What is the Privacy Notice?
This Privacy Notice (“Notice”) describes how Doyle Clayton collects and uses Personal Data in accordance with the EU General Data Protection Regulation (“GDPR”).
What are the aims of the Privacy Notice?
This Notice tells you what Personal Data Doyle Clayton collects, why we need it, how we use it and what protections are in place to keep it secure.
What are the key terms?
“Doyle Clayton” “we” “us” and “our” means Doyle Clayton Solicitors Limited (trading as Doyle Clayton Workplace Lawyers).
“Doyle Clayton Personnel” means Doyle Clayton’s prospective, present and past partners, employees, consultants and agency staff, and people connected to such persons.
“Personal Data” means information about individuals (including you), and from which such individuals could be identified.
“You” means individuals whose Personal Data we process including, but not limited to job applicants, Doyle Clayton clients, Doyle Clayton client personnel, counter-parties, counter-party personnel, other solicitors/advisors, witnesses, suppliers, supplier personnel and individuals who visit this website.
“You” does not include Doyle Clayton Personnel.
Who is the Data Controller?
Doyle Clayton, registered with the ICO under registration number Z1955125, is the Data Controller in relation to your Personal Data and is committed to protecting the privacy rights of individuals, including your rights.
Who is the Data Protection Manager?
Doyle Clayton is not required under the GDPR to appoint a Data Protection Officer and, following a detailed analysis does not consider it appropriate to do so on a voluntary basis. Doyle Clayton has however, appointed a Data Protection Manager, Piers Leigh-Pollitt (“DPM”) who is responsible for overseeing Doyle Clayton’s compliance with the GDPR and any other applicable data protection legislation and regulation. In addition, our Compliance Officer for Legal Practice (“COLP”) oversees compliance with our professional responsibilities and with legislative requirements.
Piers Leigh-Pollitt, the DPM can be contacted at email@example.com
How does Doyle Clayton obtain your Personal Data?
In some circumstances, we may obtain Personal Data from you or the data subject directly but will frequently obtain Personal Data from a third-party source, for example, we may collect information from our clients/our clients’ personnel, agents and advisors, other law firms/advisors which represent you, the company for whom you work, other organisations/persons with whom you have dealings, government agencies, credit reporting agencies, information or service providers and publicly available records.
What about Personal Data which you provide to Doyle Clayton?
If you provide information to us about someone else (such as one of your associates, directors or employees, or someone with whom you have business dealings) you must ensure that you are entitled to disclose that information to us and that, without our taking any further steps, we may process that information in accordance with this Notice. This may be legitimately shared with us for the purpose of obtaining legal advice or for the purposes of, or in connection with, legal proceedings (including prospective legal proceedings), but if you are in any doubt, you should check with the DPM (if we act for you or your organisation) or take your own legal advice.
What Personal Data does Doyle Clayton collect from and about you?
We collect and use different types of Personal Data about you, which will vary in type and detail depending on the circumstances and purpose of processing. Please consider the following illustrative and non-exhaustive examples:
- Personal Data about you: name, address, date of birth, marital status, nationality, race, gender, preferred language, job title, work life and restrictions and/or required accommodations, possibly about your family life;
- Personal Data to contact you at work or home: name, address, telephone, and e-mail addresses;
- Personal Data which may identify you: photographs and video, passport and/or driving licence details, electronic signatures;
- Personal Data to process any payment we might need to make to you: bank account details, HMRC numbers and references (where applicable);
- Personal Data obtained through our client electronic verification service (SmartSearch): if you are intending to be a client of Doyle Clayton, you will be separately advised of the information that we are able to access and the reasons for accessing it.
Why do we need to collect and use Personal Data?
We need to collect and use Personal Data for a number of reasons, the primary purpose being to provide legal advice and services to our clients and which may involve the use of your Personal Data in the following (non-exhaustive) ways:
- for recruitment purposes: to assess your suitability to work for Doyle Clayton, to conduct screening, assessments and interviews, to make offers and provide contracts of employment and to conduct pre-employment checks, including determining your legal right to work;
- to contact you if you are involved in a matter we are undertaking for a client, whether in your professional or personal capacity;
- to carry out investigations, risk assessments and client due diligence;
- to analyse the practices of your employer or other organisations and/or persons with whom you have dealings;
- to review, draft and disclose correspondence and other documents, including court documents;
- to instruct third-parties on behalf of our clients; and
- for comparison/analytical purposes and to formulate legal opinions and provide advice.
We may also process Personal Data for effective business management purposes which may involve the use of Personal Data in the following (non-exhaustive) ways:
- to engage and contact suppliers;
- to carry out internal reviews, investigations, audits;
- to conduct business reporting and analytics;
- to help measure performance and improve our services;
- for regulatory and legislative compliance and related reporting;
- for marketing our services to you, usually by email;
- for client satisfaction surveys; and
- for the prevention and detection of crime.
What is Doyle Clayton’s legal basis for processing your Personal Data?
Under the GDPR, Doyle Clayton must identify a lawful basis for processing your Personal Data which may vary according to the type of Personal Data processed and the individual to whom it relates.
We will only send you marketing emails if you have given us your prior consent unless there is another lawful basis for doing so (see also “Legitimate interests of Doyle Clayton or a third party”).
Performance of a contract with you (where applicable):
Doyle Clayton is entitled to process the Personal Data it requires in order to fulfil its obligations under its contract with you. This will be the relevant legal basis if you are an individual client or supplier/other individual with a direct contractual relationship with Doyle Clayton.
Legitimate interests of Doyle Clayton or a third party:
Doyle Clayton processes some Personal Data on the basis that it is necessary for its legitimate interests and/or the legitimate interests of a third-party to do so. This will primarily concern the processing of Personal Data that is necessary to provide legal advice and services to our clients. Doyle Clayton’s legitimate business interest in such instances is the proper performance of its function as an authorised and regulated provider of legal services. Doyle Clayton’s clients also have a legitimate interest (and more general right in law) in obtaining legal advice and services.
Doyle Clayton’s broad interest in the provision of legal services as a basis for processing Personal Data, and our clients’ corollary interest in the receipt of such services, can be broken down into more discreet categories which may include, but are not limited, to:
- the interest in contacting individuals relevant to Doyle Clayton’s work and our clients’ matters, which may involve the use of your Personal Data;
- the interest in reviewing documents and correspondence that have been disclosed to Doyle Clayton, Doyle Clayton clients and third-parties which may contain your Personal Data;
- the interest in reviewing and analysing all evidence available to Doyle Clayton and its clients, which may contain your Personal Data;
- the interest in adducing legal arguments, creating documents and correspondence, which may contain your Personal Data;
- the interest in disclosing documents and correspondence, which may contain your Personal Data, to various parties in the furtherance of Doyle Clayton’s clients’ objectives;
- the interest in instructing third parties on behalf of Doyle Clayton clients such as Counsel, expert witnesses and so on;
- the interest in contacting individuals in a business-to-business environment or where there has been a prior contractual relationship with that individual/those individuals for the purpose of emailing them or using a postal service to notify them about our services, upcoming events and legal updates;
- the interest in receiving payment from Doyle Clayton clients and third-parties and to facilitate payments to and from Doyle Clayton clients and third-parties; and
- in order to allow for all of the above, the secure management and storage of your Personal Data, within our IT environment and hard-copy filing systems.
Doyle Clayton may also process your Personal Data on the basis that it is necessary for its legitimate business interests in the effective management and running of Doyle Clayton which may include, but is not limited to: engaging suppliers and supplier personnel; ensuring that its systems and premises are secure and running efficiently; for regulatory and legislative compliance, and related auditing and reporting; for insurance purposes; and to facilitate, make and receive payments.
Doyle Clayton does not consider that the processing of your Personal Data, on the basis that it is necessary for Doyle Clayton’s legitimate interests (whatever such interests might be), is unwarranted because of any prejudicial effect on your rights and freedoms or your legitimate interests.
Compliance with a legal obligation to which Doyle Clayton is subject:
In certain circumstances, Doyle Clayton must process your Personal Data in order to comply with its legal obligations. This might include, but is not limited to, Personal Data required: for tax and accounting purposes; for conflict checking purposes as required by the common law and Doyle Clayton’s regulators; and for Doyle Clayton to fulfil its compliance and other obligations under relevant legislation/regulation, including compliance with our Anti-Money Laundering and Counter Financing of Terrorism Policy.
More information relating to legal bases for processing Personal Data can be found on the Information Commissioner’s website (see details below) or by contacting Piers Leigh-Pollitt, the DPM (firstname.lastname@example.org).
What will Doyle Clayton do with special category and criminal records Personal Data?
If Doyle Clayton processes your criminal records Personal Data or special category Personal Data relating to your racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, health data, biometric data or sexual orientation, we will obtain your explicit consent to those activities unless this is not required by law (because, for example, it is processed for the purpose of exercising or defending legal claims or because it may be a Home Office requirement for such information to be disclosed to the appropriate authorities when applying for a visa in relation to which we have been instructed) or the information is required to protect your health in an emergency. Where we are processing Personal Data based on your consent, you have the right to withdraw that consent at any time.
Who receives your Personal Data?
We may disclose Personal Data to third-parties (outside of Doyle Clayton and Doyle Clayton Personnel) if, but only when, we have a legal basis to do. Such recipients include but are not limited to:
- co-counsel, other solicitors/barristers/experts/foreign law firms whom we instruct on your behalf or on behalf of our clients;
- third parties engaged in the course of services we provide to clients, including mediators, witnesses, costs draftsmen;
- Doyle Clayton’s insurance brokers and underwriters;
- Doyle Clayton’s bank, auditors and accountants and other professional advisers;
- Doyle Clayton’s outsourced IT providers and other suppliers;
- Government or regulatory authorities;
- the Solicitors Regulation Authority;
- the Law Society;
- the Home Office and Passport Services;
- the Courts/Tribunals;
- third party courier providers or postal services who deliver documents;
- the other side/other parties on any given matter (lay and solicitor);
- third party service providers to assist us with client insight analytics, such as Google Analytics.
How do we protect Personal Data?
We have security arrangements in place to guard against unauthorised access, improper use, alteration, destruction or accidental loss of Personal Data. We take appropriate organisational and technical security measures and have rules and procedures in place to ensure that any Personal Data we hold is not accessed by anyone unauthorised to access it. We have in place, and abide by, a specific IT and Communications Systems Policy and Procedure about the security standards used to protect your Personal Data.
When we use third-party organisations to process your Personal Data on our behalf, they must also have appropriate security arrangements, must comply with our contractual requirements and instructions and must ensure compliance with the GDPR and any other relevant data protection legislation.
Is your Personal Data transferred to “third countries” and, if so, what safeguards are in place?
In accordance with this Notice and the provisions of the GDPR, we may transfer your Personal Data to organisations located in “third countries” (those outside of the EEA). In addition to the security arrangements mentioned above in relation to our engagement of third-party organisations, where such transfers are required we will ensure that your Personal Data is adequately protected, for example, by using a contract for the transfer which contains specific data protection provisions that have been adopted by the European Commission or a relevant data protection authority. If you want to request evidence of the lawful basis for any overseas transfer of Personal Data, please contact the DPM.
How long will your Personal Data be retained by Doyle Clayton?
It is our policy to retain your Personal Data for the length of time required for the specific purposes for which it is processed by Doyle Clayton. However, we may be obliged to keep your Personal Data for a longer period, for example, where required by our legal and regulatory obligations or in order to ensure we have effective back-up systems. In such cases, we will ensure that your Personal Data will continue to be treated in accordance with this Notice, restrict access to any archived Personal Data and ensure that all Personal Data is held securely and kept confidential.
Is information collected by third party sites?
Our website contains links to other sites whose information practices may differ from ours. You should consult those other websites’ privacy notices as Doyle Clayton has no control over information that is submitted to, or collected by, these third parties.
What are your rights?
You have the following rights (although please note that some of these rights may be subject to restrictions):
- to make access requests: regarding the nature of information held and to whom it has been disclosed (Data Subject Access Requests) – see below for further details;
- to correct and delete: rectify, block, erase (including the right to be forgotten) or destroy inaccurate data;
- to request the restriction of processing of your Personal Data. This enables you to ask us to suspend the processing of Personal Data about you, for example if you want us to establish its accuracy or the reason for processing it;
- to prevent processing: likely to cause damage or distress, or for the purposes of direct marketing;
- to data portability: to have personal data transmitted to another controller;
- to complain to Doyle Clayton: relating to the processing of your personal data or the handling of requests;
- to claim compensation: if you suffer damage by any contravention of the GDPR; and
- to involve the ICO: to assess whether any provision of the GDPR has been contravened.
Subject Access Request
You are entitled to make a Data Subject Access Requests (“SAR”). Put simply, a SAR is a request made by you which requires us to provide you with details of your Personal Data which we hold and process and a description of how we process it. Any questions should be put in writing to Piers Leigh-Pollitt, the DPM (email@example.com).
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
Right to withdraw consent
You may withdraw your consent to allow us to continue processing your personal data, but only where consent was sought as a lawful means of processing your personal data.
In the limited circumstances where you may have provided your consent to the processing of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the DPM. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
There are exceptions to the rights of individuals in relation to their Personal Data and, particularly when we are processing your Personal Data for the purpose of providing legal advice to our clients, your rights may be limited. We will, at all times, respect your Personal Data and seek to be as transparent as possible but please be aware that, in some instances, we may be restricted from even acknowledging that we process your Personal Data.
How can you make a complaint?
If you are unhappy with the information provided in this Notice or have concerns about the way in which Doyle Clayton processes your Personal Data you may in the first instance contact Piers Leigh-Pollitt, the DPM (firstname.lastname@example.org), and if you remain dissatisfied then you may apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at: -
Information Commissioner’s Office
What if there are any changes to this Privacy Notice?
We reserve the right to update this Notice at any time. We encourage you to review this privacy notice periodically to be informed about how we use your Personal Data.
What if I use Doyle Clayton’s Notarial services?
This privacy notice relates to the processing of Personal Data by or on behalf of Doyle Clayton. For clients and users of notarial services supplied by our Notarial team, please see www.readingnotarypublic.co.uk/privacy-policy.html where the privacy notice in respect of notarial services is prominently displayed.