Stone King LLP is committed to protecting the privacy and security of your personal data. This privacy notice contains important information about how we collect and use personal data about you.
For the purposes of applicable data protection law (in particular, the UK General Data Protection Regulation (the "UK GDPR")), Stone King LLP (an LLP incorporated in England and Wales, registered number OC315280) is a ‘data controller’, which means that we are responsible for deciding how we hold and use your personal data. When we say ‘we’, ‘us’ or ‘our’ in this notice, we are referring to Stone King LLP. We are registered as a data controller with the Information Commissioner’s Office as follows:
Stone King LLP, Upper Borough Court (UBC), Upper Borough Walls, Bath, BA1 1RG – Registration number: Z9301808
This privacy notice applies to everyone whose personal data we collect and process (excluding our existing and former workforce). This includes the following categories of individuals:
- Our current and prospective clients, including those who may submit new work enquiries via our website or by contacting a fee earner directly;
- Other professionals we may contact in the course of our business, including other lawyers and professional advisers;
- Individuals involved in connection with legal advice that we provide to our clients, e.g. parties on the other side of a dispute we are acting in;
- Prospective employees and applicants to our work experience programmes, such as our insight scheme;
- People whose details we process in connection with our marketing activities, including webinars and newsletters.
Personal data means any information relating to an identified or an identifiable individual. The type and amount of personal data we collect depends on the purposes for which we will need to use it and will include:
- Identity and contact details: this may include your name, title, date of birth, gender, marital status, addresses, telephone numbers, personal email addresses, professional or work contact details, as well as other information that enables us to verify your identity so that we may provide legal services to you (e.g. driving licence, utility bill, passport, identity card, and photographs).
- Information relevant to our legal advice: this will include personal data relevant to any dispute, investigation or other legal advice we have been asked to provide to our clients. Depending on the type of advice you require, this may include information about your spouse/partner, dependants, wider family and care givers; your employment details, including salary and benefits, misconduct, sickness, performance or grievance; your nationality and immigration status and information from related documents; details of your pension arrangements.
- Financial information: this may include your bank details, tax details and source of funds information and details of any relevant sanctions. For example, we may use this information in order to establish whether we can act for our clients or to process bills.
- Publicly available information: this may include information made publicly available via social media, for example, if you sign up for one of our webinars on LinkedIn, GoToWebinar and Learnworlds, or our other social media platforms, which include Twitter, Instagram and Facebook.
- Information you may provide when applying for a job with us or to take part in our insight scheme, which may include employment history, qualifications, references, equality and diversity monitoring information.
- Physical access data: we may collect information relating to details of your visits to our premises or attending virtual meetings with us. This may include audio, video and CCTV recordings.
- Technical data: this includes information gathered through the automated monitoring of our websites, computer networks, communication and phone systems and connections, e.g. Google Analytics, Google Ad-words or Bing, Google Search Console and Wistia.
- Marketing and communications data, including your marketing preferences and interests as well as any feedback you provide to us (for example, after an event). We also track when you receive and read marketing communications from us.
- ‘Special category data’: in the course of delivering client services, we may be required to collect and use special category data relevant to client matters (that is, information relating to physical or mental health (including disabilities), racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual life and sexual orientation, genetic data, and biometric data (where used for identification purposes)). For example, in an employment case relating to alleged discrimination, information about medical conditions, race, religion and/or sexual orientation may be relevant.
- ‘Criminal offence data’: in the course of our client services, we may be required to collect and use personal data relating to criminal convictions and offences, or related security measures. For example, if we represent you in a criminal case, we will collect information about the alleged offence and relevant criminal history.
We collect your personal data in the following ways:
- Information you give us directly: you may voluntarily provide us with personal data, for example, when you contact us for legal advice or instruct us in connection with an ongoing matter, visit our offices, sign up to receive marketing communications or attend an event.
- Information shared by known third party organisations: we may receive information about you from third party sources, including:
- third parties (with your consent) such as your bank/building society, your employer and trade union, your doctors and other health professionals, consultants and other professionals with whom we may engage in relation to your matter;
- other professionals or individuals involved in matters that concern or involve you, for example, we will receive information about individuals on the other side of disputes from their legal representative; and
- systems to ensure the security of our premises, including security CCTV footage.
- Information collected when you use our website: when you use our website, some information about you is recorded and temporarily stored (please see our Cookies Policy for more details).
- Information available publicly: for example, online professional networking services such as LinkedIn, your company website, Companies House, or HM Land Registry.
We may use your data in the following ways:
- to create client and matter records and files to enable us to provide legal services;
- to conduct checks to identify our clients, verify their identity and determine a source of funds and wealth to satisfy our regulatory obligations;
- to respond to a request for or query about your personal data;
- to screen for financial and other sanctions or embargoes to satisfy our regulatory obligations;
- to process your application for employment;
- to process your request to provide services to us as a third-party supplier and monitor your contractual arrangement with us;
- to send you marketing information, including updates on products, services and details of events in which we believe you might be interested;
- to process it in accordance with our operational policies and to provide statistical analysis, including checking for conflicts of interests, monitoring client service delivery, recording complaints and claims information and creating archiving records;
- to gather and provide information required by or relating to financial returns, reports and audits;
- to respond to enquiries or investigations by regulatory bodies or law enforcement agencies;
- as part of any report required for external audits and quality checks; and/or
- for the purposes of complying with our professional, legal and regulatory obligations.
We do not use your personal data in automated decision-making, including profiling. In conjunction with this, we do use your data with your consent to electronically verify your identity, using a third-party e-verification service.
Subject to applicable law and the purpose for which we collect your information, we will only process your personal data where we have a lawful basis for doing so. Under the UK GDPR, there are six lawful bases, and we rely on one or more of the following legal bases to process your personal data:
- to decide whether to enter a contract with you or to perform that contract with you. We rely on this lawful basis to process your personal data to perform our contract for legal services with you;
- to comply with a legal obligation. We rely on this lawful basis where, for example, we are required to provide your personal data under a Court Order or as required by our regulator;
- where we have a legitimate interest to process your information, provided your interests and fundamental rights do not override those interests. For example, to provide legal advice, ensuring regulatory compliance and maintaining accreditations, promoting our services, processing feedback we may receive from attendees at an event, and in connection with the operation of our business.
- where processing is necessary to protect the vital interests of you or another individual (for example, providing your details to a medical professional in the case of a medical emergency when you are attending our premises).
- where you have given us your consent. In some cases, we will request your consent to process your personal data. For example, if you have signed up to receive direct marketing from us, or if we need to process your ‘special category data’ for any reason other than carrying out our contract for legal services for you.
When we collect personal data from you, we will make it clear whether you are required by law or under a contract, to provide your personal data, and what will happen if you do not provide that data.
Where we need to process special category data (for example information concerning health) or criminal offence data, in addition to a lawful basis we also need to satisfy an appropriate condition for the processing, in accordance with Article 9 (for special category data) or 10 (for criminal offence data) of the UK GDPR and the Data Protection Act 2018 (the “DPA 2018”).
The following conditions are most relevant to how we process your special category data:
- Where processing is necessary for the establishment, exercise or defence of legal claims (or whenever courts are acting in their judicial capacity);
- We only process it where that processing is necessary to protect your vital interests or those of another natural person, where you are physically or legally incapable of giving consent (e.g. where we liaise with a third party under a power of attorney);
- We only process it where the personal data has been manifestly made public by the data subject (this means that you have deliberately taken steps to make information about you available in the public domain, e.g. when a Member of Parliament makes their political opinions public);
- Where processing is necessary for reasons of substantial public interest, in accordance with Part 2, Schedule 1 of the DPA 2018. For example: where processing is necessary to prevent fraud; to make a disclosure in relation to suspicions of money laundering or terrorist financing; or ensuring equality of opportunity or treatment between groups of people with a view to enabling equality to be promoted or maintained.
- In limited circumstances, where the above conditions do not apply, we may process your special category data or criminal offence data on the basis that you have provided explicit consent (such consent may be withdrawn at any time by emailing firstname.lastname@example.org).
We may use your special category data in the following ways:
- To create client and matter records and files, and to enable us to provide legal services to you;
- To verify the identity of our clients through the use of Facial Recognition Software. This involves the processing of biometric data for the purposes of identification, and is carried out securely by our e-verification provider Smart Search (with your consent);
- To share with third parties in the course of your matter and in accordance with your instructions;
- To respond to requests from our regulator to provide, for example, information on equality and diversity;
- To respond to a request for your personal data; and/or
- To enable us to make reasonable adjustments to our premises, service delivery or events to accommodate any special requirements based on your special category data and in accordance with our Equality and Diversity Policy.
In the course of carrying out our work and your instructions we sometimes need to share your personal data with third parties, including but not limited to:
- professional advisers who we instruct on your behalf or refer you to, such as barristers, costs draftsmen, medical professionals, accountants, tax advisers, investment companies, architects, estate agents, case management companies or other experts;
- other third parties where necessary to carry out your instructions, e.g. where you have asked us to appoint a carer or driver on your behalf, pay bills etc.;
- Smart Search, our e-verification provider;
- our regulator, the Solicitors Regulation Authority;
- insurers and brokers;
- Government departments i.e. Companies House, the Legal Aid Agency, Land Registry, HMP HMRC, DWP, Inland Revenue, Legal Ombudsman;
- external auditors and accreditors (e.g. SRA, SQM, Chambers Directory);
- our bank; and/or
- our data processors, including but not limited to trustees, translators, third-party IT providers, and reprographics providers.
We only allow third parties to handle your personal data if we are satisfied they take appropriate measures to protect it. We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.
We may also need to share personal data with other third parties, such as potential buyers of some or all of our business, or during a restructuring. Where personal data is to be shared for this purpose, we will anonymise wherever possible. The recipient of the information will be bound by confidentiality obligations.
In delivering our services to you, it is sometimes necessary for us to share your personal data outside the UK. This might arise where, for example, you are domiciled overseas, your matter has an international dimension or where our service providers are located outside the EEA. Any transfers of personal data outside the UK are subject to special rules under the UK GDPR. We will therefore put in place appropriate safeguards where we transfer your information outside of the EEA by either:
- ensuring that there is an adequacy decision by the European Commission in respect of those countries in place; and/or
- ensuring that information is treated by third parties in a way that is consistent with and which respects the EU and UK laws on data protection. Our standard practice is to use the standard contractual clauses which have been approved by the European Commission and satisfy all additional requirements.
If you would like more information about how we protect your personal data if it is transferred outside the UK please contact email@example.com.
The security of your personal data is of paramount importance to us. The majority of the personal data we hold is stored electronically, in our secure IT systems, or in hard copy, either at our secure office premises or at a secure offsite archive provider. It may also be stored by third parties processing your data on our behalf, for example, our online e-verification service provider, which verifies our client’s identity to comply with our obligations under Anti Money Laundering Regulations, but this will be in accordance with a data processing agreement.
We retain your personal data in accordance with our Terms of Business. We do so for one (or more) of the following reasons:
- in accordance with regulatory, insurance or statutory requirements;
- to respond to any enquiries, complaints or claims made by you or on your behalf; or
- where we have a legitimate interest in retaining your personal data (e.g. to prevent conflicts of interest or where you have indicated you would like to hear from us for marketing purposes).
Different retention periods apply for different types of data. If you would like further information about our retention periods, please contact firstname.lastname@example.org.
Under the UK GDPR you can exercise a number of rights, as follows:
- Right to be informed – you have the right to be told about how we use your personal data. This notice is intended to provide you with this information.
- Right of access – you have the right to ask us to confirm what information we hold about you and to request a copy of that information.
- Right to rectification – if you believe we hold inaccurate personal data about you then you have the right to ask us to correct any mistakes in your personal data.
- Right to erasure – you have the right to require us to delete your personal data from our records, provided we do not have an overriding legitimate reason for retaining it (e.g. to comply with a legal obligation).
- Right to restrict processing – you have the right to require us to restrict processing of your personal data if you are contesting the accuracy of the information we hold, or whether our use of your personal data is legitimate or not.
- Right to data portability – you may receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party in certain situations.
- Right to object – you have the right to object to processing where we are: processing your personal information on the basis of the legitimate interests ground (see ‘Legal grounds for using your personal data’ above) and we have no compelling reason to continue with that processing; using your personal information for direct marketing; or using your personal information for statistical purposes.
- Rights related to automated decision-making – you have the right not to be subject to a decision based solely on automated processing.
- Right to complain – you have the right to lodge a complaint with the relevant data protection authority if you think that we have infringed any of your rights (for further information, please see ‘How to complain’ below).
You will not have to pay a fee to exercise any of your rights; however, we may charge a reasonable fee or refuse to comply with a request in certain circumstances, e.g. if a request is manifestly unfounded or excessive. We will ask for proof of identity before we provide any personal data, to prevent any unauthorised access.
If you would like to exercise any of these rights, please contact email@example.com, or the firm’s Data Protection Officer (please see the ‘How to contact us’ section below).
We have security measures which strive to prevent personal data from being accidentally lost, or used or accessed unlawfully. We follow strict procedures as to how your personal data is processed, to prevent any unauthorised person obtaining access to it. All personal data you register on our website will be located behind a firewall and we will use our strict procedures and security features to try to prevent unauthorised access to our systems.
Unfortunately, the transmission of information via the internet is not completely secure and although we strive to protect your personal data, we cannot absolutely guarantee the security of your data. Those processing your information within our business and on our behalf will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any identified or suspected personal data breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
We use your personal data in connection with marketing communications, for example, if you sign up to receive newsletters from us or communications about new products and services that may be of interest to you. We want to ensure that we are only sending you relevant information, and so you can update your marketing preferences at any time by clicking ‘update your preferences’ in any of our emails.
If you have consented to receive marketing communications from us, you can withdraw this consent at any time by clicking ‘unsubscribe’ or ‘preferences’ in any of our emails. Please note, if you have signed up for an event, we may still send you communications in connection with this event, even if you do not sign up to receive general marketing emails from us, e.g. to provide you with a joining link for a webinar.
We may process the data of children or young people for whom we act or where their data is relevant to a matter on which we are acting. For example, where we are advising an education establishment in connection with a pupil matter, or a matrimonial dispute involving children.
Any children or young people under the age of 18 have the same rights over their personal data as adults; however, in some cases it may be appropriate or necessary for an adult (such as a parent, guardian or legal advisor) to exercise these rights on the child or young person’s behalf. If you are under 18 and would like further information about how we process your personal data, please contact firstname.lastname@example.org.
If you would like to contact us to discuss any aspect of this notice, please contact our Data Protection Officer (DPO), as follows:
DPO: Laura Wilson
Telephone: 01225 324402
Address: Stone King LLP, Upper Borough Court (UBC), Upper Borough Walls, Bath, BA1 1RG
We hope that our DPO can resolve any query or concern you may raise about our use of your information. However, the General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns or telephone: 0303 123 1113.
This notice will be regularly reviewed and updated.