Stone King LLP, is a ‘data controller’, which means that we are responsible for deciding how we hold and use your personal information. When we say ‘we’, ‘us’ or ‘our’ in this policy, we are referring to Stone King LLP. We are registered as a data controller with the Information Commissioner’s Office as follows:
Stone King LLP, 13 Queen Square , Bath, BA1 2HJ – Z9301808
Please be aware our Notary Services are offered entirely separately from Stone King, for these services please find the privacy notice here.
- Personal data we collect about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). There are ‘special categories’ of more sensitive personal data which require a higher level of protection. The personal data about you which we collect, store, and use may include but is not limited to the following categories:
- personal contact details such as name, title, addresses, telephone numbers, and personal email addresses;
- work contact details;
- date of birth;
- information to enable us to verify your identity, such as driving licence, utility bill or passport;
- a copy of your signature including copies of documents you sign in your name or on behalf of a business;
- financial information such as bank details, tax details and source of funds information and details of any relevant sanctions;
- details of your professional social media presence, such as LinkedIn;
- details of your spouse/ partner, dependants, wider family and care givers;
- your employment details, including salary and benefits, misconduct, sickness, performance or grievance;
- your nationality and immigration status and information from related documents;
- details of your pension arrangements;
- any other personal data relevant to our clients’ matters or the operation of our business;
- job application details, e.g. date of birth, employment history, qualifications, references, equality and diversity monitoring information;
- ‘Special category data’, including data relating to health (including disabilities), ethnicity, race, religious beliefs, trade union membership and genetic information and biometric data;
- information about criminal convictions and offences;
- audio, video and CCTV recordings; and/or
- information gathered through the automated monitoring of our websites, computer networks, communication and phone systems and connections e.g. Google Analytics, Google Adwords or Bing.
- How your personal data is collected
We collect most of your personal data from you direct. However, we may also collect information via / from third party sources. Those third party sources include but are not limited to:
- publically accessible sources such as Companies House or HM Land Registry;
- third parties (with your consent) such as your bank / building society, your employer and trade union, your doctors and other health professionals, consultants and other professionals with whom we may engage in relation to your matter;
- networking and social events;
- correspondence we may receive from third parties about you or your matters;
- third parties relevant to an application for employment (e.g. referees);
- cookies on our website - see our cookies policy;
- online client portals;
- case management systems;
- automated monitoring of our websites, computer networks, communications systems and connections; and/or
- systems to ensure the security of our premises, including security CCTV footage
- Legal grounds for using your personal information
We will only process your personal information where we have a lawful basis for doing so. Under the General Data Protection Regulation, there are six lawful bases, four of which are applicable to our business and the processing of your personal information. We have given some examples of where each basis applies, as follows:
- to decide whether to enter a contract with you or to perform that contract with you. We rely on this lawful basis to process your personal information to perform our contract for legal services with you;
- to comply with a legal obligation. We rely on this lawful basis where, for example, we are required to provide your personal data under a Court Order or as required by our regulator;
- where we have a legitimate interest to process your information, provided your interests and fundamental rights do not override those interests. We may market our services to you on the grounds of legitimate interest, but we will always give you the option to opt-out of those communications; and/or
- where you have given us your consent. Where we cannot rely on any other lawful basis, we will request your consent to process your personal information. This might be relevant if we need to process your ‘special category data’ for any reason other than carrying out our contract for legal services for you.
Some of the above grounds for processing can overlap and there may be several grounds which justify our use of your personal information.
- How we use your personal information
We may use your data in the following ways:
- to create client and matter records and files to enable us to provide legal services;
- to conduct checks to identify our clients, verify their identity and determine a source of funds and wealth;
- to respond to a request for or query about your personal information;
- to screen for financial and other sanctions or embargoes;
- to process your application for employment;
- to process your request to provide services to us as a third party supplier and monitor your contractual arrangement with us;
- to send you marketing information, including updates on products, services and details of events in which we believe you might be interested;
- to process it in accordance with our operational policies and to provide statistical analysis, including checking for conflicts of interests, monitoring client service delivery, recording complaints and claims information and creating archiving records;
- to gather and provide information required by or relating to financial returns, reports and audits;
- to respond to enquiries or investigations by regulatory bodies or law enforcement agencies;
- as part of any report required for external audits and quality checks; and/or
- for the purposes of complying with our professional, legal and regulatory obligations.
- How we use your special category data
‘Special category data’ requires higher levels of protection. We may only process your special category data if we have a lawful basis and a specific condition for doing so. The following four conditions are most relevant to how we process your special category data:
- Where processing is necessary for the establishment, exercise or defence of legal claims (or whenever courts are acting in their judicial capacity);
- We only process it where that processing is necessary to protect your vital interests or those of another natural person, where you are physically or legally incapable of giving consent (e.g. where we liaise with a third party under a power of attorney);
- We only process it where the personal data has been manifestly made public by the data subject; or
- where it is needed in the public interest, such as for equal opportunities monitoring.
In limited circumstances, where we need to process your special category data and we cannot rely on any of the four conditions set out above, we will only process it with your explicit, written consent.
We may use your special category data in the following ways:
- To create client and matter records and files to enable us to provide legal services to you;
- To share with third parties in the course of your matter and in accordance with your instructions;
- To respond to requests from our regulator to provide, for example, information on equality and diversity;
- To respond to a request for your personal information; and/or
- To enable us to make reasonable adjustments to our premises, service delivery or events to accommodate any special requirements based on your special category data and in accordance with our Equality and Diversity policy.
- Who we share your personal data with
In the course of carrying out our work and your instructions we sometimes need to share your personal data with third parties, including but not limited to:
- professional advisers who we instruct on your behalf or refer you to, such as barristers, costs draftsmen, medical professionals, accountants, tax advisers, investment companies, architects, estate agents, case management companies or other experts;
- other third parties where necessary to carry out your instructions, e.g. where you have asked us to appoint a carer or driver on your behalf, pay bills etc.;
- our regulator, the Solicitors Regulation Authority;
- insurers and brokers;
- Government departments i.e. Companies House, the Legal Aid Agency, Land Registry, HMP HMRC, DWP, Inland Revenue, Legal Ombudsman;
- external auditors and accreditors (e.g. SRA, SQM, Chambers Directory);
- our bank; and/or
- our data processors, including but not limited to trustees, translators, third-party IT providers, and reprographics providers.
We only allow third parties to handle your personal data if we are satisfied they take appropriate measures to protect it. If we share personal data with them, they will process that data as a data controller or a data processor, dependent upon how they will process that data, and in accordance with the data sharing requirements of the GDPR. We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.
We may also need to share personal data with other third parties, such as potential buyers of some or all of our business, or during a restructuring. Usually, information will be anonymised but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.
- Transferring your personal data out of the EEA
In delivering our services to you, it is sometimes necessary for us to share your personal data outside the EEA. This might arise where, for example, you are domiciled overseas, your matter has an international dimension or where our service providers are located outside the EEA. Any transfers of personal data outside the EEA are subject to special rules under the GDPR. We will therefore put in place appropriate safeguards where we transfer your information outside of the EEA by either:
- ensuring that there is an adequacy decision by the European Commission in respect of those countries in place; and/or
- ensuring that information is treated by third parties in a way that is consistent with and which respects the EU and UK laws on data protection. Our standard practice is to use the standard data protection contract clauses which have been approved by the European Commission.
- Keeping and storing your personal data
The security of your personal data is of paramount importance to us. The majority of the personal data we hold is stored electronically, in our secure IT systems, or in hard copy, either at our secure office premises or at a secure offsite archive provider. It may also be stored by third parties processing your data on our behalf (see who we share your data with) but in accordance with a data sharing agreement.
We retain your personal data in accordance with our Terms of Business. We do so for one (or more) of the following reasons:
- in accordance with regulatory, insurance or statutory requirements
- to respond to any enquiries, complaints or claims made by you or on your behalf; or
- where we have a legitimate interest in retaining your personal data (e.g. to prevent conflicts of interest or where you have indicated you would like to hear from us for marketing purposes).
Different retention periods apply for different types of data.
- Withdrawing your consent
Where we process your personal data on the lawful basis of having obtained your specific consent, you are welcome to withdraw that consent at any time. Please contact email@example.com.
- Your rights
Under the GDPR you can exercise a number of rights, as follows:
- Right of access - to be provided with a copy of your personal data;
- Right to rectification - to require us to correct any mistakes in your personal data;
- Right to be forgotten - to require us to delete your personal data - in certain situations;
- Right to restrict processing - to require us to restrict processing of your personal data - in certain circumstances;
- Right to data portability - to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party - in certain situations;
- Right to object - to object to your personal data being processed for direct marketing and, in certain other situations, to our continued processing of your personal data;
- Rights related to automated decision-making - The right not to be subject to a decision based solely on automated processing;
You will not have to pay a fee to exercise any of your rights, however, we may charge a reasonable fee if a request for access is clearly unfounded or if it is deemed to be excessive. Alternatively, we may refuse to comply with a request in such circumstances. We will ask for proof of identity before we provide any personal information, to prevent any unauthorised access.
If you would like to exercise any of these rights, please contact firstname.lastname@example.org, or the firm's COLP (please see the 'How to contact us' section below).
- Keeping your personal data secure
We have security measures which strive to prevent personal data from being accidentally lost, or used or accessed unlawfully. We follow strict procedures as to how your personal information is processed, to prevent any unauthorised person obtaining access to it. All personal information you register on our website will be located behind a firewall and we will use our strict procedures and security features to try to prevent unauthorised access to our systems. Unfortunately, the transmission of information via the internet is not completely secure and although we strive to protect your personal data, we cannot absolutely guarantee the security of your data. Those processing your information within our business and on our behalf, will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
- Processing of data belonging to children or young people
We may find it necessary to process the data of children or young people for whom we act or where their data is relevant to a matter on which you have instructed us.
Children under the age of eleven are unlikely to be able to grasp the concepts involved in their data rights and we can provide a separate explanation to them.
Children who are able to understand the relevant concepts, or with whom we are engaging online and are over the age of 13, control the rights to their own data.
- How to contact us
If you would like to contact us to discuss any aspect of this Policy, please contact our Compliance Officer for Legal Practice (COLP), as follows:
- How to complain
We hope that our COLP can resolve any query or concern you may raise about our use of your information. However, the General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns or telephone: +44 0303 123 1113.
This policy will be regularly reviewed and updated.
Dated: 17 December 2018