General Data Protection Regulations Privacy Notice

The purpose of this privacy notice is to communicate how and why we collect, process and store personal data in accordance with the General Data Protection Regulations (GPDR).  It also provides instructions and the appropriate contact information should you wish to exercise any of your data processing rights under GDPR.  We ask that you read it carefully.

Who We Are

Paul Dodds Law is a partnership.  Our office is at 70 High Street East, Wallsend, Tyne & Wear, NE28 7RH.  It is a legal practice which is authorised and regulated by the Solicitors Regulation Authority under number 48849. The firm collects, uses and is responsible for certain personal information about you. When it does so it is also regulated under the GDPR by the Information Commissioner and is responsible as ‘controller’ of that personal information.  The person responsible for this policy is Paul Dodds.

The Personal Information We Collect, Use and Share

Personal data is any type of data from which someone else would be able to identify you as an individual.

In the course of your legal transaction we collect the following personal information when you provide it to us:

  • Name, address, date of birth, contact information (such as a telephone number and/or email address, where appropriate)
  • National Insurance number (where appropriate)
  • Identity information and documentation (such as a passport, driving licence or utility bill)
  • Additional information in relation to your legal transaction to enable us to advise you and progress your case. This will depend on the type of legal work you instruct the firm to undertake.  This may include, for example, details of your bank account to allow monies to be sent to you following the sale of a property.

We use your personal information primarily to enable us to provide you with a legal service in accordance with your instructions.  We also use your personal information for related purposes including identity verification, administration of files, updating existing records if you have instructed the firm previously, analysis to help improve the management of the firm, for statutory returns and legal and regulatory compliance. The information will be held in hard copy and/or electronic format.

You are responsible for ensuring the accuracy of all the personal data you supply to us and we will not be held liable for any errors unless you have advised us previously of any changes in your personal data.

Where you are acting as an agent or trustee, you agree to advise your principal or the beneficiary of the trust that their personal information will be dealt with on these terms.

If we are working on your matter in conjunction with other professionals who are advising you, including experts, barristers, banks, building societies, mortgage lenders, estate agents, etc., we will assume, unless you notify us otherwise, that we may share and disclose relevant personal data and information about your matter to them, if we feel it is appropriate and necessary.

On occasions we ask other trusted companies to provide typing, costing, photocopying or other support work on our files to ensure that this work can be done promptly.  We expect these outsourced providers to ensure that they keep the information sent to them securely and confidentially and will undertake checks to ensure that they do.  All routine typing, costing and photocopying is undertaken in-house.

We use private, secure, computers to assist us in processing and protecting your information and keeping it secure from the risks of cybercrime and fraud.  All of the personal information you provide to us is kept in the UK; we will not transfer any of your personal data to another country outside the UK unless you specifically instruct us to do so.

There may be occasions when we are under a legal duty to share personal information with law enforcement or other authorities, including the Solicitors Regulation Authority or the Information Commissioner.  If we are required to disclose information to the National Crime Agency, we may not be able to tell you that a disclosure has been made.  We may have to stop working for you for a period of time and may not be able to tell you why.  We cannot be held liable for any loss you suffer due to delay or our failure to provide information in these circumstances.

Occasionally some of our client files may be audited by external auditors or examiners to ensure we meet our legal, quality and financial management standards.  Some information may also be disclosed to our professional indemnity insurers and to our financial auditors, if required.  Any information that we disclose is provided on a strictly confidential basis where this concerns individuals.  Unless you tell us otherwise we will assume you have no objection.  You may object at any time and refusing your consent will not affect our work for you.

We will not share your personal information with any other third party and will not issue any publicity material or information to the media about our relationship and the work we are doing for you without your explicit consent.

Should you choose to withhold your personal information when we require it we may not be able to provide you with the services you have requested.

How Long Your Personal Data Will Be Retained

We will hold your personal data, including your name, address and contact details plus your file of papers for a period of time.  How long that period of time is will depend on the nature of your case. We will confirm this to you at the end of your case.  This will typically be six years but may be longer.  After this period of time, your file of papers including the electronic file, will be destroyed confidentially without further reference to you, unless we contact you to confirm other arrangements or you contact us to request your file of papers at an earlier date.

In order to meet our regulatory obligations we may be required to retain basic information about you, to include your name, address and date of birth, on our electronic database for a longer period of time.

Client Data – We hold client contract data, correspondence and contact details on our systems throughout the period of the contract and after the contract ends for at least six years.  The reasons for retaining the data are so that we have accurate business records of the business relationship should the client decide to return to Paul Dodds Law as a client in the future; for marketing purposes under the grounds of ‘legitimate interests’ to keep the client / former client informed of progress and news about Paul Dodds Law and relevant industry news; and for analytical and statistical business planning purposes.  Depending on individual circumstances the data will either continue to be processed for these reasons or it will be obfuscated and no longer processed in line with the client / former clients wishes.

Employee Data – We hold employee and perspective employee data on our system.  We hold this data for the purposes of recruitment and employment.  We hold the data of successful candidates as long as their employment contract lasts with Paul Dodds Law and for at least six years following their departure.  For unsuccessful candidates we hold personal data for at least two years so that we can have accurate business records for efficient recruitment processes.  For example, so that we do not process an unsuccessful candidate for the same type of role more than once.

Supplier / Business Associate Data – We hold the personal data of suppliers and business associates for as long as their contract with us to supply goods and services lasts.  We may hold onto their details afterwards indefinitely in case we ever want to purchase products or services from them again in the future, including correspondence relating to the levels of product quality and service quality we had received from them.

Reasons We Can Collect and Use Your Personal Information

The GPDR provides six lawful bases for processing personal data.  We intend to rely on the following lawful bases to collect and use your personal or sensitive personal data:

  • Your consent – You have given clear consent for us to process your personal data for a specific purpose, which is to say the provision of legal services
  • Contractual obligations – the processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract

Paul Dodds Law will process the personal data required from clients, employees, and suppliers/business associates in order to fulfil the terms of our contracts with them under the legal basis of ‘contract’ under GDPR e.g. to deliver legal services to clients, to employ our employees, to commission products and services from our suppliers and business associates relating to the delivery of our services to our clients or to run the Paul Dodds Law business.

We will only ever collect, process and store the essential information required for delivering the contract and for making contact with the data subjects that have a contract with Paul Dodds Law.  The personal data we collect is typically contact details, business / employee / supplier contractual details and other relevant data that enables us to fulfil our side of the contract.  We will only record sensitive or special category personal data when freely given to us by employees or clients.

  • Legal Obligations – the processing is necessary for us to comply with the law (not including contractual obligations).  We will use personal information where we have to comply with the law.  For example, we have to provide information to HM Revenue and Customs.
  • Legitimate interests – the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Paul Dodds Law collects, processes and stores data relating to individuals in order to provide legal services to those individuals and to operate as a business.  This includes the personal data of our clients, prospective clients, former clients and employees.  We process this data under the GDPR legal basis ‘legitimate interests’ as we consider that the individuals whose data that we are processing are likely to have an interest in our legal services.  This is based upon specific criteria including the work previously undertaken for a client.  For example, where we hold a will for a client we may contact them if we consider that sufficient time has passed since the will was made that it may be in their interests to update their will.

We may also keep our employees up-to-date by processing their data for internal marketing purposes in relation to business progress, related services and relevant industry news.  We consider ‘legitimate interest’ to be the lawful basis for doing this.

A situation may arise in which, for the purpose of contact tracing, we may be asked to provide the NHS Test and Trace service (or any government service that subsequently replaces it) with the name, address, postcode, telephone number(s) or our clients and/or clients and details of any relevant contact between clients, members of our staff or other visitors to our premises. This is a legitimate interest because collecting the data is likely to be in the interests of the individuals concerned, the firm, and the wider public health efforts to tackle COVID-19.

How We Process Personal Data

Paul Dodds Law takes your privacy seriously and we will only use your personal business data in the following ways:

  • We process data belonging to our clients, in order to deliver legal advice and related services
  • We process data for sales and marketing purposes belonging to clients, former clients, prospective clients and target organisations we would like to do business with, regarding our firm
  • We process employee and prospective employee data in order to recruit, employ, pay, retain and develop our workforce
  • We process contact enquiries to fulfil requests for certain services and information
  • We process data to carry out our obligations arising from any contracts we enter into with you
  • We process data to process payment from you
  • We process data to request feedback from you on the services we provide
  • We process data to notify you of changes to our products and services
  • We process employee personal information to comply with the law
  • We process data to monitor behaviour on our website
  • We process data to assist with public health efforts to tackle Covid-19 by providing contact tracing information to NHS Track and Trace

Marketing

Information about the firm and up to date articles which may be of interest to you are available on our website www.pauldodds.co.uk.

In relation to future marketing, we would like to keep in touch with you and let you know periodically about information that we think may be of specific interest to you or to tell you about events or developments in the firm.  We ask you to provide your email address and give specific confirmation that you want to “opt in” to us sending you such information in the future.  If you provide your consent, by opting in, you may withdraw it at any time by contacting us to confirm that you no longer want us to contact you.  If you provide your consent we may use third party software and services to assist us in relation to the processing of our marketing communications but we will ensure we have confidentiality agreements in place and will never disclose your information to third parties for them to use for their own marketing purposes.

If you are an existing client of the firm or we are holding documents for you such as wills or deeds we may rely on legitimate interests as the lawful reason for contacting you in future.  We will only do this where we feel it would be of benefit to you or where we need to update you in relation to our terms and conditions.

Legitimate Interest Assessment

Paul Dodds Law has undertaken a Legitimate Interest Assessment (LIA).  Based upon that assessment we consider that the rights and freedoms of the data subjects would not be overridden in receiving correspondence regarding Paul Dodds Law and that a data subject would not be caused harm by our correspondence.

We will only send direct marketing material to individuals who have opted in to receiving that maternal or who have previously received a service from us and we feel that there is a legitimate interest reason to write to them.

In accordance with the ICO guidance Paul Dodds Law confirms:

  • We have checked that legitimate interests is the most appropriate basis for processing data for the purposes of sending marketing and sales messages to our clients, prospective clients and former clients
  • We understand our responsibility to protect the individual’s interests
  • We have conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify our decision
  • We have identified the relevant legitimate interests (marketing opt-in, previous instructions on the same or similar work type)
  • We have checked that the processing is necessary and there is no less intrusive way to achieve the same result
  • We have done a balancing test, and are confident that the individual’s interests do not override those legitimate interests
  • We only use individuals’ data in ways they would reasonably expect
  • We are not using people’s data in ways they would find intrusive or which could cause them harm
  • We do not process the data of children for marketing purposes
  • We have considered safeguards to reduce the impact where possible
  • We will always ensure there is an opt-out / ability to object
  • Our LIA did not identify a significant privacy impact
  • We keep our LIA under review every six months, and will repeat it if circumstances change

Your Rights

Further information about your rights under GDPR can be found on the Information Commissioner’s website www.ico.org.uk. You have the following rights under GDPR:

  • The Right to be Informed

If we hold your personal data you have the right to be informed about the collection and use of it. This privacy notice is designed to fulfil our obligation under GDPR to keep you informed. In line with guidance from the ICO we have made every effort to ensure this privacy notice is concise, transparent, intelligible, easily accessible and that it uses clear and plain language.  If you have any questions about any aspect of this privacy notice please let us know.

  • The Right of Access

You have a right to access your personal information by making a ‘Subject Access Request’ to Paul Dodds Law at any time if you wish to see what personal information we hold about you and how we are using it so you can be satisfied it is being processed lawfully. You can ask for copies of this information and we will usually provide it free of charge and within one month of the date we receive your request (unless there are exceptional circumstances which may prevent us from complying with your request or when we may then charge a reasonable fee to cover administrative charges or we advise you that due to the nature of the data that we hold about you we require longer to deal with your request)

  • The Right to Rectification – The GDPR includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete.  If you believe the personal data that we hold about you is incorrect then please let us know and we will respond to the request within one month
  • The Right to Erasure – If you make a request for deletion we will remove any data that we hold about you from the Paul Dodds Law systems (subject to any requirement to retain your data for legal or other regulatory reasons)
  • The Right to Restrict Processing – Under GDPR individuals have the right to request the restriction or suppression of their personal data.  When processing is restricted Paul Dodds Law will store the personal data but not use it. Requests for restricting processing will be dealt with within one month of receiving the request
  • The Right to Data Portability – Under GDPR Paul Dodds Law is expected to provide clients with their personal data in a structured, commonly used and machine readable format, such as a CSV or PDF file. However, we are not required to adopt or maintain processing systems that are technically compatible with other organisations.  The data itself must be provided free of charge.
  • The Right to Object – Under GDPR you have the right to object to processing based on legitimate interests, direct marketing (including profiling) and processing for purposes of scientific/historical research and statistics.  On any marketing emails you receive from us there will be the option to ‘unsubscribe’ from receiving any further email correspondence.  If you receive a telephone call from us, you have the right to request not to receive any further calls.  Your request to object will be logged on our system to ensure that you do not receive any further correspondence or calls by changing the marketing flag to ‘No’.  You may also exercise your right to object by contacting us in writing by letter or email.
  •  Rights in Relation to Automated Decision Making and Profiling – Under GDPR individuals have rights in relation to automated individual decision-making (making a decision solely by automated means without any human involvement); and profiling (automated processing of personal data to evaluate certain things about an individual). Paul Dodds Law does not carry out automated decision making or profiling.

If you would like to exercise any of these rights you should contact our Practice Manager marking your correspondence GDPR:

Email:                   GDPR@pauldodds.co.uk

Telephone:           0191 2636200

Post:                      GDPR, Paul Dodds Law, 70 High Street East, Wallsend, NE28 7RH

  • Let us have enough information to identify you
  • Let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill), and
  • Let us know the information to which your request relates, including any account or reference numbers, if you have them

Keeping Your Personal Information Secure

We have appropriate security measures in place to prevent personal information from being accidentally lost, used or accessed in an unauthorised way.  We limit access to your personal information to those who have a genuine business need to know it.  Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach.  We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Google Analytics

When someone visits our website we use a third party service, Google Analytics, to collect certain information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We cannot see the identities of those visiting our website via the Google Analytics tool. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

Website Cookies

Our website uses cookies as a means of improving the user experience for visitors. A cookie is a small file that we put on your device when you visit our website that collects information about how you browse our site. These cookies allow us to recognise your device, help us to make your browsing experience better and improve our website.

We do use encrypted information gathered from cookies to help us improve your experience of the website, to help us improve our website and to help us resolve any issues. The cookies we use do not collect or use personal information which means we cannot identify web visitors as individuals.

To get the full benefits of our website you need to have cookies enabled. If you don’t wish to enable cookies, you’ll still be able to browse the website and use it for research purposes but some features may not work without them. Most web browsers have cookies enabled by default but you can manage cookies through your web browser controls. You can change your browser preferences which include turning cookies on, restricting them or turning them off altogether.  We cannot advise you how to do this but information on how to do this is readily available elsewhere on the web.

How to Complain

We will always do what we can to resolve any query or concern you raise with us about our use of your information.  However, the GDPR also gives you right to lodge a complaint with a supervisory authority.  The supervisory authority in the UK is the Information Commissioner.  The Information Commissioner may be contacted at www.ico.org.uk or by telephone on 0303 1231113.

Changes to this Privacy Notice

This privacy notice was published on 14 May 2018.  We may change this privacy notice from time to time.  When we do we will inform you via our website or by a direct communication with you

How to Contact Us

Please contact our Practice Manager if you have any questions about this privacy notice or the information we hold about you.

If you wish to contact our Practice Manager, please send a letter marked GDPR, Paul Dodds Law, 70 High Street East. Wallsend, Tyne & Wear, NE28 7RH, email GDPR@pauldodds.co.uk or call 0191 2636200.

If you would like this Notice in another format then please let us know.