Listening and protecting

DRAPER LANG LLP - CLIENT PRIVACY NOTICE

We are committed to respecting your privacy and the privacy of any of your employees, workers, contractors or other business contacts (together referred to as “Individuals”).  

We ask that you read this privacy notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, Individuals’ rights in relation to Individuals’ personal information and on how to contact us in the event you or any Individual has a complaint.

This notice applies to our current and past clients and their Individuals who are living persons.

References to we, our or us in this privacy notice are to the “Group”, being Draper Lang LLP and the Employment Law Partnership Limited.  Details of our trading entities are as follows:

Draper Lang LLP is a limited liability partnership company incorporated in England and Wales. Registered Number: OC371676. Registered Office: 12A Hart Street, Henley on Thames, Oxon RG9 2AU

The Employment Law Partnership Limited is a limited company incorporated in England and Wales and regulated by the Royal Institution of Chartered Surveyors. Registered Number: 07912413.  Registered Office: 12A Hart Street, Henley on Thames, Oxon RG9 2AU

For the purposes of this notice the controller is the Group entity that you or your business has engaged. 

  1. Personal Information

 When you / Individuals interact with us in relation to our work, you / they may provide us with or we may obtain personal information about you / them (subjects).  The subjects may be you (if you have engaged us as an individual client), your Individuals, the living persons that you may wish to contract with or persons that you may have a dispute with.  The information we may obtain includes:

  • Any information related to your employment or their employment by you;
  • Information related to their personal contact details such as name, title, addresses, telephone numbers, and personal email addresses;
  • details of a dispute with the subject;
  • details of a contract or transaction involving the subject;
  • details of the advice that you require regarding the subject;
  • date of birth;
  • gender;
  • marital status and dependants;
  • credit history;
  • next of kin, details of family members and emergency contacts;
  • national insurance number and other tax or governmental identifiers;
  • bank accounts and tax status;
  • employment details and records (including job titles, work history, working hours, training records and professional memberships);
  • images in photographic or video form; and
  • shareholdings of the subject.

You may also provide us with or we may collect, store and use the following “special categories” of more sensitive personal information regarding subjects:

  • information about the subject’s race or ethnicity, religious beliefs, sexual orientation, trade union memberships, political opinions and or other protected characteristics;
  • information about the subject’s health, including any medical condition, health and sickness records; and
  • information about the subject’s criminal convictions and offences.

 We obtain the information regarding subjects from you, as part of our work for you and as a result of our investigations in pursuit of your instructions to us.  We may, instruct third parties (such as enquiry agents) to obtain personal information regarding subjects. 

If you are providing information regarding subjects to us, it is your responsibility to ensure that you have the right to provide the information to us. 

  1. Uses made of the information

 We will only use personal information regarding subjects in accordance with applicable data protection legislation, including the Data Protection Act 1998 and the EU General Data Protection Regulation and its UK implementing legislation (the Data Protection Act 2018).  

Most commonly, we will subjects’ personal information in the following circumstances:

  • where we need to perform the contract we have entered into with you (including but not limited to providing legal advice);
  • where we need to comply with a legal obligation; and
  • where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. 

We may also use subjects’ personal information in the following situations, which are likely to be rare:

  • where we need to protect your interests (or someone else’s interests); and
  • where it is needed in the public interest.

We need all the categories of information in the list in paragraph 1 above primarily to allow us to perform our contract with you and to enable us to comply with legal obligations. In some cases we may use subjects’ personal information to pursue legitimate interests of our own or those of third parties, provided your interests and fundamental rights do not override those interests.  These legitimate interests are to manage our relationship with you, determine our respective rights and obligations and to properly conduct our business.  There may be more limited circumstances where we process personal data pursuant to your or a subjects’ consent.

The situations in which we will process subjects’ personal information are listed below.

Purpose Personal information used Lawful basis
Performing client instructions All the personal information we collect  
We do this to perform our contract with clients.
 
Undertaking client management, including engagement letters, billing and billing management All the personal information we collect We have a legitimate interest to properly manage our business.
Management of payments on our client’s behalf All the personal information we collect  
We do this to perform our contract with clients.
 
 
Ensuring the security of our systems and information as well as client information
All the personal information we collect We have a legitimate interest to manage the security of our systems.
Perform credit checks Contact details and payment information We have a legitimate interest to ensure that we are likely to be paid for our services or products
 
Sale or takeover of our business All the personal information we collect We have a legitimate interest in relation to corporate transactions relating to us.
Business continuity All the personal information we collect We have a legitimate interest in making back-ups and providing for business continuity in the event of an occurrence which affects our ability to trade from one of our offices
Future Claims All the personal information we collect  
We do this to perform our contract with clients and in respect of our on-going contractual obligations to our clients and to ensure we can comply with legislative and regulatory requirements.
 

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of subjects’ personal information.

If you fail to provide certain information when requested, we may not be able to perform the contract we have entered into with you, or we may be prevented from complying with our legal obligations.

We will only use subjects’ personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.  If we need to use subject’s personal information for an unrelated purpose, we will (if required by law) notify the subject and explain the legal basis which allows us to do so.

Please note that we may process subjects’ personal information without the subject’s knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

“Special categories” of particularly sensitive personal information require differing levels of protection. We need to have further justification for collecting, storing and using this type of personal information. We may process special categories of personal information in the following circumstances: 

  • in limited circumstances, with explicit written consent;
  • where we need to carry out our legal obligations; and
  • where it is needed in the public interest.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where it is needed to protect the subject’s interests (or someone else’s interests) and the subject is not capable of giving consent, or where the subject has already made the information public.

We will use the subject’s personal information in the following special categories in the following ways: 

  • we will use information relating to the subject’s health insofar as it relevant to your instructions to us;
  • we will use information about criminal convictions to comply with law and in order to comply with your instructions to us;
  • we will use information about the subject’s trade union membership to comply with your instructions to us; and
  • we will use information about a subject’s race or national or ethnic origin, religious, philosophical or moral beliefs, sexual life, sexual orientation or other protected characteristics to comply with your instructions to us.

 Where you have given us your consent to use your personal information in a particular manner, you have the right to withdraw this consent at any time, which you may do by contacting us as set out in paragraph 8 below.  Please note however that the withdrawal of your consent will not affect any use of the data made before you withdrew your consent and we may still be entitled to hold and process the relevant personal information to the extent that we are entitled to do so on bases other than your consent.

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

  1. Disclosure of your personal information

 We may share subjects’ personal information where it is necessary to administer the working relationship or we have a legitimate interest in so doing. We may also disclose subjects’ personal information to third parties if we are under a duty to disclose or share subjects’ personal information in order to comply with any legal obligation, or in order to enforce or apply such other terms as apply to our relationship, or to protect rights, property, or safety of our other employees, workers and contractors our customers, ourselves or others where we have a legitimate interest in doing so.  This includes exchanging information with other companies and organisations for the purposes of providing references and fraud protection.

”Third parties” includes third-party service providers (including consultants, Counsel and designated agents) and other entities within the Group.

The third parties we share subjects’ personal information with where required by law are courts and governmental agencies.

The third parties we share subjects’ personal information with where it is necessary to administer the working relationship with you include (where you are a consultant) the client of ours for whom you are ultimately providing services to.

All our third-party service providers and other entities in the group are required to take appropriate security measures to protect subjects’ personal information in line with our policies. We do not allow our third-party service providers to use subjects’ personal data for their own purposes. We only permit them to process subjects’ personal data for specified purposes and in accordance with our instructions.

We will share subjects’ personal information with other entities in the Group as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, for system maintenance support and hosting of data.  All members of the Group are bound by this privacy policy.

We may share subjects’ personal information with other third parties, for example in the context of the possible restructuring of the business. We may also need to share subjects’ personal information with a regulator or to otherwise comply with the law.

In certain cases the disclosure of subjects’ personal information to a third party as described in this paragraph 3 may involve subjects’ personal information being transferred outside of the United Kingdom. This may be to:

  • a country in the European Economic Area or that is otherwise considered to have data protection rules that are equivalent to those in the United Kingdom; or
  • a country which is not considered to have the same standards of protection for personal data as those in the United Kingdom, in which case we will take all steps required by law to ensure sufficient protections are in place to safeguard your personal information, including where appropriate putting in place contractual terms approved by the relevant regulatory authorities.

 For more information about the circumstances in which subjects’ personal information may be disclosed to third parties and the safeguards we put in place to protect subjects’ your personal information when we do so, please contact us as described in paragraph 8.

  1. Data security

 We have put in place appropriate security measures to prevent subjects’ personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to subjects’ personal information to those employees, agents, consultants, contractors and other third parties who have a business need to know. They will only process subjects’ personal information on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. 

  1. Your rights and retention, updating and removal of your personal information 

 The duration for which we retain subjects’ personal information will differ depending on the type of information and the reason why we collected it. However, in some cases personal information may be retained on a long term basis: for example, personal information that we need to retain for legal purposes will normally be retained in accordance with usual commercial practice and regulatory requirements.  Generally, where there is no legal requirement we retain all electronic records for a period of 15 years. 

It is important to ensure that the personal information we hold about you / subjects is accurate and up-to-date, and you should let us know if anything changes, for example if you /subjects move home or change phone number or email address. You can contact us using the details in paragraph 8 or via your usual Group contact.

Under certain circumstances, by law subjects have the right to:

  • request access to their personal information (commonly known as a “data subject access request”). This enables Subjects to receive a copy of the personal information we hold about them;
  • request correction of the personal information that we hold about them. This enables subjects to have any incomplete or inaccurate information we hold corrected;
  • request the erasure of personal information. This enables subjects to ask us to delete or remove personal information where there is no good reason for us continuing to hold or process it. Subjects also have the right to ask us to stop processing personal information where we are relying on a legitimate interest and there is something about the particular situation which makes them want to object to processing on this ground;
  • request the restriction of processing of personal information. This enables subjects to ask us to suspend the processing of personal information about them, for example if they want us to establish its accuracy or the reason for processing it; and
  • request the transfer of personal information to another party.

 If you want to review, verify, correct or request erasure of your or any subjects’ personal information, object to the processing of such personal data, or request that we transfer a copy of such personal information to another party, please use the contact details in paragraph 8.

Subjects will not have to pay a fee to access their personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if any request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you or the subject to help us confirm your / their identity and ensure the right to access the information (or to exercise any other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

  1. Enquires, issues and complaints

 Your confidence in us is important and we would not wish to give you any cause for concern, however if you do have any concerns about how we use your or any subjects’ personal information, please contact us as described in paragraph 8 and we would be happy to discuss this with you further.  If necessary, you may make a complaint as set out in our terms of business.

If we are unable to resolve your complaint, you may make a complaint to the Information Commissioner’s Office. Please see https://ico.org.uk/for-the-public/raising-concerns/ for more information.

  1. Changes to this Privacy Notice

 We reserve the right to alter this privacy notice at any time. Such alterations will be posted on our website at http://www.draperlang.co.uk/footer/privacy-policy. You can also obtain an up-to-date copy of our privacy notice by contacting us as described in paragraph 8. Should you object to any alteration, please contact us. 

  1. Contacting us

 If you need to contact us about this notice or any matters relating to the personal information we hold on you, you can do so via your usual contact or via our Data Privacy Manager, David Blomfield by email at office@draperlang.co.uk

Further information

We hope that the contents of this privacy notice address any queries that you may have about the personal information we may hold about Subjects and what we may do with it. However, if you do have any further queries, comments or requests, please contact us as described in paragraph 8 above.

Whilst this privacy notice sets out a general summary of your legal rights in respect of personal information, this is a very complex area of law. More information about your legal rights can be found on the Information Commissioner’s website at https://ico.org.uk/for-the-public/.

DRAPER LANG LLPMay 2018