm, or to pursue the interests of our clients in receiving legal advice; or
- to conduct business remotely using video conference and conference call services.
If you do not provide the personal data which we need in order to enter into or to perform a contract with you, then we may not be able to contract with you or to provide the legal services which you have requested.
In limited circumstances, we may use personal data on the basis of your consent. If so, we will always clearly ask for your specific and informed agreement to this. You are, of course, free to refuse and we will inform you as to what (if any) consequences your refusal might have.
BUSINESS AND PROFESSIONAL CONTACTS
HOW WE COLLECT PERSONAL DATA
We process personal data about individual business and professional contacts. These people include individual (or representatives from corporate) intermediaries, service providers, other lawyers, organisations that have attended our events, and potential clients.
THE TYPES OF PERSONAL DATA WE COLLECT
The types of personal data we hold about these individuals typically relate to that person’s profession and consist of basic personal details and contact information, such as position title, name, work email, address, telephone and the person’s employer. Depending on the circumstances, and the nature of our relationship with the people involved, we may use this information to:
-
- fulfil our contractual obligations or exercise contractual rights;
- communicate with other organisations, professional advisers or intermediaries (for example, in relation to a matter we are advising on); or
- send marketing communications or legal updates (usually by email).
OUR LAWFUL BASIS AND PURPOSES FOR PROCESSING PERSONAL DATA
We typically use this personal data because it is in our legitimate interests to provide and promote our services and to build business relationships.
If you receive news or marketing communications from us, it is because we think you might be interested in our firm or its services (usually on the basis of previous dealings with you or a recommendation from a third party).
You can unsubscribe from marketing at any time by clicking the “unsubscribe” link on any of our emails, or by emailing [email protected] with the subject line “unsubscribe.”
RECRUITMENT
HOW WE COLLECT PERSONAL DATA
We collect, store and use personal data about individuals who apply to join us.
THE TYPES OF PERSONAL DATA WE COLLECT
The information we collect about applicants may include information:
-
- you provide to us (such as in CVs, application forms, and through correspondence);
- you provide during an interview;
- obtained from previous employers and referees;
- provided to us by recruitment agencies; and
- received as a result of our carrying out background checks (such as checks for criminal convictions with the Disclosure and Barring Service).
The information we collect might include sensitive personal data, such as information about your health and sickness records.
If you apply for a position with us, we may carry out a check for criminal convictions in order to satisfy ourselves that there is nothing in your history which makes you unsuitable for the role. We do this because working with us involves a high degree of trust (as you may be dealing with client monies and will have access to confidential information). We are also legally required by the Solicitors Regulation Authority to carry out criminal record checks for certain roles within our firm.
We only carry out criminal records checks and ask for references at the last stage of the application process (when making an offer of employment) and always act in accordance with the specific requirements of Data Protection Laws and other applicable national laws when doing so.
OUR LAWFUL BASIS AND PURPOSES FOR PROCESSING PERSONAL DATA
We use the personal data we collect about you to:
-
- assess your skills, qualifications, and suitability for a role;
- carry out background and reference checks;
- communicate with you about your application;
- keep records related to our hiring process; and
- comply with legal or regulatory requirements.
We do all of this because either it is a necessary part of entering into a contract of employment with you or because we have a legitimate interest in ensuring that you are suitable for a particular role.
If you fail to provide personal data when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we will not be able to process your application successfully.
If we need to process sensitive personal data about a job applicant, for example disability information in order to consider whether we need to provide appropriate adjustments during the recruitment process, we will ask for explicit consent to do this at the time at which we request the personal data or ensure that we satisfy another condition under Data Protection Laws for lawfully processing such personal data.
RETENTION OF APPLICANT INFORMATION
We normally retain personal data about unsuccessful candidates for no more than 6 months from the time we inform them of our hiring decision. We retain personal data for this period so that we can demonstrate, in the event of a legal claim, we have not discriminated against an applicant and that the recruitment process was fair and transparent. After this period, we will securely destroy the applicant’s personal data. If we wish to retain personal data on file, in case future opportunities arise, we will contact the applicant and ask for his or her consent to do so.
If you are successful, the personal data you provided in the application process will be stored as part of your personnel file.
CCTV
Any CCTV used in our London office is operated by the building landlord and not by us. We do not have access to CCTV footage and are not a controller in respect of any personal data included on such footage. CCTV inquiries should be directed to The Office Group Properties Limited at The Smiths Building, 179 Great Portland Street, London, W1W 5PL.
CLIENT DUE DILIGENCE AND IDENTITY CHECKS
In some situations we are required by law and by our professional regulatory obligations to take additional steps to verify the identity of clients (and, in the case of companies and legal entities, their owners). These additional steps, which typically involve due diligence and identification checks, are required to in order to combat money laundering and other illegal activity, and are mandatory where we are handling client money or advising on certain regulated matters.
In these cases we will carry out additional checks which may include some or all of the following:
- Asking for copies of identity documents such as passports, driving licence, bank statements or utility bills.
- Carrying out video interviews which are then stored for our records.
- Electronic searches, including electronic passport verification, checking name and address against records held by credit reference agencies and the electoral roll.
- Checking names and documents against international sanctions lists, stolen passport registers and other UK and global databases of individuals we are prohibited from dealing with.
- Searches for public information about individuals, including internet searches and searches with Companies House.
This information is processed because it is necessary for us to process in order to comply with a legal obligation (relating to the carrying out of mandatory identity checks and client due diligence). We will store this information securely for the duration of the matter and for a period of six years after its conclusion.
WEBSITE VISITORS
We do not collect personal data about visitors to our website unless they choose to provide such information when contacting us.
Our website may contain hyperlinks to third-party websites. We are not responsible for the content or functionality of any of those external websites. If an external website requests personal data from you, the information you provide will not be covered by this policy. We suggest you read the privacy policy of any website before providing any personal data.
RECIPIENTS OF PERSONAL DATA
Personal data you provide to us will be kept private and confidential in accordance with our obligations under Data Protection Laws and our professional obligations of confidentiality. We will only disclose or share personal data with other data controllers where this is required:
- in connection with our business of providing legal services and where it is in the legitimate interests of ourselves or related third parties to do so. For example, we may share your contact details with the parties to an actual or potential transaction that you and we are jointly involved in, or with other law firms and professional advisors advising in connection with that transaction;
- by law, such as where we are required to comply with a court order, to report suspected money laundering, or to share personal data with regulatory authorities (including the Solicitors Regulation Authority) in the event of an audit or investigation;
- where we have satisfied ourselves that we have another lawful basis for sharing your personal data; or
- in connection with a business reorganisation, merger, acquisition or other corporate transaction, in order to allow the parties to evaluate the transaction and to ensure that our clients continue to receive legal services without interruption.
We also share personal data with some of the third parties who provide services to our firm. This includes software providers, cloud service providers and IT support services. However, these third parties will only process personal data (which may include your information) on our behalf for specified purposes and in accordance with our (or our service provider’s) strict instructions.
We only use third party service providers who have provided sufficient guarantees, as required by Data Protection Laws, that your personal data will be kept safe. We always ensure there is a written contract in place which protects your personal data and prevents it from being used for any purpose other than providing services to our firm, in accordance with Data Protection Laws.
HOW LONG WE STORE PERSONAL DATA FOR
We only retain personal data for as long as is necessary for the specific purposes it was collected for (or for related compatible purposes such as complying with applicable legal, accounting, or record-keeping requirements). For example, the Solicitors Account Rules require us to retain records of transactions involving client monies for a period of at least 6 years.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from its unauthorised use or disclosure, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In the event we process personal data in connection with a client matter, we will normally process that personal data for the duration of the matter. Once we are satisfied that the matter is complete, we will close the file and delete or destroy personal data which is no longer required (such as hard copies of documents which have been digitally archived). Any personal data we retain will be stored securely and only accessed if necessary in order for us to establish, exercise or defend against a legal claim or if another overriding legitimate ground arises (such as having to disclose information as part of an audit by our regulator).
HOW WE KEEP PERSONAL DATA SAFE
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, damaged or destroyed, altered or disclosed.
Our security includes physical security measures (such as keeping paper files in secure, access-controlled premises), electronic security technology (such as encrypted digital back-ups, multi-factor authentication and sophisticated anti-virus protection) and organisational measures (such as internal training, policies and procedures relating to information security, data breaches and disaster recovery).
We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to legal and contractual confidentiality obligations.
We have put in place reporting procedures to deal with any suspected personal data breach and will notify you and any applicable supervisory authority of a breach when we are legally required to do so.
INTERNATIONAL TRANSFERS
We normally only store personal data within the UK or European Economic Area (EEA). However, some of the technology and support services we use are provided by international organisations and/or companies which are based in other countries. Before using such service providers, we take steps to make sure that any personal data they process is adequately protected and transferred in accordance with Data Protection Laws, usually by one or more of the following methods:
- ensuring the recipient is in a country which has been approved in accordance with Data Protection Laws as providing adequate protection for personal data;
- (if the recipient is based in the United States) ensuring the recipient is indicated on the Data Privacy Framework List as participating in the UK Extension to the EU-US Data Privacy Framework (EU-US DPF) and the transfer will be subject to the EU-US DPF Principles upon receipt by the recipient;
- implementing appropriate safeguards such as requiring the recipient to enter into standard data protection clauses approved in accordance with Data Protection Laws; or
- Data Protection Laws otherwise permit use to make the transfer.
If you would like more detailed information on the measures and safeguards which we implement for such data transfers, then please contact us using the details set out in section 1 above.
YOUR RIGHTS AS A DATA SUBJECT
Data Protection Laws provide you with certain rights in relation to your personal data. These are as follows:
- The right to access your personal data. This gives you the right to receive a copy of the personal data we hold about you subject to certain exemptions.
- The right to request correction or completion of personal data. This gives you the right to have any incomplete or inaccurate personal data corrected.
- The right to request erasure of your personal data. This allows you to request us to delete or remove personal data. You also have the right to request us to delete or remove your personal data where you have exercised your right to object to processing (see below). In certain circumstances this right may not apply, such as where we have a good, lawful reason to continue using the information in question and, if so, we shall inform you of such reasons at the relevant time.
- The right to object to processing of your personal data. You can object to us processing your personal data for legitimate interests purposes or for direct marketing. We must then stop processing your data unless we have a strong reason to continue which overrides your objection. If your objection is to direct marketing, we must always stop.
- The right to restrict how your personal data is used. You can limit how we use your personal data in certain circumstances. Where this applies, any processing of your personal data (other than storing it) will only be lawful with your consent or where required for legal claims, protecting certain rights or important public interest reasons.
- The right to have a portable copy or transfer your personal data. You can request that we provide you, or (where technically feasible) a third party, with a copy of your personal data in a structured, commonly used, machine-readable format. Note this only applies to personal data which we obtain from you and, using automated means, process on the basis of your consent or in order to perform a contract.
- The right to withdraw consent. If we are relying on consent to process your personal data then you have the right to withdraw that consent at any time.
RESPONDING
We try to respond to all personal data requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. Please also bear in mind that there are exceptions to the rights above and some situations where they do not apply.
We may need to request additional information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you to clarify your request.
FEES FOR MAKING A REQUEST
You will not normally have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is manifestly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
HOW TO MAKE A REQUEST
If you want to exercise any of the rights described above, please email [email protected] or write to Data Protection Requests, Lewis Mathys Emmerson LLP, One Pancras Square, London, England, N1C 4AG.
YOUR RIGHT TO COMPLAIN TO A SUPERVISORY AUTHORITY
You have the right to complain to the Information Commissioner’s Office if you are not satisfied with our response to a data protection request or if you think your personal data has been mishandled. For further information on how to make a complaint, please visit https://ico.org.uk.
UPDATES TO THIS POLICY
We will update this policy from time to time. The current version will always be posted on our website. This policy was last updated on 4th October 2023.