Data protection principles
Subject access requests
The General Data Protection Regulation (GDPR) grants you (hereinafter referred to as the “data subject”) the right to access particular personal data that we hold about you. This is referred to as a subject access request. We shall respond promptly, and certainly within one month from the point of receiving the request and all necessary information about you.
A&A Solicitors adheres to the following principles when processing your personal information as data controller:
- Lawfulness, fairness and transparency – data must be processed lawfully, fairly and in a transparent manner.
- Purpose limitation – data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data minimisation – data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accuracy – data must be accurate and, where necessary, kept up to date.
- Storage limitation – data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal information is processed.
- Integrity and confidentiality – data must be processed in a manner that ensures appropriate security of the personal information, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical or organisational measures.
Personal information we may collect depending on our relationship with you
Clients – where we are advising and/or acting for you
We will require certain Personal Information to be able to provide our service to you. If you do not provide Personal Information we ask for, it may delay or prevent us from providing services to you.
If you are an individual
- Your name, address, telephone number, your National Insurance, your nationality, immigration status and information from related documents, such as your passport or other identification, immigration information, employment status, details including salary and benefits, tax details, pension arrangements, details of your spouse/partner and dependants or other family members, your trade union membership, your medical records. Your bank and/or building society details and/or your bank statements.
- Information to enable us to check and verify your identity, e.g. your date of birth or passport details.
- Electronic contact details, e.g. your email address and mobile phone number.
- Your financial details so far as relevant to your case if we will need to transfer money to you.
- Information about your use of our IT, communication and other systems, and other monitoring information, e.g. if you use our secure online client portals or leave a voicemail message.
- Your employment records including, where relevant, records relating to sickness and attendance.
- Your racial or ethnic origin, gender and sexual orientation, religious or similar beliefs, e.g. if you instruct us on a discrimination claim or if you provide medical or dietary information to us in connection with your attendance at a meeting or event.
- If you instruct us to incorporate a company for you, personal identifying information such as your hair or eye colour or your parents’ names, to answer security questions required by Companies House.
Sensitive categories of (“Sensitive”) personal data
We do not generally seek to collect sensitive personal information through our website. Sensitive personal information is information relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life, sexual orientation, and genetic or biometric information. If we do collect sensitive personal information, we will ask for your explicit consent to our proposed use of that information at the time of collection.
Our website is not intended for or directed at children under the age of 16 years, and we do not knowingly collect data relating to children under this age. If your Matter involves children, these children must be represented by their parents or guardians. In these circumstances we will explain to the parent or guardian why we need any Personal Information relating to the children and how it will be used, both when we first collect the data and as the particular matter progresses. Our website is not intended for children and, other than in connection with work experience applicants.
Visitors to our website
How and why we use your personal information
Under data protection law, we can only use your Personal Information if we have a proper reason for doing so, for example:
- To comply with our legal and regulatory obligations
- For our legitimate interests (see below) or those of a third party
- For the performance of our contract with you or to take steps at your request before entering into a contract
- You have given consent.
What we use your Personal Information for:
- To provide legal services to you.
- Conducting checks to identify our clients and verify their identity.
- Screening for financial and other sanctions or embargoes to help detect and prevent financial crime.
- Other processing necessary to comply with professional, legal and regulatory obligations that apply to our business, e.g. under health and safety regulation or rules issued by our professional regulator, the Solicitors Regulation Authority.
- Gathering and providing information required by or relating to audits, enquiries or investigations by regulatory bodies.
- Ensuring our business policies (and client requirements) are adhered to, e.g. policies covering security and internet use.
- Operational reasons, such as improving our business and services by undertaking analysis and research and assessing your satisfaction with our services, efficiency, insurance purposes, training and quality control.
- Ensuring the confidentiality of commercially sensitive information.
- To respond to any complaint or allegation of negligence made against us.
- Statistical analysis to help us manage our business or to provide information required by our clients, e.g. in relation to our financial performance, client base, work type or other efficiency measures or key performance indicators.
- Preventing unauthorised access and modifications to systems.
- Updating and maintaining client records.
- Statutory returns.
- Ensuring safe working practices, staff administration and assessments and to enforce or protect any of our rights, property or safety (or those of our members, employees or clients).
- To contact you about our services and events which we think may be of interest to you, and to provide you with legal updates and briefings.
- External audits for our Investors in People certification and the audit of our accounts.
- With your consent, external audits, and quality checks for our ISO certifications.
How long we keep your personal data
Your personal information will not be kept for longer than is necessary for the purposes for which it was collected and processed. We will retain your personal information for as long as your account is active or as needed to provide you with services or products you have requested.
The criteria we use for retaining different types of personal information include the following:
General queries – when you make an enquiry or contact us by email or telephone, we will retain your information for as long as necessary to respond to your queries. After this period, we will not hold your personal information for longer than two years if we have not had any active subsequent contact with you.
Direct marketing – where we hold your personal information on our database for direct marketing purposes, we will retain your information for no longer than two years if we have not had any active subsequent contact with you.
How is your personal information retained
Usually in computer or manual files, only for as long as necessary to fulfil the purposes for which the information was collected; or as required by law; or as long as is set out in any relevant contract you may hold with us. For instance:
- As long as necessary to carry out your legal work
- For a minimum of 6 years from the conclusion or closure of your legal work; in case you, or we, need to re-open your case for the purpose of defending complaints or claims against us
- Some information or matters may be kept for 16 years – such as matrimonial matters (financial orders or maintenance agreements etc.)
- Personal injury matters which involve lifetime awards or PI Trusts may be kept indefinitely.
We only keep your Personal Information about your Matter for as long as is necessary to:
- Carry out our services for your Matter.
- Respond to any questions, complaints or claims made by you or on your behalf.
- Show that we treated you fairly.
- Keep records required by law to comply with our legal obligations and our duties to our regulator. Anti-money laundering legislation requires us to retain records, documents and information relating to a Matter, including a copy of your identity documentation, for five years from conclusion of your Matter or when our business relationship with you ends.
- For most types of Matters we retain your matter file, which will include your Personal Information, for up to six years from the date of your final bill although this may vary depending on the nature of your Matter. Further information about the likely retention period will be provided to you when your Matter concludes.
Who we share your data with
If you request a password reset, your IP address will be included in the reset email.
How long we retain your data
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Where we send your data
Visitor comments may be checked through an automated spam detection service.