The data controller is Cannings Connolly of 16 St Martin’s-le-Grand, London, EC1A 4EE, and we are registered with the Information Commissioner’s Office (ICO) under registration number is Z7830297.
Data Protection Officer (DPO)
Types of personal data that we collect
How we use personal data
We will obtain, store and process personal data for the following purposes:
(a) to provide individual clients (or the organisation on behalf of which an individual client instructs us) with legal advice and assistance, or other information that is requested from us;
(b) to keep records of the work that we have carried out for clients, including related email and other correspondence;
(c) to keep records of the anti-money laundering documentation that we have collected from clients for the purposes of preventing money laundering or terrorist financing, and as required by applicable anti-money laundering legislation– this documentation may include copy passports, utility bills, driving licences, names of company directors, and other identifying information;
(d) to send to clients and contacts information on legal updates that may be of interest to them, invitations to firm events, and other marketing materials related to our services, unless they have told us that they do not want to receive this information;
(e) to keep records of applicants for trainee solicitor, qualified solicitor, Partner and support staff roles in our firm;
(f) to keep records of the work that our suppliers and third party professional service providers (e.g. tax advisors, overseas counsel) have carried out for us and our clients, including related email and other correspondence; and
(g) to keep human resources records of our personnel, including employees, consultants and Partners.
We will process your personal data where it is necessary for the performance of a contract to which you are a party, or in order to take steps at your request before entering into a contract (for example, to establish your business as a new client of the firm); where the processing is necessary for compliance with a legal obligation to which we (as data controller) are subject (for example, complying with applicable anti-money laundering legislation); and where it is necessary for the purposes of our legitimate interests, except where those interests are overridden by the interests or fundamental rights and freedoms of the individual. Processing that is carried out for marketing purposes and certain human resources data processing is carried out on the basis of our legitimate interests, which are the promotion and growth of the firm’s business and efficient staff management.
If you do not allow us to process your personal data, our firm will not be able to represent you or offer you employment, as this processing is required for us to provide legal services and to fulfil our duties as an employer.
Sharing personal data
We will not share personal data with third parties without the relevant individual’s consent unless we are required to do so in order to comply with a legal, regulatory or professional obligation or in connection with any legal proceedings.
Where personal data is stored
The personal data that we collect will be stored within the European Economic Area.
We have information security systems in place and use appropriate technical and organisational measures in order to prevent unauthorised access to or disclosure of personal data.
How long do we keep personal data
We periodically evaluate the personal data collected by us to determine whether it is current and still needs to be held. As a general rule we store personal data for minimum of 7 years and otherwise in accordance with our retention policy. If you would like more information on this please contact our DPO.
Individuals have the right to ask us at any time not to send marketing information to them, by emailing us on firstname.lastname@example.org or by writing to the Partners at our office address.
Data subjects’ rights
You have the following data protection rights in relation to your personal data that apply in certain circumstances:
- Right to erasure: You can ask us to erase or delete all or some of your personal data.
- Change or correct data: You can also ask us to update the data we hold about you.
- Object to, or limit, our use of your data: You can ask us to stop using all or some of your personal data or to limit our use of it.
- Subject access requests and portability right: you can ask us for a copy of your personal data and can ask for a copy of personal data you provided in machine readable form.
All requests for access to personal information that is held about a particular individual should be directed to the Practice Manager. We try to respond to all legitimate requests within one month.
Questions and complaints
If you have any questions or complaints relating to our handling of your personal data please contact either our DPO, Guy Bate, by email at email@example.com and firstname.lastname@example.org, with the heading ‘data privacy’, or our Practice Manager in writing at our office address. You have the right to lodge a complaint with the Information Commissioner’s Office, but we would ask you to notify us first.