Privacy Notice
About Us
Geldards LLP is a law firm with offices in Cardiff, Derby, Nottingham and London. We are a limited liability partnership registered in England and Wales (partnership number OC313172). Our registered office is at 4 Capital Quarter, Tyndall Street, Cardiff, CF10 4BZ. You can find our contact details here.
We are regulated by the Solicitors Regulation Authority (“SRA”). We are also registered with the UK’s data protection regulator, the Information Commissioner’s Office (“ICO”).
We have appointed an Information Officer, who oversees our compliance with data protection law. His contact details are set out below:
Ben JohnsonGeldards LLP
The Arc
Enterprise Way
Nottingham
NG2 1EN
Email: Information.compliance@geldards.com
Telephone: 0115 983 3650
If you have any questions about the information set out in this privacy notice or how we handle personal information, please contact our Information Officer or email us at information.compliance@geldards.com.
If you wish to download a hard copy of this privacy notice, please click here.
What’s The Purpose Of This Privacy Notice?
This privacy notice sets out information about our use of personal information relating to individuals we have dealings with, including our clients, individuals who use our website and individuals who subscribe to our newsletters and updates. It also sets out details of the rights individuals have in relation to our use of their personal information and various other information which we are required to provide under data protection law.
In particular, this privacy notice provides information to individuals about how they can object to our use of their personal information (see here), how they can withdraw any consent they have given to us to enable us to process their personal information (see here) and how they can make a complaint (see here).
We may provide additional privacy information to individuals on specific occasions when we are collecting personal information. This is to ensure that we are being transparent about why and how we are using personal information. This privacy notice supplements any other such notices and is not intended to override them.
Who Does This Privacy Notice Apply To?
This privacy notice applies to:
- our clients;
- other individuals who contact us (for example, to make an enquiry about legal services);
- individuals (other than clients) whose personal information we obtain in connection with a legal matter;
- individuals who use our website (https://www.geldards.com);
- individuals who subscribe to our updates;
- individuals who engage with us on social media; and
- individuals who access our premises or the surrounding areas and who may be captured on our CCTV system. We refer to such individuals in this privacy notice using the terms “you” or “your”.
What Is Our Approach To Privacy?
We take your privacy extremely seriously and want you to feel confident that your personal information is safe in our hands. We will only use your personal information in accordance with data protection law applicable to England and Wales from time to time and the SRA rules of professional conduct we are subject to as a law firm.
Under data protection law, when we use your personal information, we will be acting as a data controller. Essentially, this means that we are responsible for your personal information and will be making decisions about how it is used and why.
Below, we summarise the main rules that apply to us as a data controller under data protection law:
- We must be upfront about how we intend to use your personal information and must use it fairly. Providing privacy information to individuals (such as in this privacy notice) is one aspect of using personal information fairly.
- We must only use your personal information if we have a legal basis to do so under data protection law. The legal bases available are set out in data protection law and include that:
- We need to use your personal information to perform a contract between you and us (or to take steps at your request before entering into such a contract);
- We (or someone else) have a legitimate reason (such as a business or commercial reason) for needing to use your personal information, so long as this is not overridden by your rights and interests; and
- We need to use your personal information to comply with laws or regulations that we are subject to.
- We must only use certain types of sensitive personal information (such as information relating to your health, racial or ethnic origin or religion) if we can satisfy one of the conditions set out in data protection law or if an exemption applies to us. This type of personal data is known as “special category personal data”.
The conditions that apply to the use of special category personal data include that:- We need to use the information for the purposes of establishing, exercising or defending legal claims; and
- That you have given us your explicit consent to use it.
- Generally, we must not share your personal information with others unless we have a legal basis for doing so and have provided you with information about our intention. However, there are certain circumstances in which we can share your personal information with a third party without first informing you (e.g. for the prevention of a criminal offence or fraud).
- Generally, we must only use your personal information for the specific purposes we told you about when we collected or obtained it. If we want to use your personal information for other purposes, we need to contact you to tell you about this.
- We must not hold more personal information about you than we need for the purposes we have told you about and must not retain your personal information for longer than is necessary for those purposes (known as the “retention period”). We must also dispose of any information that we no longer need securely.
- We must ensure that we have appropriate security measures in place to protect your personal information.
- We must act in accordance with your rights under data protection law.
- We must not transfer your personal information outside the European Economic Area (“EEA”) unless certain safeguards are in place. One such safeguard is that the personal data will only be transferred to a country that has been approved by the European Commission as having adequate data protection laws.
HOW WILL WE USE YOUR PERSONAL INFORMATION?
How we will use your personal information and the legal bases we will rely upon, will depend upon the nature of our relationship with you and our reasons for obtaining or collecting your personal information in the first place. This section provides you with specific privacy information relating to the different categories of individuals that this privacy notice applies to.
Our Clients
What personal information will we use?
- Your name and contact details (e.g. postal address, email address and telephone number(s));
- Proof of identity;
- Your bank or credit card details (if you make payment by card);
- Your financial details (so far as relevant to your instructions);
- Personal information relevant to the legal matter(s) you have instructed us to advise upon. The type of personal information we will need you to provide to us will depend upon the nature of the legal matter we are handling. Such personal information may include special category personal information;
- Personal information relating to any complaint you may make. How will we obtain it?
- The majority of the personal information listed above will be provided by you to us when you instruct us or during the course of a matter;
- Sometimes we may need to obtain information about you from a third party, for example:
- from publicly accessible sources (such as Companies House or HM Land Registry);
- or – from third parties with your consent (such as your bank, other professional advisers, your employer or medical professionals). What purposes will we use it for and what legal bases will we rely upon to do so?
- We will use the personal information listed above to provide legal services to you, to contact you about those legal services and to take payment. Our legal basis for doing so will be that our use of your personal information is necessary for the performance of the contract between you and us (or to take steps at your request before entering into that contract);
- We will use personal information that you provide to us to verify your identity, for the purposes of credit control, to prevent fraud and to carry out checks prescribed by law. Our legal bases for doing so will either be (i) compliance with our legal and regulatory obligations or (ii) our legitimate interests in protecting our business;
- In the event that you make a complaint, we will use your personal information to the extent necessary to deal with your complaint (in accordance with our contractual and regulatory duties). Our legal bases for doing so will either be (i) that such use is necessary to enable us to perform the contract between you and us or (ii) to enable us to comply with our regulatory obligations;
- We will also use your personal information to comply with other professional, legal and regulatory obligations that apply to our business (e.g. rules issued by the SRA);
- In addition, we will use your personal information to send you marketing material. Further details of when and how we will do this, our legal basis for doing so and the marketing material we will send to you are set out here.
- We will also use your personal information for a variety of internal purposes (such as those listed below). Our legal basis for doing so will be our legitimate interests in ensuring that our business is run effectively and efficiently and to the highest standards so that we can deliver the best service possible to you:
- To operate and maintain our internal IT systems, such as our document management system;
- For the purposes of internal record keeping;
- For the purposes of complying with our internal policies and procedures;
- For the purposes of external audits and quality checks;
- For the purposes of training and quality control;
- To ensure confidentiality and the security of personal data;
- To create and update client records; and
- To carrying out statistical analysis. The conditions we will generally rely upon to use any special category personal data
- If we need to obtain or collect any special category personal data about you, the legal bases we will rely upon to use such personal data will generally either be:
- that the processing is necessary for the purpose of establishing, exercising or defending a legal claim on your behalf; or
- your explicit consent. Important consequences if you do not provide or permit us to obtain the personal information we require
- If you do not permit us to collect or provide us with the personal information we require, this may delay or prevent the provision of legal services to you.
Other Individuals Who Contact Us
What personal information will we use?
- Your name;
- Your contact details (such as your telephone number or email address);
- Details of your enquiry/communication. How will we obtain it?
- Provided by you (or someone acting on your behalf) when you (or they) contact us (e.g. by making a phone call or emailing us or enquiring at our premises).
- What purposes will we use it for and what legal bases will we rely upon to do so?
- We will use the personal information listed above to deal with your enquiry/communication. The legal bases we will rely upon when doing so will either be
- your consent or
- our legitimate interests in ensuring that all enquiries/communications received by us are satisfactorily dealt with;
- We may also make a record of your enquiry/communication for internal administrative purposes. The legal bases that we will rely upon when doing so will either be
- compliance with our legal and regulatory obligations or
- our legitimate interest in being able to refer back to your enquiry/communication if you have further dealings with us.
- In addition, we may use your personal information to send you marketing materials. Further details of when and how we will do this, our legal basis for doing so and the type of marketing materials we will send to you are set out here.
Individuals (Other Than Clients) Whose Personal Information We Obtain In Relation To A Legal Matter
What personal information will we use?
- Your name;
- Your contact details (e.g. postal address, email address and telephone number(s));
- Personal information about you relevant to the legal matter we are handling on our client’s behalf. The nature of such information will vary depending on the nature of our instructions and may include special category personal data (including medical information). How will we obtain it?
- The personal information listed above may be provided by you or by a third party. What purposes will we use it for and what legal bases will we rely upon to do so?
- We will use such personal information in relation to the legal matter we are handling on behalf of our client;
- The legal bases we will rely upon to obtain, store and use your personal information will either be:
- that such use of your personal information is necessary for the purposes of a legitimate interest pursued by our client (namely, to obtain legal advice) or
- in the case of any special category personal data, that such use is necessary for the establishment, exercise or defence of a legal claim.
Individuals Who Use Our Website
What personal information will we use?
- Technical information about the devices you use to access our website, including your internet protocol address, browser type and version, time zone setting and location, browser plug in type and version, operating system and platform;
- Usage data about how you use our website, including the full Uniform Resource Locators (“URL”), clickstream to, through and from our website (including date and time, services you viewed or searched for, page response times, download errors, length of visit to certain pages, page interaction information (such as scrolling clicks and mouse-overs), form submissions, accessing other content (e.g. video content) and methods used to navigate away from the page. How will we obtain it?
- The above information will be obtained by us automatically using cookies, server logs and other similar technologies whenever you use our website;
- Further information about the cookies we use and the purposes for which we use them can be found in our Cookie Policy. What purposes will we use it for and what legal bases will we rely upon to do so?
- The above information will be used by us to:
- enable us to run our website;
- help us to improve our website;
- track usage of our website;
- ensure that our website meets our customers’ needs and in the other ways described in our Cookie Policy.
- The legal basis we rely upon to collect and use your personal information in this way is our legitimate interest in
- ensuring that our website functions effectively and
- in relation to certain cookies used by us or third parties, promoting our business services or similar services.
- Information relating to your ability to accept or reject/disable certain cookies is set out in our Cookie Policy. Important consequences if you do not permit us to obtain such personal information
- If you reject/disable any of our cookies, you may be unable to use certain parts of/functions on our website;
- Further information about this can be found in our Cookie Policy.
Individuals Who Subscribe To Our Updates
This section deals with how we will use personal information collected from individuals who subscribe to our legal updates, client bulletins, client newsletters, Geldards’ news and events communications (“Updates”). What personal information will we use?
- Your name and contact details;
- Details of the organisation you work for and your position in it; and
- Your delivery preferences. How we will obtain it?
- Provided by you when you subscribe to Updates. What purposes will we use it for and what legal bases will we rely upon to do so?
- To provide you with Updates;
- Our legal basis for doing so will be your consent. Important consequences if you do not provide the personal information we ask for
- Unless we have your contact details, we will not be able to provide you with Updates;
- You can opt-out of receiving Updates at any time. Information about how to do this is set out here.
Individuals Who Engage With Us On Social Media
What personal information will we use?
- Your name/user name;
- Your location data;
- Personal information contained in your posts. How we will obtain it?
- From the relevant social media site/your posts. What purposes will we use it for and what legal bases will we rely upon to do so?
- To interact with you on the relevant social media site;
- We won’t use the above information for any other purpose.
- The legal basis that we will rely upon to do so will be the consent provided by you when you agreed to the terms and conditions of use relating to the relevant social media site.
Individuals Captured On Our Cctv System
What personal information will we use?
- Your image;
- The dates and times you accessed our premises. How we will obtain it?
- Automated CCTV recordings. What purposes we will use it for and what legal bases will we rely upon to do so?
- We will use the personal information referred to above for security purposes;
- Our legal basis for doing so is our legitimate interest in ensuring that our premises are secure.
When Will We Send Marketing Information To You?
If you are a client or prospective client of the firm, we may use your personal information to send you (by post or email) Updates (as defined earlier) that we think may be of interest to you. Our legal basis for doing so will usually be that we have a legitimate interest in using your personal information for the purposes of direct marketing in order to expand our client base (for example, by telling you about the range of legal services that we provide and/or our areas of expertise). This means that we do not usually need your consent to send this sort of information to you. However, your consent will be required in certain circumstances. Where this is the case, we will ask you for your consent separately and clearly and will not send you Updates without your consent. We will not cross sell your personal information to other organisations without your consent. You have the right to opt out of receiving Updates from us at any time. You can do this by:
- contacting us using the details set out here;
- using the opt-out link in marketing emails we send to you; or
- using the unsubscribe option on our website (www.geldards.com/sign-up.aspx) We may ask you to confirm or update your marketing preferences if you instruct us to provide further services in the future or if there are changes in the law, regulation or the structure of our business.
How Long Will We Retain Your Personal Information And Why?
How long we will need to hold on to your personal information and the reasons for this will vary depending upon the nature of the personal information and the purpose of the processing. Below, we have set out brief details of the retention periods (and related reasons) that apply to some of the personal information we hold. You can find out more about the retention periods that will apply to your personal information here. Unless you have asked us (and we have agreed) to store your personal information for a longer period, we won’t hold on to your personal information longer than is necessary for the relevant purpose and once we no longer require it, we will ensure that it is disposed of securely.
Category Retention Period And Reasons
Personal information relating to our clients
- We will retain your personal information after we have finished acting for you for one or more of the following reasons:
- To respond to any questions, complains or claims made by you or on your behalf;
- So that we can evidence how we have compiled with our contractual, legal and regulator obligations;
- To enable us to comply with our legal and regulatory obligations.
- We will generally retain your personal information for a period of 6 years. CCTV recordings
- CCTV images are stored on a hard drive for 30 days for reference purposes.
- In the event that any CCTV imagery is required in connection with a security incident, it is copied on to a disk and retained until the relevant incident has been dealt with (whether internally or externally by law enforcement agencies). Contact details for direct marketing purposes • We will retain and use your contact details until such time as you tell us that you no longer wish to receive marketing communications from us.
Who Will We Share Your Personal Information With And Why?
Both in the course of providing legal services to our clients and as a necessary part of running our business, we will often need to share your personal information with third parties. The general position under data protection law is that we should only share your personal information with third parties if we have told you that we intend to do so and have a valid reason for doing so. We must also put safeguards in place to ensure that we share your personal information securely. This section provides you with information about the third parties we will share your personal information with and our reasons for doing so. In some cases, we only describe the category of third party with whom we will share your personal information. This is because:
- when handling matters on behalf of clients, the identity of such third parties will vary from matter to matter; and
- the identity of third parties we use to provide business related services to us (and who may have access to your personal information) will change from time to time. If you would like more information about any of the third parties with whom we share your personal information or the steps we take to ensure that your personal information is secure, please contact us using the details set out here.
Identity Of Third Party Category Of Personal Information Reason For Sharing
Professional advisers such as barristers, medical professionals, accountants, tax advisors and other experts
- Client personal information
- Personal information relating to claimants For the purposes of obtaining professional advice/opinion or information relating to a matter Organisations such as HM Land Registry and Companies House Client personal information In connection with the provision of legal services to you Third parties that we use in the provision of our legal services (for example, couriers, providers of copying and document services) Client personal information In connection with the provision of legal services to you Third parties we use to provide essential business services to us (such as marketing agencies and providers of IT services)
- Client personal information
- Personal information relating to other individuals who contact us In connection with obtaining services that are essential to the running of our business Our insurers and brokers
- Client personal information
- Information relating to individuals who make complaints/claims
- For the purposes of obtaining insurance and making claims under our insurance policies
- For the purpose of dealing with complaints Subsidiary or holding companies Client personal information For internal administrative purposes Our external auditors (i.e. financial, quality and information security)
- Client personal information
- Personal information relating to other individuals who contact us For auditing purposes Our bank and our accountants Client personal information
- For payment purposes
- For regulatory purposes
- For business administration purposes Credit reference agencies Client personal information For carrying out credit checks/searches Law enforcement agencies and regulatory bodies (such as the police, the National Crime Agency, the courts, the SRA and HMRC)
- Client personal information
- Personal information relating to other individuals who contact us
- Information relating to persons who use our website
- Information relating to individuals captured on CCTV
- To comply with our legal and regulatory obligations
- To prevent the commission of offences
- For the administration of justice Potential buyers of some or all of our business or shares in our business Client personal information
- Required information as part of any restructuring, acquisition or sale
- We will ensure that your personal information is subject to confidentiality obligations and/or encrypted
Transferring Your Personal Data Outside The Eea
To deliver services to our clients and conduct our business, we sometimes need to transfer personal information outside the European Economic Area (EEA). The main situations in which we will need to do so are:
- if you are located outside the EEA;
- if any third parties we are using to provide legal services to you are located outside the EEA (for example, experts or other professional advisers);
- where there is an international dimension to the matter on which we are advising you. As non-EEA countries may not offer the same protection to personal information as the United Kingdom and EEA law, transfers of personal information outside the EEA are subject to special rules. Generally speaking, we must only transfer your personal information outside the EEA if:
- the country in question is included on a list of countries published by the European Commission as having adequate data protection laws. You can view a list of those countries here; or
- an appropriate safeguard is put in place (there are various options under data protection law). Our usual practice is to use standard data protection contract clauses which have been approved by the European Commission. You can obtain a copy of those clauses and find out more about them here. If you would like more information about situations in which your personal information may be transferred outside the EEA and/or how we will seek to ensure that your personal data remains secure, please contact us.
Where Is Your Personal Information Held?
Your personal information will be held at our offices and by the third party agencies, service providers, representatives and agents used by us (as referred to here). Some of these third parties may be based outside the European Economic Area. For more information, including on how we safeguard your personal data when this occurs, see here.
How Do We Keep Your Personal Information Secure?
We take the protection of your personal information extremely seriously and we have a number of measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. For example:
- electronic document security which operates on a number of different levels, including:
- access to our IT network is username and password protected;
- once logged on to our network, documents may only be accessed through our document management system;
- every action applied to a document is logged by date, user, device and type of activity;
- encryption of moveable media (e.g. laptops and mobile phones);
- next generation anti-virus software is implemented across all devices;
- emails are sent using TLS encryption where possible;
- staff receive data protection and information security awareness training and are required to adhere to our internal data protection policies and procedures;
- multi-factor authentication is used for externally accessible systems; and
- implementation of physical security measures at all of our offices (including restricted access and CCTV). We also limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. In addition, we have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
What Rights Do You Have Under Data Protection Law?
Under data protection law, you have a number of different rights relating to the use of your personal information. The table below contains a summary of those rights and our obligations. More information about your rights and our obligations can be found on the ICO website https://ico.org.uk/.
Your Rights What This Involves What Our Obligations Are
A right of access This is a right to obtain access to your personal information as well as supplementary information
- Generally, we cannot make a charge if you want to exercise this right
- However, we can make a reasonable charge in certain circumstances (such as if your requests are repetitive) A right to have personal data rectified This is a right to require us to correct any mistakes/omissions in your personal information As well as correcting your personal information, if we have disclosed your personal information to third parties, we must also contact the recipients to inform them that your personal information requires rectification A right to erasure
- This is a right to have your personal information deleted
- This right only applies in specific circumstances and is subject to a number of exceptions and exemptions
- If this right applies, we must delete or remove your personal information
- If we have disclosed your personal information to third parties, we must also contact the recipients to inform them that your personal information must be erased A right to data portability
- This is a right to obtain and re-use your personal information for your own purposes
- It includes a right to ask that your personal information is transferred to another organisation (where technically feasible)
- This right only applies in limited circumstances
- If this right applies we must provide your personal information to you in a structured, commonly used and machine reasonable form
- We cannot charge you for doing so A right to object
- This is a right to object to the use of your personal information
- You can use this right to challenge our use of your personal information based on our legitimate interests
- You have an absolute right to object to our use of your personal information for direct marketing
- If you object to us using your personal information for direct marketing, we must stop using your personal information for this purpose straightaway
- If you object to the use of your personal information on other grounds, whether we are required to stop using your personal information will depend on the particular circumstances A right to object to automated decision making
- This is a right not to be subject to a decision which is made solely on the automated processing of your personal information
- This right only applies where the decision in question will have a legal impact on you or a similarly significant effect We do not make automated decisions using your personal information A right to restrict processing
- This is a right to block or suppress processing of your personal information
- This right applies in various circumstances, including where you contest the accuracy of your personal information
- If we are required to restrict our processing of your personal information, we will be able to store it but not otherwise use it
- If we have disclosed your personal information to third parties, we must contact the recipients to tell them about the restriction on use For further information relating to any of the above rights or to exercise any of your rights, please contact us using the details set out here. You can also find more information about your rights on the ICO’s website (see Individuals’ rights under GDPR). If you request the exercise of any of your rights, we are entitled to ask you to provide us with any information that may be necessary to verify your identity. Generally, we must deal with your request within 28 days of receiving it. However, it may take us longer than this to respond to you if your request is particularly complex or if you have made a number of requests. In this situation, we will let you know when we envisage being able to meet or fully deal with your request.
Your Right To Withdraw Consent
If you have given us your consent to use any of your personal information, you can withdraw your consent at any time. To do so, please contact us using the details set out here.
How You Can Get In Touch With Us
You can get in touch with us in the following ways:
- Cardiff
Geldards LLP
4 Capital Quarter
Tyndall Street
Cardiff
CF10 4BZ
+44 (0)29 2023 8239 - Derby
Geldards LLP
Number One Pride Place
Pride Park
Derby
DE24 8QR
+44 (0)1332 331 631 - Nottingham
Geldards LLP
The Arc
Enterprise Way
Nottingham
NG2 1EN
+44 (0)115 983 3650 - London
Geldards LLP
80 Coleman Street
London
EC2R 5BJ
+44 (0)20 7620 0888 - Email: information.compliance@geldards.com
Your Right To Complain To The Ico
If we are unable to deal with a complaint to your satisfaction or if you are unhappy with the way we are using your personal information, you have the right at any time to make a complaint to the ICO. You can contact the ICO at https://ico.org.uk/concerns or by telephoning 0303 123 1113.
Changes To Our Privacy Notice
This privacy notice was published on 25th May 2018. We may update this privacy notice from time to time. If we make any substantial changes to it, we will notify you.