This policy sets out the obligations of Peter Dunn and Co Limited, a company registered in England and Wales under company registration number 08017997 regarding Data Protection and the rights of clients and business contacts in respect of their personal data held under EU Regulation 2016/679 being the General Data Protection Regulations (“GDPR”).
The GDPR defines “personal data” as any information relating to an identified or identifiable person. An identifiable person is one who can be identified either directly or indirectly by reference to information such as a name, an identification number, location, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. This policy sets out the company’s obligations regarding the collection, processing, transfer, storage and disposal of personal data. The procedures and principles set out herein must be followed at all times by the company, its employees, agents, contractors, or other parties working on behalf of the company.
The company is committed not only to the letter of the law, the spirit of the law and places high importance on the correct, lawful and fair handling of personal data, respecting the legal rights, privacy and trust of all individuals with whom it deals.
1) The Data Protection Principles
This policy aims to ensure compliance with the GDPR. The GDPR sets out the following principles with which any party handling personal data must comply. All personal data must be:-
1.1 Processed lawfully, fairly and in a transparent manner in relation to the data subject.
1.2 Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
1.3 Adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.
1.4 Accurate and where necessary kept up to date. Every reasonable step must be taken to ensure the personal data that is inaccurate, having regard to the purposes for which it is processed, is erased, or rectified without delay.
1.5 Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of which the personal data is processed. Personal data may be stored for longer periods so far as the personal data will be processed solely for archiving purposes in the public interest or the interest of the data subject.
1.6 Processed in a manner that ensures appropriate security of the personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measure.
2) The Rights of Data Subjects
The GDPR sets out the following rights applicable to data subjects (please refer to the parts of this policy indicated for further details):-
2.1 The Right to be informed (Part 12)
2.2 The right of access (Part 13)
2.3 The right to rectification (Part 14)
2.4 The right to eraser (known as the “Right to be forgotten”) (Part 15)
2.5 The right to restrict processing (Part 16)
2.6 The right to data portability (Part 17)
2.7 The right to object (Part 18)
2.8 The right with respect to automated decision making and profiling (Parts 19/20)
3) Lawful, Fair and Transparent Data Processing
3.1 The GDPR seeks to ensure that personal data is processed lawfully, fairly and transparently, without adversely effecting the rights of the data subject. The GDPR states that the processing of personal data shall be lawful if at least one of the following applies:
3.1.1 The date subject has given consent to the processing of their personal data for one or more specific purposes.
3.1.2 The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract with them.
3.1.3 The processing is necessary for compliance with a legal obligation to which the data controller is subject.
3.1.4 The processing is necessary to protect the vital interests of the data subject or of another person.
3.1.5 The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
3.1.6 The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
4) Specified, Explicit and Legitimate Purposes
4.1 The company collects and processes the personal data set out in Part 21 of this policy. This includes personal data collected directly from the data subject and personal data obtained from third parties.
4.2 The company only collects, processes, and hold personal data for the specific purposes set out in Part 21 of this policy, or for other purposes expressly permitted by the GDPR.
4.3 Data subjects are kept informed at all times of the purpose or purposes for which the company uses their personal data. Please refer to Part 12 for more information on keeping data subjects informed.
5) Adequate Relevant and Limited Data Processing
The company will only collect and process personal data for and to the extent necessary for the specific purpose or purposes of which the data subjects have been informed as under part 5, above, and set out in part 21 below.
6) Accuracy of Data and Keeping Up to Date
6.1 The company shall ensure that all personal data collected, processed and held by it is kept accurate and up to date. This includes, but not limited to, the rectification of personal data at the request of a data subject set out in Part 14 below.
6.2 The accuracy of the personal data will be checked when it is collected. If any personal data is found to be inaccurate or out of date, reasonable steps will be taken to amend or erase the data, as appropriate.
7) Data Retention
7.1 The company shall not keep personal data for any longer than is necessary or required by regulatory bodies such as the Law Society or the Solicitors Regulation Authority, or for which that personal data was originally collected, held and processed.
7.2 When personal data is no longer required as above, all reasonable steps will be taken to erase or otherwise dispose of it.
8) Secure Processing
The company shall ensure that all personal data collected held and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage. Further details are provided in parts 22- 27 of this policy.
9) Accountability and Record Keeping
9.1 The company Data Protection Officer is Rebecca Davison.
9.2 The Data Protection Officer shall be responsible for overseeing the implementation of this policy and for monitoring compliance with the policy.
9.3 The company shall keep written internal records of all personal data collection holding and processing.
10) Data Protection Impact Assessments
10.1 The company shall carry out data protection impact assessments for any and all new projects and/or new uses or personal data which involve the use of new technologies.
10.2 Data protection impact assessments shall be overseen by the Data Protection Officer and shall address the following:-
- The types of personal data that will be collected, held and processed.
- The purposes for which the personal data is to be used.
- The company objectives.
- How personal data is to be used.
- The risks posed to data subjects.
- Risks posed both within and to the company.
- Measures to minimise and handles identified risks.
11) Keeping Data Subjects Informed
11.1 The company shall provide the information set out in Part 12.2, to every data subject:-
- Where personal data is collected directly from data subjects, those data subjects will be informed of its purpose at the time for collection and where personal data is obtained from a third party the relevant data subjects will be informed of its purpose.
11.2 The following information shall be provided:-
- Details of the company and identity of its Data Protection Officer.
- The purposes for which the personal data is being collected and will be processed and the legal basis justifying that collection.
- Where applicable, the legitimate interests upon which the company is justifying its collection and processing of personal data.
- Where personal data is to be transferred to one or more third parties and giving details of those parties.
- Details of data retention.
- Details of data subject’s rights under the GDPR.
- Details of the data subjects right to withdraw consent.
- Details of the data subject’s right to complain to the Information Commissioners Office (“The Supervisory Authority”) under the GDPR.
13) Data Subject Access
13.1 Data subjects may make subject access requests (“SAR’s”) at any time to find out more about personal data which the company holds about them.
13.2 Employees wishing to make an SAR should do so using a “Subject Access Request Form”), sending the form to the company Data Protection Officer at 20 Athenaeum Street, Sunderland, Tyne and Wear SR1 1DH.
13.3 Responses to SAR’s shall normally be made within 1 month of receipt, but this may be extended by up to 2 months if the matter is complex and numerous requests are made.
13.4 All SAR’s received should be handled by the company’s Data Protection Officer.
13.5 The company does not charge a fee for handing of normal SAR’s.
14) Rectification of Personal Data
14.1 Data subjects have the right to require the company to rectify any of their personal data that is inaccurate or incomplete.
14.2 The company shall rectify the personal data in question and inform the data subject that rectification has been made. This is normally done within 1 month but the period can be extended by up to 2 months if the issues are complex.
14.3 In the event that any effected personal data has been disclosed to a third party, those parties shall be informed of any rectification.
15) Eraser of Personal Data
15.1 Data subjects have the right to request that the company erases personal data in the following circumstances:-
- It is no longer necessary for the company to hold that personal data.
- The data subject wishes to withdraw their consent to the company holding and processing personal data.
- The data subject objects to the company holding and processing their personal data, and there is no overriding legitimate interest to allow the company to do so.
- The personal data has been processed unlawfully.
- The personal data needs to be erased in order for the company to comply with particular legal obligations.
15.2 Unless the company has reasonable grounds to refuse to erase personal data requests will be actioned within 1 month of receipt of the data subject’s request. The period can be extended by up to 2 months in the case of a complex request.
15.3 In the event that any personal data that is to be erased in response to a data subject’s request has been disclosed to third parties, those third parties shall be informed of the eraser (unless it is impossible or would require disproportionate effort to do so).
16) Restriction of Personal Data Processing
16.1 Data subjects may request that the company ceases processing personal data it holds about them.
16.2 In the event that any effected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).
17) Data Portability
17.1 The company, at present, does not process personal data using automated means.
18) Objections to Personal Data Processing
18.1 Data subjects have the right to object to the company processing their personal data based on legitimate interests and direct marketing.
18.2 Where a data subject objects to the company processing their personal data based on its legitimate interests the company shall cease such processing immediately, unless it can be demonstrated that the company’s legitimate grounds for such processing override the data subject’s interest, rights and freedoms or that the processing is necessary for the conduct of legal claims.
18.3 Where a data subject objects to the company processing their personal data for direct marketing purposes, the company shall cease such processing immediately.
19) Automated Decision Making
19.1 The company at present does not use personal data in automated decision making processes.
The company at present does not use personal data for profiling purposes.
21) Personal Data Collected Held and Processed
The company is a firm of solicitors and the following personal data is collected, held or processed by the company for the purposes representing the client/data subject in the matters instructed.
Date of birth
Personal information about your case/claim
Credit card details
Other information you give us or we receive about, and in order to represent you, and for which you instruct the company.
22) Data Security – Transferring Personal Data and Communications
The company shall ensure the following measures are taken in respect of all communications involving personal data:-
- All emails containing personal data will be marked “confidential”
- Personal data may be transmitted over secure networks only
- Personal data may not be transmitted over a wireless network, if there is a wired alternative that is reasonably practicable.
- All personal data to be transferred physically, whether in hard copy form or on removable electronic media shall be done so securely.
23) Data Security – Storage
The company shall ensure that the following measures are taken with respect to the storage of personal data:-
- Electronic copies should be stored securely using passwords and/or data encryption.
- All hard copies of personal data should be stored securely.
- All personal data stored electronically should be backed up.
- No personal data should be stored on any mobile device whether should device belongs to the company or otherwise and it should be stored for no longer than is absolutely necessary.
- No personal data should be transferred to any device personally belonging to an employee.
24) Data Security – Disposal
When any personal data is to be erased or otherwise disposed of it should be securely deleted or disposed of.
25) Data Security – Use of Personal Data
The company shall ensure that the following measures are taken with respect to the use of personal data:-
- No personal data may be shared informally and if an employee, agent, sub-contractor, or other party working on behalf of the company requires access to personal data that they do not already have access to, such access should be formally requested.
- No personal data may be transferred to any employees, agents, contractors or other parties without the authorisation of the company.
- Personal data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, sub-contractors or other parties.
- If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time the user must lock the computer and screen.
26) Data Security – IT Security
The company shall ensure the following measures are taken with respect to IT and information security:-
- All passwords to protect personal data should be changed regularly. Passwords should contain a combination of upper- case and lower-case letters, numbers and symbols.
- Passwords should not be written down or shared between employees, agents or contractors or other parties.
- All software shall be kept up to date. The company’s IT partner, Meridian, shall be responsible for installing any and all security related updates.
- No software may be installed on any company – owned computer or device without prior approval of Meridian.
27) Organisational Measures
The company shall ensure that the following measures are taken with respect to the collection, holding and processing of personal data:-
- All employees, agents, contractors or other parties working for or on behalf of the company shall be made aware of their responsibilities under GDPR.
- Only employees, agents, sub-contractors or other parties working on behalf of the company shall have use of the personal data and shall only use it to carry our their assigned duties.
- All employees, agents, contractors or other parties working on behalf of the company handling personal data shall be required to encourage the exercise of care, caution and discretion when discussing work related matters that relate to personal data.
- The methods of collecting, holding and processing personal data shall be regularly evaluated and reviewed.
- All employees, agents, contractors or other parties working on behalf of the company handling personal data will be bound to do so in accordance with the principles of the GDPR and this policy by contract.
28) Transferring Personal Data to a Country Outside the EEA
The company does not, at present, transfer personal data to countries outside the EEA.
29) Data Breach Notification
29.1 All personal data breaches must be reported immediately to the company’s Data Protection Officer.
29.2 If personal data breaches occur and that breach is likely to result in a risk to the rights and freedoms of the data subjects such as financial loss, breach of confidentiality, the Data Protection Officer must ensure that the Information Commissioners Office informed of the breach without delay and in any event within 72 hours after having become aware of it.
29.3 In the event that a personal data breach is likely to result in high risk to the rights and freedoms of the data subjects, the Data Protection Officer must ensure that all effected data subjects are informed of the breach directly and without undue delay.
29.4 Data breach notifications shall include the following information:_
- The categories and approximate number of data subjects concerned.
- The categories and approximate number of personal data records concerned.
- The name and contact details of the company’s Data Protection Officer.
- The likely consequences of the breach.
- Details of the measures taken or proposed to be taken by the company to address the breach.
30) Implementation of Policy
This policy shall be deemed to be effective as of Tuesday 29th May 2018. No part of this policy shall have a retroactive effect and thus shall only apply to matters occurring on or after this date.
This policy has been approved and authorised by the Directors of Peter Dunn & Company Limited:-
Dated this 21st day of May 2018