1.1 This Privacy Notice stems from the overall Data Protection Policy (see 12 below) which is held and documented by Three Graces Legal.
We ALL have extra responsibilities to ensure your personal data is protected
We are a firm of Solicitors based in Liverpool
1.3 Three Graces Legal, whose registered office is 504-505 The Cotton Exchange, Old Hall Street, Liverpool L3 9LQ, is the trading name of Three Graces Legal Limited which is an Alternative Business Structure (ABS) and is authorised and regulated by the Solicitors Regulation Authority (SRA).
1.5 This policy applies to information we collect about:
1.5.1 visitors to our website
This policy covers everyone whose data may be used by us
1.5.2 people who do business with us or register for our service 1.5.3 third-parties who are natural persons
2. THE INFORMATION WE COLLECT ABOUT YOU
The purposes of the processing are that we are a firm of solicitors and you have instructed us to act for you
2.1 When you do business with us or register for our services we collect the following personal information from you:
2.1.2 postal address, email address and telephone number
2.1.3 any details available via social media that is available to the public domain and which we deem is necessary for us to be able to continue working for you
2.2 Occasionally we may receive information about you from other sources (such as your employer, medical practitioner, Department for Work and Pensions – all from whom we will have sought permission from you to obtain that information) which we will add to the information which we already hold about you in order to help us provide legal services and comply with our legal and/or regulatory duties, including those under the anti-money laundering regulations.
We will hold your personal data in our archive for six years after your matter concludes. This means your case is closed and the information is securely held until destroyed.
2.3 To enable us to act for you, whether in a transaction (i.e. something that requires us to use or adhere to a process, for example, a legal claim), or, advice (i.e. where we are instructed only to provide a written advice for you or draft legal documentation), we may need to provide a third party or parties with your data. If this is required, then we will obtain your consent to do so unless we are able to do so by relying on one of the lawful bases contained within Article 6 GDPR. It is likely we will be relying on consent, contract, legal obligation and/or legitimate interests as our basis/bases for processing.
2.4 On matters where we have formally been instructed by you to act, we are required, by law, to retain your information for archiving purposes for six years after your matter has closed. This archived information will be secured using encryption and your identifiable information contained within, for example, your identification documents, will be redacted. We may from time to time, depending on the nature of the personal information we hold, take steps to anonymise or pseudonymise your data.
2.5 We will only collect that information that is strictly necessary to enable us to perform our lawful basis for processing.
2.6 Our reasons for processing your data is to enable us to compile our client matter database and then verify your information based on requisite identification, following which we are able to act for you in the pursuance of your legal transaction or advice.
2.7 Where we have processed your data but you have not instructed us to act, for example, because you consented us to market our services to you, then you may at any time withdraw your consent, at which point we would immediately cease contacting you and we would remove your data from our records. It may, however, become necessary to retain a list of those data subjects who do not wish to be contacted so as to avoid future contact against your wishes.
3. HOW WE WILL USE THE INFORMATION ABOUT YOU
3.1 We gather this information to allow us to provide the services requested by you, by way of your formal written instructions authorising us to act for you. The relevant information is then used by us to communicate with you on any matter relating to the conduct of your instructions in general. If you agree, we may also contact you about other products and services we think may be of interest to you.
3.2 We may also use aggregate information and statistics for the purposes of monitoring compliance in order to help us to improve our services, as well as for our own internal compliance monitoring and reviewing policies to be adhered to. We may also be required to provide such aggregate information to third parties. These statistics will not include any information that can be used to identify you.
We provide individuals with privacy information at the time we collect their personal data from them.
If we obtain personal data from someone else, we provide them with privacy information:
- within a reasonable of period of obtaining the personal data and no later than one month;
- if we plan to communicate with the individual, at the latest, when the first communication takes place; or
- if we plan to disclose the data to someone else, at the latest, when the data is disclosed.
4.1 We may also wish to provide you with information about special features of our website or any other service we think may be of interest to you. To do so, we shall provide you with the option to ‘opt-in’ to our marketing list. If you do not opt in, we will not contact you again. However, if you agree to us providing you with marketing information, you can always opt out at a later date.
This information is important about how we may market our services to you
4.2 We may, from time to time, use a host marketing company to contact other businesses on our behalf by e-mail marketing. This means that the e-mail marketing will be sent to a specified individual at the business. The personal data obtained from the host marketing company is strictly limited to your name and e-mail address. For the avoidance of doubt, Three Graces Legal Limited do not have access or sight to this marketing data, and will only be made aware of the data subject should that data subject respond to the marketing email indicating an interest in our services.
4.3 The host marketing company will rely on legitimate interest and consent as its lawful bases of processing.
4.4 In considering the legitimate interest basis, it has considered the following:
4.4.1 why we want to process the data and what we are trying to achieve
4.4.2 who benefits from the processing and in what way
4.4.3 whether there are there any wider public benefits to the processing
4.4.4 how important those benefits are
4.4.5 what the impact would be if we cannot go ahead
4.4.6 whether the use of the data be unethical or unlawful in any way
4.4.7 whether the processing helps to further that interest
4.4.8 whether it is a reasonable way to go about it
4.4.9 whether there is another less intrusive way to achieve the same result
4.5 We will also consider the following questions:
4.5.1 what is the nature of our relationship with the individual?
4.5.2 is any of the data particularly sensitive or private?
4.5.3 would people expect us to use their data in this way?
4.5.4 are we happy to explain it to them?
4.5.5 are some people likely to object or find it intrusive?
4.5.6 what is the possible impact on the individual?
4.5.7 how big an impact might it have on them?
4.5.8 are we processing children’s data?
4.5.9 are any of the individuals vulnerable in any other way?
4.5.10 can we adopt any safeguards to minimise the impact?
4.5.11 can we offer an opt-out?
5. HOW WE PROTECT YOUR INFORMATION
5.1 We have put in place the following security procedures and technical and organisational measures to safeguard your personal information: we are Cyber Essentials accredited to ensure that suitable security measures are in place in relation to the personal data processed. This ensures we have applied and maintained, as well as annually-reviewed our firewalls, browser certification technology, encryption, limited access and use of passwords policy. We also have robust procedures in place to comply with our internal policies and systems of governance.
We undergo annual tests and reviews to maintain ongoing compliance with information security
5.2 We will use all reasonable efforts to safeguard your personal information. However, you should be aware that the use of the Internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal information which is transferred from you or to you via the Internet.
6. ACCESS TO YOUR INFORMATION AND UPDATING AND CORRECTING YOUR INFORMATION
If you require us to update your information, here are our contact details
7. YOUR RIGHTS
7.1 Under GDPR, you have the following data subject rights:
7.1.1 The right to be informed about what information we hold about you
7.1.2 The right of access to the information we hold about you
7.1.3 The right to rectification of any data we hold about you which is incorrect
Here are your rights which include the right to see what information we hold about you.
7.1.4 The right to erasure of any data which we either no longer require, or which is irrelevant, or which you object to
7.1.5 The right to restrict processing while considering your requests under either 7.1.4 or 7.1.7
7.1.6 The right to data portability in a machine-readable format which easily accessible
Your rights also include:
Putting right your information
Objecting about us using your information
Withdrawing your consent
7.1.7 The right to object to us processing your data
7.1.8 Rights in relation to automated decision-making and profiling. For the avoidance of doubt, we do not as a firm perform any automated decision-making or profiling.
7.2 You also have the right to withdraw consent at any time if where you had previously provided us with it.
7.3 Where you are dissatisfied with how we are handling your request or you think we have acted or omitted to act in a way that causes risk to your rights and freedoms then you have the right to lodge a complaint with a supervisory authority, which in the United Kingdom is the Information Commissioners' Office (ICO)
8. CHANGES TO DATA PROTECTION POLICY AND PRIVACY NOTICE
8.1 We keep our Data Protection Policy and Privacy Notice under regular review. If we change our Data Protection Policy we will post the changes on this page, and place notices on other pages of the website, so that you may be aware of the information we collect and how we use it at all times. This Privacy Notice was last updated and published on 30 April 2018.
9. HOW TO CONTACT THREE GRACES LEGAL
Changes to the information
We regularly review and, where necessary, update our privacy information.
If we plan to use personal data for a new purpose, we update our privacy information and communicate the changes to individuals before starting any new processing. Where appropriate, we will conduct a Data Protection Impact Assessment.
10. LINKS TO OTHER WEBSITES
10.1 Our website contains links to other websites. This Privacy Notice applies only to this website so when you access links to other websites you should read their own privacy policies.
How to contact us
11. SECURITY AND PERFORMANCE
11.1 We use a third-party service to help maintain the security and performance of our website. To deliver this service it processes the IP addresses of visitors to the website.
11.2 We use a third-party service, Joomla, which is run by C Progress. We use a standard Joomla service to collect anonymous information about users' activity on the site, for example the number of users viewing pages on the site, to monitor and report on the effectiveness of the site and help us improve it. For more information about how Joomla processes data, please see their privacy notice.
12. DATA PROTECTION POLICY
This Privacy Notice form part of our overall Data Protection Policy. Our Data Protection Policy also comprises the following policies which we adhere to:
Here are all our other policies