Our access and handling of this information is subject to the General Data Protection Regulations (GDPR). This replaces the Data Protection Act of 1998.
The data we collect
Any issue we manage on your behalf typically makes it necessary to provide us with information. This could be about you, your business and possibly one or more of your employees.
Depending upon the nature of the issue, the specific information may vary. However, we will only request information that is relevant and required for managing the issue in question.
If the matter includes the gathering and assessing of evidence, that evidence may include information that would be subject to GDPR and this policy.
For example, in the course of an investigation, documentary evidence might be provided that also contains an employee’s name, address, date of birth or similar.
We also collect personal information such as names and contact details via contact forms on our web site and/or through voluntary subscriptions to newsletters or electronic marketing communications.
Why we collect this data
When you engage us on a matter, we have a contractual obligation to deliver the service required.
Every situation involves a narrative, together with various stakeholders and actors. It is necessary to understand these in order to evaluate the situation and determine an appropriate route forward.
Hence, this information is required so that we can perform these activities in line with our contractual obligations.
For personal information gathered via contact forms and voluntary subscriptions to newsletters or electronic marketing, this is based on your specific consent being explicitly given for us to contact you.
How we use the data
We only use personal information provided via an engagement on a matter for the purposes of handling that matter. We will not use this information for any other purpose.
Information provided by consent, e.g. via contact forms or subscriptions to electronic marketing materials, will only be used for that purpose. We may use a third party mailing list or marketing service provider to send out marketing communications (electronic or physical), provided that service provider also complies with GDPR.
How this data is protected
Personal information may be stored in a number of locations, depending upon the nature of the information and how it was acquired (e.g. through being engaged to handle a matter or through a consensual subscription or contact request).
Information relating to engagements typically resides in our email correspondence with you as we handle the matter. This includes any documents that you send us or that we produce. Our email is held on a secure server and is accessed via an encrypted network connection. Documentation is stored in a client-specific folder, which is maintained on a cloud drive. There may be working copies and backups of those documents on a system within our office.
Information relating to matters that we handle is only retained as long as necessary. This typically means that once a matter has been completed, we will only retain your information for long enough to ensure that any supplementary queries or further actions (e.g. a matter being taken to an Employment Tribunal) can be handled.
We would not retain information for more than one year beyond the end of our engagement, unless there is a specific requirement to do so.
Once an engagement is completed we may, with your consent, retain your information in our customer database so that we can follow up with you in future on possible engagements or keep you informed via our newsletters.
We store personal information acquired via consent-based subscriptions or contact forms in local or cloud hosted customer management systems, e.g. a third party mailing list service provider such as MailChimp.
Your rights regarding your data
You have the right to request access (i.e. copies of) all your personal information held by us. We will provide this information within thirty days of having received your request. Where applicable, you can have your data in a “portable” format.
You have the right to ensure any information we retain is accurate. You can inform us of any changes to your personal information and we will update our records.
You have the right to have your personal information erased, provided it is no longer required for the handling of any unresolved matter or legal proceeding.
You have the right to restrict the use of your information under certain circumstances. This means that while we retain the information, it will not be processed until those circumstances are addressed.
You also have the right to object against the use of your personal information, for example by withdrawing consent to be contacted for direct marketing purposes.
Handling of data breaches
A data breach is any occasion where security measures have been deliberately or accidentally circumvented in order to access, alter, disclose or destroy personal information.
For example, if unauthorised parties have gained access to and potentially obtained copies of your personal information from our systems.
Outside of documents pertaining to matters we have handled, we generally do not retain anything except contact names, email addresses and telephone numbers (i.e. the information provided with consent). As such, the information we retain is generally low risk.
In the unlikely event that there is a personal data breach that represents a risk to individuals or their businesses, we will inform the Information Commissioners Office (ICO) within 72 hours of becoming aware of it.
Embedded content from other websites
Some pages on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.