PRIVACY POLICY

Overview
Privacy, and the security of personal data, is important to Stone White Solicitors Limited (“the Firm”) and the director(s) are committed to ensuring that we safeguard your personal data at all times and in the best way possible.

We are committed to preserving the privacy of your data so that we can:
deliver services of a high quality to clients;
at all times comply with the law and the various regulations to which we are subject;
meet the expectations of clients, employees and third parties; and
protect our reputation and that of the legal profession in general as a professional and trustworthy provider of legal services

This policy applies in all circumstances where we are acting as a data controller in relation to the personal data of our clients and website users. That is to say it applies where we have a supervisory role in relation to how personal data is collected, stored, used and shared.

Our use of your personal data is regulated under the General Data Protection Regulation (GDPR) which applies across the European Union (including in the United Kingdom) and by the Data Protection Act 2018 which incorporates many of the GDPR requirements. For the purposes of the GDPR we are regarded as a ‘controller’ of your personal data. That is to say, we are the “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

In this policy, please note the use of the following terms:
“we, “us” and “our” refers to the Firm and its director(s);
“you” and ‘your” refers to the person whose data is processed;

Using your personal data
We may collect, store, use and share personal data relating to you in the course of advising you or acting for you. The data we will need to collect from you in order for us to be able to provide you with our services will include the following:
Your name and contact details including address, telephone number and email address;
Information required by us in order to enable us to verify your identity (for example for anti-money laundering purposes). This may include passport details, driving license details and date of birth;
Information as to the matter concerning which we have been instructed;
Information required by us in order to carry out a financial or credit check;
Financial details relating to you including details of your bank account if money is, or is likely to be, remitted to you;
The source of any funds being supplied by you in relation to any transaction that involves a purchase;

Note that failure to provide the personal data requested may prevent us from acting for you or delay the provision of services.

In most cases we will collect data about you directly from you by letter, email, by phone, at a meeting with you or by using a secure portal on our website. However, we may also need to acquire information about you:

From publicly available sources such as HM Land Registry, Companies House, professional records and other membership records;
From third-party services such as screening suppliers, credit reference agencies, due diligence suppliers;
From third parties with whom you have a relationship, including banks, building societies, financial institutions, other professionals and advisers, employers, professional bodies, doctors and trade unions;
Through information technology related methods including by the use of cookies on websites, CCTV and messaging systems;

The purpose for which your data is used
Data protection law requires that we only use your personal data for the purposes for which it was acquired or where we have a proper reason for using it. Those reason can include:

Where you have given consent to the use of your personal data for one or more specific purposes;
Where the use is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract;
Where the use is necessary for compliance with a legal obligation to which we are subject;
Where the use is necessary in order to protect your vital interests or those of another person;
Where the use is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
Where the use is necessary for the purposes of our legitimate interests or those of a third party, except where those interests are overridden by your interests or fundamental rights and freedoms or which require protection of personal data, in particular you or the relevant person is a child.

We may use your personal data for the following purposes:
To provide our legal and other services to you so as to comply with our contract with you;
Carrying out identity checks and undertaking information gathering and audits as required by regulatory bodies to comply with legal and regulatory obligations;
Carrying out financial, embargo and other security checks and undertaking such other processing activities as are required for legal and regulatory compliancegenerally or specifically by our regulator(s);
Complying with our internal business policies and for operational reasons such as security, confidentiality, competency and efficiency control, training and client care;
Audits and external quality reviews in relation to standards adopted by us (e.g. ISO standards, Law Society Standards etc.)
Statistical analysis to enable us to better manage our business;
Maintaining and updating records to ensure accuracy of processing;
Legal and regulatory obligations to make information returns to regulators and legally constituted bodies;
To ensure safe working practices;
Marketing our services to existing and former clients and third parties; and
Credit control and credit reference checks in relation to the services we perform

Contacting you
In additional to the general matters dealt with in paragraph 8 above, please be aware that we may also send you updates concerning legal and other relevant developments which might concern, or be of interest to, you. This may be by post, telephone, email or text and may include information about the services we offer and information relating to changes in the law and practice.

We regard ourselves as having a legitimate interest in processing your personal data for promotional purposes for these purposes and that we do not require your consent in order to do so. From time to time we undertake legitimate interest assessments in order to balance our interests in contacting you with those of your own in relation to your data. Where we believe that consent is required, we will contact you specifically for this and will do so in a clear and transparent manner.

Be assured that we treat your personal data with the utmost respect and will never share it with others for marketing or promotional purposes. You have, at all times, the right to request that we do not contact you for any purpose other than carrying out the matter which we are instructed to undertake. We may however require that you confirm your marketing preferences from time to time so that we can be sure that your views remain the same – especially in relation to issues such as legal and regulatory updates.

Sharing your data with others
Notwithstanding the fact that we will not share your personal data for marketing purposes, it may be necessary to share your personal data with others.

These may include:
professional advisers used in connection with the matter about which we are instructed e.g. accountants, advisors, experts, barristers, medical professionals and search agents;
third parties involved in the matter which we are dealing with such financial services providers, banks, building societies, registrars;
government and similar organisations such as H M Land Registry, Companies House, HM Revenue and Customs
others within our business;
our regulator(s);
credit reference agencies in connection with our contract with you;
our bank, insurers and insurance brokers;
external auditors in relation to the audits and external quality reviews referred to above; and
suppliers of services required in relation to your matter.

When sharing your personal data, we will ensure at all times that those with whom it is shared process it in an appropriate manner and take all necessary measures in order to protect it.

Please be aware that, from time to time, we may be required to disclose personal data and exchange information about, or relating to, you with government, law enforcement and regulatory bodies and agencies in order to comply with our own legal and regulatory obligations.

During the course of, and sometimes following the conclusion of, our instructions from you, we may need to share your personal data with other third parties involved in a relevant transaction. We will only share that information which is necessary and relevant.

From time to time it may be necessary for us to share data for statistical purposes – for example with our regulatory body. We will always take steps to try to ensure that information shared is anonymised but, where this is not possible, we will require that the recipient of the information keeps it confidential at all times.

Storing your personal data
We will keep any personal data relating to you secure at all times.

Some of your personal data will be held at our offices, at third party agencies and service providers, representatives and those agents used by us as set out in paragraphs 12 – 18 above.

Some of your data may be held on computers, hand-held electronic devices and case management software. Where this takes place outside of the European Economic Area (EEA) then the provisions set out below will apply.

Retaining and deleting your data
We operate various security measures in order to prevent loss of, or unauthorised access to, your personal data. In order to ensure this, we restrict access to your personal data to those with a genuine business need to access it and we have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Personal data that is processed by us will not be retained for any longer than is necessary for that purpose or for purposes relating to or arising from that purpose.

Where your personal data is retained after we have finished acting for you or where the contract with you has ended in any other way, then this will generally be for one of the following reasons:

So that we can respond to any questions, complaints or claims made by you or on your behalf;So that we are able to demonstrate that your matter was dealt with adequately and that you were treated fairly;

In order to comply with legal and regulatory requirements.

In general, we will retain your data for only so long as is necessary for the various objectives and purposes contained in this policy. Please note, however, that different periods for keeping your personal data will apply depending upon the type of data being retained and the purpose of its retention.

We will retain your personal data for such time as is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

Transferring your data outside of the EEA
In order for us to provide you with the services for which we have been instructed, it may be necessary for us to share your personal data with those who are outside the EEA where, for example, those persons have offices outside of the EEA, are based outside of the EEA, where electronic services and resources are based outside of the EEA or where there is an international element to the instructions we have received from you. Where this is the case, special rules apply to the protection of your data.
For further information please contact us.

Your rights in relation to your data
The GDPR and data protection legislation gives you, the data subject, various rights in relation to your personal data held and processed. These rights are exercisable without charge and specific time limits apply to us in terms of how quickly we must respond. Those rights are, in the main, set out in Article 12 – 23 of the GDPR and are as follows:

A right of access – that is to say the right to obtain from us confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to that personal data and various other information including the purpose for the processing, with whom the data is shared, how long the data will be retained and the existence of various other rights (see below);
A right to rectification – that is to say the right to obtain from us, without undue delay, the putting right of inaccurate personal data concerning you;
A right to erasure – sometimes referred to as the right to be forgotten this is the right for you to request that, in certain circumstances, we delete data relating to you;
A right to restrict processing – the right to request that in certain circumstances we restrict the processing of your data;
A right to data portability – that is to say the right in certain circumstances to receive that personal data which you have provided to us, in a structured, commonly used and machine-readable format and have the right to have that personal data transmitted to another controller;
A right to object – a right in certain circumstances to object to personal data being processed by us where it is in relation to direct marketing or in relation to processing supported by the argument of legitimate interest; and
A right not to be subject to automated decision making – that is to say a right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

Full details of these rights can be found in the GDPR or by reference to guidance produced by the Information Commissioner’s Office.

In the event that you wish to exercise any of these rights you may do so by:
Contacting us using any medium you wish including in writing, by telephone, electronically or using such social media as we employ for communication purposes;
By completing a form which we can supply to you for this purpose; or
Through a third-party whom you have authorised for this purpose.

Making a complaint
We will at all times make every effort to ensure that your privacy is protected and that any personal data relating to you is kept secure and used only for the purposes for which it was acquired and in an appropriate manner. If you have any queries as the acquisition, use, storage or disposal of any personal information relating to you please contact us.

We can be contacted at Stone White Solicitors, 110 Butterfield, Great Marlings, Luton, Bedfordshire, LU2 8DL.

Notwithstanding our best efforts, inevitably sometimes things do go wrong. If you are unhappy with any aspect of the use and/or protection of your personal data, you have the right to make a complaint to an appropriate supervisory authority. In the United Kingdom this is the Information Commissioner’s Office who may be contacted in writing at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; by telephone on 0303 123 1113; by fax on 01625 524510 or online at https://ico.org.uk/concerns.