Our Personal Data mission statement
- We will try to get the least amount possible of the best, most accurate data from you at the outset. We will then use that data in ways which you would generally expect us to, or as we explicitly describe to you in writing, including in this policy. We will share that data internally among Berwins staff members in order to provide you with the best value service in a cost-effective way, unless sharing that data would clearly not be in your best interests. The less personal data we hold about you the better, and we try our best to minimise this where possible.
- We will never share your data with any third parties without your prior approval except where we have a strict legal obligation to do so and we will always tell you about this in advance where we are legally allowed to.
- If you get marketing from us, it will be relevant to you or it will be about our services and it will never be about unrelated third parties unless we’ve agreed that with you in advance. We won’t send you the type of marketing that would need your consent, and we will always provide an “opt-out” or “unsubscribe” option. You can also opt-out of this at any time by contacting our DPO.
If you think that we haven’t done something we say we are going to do, please let us know as soon as possible. You can notify our DPO directly if you want to and we will respond to you as soon as we can to provide as full a response as we are able to.
Who We are
We are: Berwins Solicitors Limited (Trading as “Berwins” including “Berwins Digital”), a registered Company in England and Wales with number 06874412 with its address at 2 North Park Road, Harrogate, North Yorkshire, HG1 5PA (“We”, “Us” or “Berwins”).
ICO Registration number
We are the Data Controller as defined under the Data Protection Legislation in relation to the personal data collected by Berwins in whatever professional capacity it acts in, and we are registered with the Information Commissioner’s Office in the UK (the ICO) with number Z1821877.
Our Data Protection Officer
Our Data Protection Officer (DPO) is Paul Berwin who can be contacted on 01423 509000 and at PaulBerwin@berwins.co.uk. If you do not understand this document, please contact him; he will be able to help you.
We are required to manage the way we hold personal data about actual persons in order to meet our legal, regulatory and operational obligations. We want to reassure all our clients and contacts that we take our responsibilities seriously. We aim to be as transparent as possible in our processing of personal data and this policy is the main way in which we do that.
FYI - The Data Protection principles
The Data Protection Legislation regulates the use of personal information generally. This means everyone must comply with six data protection principles which say that personal data and its processing need to be:
- fair, lawful and transparent;
- for specified, explicit and legitimate purposes (purpose limitation);
- adequate, relevant and limited to what is necessary (data minimisation);
- accurate and, where necessary, kept up to date (accuracy);
- not kept longer than necessary (storage limitation); and
- processed using appropriate security (integrity and confidentiality).
What laws apply to the personal data we hold?
As lawyers, we have always held personal data about our clients, staff, suppliers and others. This personal data, whether it is held on paper, on computer or other media, is subject to certain legal safeguards as specified in the Data Protection Legislation.
Data Protection Legislation means:
- the UK’s Data Protection Act 2018 and the relevant parts of the General Data Protection Regulation (EU) 2016/279;
- The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2016 (SI 2016/524); and
- other data protection rules, policies, directions and regulatory guidance that we are subject to from time to time.
Accessibility - Obtaining a copy of this Policy
Copies of this policy can be supplied by email, on paper, on our website www.berwin.co.uk and in person at our offices: just ask.
If you need to have this information in another format (for example, in a larger font or in another language) to understand it, please let our Data Protection Officer know.
Who is affected by this policy?
This policy applies to any personal information we collect about:
- clients including prospective, potential and former clients;
- business contacts or those we come across at networking events, or work collaboratively with;
- job applicants and our current and former employees, contractors, work experience personnel and providers of outsourced services;
- people who make enquiries or requests under the Data Protection Legislation;
- people who use our services, e.g. those who subscribe to our newsletter;
- visitors to our website; and
- anyone who sends us anything which constitutes personal data for any reason.
What information do we collect?
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity Data includes first name, maiden name, last name, passport number/driving license or similar identification (including photographic), marital status, title, date of birth and gender and also information regarding who you are to us (such as a client, employee or a member of the public) and sometimes (for conflict and professional reasons) how/whether you are related to another client or person;
- Contact Data includes billing or home address, email address and telephone numbers.
- Financial Data includes bank account and payment card details.
- Transaction Data includes details about payments to and from you and other details of services or anything else you have purchased from or through us.
- Technical Data includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our websites.
- Usage Data includes information about how you use our website, products and services.
- Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences in relation to our newsletter and our agreed methods for contacting you generally.
- Lifestyle Data including social circumstances data for certain types of legal work e.g. Divorce. Some of this data is classified as special categories of personal data. To process this type of data we need your explicit consent and we will discuss this with you when appropriate.
- Staff Data: Next of kin, bank details and GP’s address if you are a member of staff; and: Your current (and occasionally) previous home addresses; CV, if you are a job candidate. We may also require background checks to be carried out by the Disclosure and Barring Service and we will get your consent where these are required. We also capture details from internal key fobs for security purposes only.
- CCTV images (if we monitor premises or where these are received from law enforcement agencies) both internal and external on and around our premises for the purpose of providing security and investigating crime.
In addition, because of the wide-ranging nature of our legal work, we may collect other information and data about you and any business you run and this information may be collated or shared across departments within Berwins in order for us to understand things like the potential for conflicts of interest or to provide you with better and more relevant legal advice generally.
Some information is defined in the Data Protection Legislation as falling under a special category of personal data. This is information about you which relates to racial or ethnic origin, political opinions, religious or philosophical beliefs, membership of a trade union, genetic and biometric data processing, health data, data about sex life or sexual orientation. We do not normally collect any information about criminal convictions and offences. We will only process this type of data with your explicit consent.
Legal basis for processing
How we use your personal data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- (Contract) Where we need to perform the contract we are about to enter into or have entered into with you (Contract). For example: to provide legal advice and related services to you.
- (LI) Where it is necessary for our legitimate interests (LI) (or those of a third party) and your interests and fundamental rights do not override those interests. For example: where we need to contact you to let you know about a legal claim or when we send you newsletters or other updates.
- (Legal) Where we need to comply with a legal obligation; and
- (Vital) Very rarely – where we have to act to protect your vital interests where you are unable to give consent. This usually applies to emergency services, but we want to help protect your vital interests as best we can and we will only use this legal basis in a real emergency.
Generally, we do not rely on consent as a legal basis for processing your personal data although we will get your consent before sending any third party direct marketing communications to you via email or text message. For example, and as further set out below, we will use the legitimate interests basis to send you our newsletter and similar updates. You have the right to withdraw consent to marketing at any time by contacting us.
The legal bases we rely on
We ensure that the data we collect is processed on a specific legal basis, as set out below. We do not transfer any data outside the UK without telling you first. If you have any questions about the legal bases upon which we say we are processing your personal data below, please contact our Data Protection Officer.
Keeping our data up to date
This is both your responsibility and ours. It helps us to keep your personal data up to date if you:
- Check that any personal data you provide to us is accurate and up to date when you give it to us.
- Tell us if anything changes, e.g. a change of address, as soon as possible after changing it.
- Check that any information we send you is accurate: if we get something wrong, please tell us straight away so that we can correct it.
How is your personal data collected
We use different methods to collect data from and about you including through:
Direct interactions. You may give us your Identity, Contact and Financial Data by filling in forms or by corresponding with us by post, phone, email, social media networking (such as LinkedIn) or otherwise. This includes personal data you provide when you:
- apply for our products or services or instruct us to act for you;
- email us directly for any reason;
- meet us in person or speak with us over the phone;
- provide/exchange business cards or connect with us on social media;
- input your details on any of our websites;
- subscribe to our service or publications;
- request marketing to be sent to you;
- enter a competition, promotion or survey;
- give us feedback or contact us; or
- leave or send data to or at our premises.
Automated technologies or interactions. As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies.
Third parties or publicly available sources. We will receive personal data about you from various third parties and public sources as set out below:
Technical Data from the following parties:
- analytics providers such as Google based outside the EU;
- advertising and social media networks such as LinkedIn Ireland Unlimited Company based inside the EU and the LinkedIn Corporation based in the USA; and
- search information providers based inside the EU.
Identity and Contact Data from:
- publicly available sources such as Companies House, Land Registry and the Electoral Register based inside the EU; and
- tracing service providers, to locate you in order to carry out legal or contractual rights and obligations.
How and why do we process data?
How we store and review data
We operate a central database, which stores all our client, financial, and contact list data. It is maintained by us. Our Data Protection Officer is responsible for ensuring all data entry is accurate, that the database is secure and confidential, and that back-ups are made and appropriately secured. The firm will also regularly complete data cleansing exercises to check our contacts are up to date, e.g. when we are notified of a death, change of address, change of name, withdrawals of consents and opt-outs of mailings.
Processing data via outsourced services that we use
Outsourced Service Providers
We use outsourced providers to provide services that are required to run a legal business properly and in particular to deal with overflow. This allows us to provide a cost-effective service to you and we will only pass data to these providers if we first make sure that we have a written contract in place with them. We set out what additional protections are provided below, but those are in addition to contractual measures. The table below gives details.
Holding data about others when we did not obtain it from them
If we hold personal data about you (for example it has been given to us by someone else, rather than by you directly), we have to provide you with some information, unless you hold that information already. That data will be stored in accordance with our Data Collection and Retention Policy and Procedure. It is processed on the basis of our legitimate interest: normally that will be for the purposes of progressing our legal work for the client concerned.
You have a right to know what personal data we hold about you, for it to be corrected if wrong and you have a right to know where that data came from. In some circumstances you may have the right to request erasure of some or all of that data which identifies you. You have the right to lodge a complaint with the Information Commissioner’s Office at https://ico.org.uk/.
We are currently in the process of reviewing and updating this section in accordance with recent guidance issued by the ICO – watch this space!
Complete information about the cookies we may set on your browser appears below. A hyperlink to this information about cookies appears prominently on most pages of our website. Below is a list of cookies set by our website, along with a brief description of what each is used for. To obtain further information about cookies (including how to set your browser to reject cookies), you can visit the website www.allaboutcookies.org
|Cookie name|Category|Purpose|More information|
|---|---|---|---|
|CraftSessionId| |Our website uses a CMS which anonymously tracks the user's movement around the site to allow us to improve the overall experience.|No personal information is stored|
|__utma, __utmb, __utmc, __utmz, _ga, _gat_*| |This website uses Google Analytics to help analyse how users use the site.|We will never use the statistical analytics tool to track or to collect any Personally Identifiable Information of visitors to our site. Google will not associate your IP address with any other data held by Google.|
We use some services to add value and convenience for those who use the website. The browsers may set cookies on our behalf. These services fall into two broad groups: social media and web analytics (see below for details).
How we deal with the data of people who contact us via social media
If people contact us via social media then we treat it just as if we had met that person in the real world, because in practice we live in a digital world. Our regulators might not take the same view and therefore sometimes only face to face will do!
How we ensure the security of our website
We use third party IT services providers to help maintain the security and performance of our website.
People who email us
Any email sent to us, including any attachments, may be monitored and used by us for reasons including IT security, appropriate use and for monitoring compliance with our office email policy. Email monitoring, system security and blocking software may be used.
When do we delete your data? Data Retention
We keep some data longer than others. We have a Data Collection and Retention Policy and Procedure which enables us to identify which data must be preserved and which data must be erased, to comply with the storage limitation requirements of GDPR.
We will keep your personal data only for as long as is necessary to ensure we can fulfil our business requirements and to comply with our regulatory requirements and will then confidentially destroy that data in line with our Data Collection and Retention Policy and Procedure.
We can retain personal data if we need it to meet our legal, regulatory and operational requirements in accordance with our Data Collection and Retention Policy and Procedure, a copy of which is available on request; just ask our Data Protection Officer.
Knowing your rights under data protection
As an individual, you have these rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
There is a lot more information on these rights on the Information Commissioner’s website at https://ico.org.uk/
Your rights in more detail
Your right to be informed
You have a right to be informed as a data subject of the data we hold and process about you. This policy document is intended to do that. If you have any questions or if you feel that this Policy does not deal with your concerns or questions, please contact our Data Protection Officer on the contact details below.
Your right of access to personal information
We try to be as open as we can about giving people access to their personal information. Individuals can find out if we hold any personal information by making a request under the Data Protection Legislation. If we do hold information about you we will:
- give you a description of it;
- tell you why we are holding it;
- tell you who it could be disclosed to; and
- let you have a copy of the information.
To make a request to us for any personal information we may hold you need to put the request in writing addressing it to our Data Protection Officer (contact details below). If you agree, we may try to deal with your request informally, for example by providing you with the specific information you need over the telephone. We will still need to verify your identity if we do this. We will need to satisfy ourselves as to your identity. Please therefore send us proof of who you are so that we know we are sending the information to the right person. We accept the following as proof:
- a copy of your birth certificate
- a copy of your passport
- a copy of your driving licence
Please do not send original documents.
You will also need to let us have a postal or email address so that we can send you the information. We ask that you mark the covering envelope or email as 'Confidential'.
Your right to rectification
This is a right to ask us to correct any wrong data we hold about you. You can ask us to correct any mistakes by contacting the Data Protection Officer.
Your right to erasure
This is a right to ask us to delete any data we hold about you. You can ask us to do this by contacting the Data Protection Officer. We will not be able to delete data in situations where there is a legal or regulatory need to retain it and we will explain this if it happens. We may also be unable to fully delete computer-held data because of system design restrictions and again we will explain this if it happens.
Your right to restrict processing
This is a right to ask us to restrict the processing of any data we hold about you. You can ask us to do this by contacting the Data Protection Officer.
Your right to data portability
You have a right to ask us to transfer certain data to another organisation. You can ask us to do this by contacting the Data Protection Officer.
Your right to object
When and if we process your data based on our legitimate interests, you have a right to object to that processing. You can ask us to do this by contacting the Data Protection Officer.
Your rights in relation to automated decision-making and profiling
You have rights where your data is involved in automated decision making and profiling. As we do not collect or process your data for that purpose, the right will generally not apply to data we hold on you. If it does, then you can ask us to do this by contacting the Data Protection Officer.
How to contact us
Our Data Protection Officer is Paul Berwin who may be contacted on 01423 509000 and at PaulBerwin@berwins.co.uk.