We are a law firm called Stone King LLP and refer to ourselves in this policy as ‘we’, ‘us’ or ‘our’. We are a ‘data controller’, which means that we are responsible for deciding how we hold and use your personal data. We are registered as a data controller with the Information Commissioner’s Office (ICO), the supervisory authority for data protection in the UK, as:

Stone King LLP, Upper Borough Court, Upper Borough Walls, Bath, BA1 1RG. 

Our registration number is: Z9301808.

We are committed to protecting the privacy and security of your personal data. This privacy policy contains important information about how we collect and use personal data about you, in accordance with the UK General Data Protection Regulation (UK GDPR). It also explains your rights in relation to your personal data and how to contact us or the ICO in the event that you have a complaint.

This privacy policy applies to every individual whose personal data we collect and process. We refer to these categories of individuals as “you” and “your”, which includes:

  • Our current and prospective clients, or representatives of a client, including those who may submit new work enquiries via our website or by contacting a fee earner directly.
  • Other professionals we may contact in the course of our business, including other lawyers and professional advisers.
  • Individuals involved in connection with legal advice that we provide to our clients, e.g. parties on the other side of a dispute we are acting in.
  • Prospective employees and applicants to our work experience programmes, such as our insight scheme.
  • People whose details we process in connection with our marketing activities, including webinars and newsletters.
  • Visitors to our website and social media pages.

Please note that if you are a member of staff or are applying for a role at the firm, a different policy will apply, which will be provided to you.

Personal data means any information relating to a living identified or identifiable individual. The type and amount of personal data we collect depends on the purposes for which we will need to use it and may include:

  • Identity and contact details: this may include your name, title, date of birth, gender, marital status, addresses, telephone numbers, personal email addresses, professional or work contact details, as well as other information that enables us to verify your identity so that we may provide legal services to you (e.g. driving licence, utility bill, passport, identity card, and photographs).
  • Information relevant to our legal advice: this will include personal data relevant to any dispute, investigation or other legal advice we have been asked to provide to our clients. Depending on the type of advice you require, this may include information about your spouse/partner, dependants, wider family and care givers; your employment details, including salary and benefits, misconduct, sickness, performance or grievance; your nationality and immigration status and information from related documents; details of your pension arrangements.
  • Financial information: this may include your bank details, tax details, source of funds information and details of any relevant sanctions. We may use this information in order to establish whether we can act for our clients or to process bills.
  • Publicly available information: this may include information made publicly available via social media, for example, if you sign up for one of our webinars on LinkedIn, GoToWebinar and Learnworlds, or via our other social media platforms, which include Twitter, Instagram and Facebook.
  • Information relating to employment: Information you may provide when applying for a job with us or to take part in our insight scheme, which may include employment history, qualifications, references, equality and diversity monitoring information.
  • Physical access data: we may collect information relating to details of your visits to our premises or virtual meetings with us. This may include audio, video and CCTV recordings.
  • Technical data: this includes information gathered through the automated monitoring of our websites, computer networks, communication and phone systems and connections e.g. Google Analytics, Google Ad-words or Bing, Google Search Console and Wistia. 
  • Marketing and communications data: including your marketing preferences and interests as well as any feedback or reviews you provide to us (for example, after an event, or after receiving legal advice from us). We also track when you receive and read marketing communications from us.
  • ‘Special category data’: in the course of delivering client services, we may be required to collect and use special category data relevant to client matters. For example, in an employment case relating to alleged discrimination, information about medical conditions, race, religion and/or sexual orientation may be relevant.
  • ‘Criminal offence data’: in the course of our client services, we may be required to collect and use personal data relating to criminal convictions and offences, or related security measures. For example, if we represent you in a criminal case, we will collect information about the alleged offence and relevant criminal history.

We collect your personal data in the following ways:

a. Information you give us directly 
You may voluntarily provide us with personal data, for example, when you contact us for legal advice or instruct us in connection with an ongoing matter, visit our offices, sign up to receive marketing communications or attend an event.

b. Information shared by known third party organisations
We may receive information about you from third party sources, including:

  • (With your consent,) your bank/building society, your employer and trade union, your doctors and other health professionals, consultants and other professionals with whom we may engage in relation to your matter.
  • Other professionals or individuals involved in matters that concern or involve you, for example, we will receive information about individuals on the other side of disputes from their legal representative.
  • Systems, to ensure the security of our premises, including security CCTV footage.

c. Information collected when you use our website
When you use our website, some information about you is recorded and temporarily stored. This can include information about the device you are using (such as a computer, mobile, tablet) and some technical information (such as your IP address, device ID). This information is used to improve the performance and use of the website. Please see our Cookies Policy for more details. 

d. Information available publicly
For example, social media platforms and online professional networking services such as LinkedIn; your company website, Companies House, or HM Land Registry.

We may use your data in the following ways:

PROVIDING LEGAL SERVICES

  • Creating client and matter records and files to enable us to provide legal services.

REGULATORY AND COMPLIANCE REQUIREMENTS

  • Conducting checks to identify our clients and verify their identity (e.g. Know Your Client (KYC) checks), and determine sources of funds and wealth to satisfy our regulatory obligations (including Anti-Money Laundering (AML) checks).
  • Screening for financial information and other sanctions or embargoes to satisfy our regulatory obligations. 
  • Gathering and providing information required by or relating to financial returns, reports, and audits.
  • Responding to enquiries or investigations by regulatory bodies or law enforcement agencies. 
  • Including information as part of any report required for external audits and quality checks.
  • Complying with our professional, legal and regulatory obligations.

EMPLOYMENT MANAGEMENT

  • Processing applications for employment.
  • Processing requests from third-party suppliers and monitoring contractual arrangements with them.

MARKETING AND COMMUNICATIONS

  • Sending marketing information, including updates on products, services, and details of events we believe you might be interested in.
  • We sometimes run data analytics to find out, for example, how many marketing emails have been opened or clicked on, or whether you’ve unsubscribed from emails. This is to improve the marketing services we provide.

OPERATIONAL MANAGEMENT AND QUALITY ASSURANCE

  • Processing data in accordance with our operational policies and for statistical analysis.
  • Checking for conflicts of interest.
  • Monitoring client service delivery.
  • Recording complaints and claims information.
  • Creating and maintaining archiving records.

PERSONAL DATA

  • Responding to requests about your personal data.
  • Keeping our records updated in accordance with the law. 

Please note: We do not use your personal data for automated decision making, including profiling. We may use your personal data with your consent to electronically verify your identity using a third-party e-verification service. 

Subject to applicable law and the purpose for which we collect your information, we will only process your personal data where we have a lawful basis for doing so. Under the UK GDPR, Article 6, there are six lawful bases, and we rely on one or more of the following lawful bases to process your personal data:

  • Contract: the processing of your personal data is necessary if we are entering a contract with you or deciding whether to enter a contract with you.
  • Legal obligation: the processing of your personal data is necessary to ensure we are complying with the law, for example, we are required to provide your personal data under a Court Order or as required by our regulator.
  • Legitimate interests: the processing of your personal data is necessary for your legitimate interests, provided your fundamental rights do not override those interests. Examples of legitimate interests include providing legal advice, ensuring regulatory compliance and maintaining accreditations, promoting our services, processing feedback we may receive from attendees at an event, and in connection with the operation of our business.
  • Vital interests: the processing of your personal data is necessary to protect your vital interests or those of another individual, for example, providing your details to a medical professional in the case of a medical emergency when you are attending our premises.
  • Consent: where you have given us your clear consent to process your personal data for a specific purpose. In some cases, we will request your consent to process your personal data. For example, if you have signed up to receive direct marketing from us, or if we need to process your ‘special category data’ for any reason other than carrying out our contract for legal services for you.

When we collect personal data from you, we will make it clear whether you are required by law or under a contract, to provide your personal data, and what will happen if you do not provide that data.

Special category data includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic data.

Where we need to process special category data or criminal offence data, in addition to a lawful basis, we also need to satisfy an appropriate condition for the processing, in accordance with Article 9 (for special category data) or Article 10 (for criminal offence data) of the UK GDPR, and the Data Protection Act 2018 (the “DPA 2018”).

The following conditions are most relevant to how we process your special category data:

  • Where processing is necessary for the establishment, exercise or defence of legal claims (or whenever courts are acting in their judicial capacity).
  • We only process it where that processing is necessary to protect your vital interests or those of another natural person, where you are physically or legally incapable of giving consent (e.g. where we liaise with a third party under a power of attorney).
  • We only process it where the personal data has been manifestly made public by the data subject (this means that you have deliberately taken steps to make information about you available in the public domain, e.g. when a Member of Parliament makes their political opinions public).
  • Where processing is necessary for reasons of substantial public interest, in accordance with Part 2, Schedule 1 of the DPA 2018. For example: where processing is necessary to prevent fraud; to make a disclosure in relation to suspicions of money laundering or terrorist financing; or ensuring equality of opportunity or treatment between groups of people with a view to enabling equality to be promoted or maintained.
  • In limited circumstances, where the above conditions do not apply, we may process your special category data or criminal offence data on the basis that you have provided explicit consent (such consent may be withdrawn at any time by emailing data@stoneking.co.uk).

We may use your special category data in the following ways:

  • To create client and matter records and files, and to enable us to provide legal services to you.
  • To verify the identity of our clients using Facial Recognition Software. This involves the processing of biometric data for the purposes of identification and is carried out securely by our e-verification provider, Smart Search (with your consent).
  • To share with third parties during your matter and in accordance with your instructions.
  • To respond to requests from our regulator to provide, for example, information on equality and diversity.
  • To respond to a request for your personal data; and/or to enable us to make reasonable adjustments to our premises, service delivery or events to accommodate any special requirements based on your special category data and in accordance with our Equality and Diversity Policy.

While carrying out our work and your instructions we sometimes need to share your personal data with third parties, including but not limited to:

  • Professional advisers who we instruct on your behalf or refer you to, such as barristers, costs draftsmen, medical professionals, accountants, tax advisers, investment companies, architects, estate agents, case management companies or other experts.
  • Other third parties where necessary to carry out your instructions, e.g. where you have asked us to appoint a carer or driver on your behalf, pay bills, etc.
  • Our regulator, the Solicitors Regulation Authority (SRA).
  • Insurers and brokers.
  • Government departments, i.e. Companies House, the Legal Aid Agency, Land Registry, HMP HMRC, DWP, Inland Revenue, Legal Ombudsman.
  • External auditors and accreditors (e.g. SRA, SQM, Chambers Directory).
  • Our bank and/or our data processors, including but not limited to trustees, translators, third-party IT providers, and reprographics providers.

We only allow third parties to handle your personal data if we are satisfied that they take appropriate measures to protect it. If we share personal data with them, they will process that data as a data controller or a data processor, dependent upon how they will process that data, and in accordance with the data sharing requirements of the GDPR. We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.

We may also need to share personal data with other third parties, such as potential buyers of some or all our business, or during a restructuring. Usually, information will be anonymised, but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.

In delivering our services to you, it is sometimes necessary for us to share your personal data outside the UK. This might arise where, for example, you are domiciled overseas, your matter has an international dimension or where our service providers are located outside the EEA. Any transfers of personal data outside the UK are subject to special rules under the UK GDPR. We will therefore put in place appropriate safeguards where we transfer your information outside of the EEA by either:

  • ensuring that there is an adequacy decision by the European Commission in respect of those countries in place; and/or
  • ensuring that information is treated by third parties in a way that is consistent with, and which respects the EU and UK laws on data protection. Our standard practice is to use the standard contractual clauses which have been approved by the European Commission and satisfy all additional requirements.

If you would like more information about how we protect your personal data if it is transferred outside the UK, please contact data@stoneking.co.uk.

The security of your personal data is of paramount importance to us. Much of the personal data we hold is stored electronically, in our secure IT systems, or in hard copy, either at our secure office premises or at a secure offsite archive provider. It may also be stored by third parties processing your data on our behalf, for example, our online e-verification service provider, to verify our client’s identity to comply with our obligations under Anti-Money Laundering Regulations, but this will be in accordance with a data processing agreement.

We retain your personal data in accordance with our Terms of Business. We do so for one (or more) of the following reasons:

  • In accordance with regulatory, insurance or statutory requirements.
  • To respond to any enquiries, complaints or claims made by you or on your behalf.
  • Where we have a legitimate interest in retaining your personal data (e.g. to prevent conflicts of interest or where you have indicated you would like to hear from us for marketing purposes).

Different retention periods apply for different types of data and are based on requirements such as statutory requirements, legal obligations and client agreements. If you would like further information about our retention periods, please contact data@stoneking.co.uk.

We have security measures which strive to prevent personal data from being accidentally lost or used or accessed unlawfully. We follow strict procedures as to how your personal data is processed, to prevent any unauthorised person obtaining access to it. All personal data you register on our website will be located behind a firewall and we will use our strict procedures and security features to try to prevent unauthorised access to our systems.

Unfortunately, the transmission of information via the internet is not completely secure and although we strive to protect your personal data, we cannot absolutely guarantee the security of your data. Those processing your information within our business and on our behalf will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any identified or suspected personal data breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Under the UK GDPR you can exercise a number of rights, as follows:

  • Right to be informed: you have the right to be told about how we use your personal data. This notice is intended to provide you with this information.
  • Right of access: you have the right to access and receive a copy of your personal data.
  • Right to rectification: if you believe we hold inaccurate personal data about you then you have the right to ask us to correct any mistakes in your personal data.
  • Right to erasure: you have the right to require us to delete your personal data from our records, provided we do not have an overriding legitimate reason for retaining it (e.g. to comply with a legal obligation).
  • Right to restrict processing: you have the right to require us to restrict processing of your personal data if you are contesting the accuracy of the information we hold, or whether our use of your personal data is legitimate or not.
  • Right to data portability: you may receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party in certain situations.
  • Right to object: you have the right to object to processing where we are: processing your personal information on the basis of the legitimate interests (see ‘Legal grounds for using your personal data’) and we have no compelling reason to continue with that processing; using your personal information for direct marketing, or using your personal information for statistical purposes.
  • Rights related to automated decision-making including profiling: you have the right not to be subject to a decision based solely on automated processing.

You also have the right:

  • To withdraw your consent to our processing of your personal data (where that is relevant) at any time.
  • To complain to the Information Commissioner’s Office about our processing or our response to your requests and objections. To do so, go to https://ico.org.uk/make-a-complaint .

You will not have to pay a fee to exercise any of your rights; however, we may charge a reasonable fee or refuse to comply with a request in certain circumstances, e.g. if a request is manifestly unfounded or excessive. We will ask for proof of identity before we provide any personal data, to prevent any unauthorised access.

If you would like to exercise any of these rights, please contact data@stoneking.co.uk, or the firm’s Data Protection Officer (please see the ‘How to contact us’ section below).

We use your personal data in connection with marketing communications. For example, if you sign up to receive newsletters from us or communications about new products and services that may be of interest to you. We want to ensure that we are only sending you relevant information, and so you can update your marketing preferences at any time by clicking ‘update your preferences’ in any of our emails.

If you have consented to receive marketing communications from us, you can withdraw this consent at any time by clicking ‘unsubscribe’ or ‘preferences’ in any of our emails. Please note, if you have signed up for an event, we may still send you communications in connection with this event, even if you do not sign up to receive general marketing emails from us, e.g. to provide you with a joining link for a webinar.

We may process the data of children or young people for whom we act or where their data is relevant to a matter on which we are acting. For example, where we are advising an education establishment in connection with a pupil matter, or a matrimonial dispute involving children.

Any children or young people under the age of 18 have the same rights over their personal data as adults; however, in some cases it may be appropriate or necessary for an adult (such as a parent, guardian or legal advisor) to exercise these rights on the child or young person’s behalf. If you are under 18 and would like further information about how we process your personal data, please contact data@stoneking.co.uk.

If you would like to contact us to discuss any aspect of this policy, or have questions on how we process your data, please email our Data Protection Officer.  

DPO: LauraWilson@stoneking.co.uk

Telephone: 01225 324402

Address: Stone King LLP, Upper Borough Court, Upper Borough Walls, Bath, BA1 1RG  

We hope that our DPO can resolve any query or concern you may raise about our use of your information. However, the General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns or telephone: 0303 123 1113.
