This policy
We take your privacy very seriously. Please read this privacy policy carefully as it contains important information on who we are and how and why we collect, store, use and share your personal data. It also explains your rights in relation to your personal data and how to contact us or supervisory authorities in the event you have a complaint.
When we use your personal data we are regulated under the General Data Protection Regulation (GDPR) which applies across the European Union (including in the United Kingdom) and we are responsible as ‘controller’ of that personal data for the purposes of the GDPR. Our use of your personal data is subject to your instructions, the GDPR, other relevant UK and EU legislation and our professional duty of confidentiality.
We may provide additional, specific privacy information to you as you interact with us in different ways (e.g. that we will only use certain information for specific purposes). To the extent that any of that information differs from what we say below, those specific statements will apply in those circumstances.
Who we are
Aspley Law Ltd is the data controller in relation to the processing activities described below. This means that we decide why and how your personal information is processed. Our registered address is 203 Church Street, Billericay, CM11 2TP; our company number is 06916689; and the Firm is authorised and regulated by the Solicitors Regulation Authority (SRA). SRA no. 521772.
Our Director is responsible for our data protection function. You can find the relevant contact details at the end of this policy.
Personal Data that we collect
Personal data is defined in the GDPR as any information relating to an identified or identifiable natural person. It can include obvious data like your name but also identification numbers, online identifiers and/or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Categories of personal data that we collect include:
Contact information:
This includes such information as your name, address, telephone numbers, email addresses, and other such information as may be necessary.
Identity Information and Documentation:
This includes:
- Documents to enable us to check and verify your identity, such as copies of passports, driving licences, bank statements, utility bills, records of home visits, and other such documentation as appropriate; and
- Other supporting information to enable us to check and verify your identity, in addition to your contact details, such as your date of birth, gender, marital status, National Insurance number, your tax details, occupation and other such information as appropriate.
Case Information:
This includes information which is necessary to the matter in which you are seeking our advice or representation, or the documents you have asked us to draft; this will include information that has not already been obtained in the above two categories, for example:
- Details of your assets, including pension arrangements and life insurances (e.g. if you instruct us to provide Estate planning advice);
- Details of your spouse/partner and dependants or other family members (e.g. if you instruct us to prepare a Will or Lasting Power of Attorney);
- Your employment status and details including salary and benefits (e.g. if relevant in a case you instruct us on);
- Your medical records (e.g. if there is an issue relating to your mental or testamentary capacity in executing documents);
- Other information as may be necessary – it is not possible to provide an exhaustive list in advance
Billing and Financial Information:
This might include for example:
- your billing address, bank account and payment information
- Your bank and/or building society details
- Information to enable us to undertake a credit or other financial checks on you
- Your financial details so far as relevant to your instructions (e.g. the source of your funds)
Marketing and Communications information:
This might include for example:
- Information about your use of our IT, communication and other systems, and other monitoring information, e.g. if using our secure online client portal;
- Details of your professional online presence, e.g. LinkedIn profile;
- Marketing, communication preferences and related information
Depending on how we interact, some of the above personal data may be required to enable us to provide our service to you; so if you do not provide personal data that we ask for, it may delay or prevent us from providing services to you.
How your personal data is collected
We collect information about you when you use our website, our products or services, or interact with us online, by phone, email or otherwise. We collect most of this information from you, directly or via our secure online client portal. However, we may also collect information:
- from publicly accessible sources, e.g. Companies House or HM Land Registry;
- directly from a third party, e.g.:
  - sanctions screening providers;
  - credit reference agencies;
  - client due diligence providers;
- from a third party with your consent, e.g.:
  - your bank or building society, another financial institution or advisor;
  - consultants and other professionals we may engage in relation to your matter;
  - your employer and/or trade union, professional body or pension administrators;
  - your doctors, medical and occupational health professionals;
- via our website—we use cookies on our website (for more information on cookies, please see our Cookie policy)
- via our information technology (IT) systems, e.g.:
  - case management, document management and time recording systems;
  - monitoring of our websites and other technical systems, such as our computer networks and connections, CCTV and access control systems, communications systems, email and instant messaging systems;
- We may also receive information about you from Google Analytics, a web analytics service provided by Google, Inc. (“Google”) whose servers are in the United States of America. If we engage Google Analytics, they will use cookies to help us analyse how users use our site.
How and why we use your personal data
Under data protection law, we can only use your personal data if we have a proper reason for doing so, e.g.:
- to comply with our legal and regulatory obligations;
- for the performance of our contract with you or to take steps at your request before entering into a contract;
- for our legitimate interests or those of a third party; or
- where you have given consent.
A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.
The table below explains what we use (process) your personal data for and our reasons for doing so:
What we use your personal data for | Why we use it |
To provide legal services to you | For the performance of our contract with you or to take steps at your request before entering into a contract |
Conducting checks to identify our clients and verify their identity | To comply with our legal and regulatory obligations |
Screening for financial and other sanctions or embargoes | Legal Obligation: To comply with our legal and regulatory obligations |
Other processing necessary to comply with professional, legal and regulatory obligations that apply to our business, eg under health and safety regulation or rules issued by our professional regulator | Legal Obligation: To comply with our legal and regulatory obligations |
Gathering and providing information required by or relating to audits, enquiries or investigations by regulatory bodies | Legal Obligation: To comply with our legal and regulatory obligations |
Ensuring business policies are adhered to, eg policies covering security and internet use | For our legitimate interests or those of a third party, ie to make sure we are following our own internal procedures so we can deliver the best service to you |
Operational reasons, such as improving efficiency, training and quality control | For our legitimate interests or those of a third party, i.e. to be as efficient as we can so we can deliver the best service for you |
Ensuring the confidentiality of commercially sensitive information | For our legitimate interests or those of a third party, i.e. to protect our intellectual property and other commercially valuable information; to comply with our legal and regulatory obligations |
Statistical analysis to help us manage our practice, eg in relation to our financial performance, client base, work type or other efficiency measures | For our legitimate interests or those of a third party, i.e. to be as efficient as we can so we can deliver the best service for you at the best price |
Preventing unauthorised access and modifications to systems | For our legitimate interests or those of a third party, i.e. to prevent and detect criminal activity that could be damaging for us and for you; to comply with our legal and regulatory obligations |
Updating [and enhancing] client records | For the performance of our contract with you or to take steps at your request before entering into a contract; to comply with our legal and regulatory obligations; for our legitimate interests or those of a third party, e.g. making sure that we can keep in touch with our clients about existing and new services |
Statutory returns | To comply with our legal and regulatory obligations |
Ensuring safe working practices, staff administration and assessments | To comply with our legal and regulatory obligations; for our legitimate interests or those of a third party, e.g. to make sure we are following our own internal procedures and working efficiently so we can deliver the best service to you |
Marketing our services and those of selected third parties to: existing and former clients; third parties who have previously expressed an interest in our services; third parties with whom we have had no previous dealings. | For our legitimate interests or those of a third party, i.e. to promote our business to existing and former clients |
Credit reference checks via external credit reference agencies | For our legitimate interests or those of a third party, i.e. for credit control and to ensure our clients are likely to be able to pay for our services |
External audits and quality checks, e.g. for Lexcel, ISO or Investors in People accreditation and the audit of our accounts | For our legitimate interests or those of a third party, i.e. to maintain our accreditations so we can demonstrate we operate at the highest standards; to comply with our legal and regulatory obligations |
Special Category Data
Special category data includes data revealing race or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning a person’s sex life or sexual orientation. We will only process special category data where:
- you have given explicit consent to the processing of such data for one or more specified purposes;
- the processing is necessary for the purposes of carrying out the obligations and exercising specific rights, of you or ourselves, in the field of employment and social security and social protection law;
- it is necessary to do so in order to establish, exercise or defend legal claims.
Promotional communications
We may use your personal data to send you updates (by email, text message, telephone or post) about legal developments that might be of interest to you and/or information about our services, including exclusive offers, promotions or new services or products.
We have a legitimate interest in processing your personal data for promotional purposes (see above ‘How and why we use your personal data’). This means we do not usually need your consent to send you promotional communications. However, where consent is needed, we will ask for this consent separately and clearly.
We will always treat your personal data with the utmost respect and will never sell it to other organisations for marketing purposes.
You have the right to opt out of receiving promotional communications at any time by:
- contacting us using the contact details at the end of this policy;
- using any of the stated opt-out methods detailed in promotional communications themselves.
We may ask you to confirm or update your marketing preferences if you instruct us to provide further services in the future, or if there are changes in the law, regulation, or the structure of our business.
Who we share your personal data with
We may share your personal data with:
- professional advisers who we instruct on your behalf or refer you to, e.g. barristers, medical professionals, accountants, tax advisors or other experts;
- other third parties where necessary to carry out your instructions (institutions and organisations that hold your assets, official bodies such as HMCTS, HMRC, HM Land Registry, Companies House, and other organisations such as the National Will Register);
- credit reference agencies;
- our insurers and brokers;
- external accountants and auditors, e.g. in relation to our regulatory accounting obligations and the audit of our accounts;
- our bank;
- external service suppliers, representatives and agents that we use to make our business more efficient, e.g. accounting system suppliers, IT security and back-up providers, marketing agencies, document collation or analysis suppliers.
We only allow our service providers to handle your personal data if we are satisfied they take appropriate measures to protect your personal data. We also impose contractual obligations on service providers to ensure they can only use your personal data to provide services to us and to you.
We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.
We may also need to share some personal data with other parties, such as potential buyers of some or all of our business or during a re-structuring. Usually, information will be anonymised but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.
Where we store your personal information
Information may be held at our offices and those of our third party agencies, service providers, representatives and agents as described above (see ‘Who we share your personal data with’).
On occasion, the information you provide to us may be transferred to countries outside the European Economic Area (EEA). By way of example, this may happen where any of our servers or those of our third party service providers are from time to time located in a country outside of the EEA. These countries may not have similar data protection laws to the UK. Where possible, we will seek to work with service providers whose servers are located within the EEA.
If we transfer your information outside of the EEA in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this policy. These steps include imposing contractual obligations on the recipient of your personal information or ensuring that the recipients are subscribed to ‘international frameworks’ that aim to ensure adequate protection. Please contact us using the details at the end of this policy for more information about the protections that we put in place.
How long we keep your personal information
We do not keep your personal data for any longer than is necessary to fulfil the purpose for which we collected it, or to comply with any legal, regulatory or reporting obligations or to assert or defend against legal claims.
Different retention periods apply for different types of data; when it is no longer necessary to retain your personal data, we will delete or anonymise it.
Your rights
You have the following rights, which you can exercise free of charge:
Access | The right to be provided with a copy of your personal data |
Rectification | The right to require us to correct any mistakes in your personal data |
To be forgotten | The right to require us to delete your personal data, in certain situations |
Restriction of processing | The right to require us to restrict processing of your personal data, in certain circumstances, e.g. if you contest the accuracy of the data |
Data portability | The right to receive the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party, in certain situations |
To object | The right to object: at any time to your personal data being processed for direct marketing (including profiling); in certain other situations to our continued processing of your personal data, e.g. processing carried out for the purpose of our legitimate interests. |
Not to be subject to automated individual decision-making | The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you |
You can exercise the above rights, where applicable, by contacting us using the details at the end of this policy. We will require you to provide satisfactory proof of your identity in order to ensure that your rights are respected and protected, and to ensure that your personal data is disclosed only to you.
Withdrawing Consent
Where we rely on your consent as the legal basis for processing your personal information, you may withdraw your consent at any time by contacting us using the details at the end of this policy.
If you would like to withdraw your consent or object to receiving any direct marketing to which you previously opted-in, you can do so by using the contact details at the end of this policy. If you withdraw your consent, our use of your personal information before you withdraw is still lawful.
If you have provided consent for your details to be shared with a third party, and wish to withdraw this consent, please let us know – but please also contact the relevant third party in order to amend your preferences.
Keeping your personal data secure
We have appropriate security measures to prevent personal data from being accidentally lost, or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
Complaining to the UK data protection regulator
We’d like to be able to resolve all your concerns, and we hope that we can do so. Where we haven’t been able to do this, you have the right to complain to the Information Commissioner’s Office (ICO) if you are concerned about the way we have processed your personal information. Please visit the ICO’s website for further details: https://ico.org.uk.
Changes to this privacy policy
This policy may change from time to time so please check www.aspleylaw.com/privacy occasionally to ensure that you’re happy with any changes. If you do not have online access, please just contact us using the details below, and we will be happy to send you a hard-copy of any updated policy. We will inform you in any case of any changes to this policy, if you are a client of our Firm, and we are actively acting for you.
Contact details
Please contact us by post, email or telephone if you have any questions about this privacy policy or the information we hold about you. Our contact details can be found on our contact page.