Edward Hands & Lewis is committed to being transparent about how it collects and uses personal data and to meeting its data protection obligations.
Edward Hands & Lewis is committed to being transparent about how it handles your personal information, to protecting the privacy and security of your personal information and to meeting its data protection obligations under the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018. The purpose of this privacy notice is to make you aware of how and why we will collect and use your personal information both during and after your working relationship with the Company. We are required under the GDPR to notify you of the information contained in this privacy notice.
This privacy notice applies to all current and former clients.
The Company collects and processes a range of information about you; this includes:
We may collect personal information about you in a variety of ways. It is collected during the course of your instructions, either directly from you or sometimes from a third-party such as a credit agency.
Whilst some of the personal information you provide to us is mandatory and/or is a statutory or contractual requirement, some of it you may be asked to provide to us on a voluntary basis. We will inform you as to whether you are required to provide certain personal information to us or if you have a choice in this.
Your personal information may be stored in different places, including in your file, in the Company’s case management system and in other IT systems, such as the e-mail system.
The Company needs to process data for contractual purposes to enter into an agreement with you and to meet its obligations.
In some cases, the Company needs to process data to ensure that it is complying with its legal obligations.
We may also occasionally use your personal information where we need to protect your vital interests (or someone else’s vital interests).
We will only collect and use your sensitive personal information, which includes special categories of personal information and information, when the law allows us to.
Some special categories of personal information, i.e. information about your health or medical conditions and information about criminal convictions and offences, are processed so that we can perform or exercise our obligations or rights and in line with our Data Protection Policy.
We may also process these special categories of personal information, and information about any criminal convictions and offences, where we have your explicit written consent. In this case, we will first provide you with full details of the personal information we would like and the reason we need it, so that you can properly consider whether you wish to consent or not. It is entirely your choice whether to consent. Your consent can be withdrawn at any time.
Where the Company processes other special categories of personal information, i.e. information about your racial or ethnic origin, religious or philosophical beliefs and sexual orientation, this is done only for the purpose of equal opportunities monitoring and in line with our Data Protection Policy. Personal information that Edward Hands & Lewis uses for these purposes is either anonymised or is collected with your explicit written consent, which can be withdrawn at any time. It is entirely your choice whether to provide such personal information.
We may also occasionally use your special categories of personal information, and information about any criminal convictions and offences, where it is needed for the establishment, exercise or defence of legal claims.
Your personal information will be shared internally within Edward Hands & Lewis, including with members of the department in which your work will be undertaken and IT staff if access to your personal information is necessary for the performance of their roles.
We may also share your personal information with third-party service providers (and their designated agents), including:
We may also share your personal information with other third-parties in the context of a potential sale or restructuring of some or all of its business. In those circumstances, your personal information will be subject to confidentiality undertakings.
We may also need to share your personal information with a regulator or to otherwise comply with the law.
We may share your personal information with third-parties where it is necessary to administer the contract we have entered into with you, where we need to comply with a legal obligation, or where it is necessary for our legitimate interests (or those of a third-party).
We will not transfer your data to countries outside the European Economic Area.
The Company has put in place measures to protect the security of your personal information. It has internal policies, procedures and controls in place to try and prevent your personal information from being accidentally lost or destroyed, altered, disclosed or used or accessed in an unauthorised way. In addition, we limit access to your personal information to those employees, workers, agents, contractors and other third-parties who have a business need to know in order to perform their job duties and responsibilities. You can obtain further information about these measures from our Compliance Department.
Where your personal information is shared with third-party service providers, we require all third-parties to take appropriate technical and organisational security measures to protect your personal information and to treat it subject to a duty of confidentiality and in accordance with data protection law. We only allow them to process your personal information for specified purposes and in accordance with our written instructions and we do not allow them to use your personal information for their own purposes.
We also have in place procedures to deal with a suspected data security breach and we will notify the Information Commissioner’s Office (or any other applicable supervisory authority or regulator) and you of a suspected breach where we are legally required to do so.
We will only retain your personal information for as long as is necessary to fulfil the purposes for which it was collected and processed, including for the purposes of satisfying any legal, tax, health and safety, reporting or accounting requirements.
The periods for which your data is held after the end of your matter are set out in our Data Protection Retention Policy which forms part 2 of our Data Protection Policy and also contained in Record of Personal Data Processing Activities available from the Data Controller’s representative.
As a data subject, you have a number of rights. You can:
If you would like to exercise any of these rights, please contact firstname.lastname@example.org
If you believe that the Company has not complied with your data protection rights, you can complain to the Information Commissioner.
We do not take automated decisions about you using your personal data or use profiling. However, you will be notified if this position changes.
We reserve the right to update or amend this privacy notice at any time, including where the Company intends to further process your personal information for a purpose other than that for which the personal information was collected or where we intend to process new types of personal information. We will issue you with a new privacy notice when we make significant updates or amendments. We may also notify you about the processing of your personal information in other ways.
If you have any questions about this privacy notice or how we handle your personal information, please contact email@example.com and/or refer to our full Data Protection Policy.
1.1 This policy is intended to meet the requirements of the Data Protection Act 2018 (the 2018 Act) and the EU General Data Protection Regulation (GDPR) and comply with our legal obligations in respect of data privacy and security under the 2018 Act and the GDPR.
1.2 This policy is divided into three parts: Part 1 containing the Principal Policy, Part 2 containing the Data Retention Policy and Part 3 containing the Data Security Policy.
1.3 Edward Hands & Lewis is a ‘Data Controller’ for the purposes of your personal data. This means that we determine the purpose and means of the processing of your personal data.
1.4 Edward Hands & Lewis has appointed Hayley McAllister (Compliance Manager) as the person with responsibility for data protection compliance within the Company. Hayley McAllister should be contacted at firstname.lastname@example.org concerning questions or requests for further information about this policy.
1.5 This policy explains how Edward Hands & Lewis will hold and process your information. It explains your rights as a data subject. It also explains our obligations when obtaining, handling, processing or storing personal data in the course of your instructions of Edward Hands & Lewis.
1.6 This policy does not form part of your contract with Edward Hands & Lewis (or contract for services if relevant) and can be amended by Edward Hands & Lewis at any time. It is intended that this policy is fully compliant with the 2018 Act and the GDPR. If any conflict arises between those laws and this policy, the Company intends to comply with the 2018 Act and the GDPR.
2.1 Edward Hands & Lewis takes the security and privacy of your data seriously. We need to gather and use information or ‘data’ about you as part of our business and to manage our relationship with you. We have a duty to notify you of the information contained in this policy.
2.2 This policy applies to current and former clients. You are a ‘data subject’ for the purposes of this policy. You should read this policy alongside any other notice we issue to you from time to time in relation to your data.
2.4 We hold data for specified periods of time appropriate to the type of data. These periods of time are contained in Part 2 of this policy in the Data Retention Policy. We will only hold data for as long as necessary for the purposes for which we collected it.
2.5 We have measures in place to protect the security of your data in accordance with our Data Security Policy. These security measures are contained in Part 3 of this policy.
3.1 Personal data must be processed in accordance with six ‘Data Protection Principles’. It must:
We are accountable for these principles and must be able to show that we are compliant.
4.1 ‘Personal data’ means information which relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information which is likely to come into our possession. It includes any expression of opinion about the person and an indication of the intentions of us or others, in respect of that person. It does not include anonymised data.
4.2 This policy applies to all personal data whether it is stored electronically, on paper or on other materials.
4.3 This personal data might be provided to us by you, or someone else (such as a credit reference agency), or it could be created by us. It could be provided or created during the course of your instructions or after their conclusion.
4.4 We will collect and use the following types of personal data about you:
5.1 ‘Special categories of personal data’ are types of personal data consisting of information as to:
Any criminal convictions and offences.
We may hold and use any of these special categories of your personal data in accordance with the law.
6.1 ‘Processing’ means any operation which is performed on personal data such as:
This includes processing personal data which forms part of a filing system and any automated processing.
We take the security of client-related personal data seriously. Edward Hands & Lewis have internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed except by employees in the proper performance of their duties. A Data Security Policy is contained in Part 3 of this Data Protection Policy.
Where the Company engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
8.1 Edward Hands & Lewis process your personal data (including special categories of personal data) in accordance with our obligations under the 2018 Act.
8.2 We will use your personal data on a lawful basis for:
We can process your personal data for these purposes without your knowledge or consent. We will not use your personal data for an unrelated purpose without telling you about it and the legal basis that we intend to rely on for processing it.
If you choose not to provide us with certain personal data you should be aware that we might not be able to carry out certain parts of the contract between us. It might also stop us from complying with certain legal obligations and duties which we have.
9.1 We have to process your personal data in various situations during your instructions of this firm.
9.2 We might process special categories of your personal data.
9.3 We will only process special categories of your personal data (see above) in certain situations in accordance with the law. For example, we can do so if we have your explicit consent. If we asked for your consent to process a special category of personal data then we would explain the reasons for our request. You do not need to consent and can withdraw consent later if you choose by contacting email@example.com
9.4 We do not need your consent to process special categories of your personal data when we are processing it for the following purposes, which we may do:
9.5 Automated decision-making
We do not take automated decisions about you using your personal data or use profiling in relation to you or your instructions. However, you will be notified if this position changes.
10.1 Sometimes we might share your personal data with group Companies or our contractors and agents to carry out our obligations under our contract with you or for our legitimate interests.
10.2 We require those Companies to keep your personal data confidential and secure and to protect it in accordance with the law and our policies. They are only permitted to process your data for the lawful purpose for which it has been shared and in accordance with our instructions.
10.4 Transfer of Data outside the European Economic Area
We will not transfer your data to Countries outside the European Economic Area. If this changes you will be notified of this and the protections which are in place to protect the security of your data will be explained.
11.1 Edward Hands & Lewis has responsibility for ensuring data is collected, stored and handled appropriately, in line with this policy and the Company’s Data Security and Data Retention Policies.
11.2 The person named in sub-clause 1.4 of this policy is responsible for reviewing this policy and updating the Board of Directors on the Company’s data protection responsibilities and any risks in relation to the processing of data. You should direct any questions in relation to this policy or data protection to this person.
11.3 We will only access personal data covered by this policy if needed for the work carried out on behalf of the Company and only if we are authorised to do so. The Company should only use the data for the specified lawful purpose for which it was obtained.
11.4 We will not share personal data informally.
11.5 We will keep personal data secure and not share it with unauthorised people.
11.6 We regularly review and update personal data which we have to deal with for work.
11.7 We will not make unnecessary copies of personal data and will keep and dispose of any copies securely.
11.8 Personal data will be encrypted/password protected before being transferred electronically to authorised external contacts.
11.9 Personal data will never be transferred outside the European Economic Area except in compliance with the law and authorisation of the person responsible for data protection compliance.
12.1 We have robust measures in place to minimise and prevent data breaches from taking place. Should a breach of personal data occur (whether in respect of you or someone else) then we must take notes and keep evidence of that breach. If the breach is likely to result in a risk to the rights and freedoms of individuals then we must also notify the Information Commissioner’s Office within 72 hours.
12.2 If you are aware of a data breach you must contact Compliance at firstname.lastname@example.org immediately and keep any evidence you have in relation to the breach.
13.1 Data subjects can make a ‘subject access request’ (SAR) to find out the information we hold about them. This request must be made in writing. If you wish to make a Subject Access Request you should forward it to the person responsible for data protection compliance at email@example.com who will coordinate a response.
13.2 We must respond within one month unless the request is complex or numerous in which case the period in which we must respond can be extended by a further two months.
13.3 There is no fee for making a SAR. However, if your request is manifestly unfounded or excessive we may charge a reasonable administrative fee or refuse to respond to your request.
14.1 You have the right to information about what personal data we process, how and on what basis as set out in this policy.
14.2 You have the right to access your own personal data by way of a subject access request (see above).
14.3 You can correct any inaccuracies in your personal data. To do this you should contact the Fee Earner responsible for your matter.
14.4 You have the right to request that we erase your personal data where we were not entitled under the law to process it or it is no longer necessary to process it for the purpose it was collected. To do so you should contact firstname.lastname@example.org
14.5 While you are requesting that your personal data is corrected or erased or are contesting the lawfulness of our processing, you can apply for its use to be restricted while the application is made. To do so you should contact email@example.com
14.6 You have the right to object to data processing where we are relying on a legitimate interest to do so and you think that your rights and interests outweigh our own and you wish us to stop.
14.7 You have the right to object if we process your personal data for the purposes of direct marketing.
14.8 You have the right to be notified of a data security breach concerning your personal data.
14.9 In most situations we will not rely on your consent as a lawful ground to process your data. If we do however request your consent to the processing of your personal data for a specific purpose, you have the right not to consent or to withdraw your consent later. To withdraw your consent, you should contact firstname.lastname@example.org
14.10 You have the right to complain to the Information Commissioner. You can do this by contacting the Information Commissioner’s Office directly. Full contact details including a helpline number can be found on the Information Commissioner’s Office website (www.ico.org.uk). This website has further information on your rights and our obligations.
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
The Company will therefore:
Discarding data too soon would be likely to disadvantage Edward Hands & Lewis and quite possibly, inconvenience the people the information is about as well.
Personal data will be regularly reviewed and anything no longer needed will be deleted. Information that does not need to be accessed regularly, but which still needs to be retained, will be safely archived or put offline.
In retaining data, we will take account of any professional rules or regulatory requirements that apply. The retention periods will be regularly reviewed to consider whether it is being held too long or conversely if it is being deleted prematurely. However, if any records are not being used, consideration will be given to whether they need be retained.
At the end of the retention period, or the life of a particular record, it will be reviewed and deleted, unless there is some special reason for keeping it.
Where appropriate, a record may not be permanently deleted and it may be archived instead. If a record is archived or stored offline, this will reduce its availability and the risk of misuse or mistake. However, a record will only be archived (rather than deleted) if it is considered essential to retain it. In order to comply with data protection principles, subject access to it will still be permissible. If a record is deleted from a live system, it will also be deleted from any back-up of the information on that system.
We will only hold data for as long as necessary for the purposes for which we collected it and will hold data for specified periods of time appropriate to the type of data.
18.1 Statutory Retention Periods
The main UK legislation regulating statutory retention periods is summarised below. If the Company is in doubt, it will retain records for at least 6 years (5 in Scotland), to cover the time limit for bringing any civil legal action.
18.2 Recommended (Non-Statutory) Retention Periods
For many types of records, there is no definitive retention period, therefore it is up to the Company to decide how long to keep them. The Company has therefore considered the necessary retention period for them, depending on the type of record.
The UK Limitation Act 1980 contains a 6-year time limit for starting many legal proceedings. So, where documents may be relevant to a contractual claim, the Company will retain them for at least a corresponding 6-year period.
This policy outlines behaviours expected of Edward Hands & Lewis when dealing with data and provides a classification of the types of data with which they should be concerned.
We must protect personal, restricted, confidential and sensitive data and ensure it is processed in accordance with the data protection principles contained in the Principal Data Protection Policy and further detailed below.
Any employee, contractor or individual with access to Company systems and personal data. The definition of data to be protected is defined as all data that is described in Part 1 of this policy,