Your rights under the GDPR
The Right to be Informed:
Now Legal is committed to ensuring that your privacy is protected. This policy explains how we use the information we collect about you and procedures that we have in place to safeguard your privacy as well as informing you of our obligations under the GDPR which is effective from 25 May 2018.
In providing legal services in the United Kingdom we will either act as a data controller or a data processor. Where we act as a controller in relation to any processing of personal data we will comply with the provisions of GDPR. Where we act as a data processor we will take such security measures as are required to enable us to process personal data in compliance with obligations equivalent to those imposed on you by the GDPR.
When you contact us to obtain details of costs to act for you, we will require your name, email and telephone number as well as details of the proposed transaction. This will allow us to give an accurate representation of the likely costs so you can then make a decision as to whether you wish to proceed to instruct us. This information at this time is not shared with third parties (unless you request us to). Your information is retained on file for a year for the purposes of analysing conversion rates for new matters.
When you instruct us to act for you we will ask you to complete an instruction form providing your name, address, email address and telephone numbers and confirming the details of your proposed transaction which may include details of any finances required for the transaction. We gather this information so that we can proceed to open a file and progress your matter. Such processing may include the disclosure of relevant information to third parties involved in the transaction such as other solicitors, brokers, mortgage lenders, estate agents, and Freeholders/management companies/managing agents.
There will be times where your data may be shared with other third parties not listed above. These are our case management providers, Tikit and our IT support team Medhurst. As providers of support for our IT systems there will be instances where they have to log onto our systems in order to fix any problems and they will be able to see your data, they will not however share this data with anyone else.
In the event of a claim our Firm’s Professional Indemnity Insurers, who are currently AM Trust may require us to share details of your file. This data will only be processed for the purposes of investigating the claim.
Information is also shared with our Chartered Accountants but this is for audit purposes only and your data will not be passed on.
The internal procedures of Now Legal Solicitors cover the storage, access and disclosure of your information.
All information that we collect about you has to be processed, lawfully, fairly and in a transparent manner. We can only process the data lawfully if we have a lawful basis. Our lawful basis’ are as follows:
(b) processing is necessary for the performance of a contract to which you are party to or in order to take steps at your request prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which we are subject;
(f) processing is necessary for the purposes of the legitimate interests pursued by us, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data
The right of access:
You have the right to obtain a copy of the personal information that we hold about you. This will be free of charge unless of course the request is unfounded or excessive, then we can charge a reasonable fee or refuse to respond. If we refuse to respond to a request we must explain the reason why and inform you of your right to make a complaint to the ICO.
Information requested will be dealt with as soon as possible and at the latest within one month of receipt. If we are unable to meet your request within this timescale we must inform you of the reason for the delay. The person making the request for information must have their identity verified by us before we can release any information. A request for information should be made to Carole Desmond, the Data Protection Officer, this request can be made in writing to Now Legal Solicitors, 4 Brunel Way, Segensworth East, Fareham, Hampshire PO15 5TX or by email to [email protected]
The right to rectification:
Individuals have the right to have their personal data rectified if it is inaccurate or incomplete. If we have disclosed this personal data to third parties we must inform them of the correct details and also inform you of the third parties who have this information. We must respond to your request for rectification within one month although we can extend this is the rectification is complex. If we do not take action in respect of the request you have the right to complain to the ICO and also to a judicial remedy.
The right to erase:
The right to erasure is also known as “the right to be forgotten”. This right enables an individual to request the removal or deletion of personal data where there is no compelling reason for it to be processed. This is not an absolute right and can only be carried out under certain specific circumstances. We can refuse to comply with a request for erasure in the following circumstances:
- To exercise the right of freedom of expression and information
- To comply with a legal obligation for the performance of a public interest task or exercise of official authority
- For public health purposes in the public interest
- Archiving purposes in the public interest
- The exercise of defence of legal claims
If the personal data is to be erased and this information had disclosed to third parties, the third parties must be made aware of the erasure of the data.
The right to restrict processing:
Individuals have a right to block or supress processing of personal data. When processing is restricted we are permitted to store the data but not process it further. We, as a firm are required to restrict the processing of personal data in the following circumstances:
- Where an individual contests the accuracy of the data. The processing should be restricted until the accuracy of the data has been verified
- Where an individual has objected to processing, and we have to consider whether our legitimate grounds for processing overrides the individual’s
- When processing is unlawful and the individual opposes erasure and requests restriction instead
- If we no longer need the data but it is required by the individual to establish exercise or defend a legal claim
The right to data portability:
This allows individuals to obtain and re-use their personal data for their own purposes across different services. This right only applies to personal data which an individual has provided to us, where the processing is based on the individual’s consent or for the performance of a contract; and where the processing is carried out by automated means.
We must provide the personal data in a commonly used and machine readable way, enabling other organisations to use the data. The information will be provided free of charge. If required by the individual we can transmit the data electronically directly to another organisation.
The right to object:
You have a right to object to:
- Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority
- Direct marketing; and
- Processing for the purposes of scientific/historical research and statistics
You must have an objection “on grounds relating to your own particular situation”.
We must stop processing the personal data as soon as we receive the objection, we are unable to refuse or reject such a request.
Rights in relation to automated decision making and profiling:
The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.
When processing personal information we need to identify whether we use any automated decision making. Currently we are not carrying out solely automated decision making that has legal or similarly significant effects on people. However, if we were to start processing information in this way, we would ensure that full information is given in relation to the processing, we would also introduce ways for human intervention to be requested and decisions challenged as well as carrying out sufficient checks to ensure that systems are working as required.
Retention of Information:
Any credit or debit card information that you have provided will be removed from your file and destroyed securely before archiving. Your file will then be kept for a period of seven years from the date that we archive it. The file will either be kept in it’s original paper format or the information stored electronically. The GDPR does not allow us to retain any data beyond what is required of us so after the period of seven years the data will be destroyed.