Privacy Notice to clients
Privacy Notice to all clients
The European Union General Data Protection Regulation requires us (the data controller) to provide you (the data subject) with the information in bold at the beginning of each section below. The information is set out in the sections.
This Privacy Notice applies only to clients who are individuals in their capacity as clients and to individuals who are owners, directors or managers in organisations for which we do work. There are different Privacy Notices (on our website www.hart brown.co.uk) for marketing contacts in that capacity, for experts and specialists, for third parties involved in client matters, and for individuals within organisations with which we deal, some of which might also apply to you.
1. The identity and contact details of the controller and of our
Controller – Hart Brown LLP
Resolution House, Riverview, Walnut Tree Close, Guildford, Surrey GU1 4UX
Controller’s representative – David Wallace, Resolution House, Riverview, Walnut Tree Close, Guildford, Surrey GU1 4UX
01483 887589
2. Contact details of the data protection officer, where applicable.
Not applicable.
3. The purposes of the processing for which the personal data are intended and the legal basis for the processing.
3.1 When you seek our assistance we will record and store your full names, and contact details, and all personal data you give us then, to enable us to understand your need for our help, allocate it to the most suitable specialist, and set up a contract with you.
During your matter we will record and store all further personal data you give us (or we receive from anyone else – such as your medical records for a clinical negligence case) relevant or potentially relevant to our achieving your desired objective. We will use your personal data as necessary in that connection, such as running and presenting your case in court proceedings, preparing your will, running a trust for you, or assisting your house move.
The legal basis for all that processing is that it is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract.
3.2 When we have completed the work you have instructed us to do, we will process all relevant personal data by storing and having it available for you. Paper storage is likely to be until the relevant limitation period for your matter expires in case this is relevant for a complaint or claim by you against us. Electronic storage is likely to be indefinite but (subject to the points below) your personal data stored electronically can be deleted at your request after the expiry of the limitation period. The reason for indefinite storage is principally that information from a closed matter can be useful to you in the future.
The legal basis for this processing is that it (for the limitation period) it is necessary for the purposes of the legitimate interests pursued by us.
3.3 When we have completed the work you have instructed us to do, we will process your name, contact details, and a sufficient summary of the matters on which we worked for you by storing and using these to check in connection with later enquiries whether we have a conflict of interests by reason of having acted for you in connection with those matters. There will be no time limit for that.
We will also process your identification documents by storing and reviewing them if and when you next instruct us.
The legal basis for the processing is that it is necessary for compliance with a legal obligation to which we are subject.
3.4 We will process all accounting records on matters on which you instruct us by creating and storing them for the purpose of each matter while it is current and, after each matter has been completed, by storing them for the period for which we are required by regulation to keep them (at present six years from the conclusion of the matter). After that, the accounting records will continue to be stored as they are part of an integrated accounts system and deleting them would undermine that integrity.
The legal basis for the processing is initially that it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into a contract and then it is necessary for the purposes of the legitimate interests pursued by us and (for the period the regulation mentioned applies) necessary for compliance with a legal obligation to which we are subject.
3.5 We will process all information relevant to a complaint or claim (or a potential claim or complaint) by you against us by sharing it with our insurers and their solicitors and any barrister instructed in that connection by them or us, to be able to deal properly with the situation and correctly identify and fund any liability arising. We will process the relevant personal data by storing it (and referring to it appropriately) until there is no further possibility that it might be needed in connection with a complaint or claim. By doing that we are protecting your vital interests as well as our own.
The legal basis for the processing is that it is necessary to protect your vital interests or those of another natural person and it is necessary for the purposes of the legitimate interests pursued by us.
3.6 We will share personal information with law enforcement or other authorities if legally required.
The legal basis for the processing is that it is necessary for compliance with a legal obligation to which we are subject.
3.7 We will use your personal data, if and when necessary and to the necessary extent, to pursue any rights we may have against you.
The legal basis for this processing is that it is necessary for the purposes of the legitimate interests pursued by us.
3.8 While we have in hand for you a current matter, we will be in frequent contact with you and will be using your contact details for that purpose. We might send you hard copies of leaflets, magazines and brochures to draw some changes in the law to your attention, to provide comments on important issues, or to keep you up to date with changes in Hart Brown LLP.
We will use your contact details to seek your consent to our marketing our services and events to you and to our emailing to you electronic publications we issue. If you give that consent, we will use other information we have about you to try to ensure you only receive from us marketing material of any kind that is likely to be of interest to you. We do not send marketing material to all consenting clients. We do not share any of your personal data with anyone else for marketing purposes. You can withdraw your consent at any time – details will be given as to how to do that when we seek your consent. If you do not give consent or you withdraw it we will not market our services or events to you or email to you electronic publications we issue.
The legal basis for our using your contact details to contact you for a current matter is that it is necessary for the performance of a contract. The legal basis for our using your contact details to send you hard copies of leaflets, magazines and brochures and for our seeking your consent is that it is necessary for the purposes of the legitimate interests pursued by us. The legal basis for our marketing our services and events to you and to our emailing to you electronic publications we issue if you give your consent is that you will have given your consent.
3.9 As explained at 6 below, we process personal data by sharing it with others, and by arranging for others to process it.
The legal basis for all that processing is that it is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract, except as set out below in respect of the various sub-sections of section 6 listed below:-
6.2.4 Our external accreditation auditors, to the extent that they ask to see individual files or relevant accounts records, where the legal basis is that it is necessary for the purposes of the legitimate interests pursued by us.
6.2.5 Our external accountancy auditors, to the extent that they ask to see individual files or relevant accounts records, where the legal basis is that it is necessary for compliance with a legal obligation to which we are subject.
6.2.6 The Solicitors Regulation Authority, to the extent that we are obliged to report or explain an issue to them, where the legal basis is that it is necessary for compliance with a legal obligation to which we are subject.
6.2.7 The Legal Ombudsman, to the extent that a complaint is made to her office about us, where the legal basis is that it is necessary for compliance with a legal obligation to which we are subject.
6.2.8 The Information Commissioner’s Office when required to do so, where the legal basis is that it is necessary for compliance with a legal obligation to which we are subject.
6.2.9 Our I.T. support contractors, to the extent necessary for them to provide that support, where the legal basis is that it is necessary for the purposes of the legitimate interests pursued by us.
6.2.10 Our professional indemnity insurers and their (and, if different, our) professional advisers, to the extent appropriate if and when circumstances arise where there might be a claim against us and by us on that insurance policy, to enable us to achieve a fair outcome for you, where the legal basis is that it is necessary for the purposes of the legitimate interests pursued by us.
6.2.11 The relevant authorities whenever we are required by law to do so including if we suspect there might have been or there might be an offence or attempted offence whether against the Anti-Money Laundering Regulations or otherwise, where the legal basis is that it is necessary for compliance with a legal obligation to which we are subject.
3.10 We will keep a record of what data has been deleted and when. The record will not itself contain any of the deleted data, only a description of a category. The record will also record any requests for deletion and what we did in response and when. The record will have to include the name and address of the relevant person and a short description of the matter. The record will have to be maintained indefinitely.
The legal basis for the processing is that it is necessary to protect your vital interests or those of another natural person and it is necessary for the purposes of the legitimate interests pursued by us.
4. Where the processing is necessary for the purposes of the legitimate interests pursued by us what are those legitimate interests?
In respect of 3.2 and 3.5 the legitimate interests are to enable any complaint or claim to be investigated properly and a just result achieved.
In respect of 3.4 the legitimate interest is to enable us to maintain an integrated and testable accounting system.
In respect of 3.7 the legitimate interest is to enforce the relevant right.
In respect of 3.8 the legitimate interest is to send you hard copies of leaflets, magazines and brochures while we are working on a matter for you and (separately) to seek your consent to suitable marketing to you.
In respect of 3.9 re external auditing (6.2.4) the legitimate interest is to maintain high and recognisable standards.
In respect of 3.9 re our I.T. support contractors the legitimate interest is to ensure the I.T. systems we use to fulfil our contract with you operate smoothly at all times.
In respect of 3.9 re our actual or potential claims the legitimate interest is to ensure a fair outcome to us and to you and to ensure funds are available to meet any liability to you.
In respect of 3.10 the legitimate interest is to ensure and be in a position to demonstrate that personal data is deleted correctly and (subject to this privacy notice) when requested.
5. The categories of personal data involved.
For the purpose of creating a contract with us – your full names, all contact details, and all personal data necessary to enable us to understand enough about what you want us to do to enable us to assess the work, and provide you with an estimate and a letter of engagement.
For the purpose of doing the work for you – all personal data that are or could be relevant to the work being done successfully. Where relevant, that will include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership or data concerning health or your sex life or sexual orientation.
6. The possible recipients or category of recipients of the personal data.
6.1 We will not share any of your personal data with anyone or any organisation other than where it is appropriate or necessary to progress the matter on which you have instructed us or where we are required to do so for legal reasons or for compliance or accreditation purposes. Once we have released any personal data we will not be in control of or able to ensure its security. However, except in the context of the prevention, investigation, detection or prosecution of criminal offences, any organisation to which we release the personal data will itself be bound to keep your data secure and generally to comply with the requirements of the General Data Protection Regulation. Where, for the purposes of implementing your instructions, we need to release any of your personal data to a natural person in the course of a purely personal or household activity, that assurance of security will not apply. Any personal data we do release to a third party will be limited to what must be released for the relevant purpose to be achieved.
6.2 We will share your personal data In respect of all matters with:
6.2.1 The hosts running our software on their systems;
6.2.2 Our software suppliers;
6.2.3 The providers of our copying machines, which also act as scanners, to the extent that when a document is copied or scanned the machine automatically makes an electronic copy;
6.2.4 Our external accreditation auditors, to the extent that they ask to see individual files or relevant accounts records;
6.2.5 Our external accountancy auditors, to the extent that they ask to see individual files or relevant accounts records;
6.2.6 The Solicitors Regulation Authority, to the extent that we are obliged to report or explain an issue to them;
6.2.7 The Legal Ombudsman, to the extent that a complaint is made to her office about us;
6.2.8 The Information Commissioner’s Office when required to do so;
6.2.9 Our I.T. support contractors, to the extent necessary for them to provide that support;
6.2.10 Our professional indemnity insurers and their (and, if different, our) professional advisers, to the extent appropriate if and when circumstances arise where there might be a claim against us and by us on that insurance policy, to enable us to achieve a fair outcome for you;
6.2.11 The relevant authorities whenever we are required by law to do so including if we suspect there might have been or there might be an offence or attempted offence whether against the Anti-Money Laundering Regulations or otherwise;
6.2.12 The courts if a court action is necessary or relevant;
6.2.13 Generally as may be necessary to enable us to do the work you have instructed us to do.
6.3 In the cases of residential property (house moves) and commercial property work for an individual or individuals acting together as such we will share your personal data with:
6.3.1 The Land Registry, in respect of the personal data required to be provided to it to enable your purchase to be registered there;
6.3.2 HMRC, in respect of the personal data required to be provided to it to enable the Stamp Duty Land Tax requirements to be met;
6.3.3 Your existing lender, if any, in respect of the personal data required to be provided to it to redeem an existing loan and your intended lender, if any, in respect of the personal data required to be provided to it to enable a loan to be made;
6.3.4 Any intended surveyor, to the extent necessary to enable a survey appointment to be arranged and/or the surveyor to communicate with you;
6.3.5 The solicitor for the other party, to the extent necessary for the contract terms to be agreed;
6.3.6 The landlord of premises acquired by you, any managing agent, management company or solicitor employed by the landlord or management company, to the extent necessary to register the purchase with the landlord and/or management company and arrange any share transfer;
6.3.7 Insurance companies, to the extent necessary to obtain quotes for any relevant indemnity insurance policy and then put any policy selected in place;
6.3.8 Any estate agent involved in your sale/or purchase, to the extent necessary to enable the sale and/or purchase to proceed.
6.4 In the case of a civil court claim or other action for you or brought against you by another we will share your personal data with:
6.4.1 Your barrister, if any, for advice, drafting of court or similar documents, and the presentation of your case whether in court or otherwise;
6.4.2 Your insurers or potential insurers, if any, to enable insurance cover to be obtained or confirmed and in any event maintained and to enable the case to be run for you with the benefit of continuing insurance cover so far as possible;
6.4.3 Any relevant expert, in respect of the personal data required to enable the expert or potential expert to provide a report (and make all necessary arrangements for any relevant examination) and advise or act as an expert witness for you;
6.4.4 The court (or other tribunal), in respect of all personal data required to be provided to it, if court (or other tribunal) proceedings are to be started and/or pursued or defended;
6.4.5 The mediator or arbitrator, in respect of the personal data required to be given to a mediator or arbitrator if mediation or arbitration is agreed or obligatory;
6.4.6 The other party to the matter and their solicitors, to the extent necessary to pursue your matter for you;
6.4.7 An agency for sorting medical records, if you have a clinical negligence claim or potential claim, for your medical records to be sorted;
6.4.8 Your employer or former employer, to the extent necessary to enable us to implement your instructions in connection with your employment.
6.5 In the case of family work (such as divorce or associated financial arrangements) we will share your personal data with:
6.5.1 As 6.4.1. to 6.4.6. inclusive;
6.5.2 An actuary, to the extent necessary to obtain a valuation of pension rights;
6.5.3 An accountant or other tax adviser, to the extent necessary to obtain tax advice, if relevant;
6.5.4 The Land Registry in respect of the personal data required to be provided to it to enable any relevant registration to be effected there;
6.5.5 Any relevant insurance company, SIPP trustee, or financial adviser, to the extent necessary to correspond with them or any of them about your or your spouse’s pension or prospective share of pension and register any change ordered by the court;
6.5.6 The Children and Family Court Advisory and Support Service (CAFCASS);
6.6 In the case of trusts, wills, the administration of estates and similar work we will share your personal data with:
6.6.1 For Executors and Administrators – the Probate Registry, to the extent necessary to obtain a Grant of Probate or Letters of Administration;
6.6.2 For Deputies
6.6.3 For Attorneys (under a Power of Attorney);
6.6.4 Your financial adviser, if and to the extent relevant and appropriate, to enable best advice and assistance from him or her and from us.
6.7 In the case of company and commercial work for an individual or for individuals acting together as such we will share your personal data with:
6.7.1 Companies House, to the extent required to register you as a shareholder, director or officer;
6.7.2 The accountant or tax adviser, if any appointed by you or the company, to enable him or her to advise and assist as required in a matter in hand for you;
6.7.3 The other party to a transaction or matter and their solicitors, to the extent necessary and appropriate to enable the transaction or matter to be progressed and completed;
6.8 In the case of an individual (or individuals acting together as such) landlord or tenant involved in leasehold extension or a similar matter we will share your personal data with:
6.8.1 Any intended surveyor, to the extent necessary to enable a survey appointment to be arranged and/or the surveyor to communicate with you;
6.8.2 The other party to a matter and their solicitors, to the extent necessary and appropriate to enable the matter to be progressed and completed
6.8.3 The Lands Tribunal, if relevant, to the extent necessary to enable your case to be presented before and at any hearing ;
6.8.4 The Land Registry, to the extent appropriate to enable any change in the registration resulting from the matter to be registered.
7. Can we transfer your personal data to a third country or international organisation?
Hart Brown LLP does not usually transfer any information internationally. We can make an international transfer of personal data if it is necessary for the performance of a contract between you and us or for pre-contractual steps to be taken at your request. Otherwise, unless the country in question ensures an adequate level of protection or there are appropriate safeguards and effective legal rights and remedies are available for you, we will be obliged to explain all the risks to you before seeking your consent to make the data transfer. This will have to be addressed if the issue arises, and could delay or prevent progress.
8. What is the period for which your personal data will be stored?
See 3 above.
9. Is the provision of personal data a statutory or contractual requirement or a requirement necessary to enter into a contract, and are you obliged to provide personal data, and what are the possible consequences of failure to provide such data?
There is seldom, if ever, any requirement or obligation on you to provide personal data to Hart Brown LLP. However, if before a contract with us is made you do not provide the personal data essential for that purpose we will not be able to enter into a contract with you or therefore do the work for you at all; and if after the contract has been made you do not (on your initiative or at our request) provide us with personal data relevant or potentially relevant to your matter it is likely to undermine the prospects of a successful outcome and could prevent us from progressing or completing the work. Your failure to provide such data could entitle us to end our contract with you.
10. The existence of automated decision making, including profiling
Hart Brown LLP does not use automated decision making including profiling.
11. What is the source of your personal data not obtained from you and, if applicable, will this come from publicly accessible sources?
We make all appropriate checks in respect of all clients to verify their identity and (where relevant) their beneficial ownership, and the identity of the shareholders and officers of companies instructing us and anyone else with authority to instruct us on behalf of any organisation. We do so by making searches through organisations set up to provide that information and through Companies House. We also make checks with credit reference agencies when appropriate.
In a sale of your home, we will seek confirmation of your ownership, and details of all mortgages on it, from the Land Registry (a public source).
In a purchase with the benefit of a mortgage loan, we will ask the Land Charges Registry (a public source) to confirm that you are not bankrupt and have nothing pending against you, as required by the lender.
In a clinical negligence claim for you, we will seek all your medical records from your GP and any relevant hospital. They are not public sources.
In a clinical negligence claim for you, we will usually arrange for your medical records and you to be examined by a relevant expert (not a public source) and will be provided by the expert with personal data.
In a personal injury claim for you, we will usually arrange for you (and perhaps your medical records) to be examined by a relevant expert (not a public source) and will be provided by the expert with personal data.
In any other civil dispute, if an expert is used it is possible that he or she (not a public source) will provide personal data to us.
In all matters we are likely to be provided with some personal data (or allegations) by the other party (not a public source).
12. Your data protection rights
12.1 You have the right to request from us access to and rectification or (in certain circumstances) erasure of personal data or (in certain circumstances) restriction of processing concerning you.
12.2 Where the processing is carried out by us on the basis that it is necessary for the purposes of the legitimate interests pursued by us, you have the right to object to it continuing and we must stop the processing unless we demonstrate legitimate grounds for the processing which override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of civil claims.
12.3 Where the processing is based on consent or under or leading to a contract and the processing is carried out by automated means, you have the right to receive from us the personal data concerning you which you have provided to us and the right to transmit those data to another controller.
12.4 Where the processing is based on consent, you have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
12.5 You have the right to lodge a complaint with the Information Commissioner’s Office, who may be contacted at https://ico.org.uk/concerns/ or telephone: 0303 123 1113 but we invite you to tell us first if you have any complaint, so that we can attend to it as soon as possible.
If you would like to exercise any of those rights, please:
- email, call or write to David Wallace,
- let us have enough information to identify you,
- let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill), and
- let us know the information to which your request applies.