Privacy Notice for clients and prospective clients
Paladin is a law firm providing legal advice, assistance and representation. We are regulated by the Solicitors’ Regulation Authority. We are committed to protecting the privacy and security of the personal data which we hold and guard it as if it were our own.
This Privacy Notice describes how we collect and may use personal data prior to, during and after your relationship with us in accordance with the Data Protection Act 2018 and the General Data Protection Regulations (collectively “Data Protection Legislation”).
We do not knowingly collect data relating to children otherwise than from an authorised guardian or parent in the ordinary course of our acting for you or them.
We are required under the Data Protection Legislation to notify you of the information contained in this Privacy Notice. Please ensure that you read this notice, together with any other privacy notice we may issue on specific occasions, so that you are aware of how and why we are using your data or how and why we may use your data.
1. Controller and Data Privacy Manager
Paladin is the “Data Controller” and responsible for your personal data.
We have appointed a Data Privacy Manager (the “DPM”) to oversee compliance with this Privacy Notice. If you have any questions about this Privacy Notice or how we handle your personal data, please contact the DPM using the following contact details:
- Legal Entity: Paladin-Knight Ltd, trading as “Paladin”
- Name of DPM: Neil Ashley
- Email: [email protected]
- Address: Wildwood House, Hall Road, Barton Turf, Norfolk, NR12 8AR.
- Telephone number: 0345 222 0 111
The supervisory body for data protection issues is the Information Commissioner’s Office (the “ICO”). You have the right to complain to the ICO at any time (www.ico.org.uk). However, we would obviously appreciate the opportunity to deal with any concerns you may have prior to this and hope that we would be able to resolve any concerns to your satisfaction.
2. The data we collect about you
“Personal data” is any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymised data). Personal data also includes information that you provide to us about other individuals, for example individuals within your business or organisation.
Where relevant and appropriate we may collect, store and use the following categories of personal data about you:
- Client matter/case data – including the details of matters/cases upon which we are advising you and any other services we are providing to you;
- Contact data, including your billing/postal addresses, telephone numbers (including mobile numbers) and email addresses;
- Financial details including bank account details and payment card details;
- Identity data including first name, maiden name, last name, username or other identifier, title, date of birth and gender;
- Marketing data including your marketing preferences and communication preferences;
- Technical data such as your IP address, login data, browser type and version, time-zone setting and location, browser plug-in types and versions, operating systems and platform and other technology on the devices you use to access our website.
Where we need to collect and process data under the terms of our contract with you, and where you fail to provide that data when requested, we may not be able to perform the contract we are trying to enter into with you (e.g. to provide services to you). In this case we may have to cease to act for you. We will notify you if this is the case.
3. Special categories of data
”Special categories” of personal data are more sensitive personal information: information relating to your racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, sexual orientation and criminal convictions and offences are also special categories of data.
We may collect special category data in the course of you instructing us about a particular matter involving special categories of your personal data. Outside of this, we do not anticipate collecting any special categories of information. If the position changes we will inform you at the time and we will not do so without your explicit consent.
4. How we use data about you
We will only use your personal data when the law allows us to do so. Most commonly, we will use your personal data in the following circumstances:
- Where we need to perform the contract we have entered into with you i.e. the provision of legal or other services or in preparation for providing legal or other services to you;
- Where we need to comply with a legal or regulatory obligation or requirement;
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
- We may also use your personal data where we need to protect your interests (or someone else’s interests) or where it is needed in the public interest or for official purposes. These circumstances are likely to be rare.
We may only process special categories of personal data in the following circumstances:
- With explicit consent;
- Where the processing is needed to protect your interests (or someone else’s interests, for example, your employer) and you are not capable of giving your consent;
- Where the processing relates to personal data which you have made public; or
- Where the processing is necessary for establishing, exercising, or defending legal claims.
Some of the grounds for processing will overlap and there may be several grounds which justify our use of your personal data.
5. Purposes for which we will use your personal data
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. We have set out below a description of the ways in which we plan to use your personal data and which of the legal bases we rely upon. Where appropriate we have identified our legitimate interests.
If we need to use your personal data for an unrelated purpose to that set out below, we will notify you and we will explain the legal basis which allows us to do so or seek your consent.
Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
To register you as a new client | Identity data Contact data |
Performance of a contract with you. |
Purpose/Activity Type of data Lawful basis for processing including basis of legitimate interest
To register you as a new client Identity data
Contact data
Performance of a contract with you.
Necessary to comply with a legal or regulatory obligation
To manage our relationship with you, including:
i) Providing legal and related services;
ii) Collecting and recovering any money owed to us;
iii) Notifying you of any changes to our privacy notice;
iv) Asking for feedback on our service.
Client matter data
Identity data
Contact data
Financial data
Marketing data
Performance of a contract with you.
Necessary to comply with a legal or regulatory obligation
Necessary for our legitimate interests (to keep our records updated)
To administer and protect our business and our website, including troubleshooting, data analysis, testing, system maintenance, support, reporting and data hosting Identity data
Contact data
Technical data
Necessary to comply with a legal or regulatory obligation
Necessary for our legitimate interests (to run our business, provide IT and administration services, network security, prevention of fraud)
To make recommendations or suggestions to you about our services that may be of interest to you Identity data
Contact data
Marketing data
Technical data
Necessary for our legitimate business interests (to grow our business)
6. Marketing
You may at any time opt-out of receiving marketing communications. Please do so by contacting our DPM by email, [email protected]. If you opt out of marketing communications this will not apply to any other personal data we have collected in the course of other purposes or activities.
7. Cookies
You can set your browser to refuse all or some browser cookies, or to alert you when websites set up or access cookies. Please note if you disable or refuse cookies then some parts of our website may not function properly or may become inaccessible. Our website carries a cookie notification message.
8. Automated decision-making
Automated decision-making takes place when an electronic system uses personal data to make a decision without human intervention. We do not envisage that any decisions will be taken about you using automated means. We will notify you if this position changes.
9. Data sharing
We may have to share your personal data with third parties. These third-parties may include:
- Professional advisers acting as joint processors or joint controllers including lawyers, bankers, experts, auditors and insurers based within the European Economic Area who provide consultancy, legal, expert witness, insurance, accounting and other services;
- HM Revenue and Customs, regulators, fraud prevention agencies and other authorities;
- Courts, Tribunals and other organisations involved in the administration of justice;
- Couriers.
Where we are able to do so, we will require third parties to:
- respect the security of your data and have appropriate security measures in place;
- treat your data in accordance with the law;
- use your data for specified purposes only; and
- use your personal data only in accordance with our permission or instructions.
We do not anticipate transferring your data outside the EEA. We will notify you if this position changes.
10. Data security
We have in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those who have a business need to know and they will only process your personal data on our instructions. They are subject to a duty of confidentiality.
In the event of a suspected data security breach we will notify the ICO, the applicable regulator, and you where we are required or consider it appropriate to do so.
11. Data retention
We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting and regulatory requirements. The retention period for personal data is determined by a number of factors, including the amount, nature and sensitivity of the personal data; the potential risk of harm from unauthorised use or disclosure of the personal data; the purposes for which we process your personal data and whether we can achieve those purposes through other means; and any legal and regulatory requirements.
In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.
By law we have to keep basic information about our clients (including Client Matter, Contact, Identity and Financial data) for at least seven years after they cease to be a client.
12. Rights of access, correction, erasure, and restriction
Under certain circumstances you have the right to:
- Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it;
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below);
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes;
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it;
- Request transfer of your personal data to another party;
- Withdraw consent at any time where you have provided your consent to the collection, processing and transfer of your personal data for a specific purpose. To withdraw your consent, please contact the DPM. Once we have received notification that you have withdrawn your consent, we will no longer process your data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
If you want to exercise any of these rights please contact the Data Privacy Manager in writing.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights detailed above). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and verify your right to access the data (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer. In this case we will notify you and keep you updated.
13. Changes to this privacy notice
We reserve the right to update this Privacy Notice at any time. The current version of this Privacy Notice will be available on our website. We will provide you with a new Privacy Notice when we make any substantial updates.
V.1 10th September 2018
Paladin advises on all aspects of data protection, privacy and security. For more information, please contact us.