This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be collected, stored, used, disclosed and otherwise processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
Hewitsons LLP is the controller of the personal data that it collects from you or otherwise receives. This means that it determines the purposes and means of the processing of your personal data and will process your personal data in accordance with this policy. Occasionally we may act as a processor of data on behalf of a client, for example, where we collect personal data on trustees for the purposes of completing the HMRC trust register on the client’s instruction.
|In this policy: |
we / our / us
|Refers to Hewitsons LLP, a limited liability partnership registered in England and Wales under registered number OC334689 whose registered office is at Shakespeare House, 42 Newmarket Road, Cambridge, CB5, regulated and authorised by the Solicitors Regulation Authority;|
|personal data||means any information relating to an identified or identifiable natural person. An ‘identifiable natural person’ is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; and|
|Special categories of personal data and details of criminal offences||means data relating to: your racial or ethnic origin; your political opinions; your religious beliefs or other beliefs of a similar nature; your membership of a trade union; your physical or mental health or condition; your sexual life; the commission or alleged commission by you or any offence; or any proceedings for any offence committed or alleged to have been committed by you, the disposal of such proceedings or the sentence of any court in such proceedings.|
2. Information we collect from you
2.1 We will collect and process the following personal data about you:
2.1.1 Information you give us. This is information about you that you give us: by contacting us via our website, or filling in online forms on our website, at www.hewitsons.com (our website); or by communicating with us by post, telephone, e-mail or otherwise. The information you give us may include: your name; contact details; identification documents such as your passport and driver’s licence as well as documents that include your National Insurance number and tax identification number; information about you in connection with the matter on which you require our advice or services; financial information such as credit searches, bank account and credit card information; biographical information; information about your job, background, interests and personal life; images captured by CCTV cameras at our offices; marketing and communications information including your subscription preferences in receiving marketing materials from us and your communication preferences; and expressions of opinion about you. Please be aware that if you fail to provide to us information that we ask for, we may be unable to provide our services to you or otherwise fulfil your requirements. It is important that we hold current and accurate information about you, so please provide us with any appropriate updates.
2.1.2 Information we collect about you. With regard to each of your visits to our website we will automatically collect the following information:
126.96.36.199 technical information, which may include the Internet protocol (IP) address used to connect your computer or other device to the Internet, your login information, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform; and
188.8.131.52 information about your visit to our website, which may include the full Uniform Resource Locators (URL), clickstream to, through and from our website (including date and time), pages you viewed or information you searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
2.1.3 Information we receive from other sources. We may receive information about you from third parties such as: other professional advisers, consultants and administrators; financial institutions and financial advisers; witnesses, opponents, courts, arbitration panels and tribunals; other parties and their advisers associated with legal proceedings or contract negotiations in which we are involved on your behalf; or from publicly available sources (such as Companies House, HM Land Registry and the Intellectual Property Office).
4. Uses made of the information
4.1 We comply with the law. We will only use your personal data to the extent that the law allows us to do so. Under the EU General Data Protection Regulation (the GDPR) we will rely on one or more of the following legal bases for processing your personal data:
4.1.1 where it is necessary to perform a contract we have entered into or are about to enter into with you;
4.1.2 where we need to comply with our legal and professional obligations to our clients and to third parties. This includes, for example, our professional and contractual duties to our clients, the courts and our regulators. It also includes other legal obligations that we have, for example, in respect of anti-money laundering;
4.1.3 where it is necessary for the purposes of our legitimate interests (or those of a third party) and your interests or fundamental rights and freedoms do not override those interests. Our ‘legitimate interests’ means our interests in conducting and managing our business, and providing services to our clients. In assessing our legitimate interests, we make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests; and
4.1.4 where you have given us your consent.
4.2 Information you give to us. We will use this information to the extent that it is appropriate to do so:
4.2.1 to process an enquiry received from you, or to respond to an expression of interest from you regarding our services;
4.2.2 to carry out our obligations arising from any contracts entered into between you and us, and to pursue our rights in relation to any such contract;
4.2.3 to provide you with marketing communications such as newsletters, updates about legal developments and information about our services, and to invite you to events and seminars that we think may be of interest to you. From time to time we may host these events with other organisations. If you register to attend we may share your contact details with the other organisation;
4.2.4 to provide payments, rebates or other benefits to you;
4.2.5 to request feedback and comments from you on our services or to provide information to you which may be of interest to you;
4.2.6 to notify you about changes to our services or the terms on which we provide our services;
4.2.7 to try to ensure that content from our website is presented in the most effective manner and appropriate format for you and for your computer, tablet or mobile device; and
4.2.8 to process any application which you may have made for employment with, or engagement by, us.
4.3 Information we collect about you. We will use this information to the extent that it is appropriate to do so:
4.3.1 to administer our website and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
4.3.2 to improve our website to try to ensure that content is presented in the most effective manner for you and for your computer or other device;
4.3.3 to allow you to participate in interactive features of our website or services, when you choose to do so;
4.3.4 as part of our efforts to keep our website and IT systems safe and secure; and
4.3.5 to make suggestions and recommendations to you and other users of our website about our services that may be of interest to you or them.
4.4 Information we receive from other sources. We will use this information to the extent that it is appropriate to do so to combine with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).
4.5 Special categories of personal data and details of criminal offences. Certain personal data is subject to additional safeguards. We may process some special categories of personal data and details of criminal offences: in order to comply with legal or regulatory obligations; comply with our contractual duties; comply with our legal and professional obligations; establish or defend legal claims; or otherwise with your consent.
5. Personal data of children
If our legal advice, services or representation on your behalf in any particular matter involves a child or children below the age of 16 years, we will process the personal data of such child or children only if and to the extent that consent to such processing is given or authorised by the parents or guardians of the child or children concerned. In these circumstances we will explain to the parents or guardians why we need any personal data relating to the child or children and how it will be used, both when we first collect the data and as the particular matter progresses.
6. Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and will explain the legal basis which allows us to do so.
7. Marketing Communications
7.1 We may use your personal data to send you marketing communications (by email, telephone or post) including newsletters, updates about legal developments that might be of interest to you and/or information about our services, including any new or restructured services.
7.2 We have a legitimate interest in processing your personal data for our marketing and business development purposes. This means that we do not usually need your consent to send you newsletters, legal updates and information about our services. However, where consent is needed, for example to send you electronic communications, we will ask for this consent separately and clearly.
7.3 We will always treat your personal data with the utmost respect and we will never sell or share it with other organisations for marketing purposes.
7.4 You have the right to opt out of receiving marketing communications at any time by sending an email to firstname.lastname@example.org or by using the ‘unsubscribe’ link in our emails.
8. Disclosure of your information
8.1 We may share your personal data with selected third parties including:
8.1.1 other lawyers and professional advisers who we instruct on your behalf or to whom we refer you for other services, and other third parties where necessary to carry out your instructions or complete any matter for you (for example, Companies House, HM Land Registry and the Intellectual Property Office);
8.1.2 courts, arbitration panels, tribunals and other judicial authorities, in relation to any legal proceedings or settlement negotiations in which we have been instructed to represent you, and persons appointed to mediate or resolve any dispute in which you are involved and in relation to which we have been instructed to represent you;
8.1.3 companies and other organisations providing IT and other business support services to whom we outsource certain functions required in relation to our business, for example, archiving, shredding, taxi and courier, translation, disaster recovery, and hardware/software support and development services (outsource providers);
8.1.4 relevant parties and/or their professional advisers if there is a merger, acquisition, change of control, joint venture, sale or other similar arrangement involving Hewitsons LLP;
8.1.5 our insurers, advisers, auditors, and external assessors, public authorities including HMRC or other bodies as required so as to comply with our insurance, legal or regulatory obligations;
8.1.6 cloud service and other IT services providers, including the entity that hosts our website, for the purposes of storage of data and the provision of hosting services;
8.1.7 analytics and search engine providers that assist us in the improvement and optimisation of our website; and
8.1.8 credit card processors and other payment services providers, for the purposes of effecting payments by or to you.
8.2 We only allow our outsource providers and other service providers to handle your personal data if we are satisfied that they take appropriate measures to protect your personal data. We also impose contractual obligations on our outsource providers and other service providers to ensure that they can only use your personal data to provide services to us and to you.
9. Where we store and how we protect your personal data
9.1 All information you provide to us is stored on our secure servers located in our Northampton and Cambridge offices, on back up tapes, on our outsourced software providers’ servers (including email archive, time recording, HR, drop box and similar services), within our live and archived papers stored within our offices and at our outsourced archive providers’ premises. It may also be held on computers, laptops, mobile phone and other devices at any of our offices (in Cambridge, Northampton, London and Milton Keynes).
9.2 However, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to us/to our website; any transmission is at your own risk.
9.3 We have put in place, and will maintain, appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
9.4 We also require third parties to whom we disclose your personal data to take appropriate measures to protect the security of your personal data and not to use it except for the purposes for which we disclose it to them.
10. Transferring personal data out of the EEA
10.1 In the course of delivering services to you and carrying out some of the activities referred to in this policy, it is sometimes necessary to transfer your personal data outside of the European Economic Area (EEA), for example, if you or our outsource providers are based outside of the EEA; if there is an international dimension to the matter on which we are advising you; or if one of our lawyers or members of staff needs to access it remotely while they are travelling outside the EEA.
10.2 Where it is necessary for your personal data to be transferred outside of the EEA we will take steps to ensure that your personal data is adequately protected in accordance with UK legal requirements. This may involve at least one of the following safeguards being implemented:
10.2.1 the transfer will only be to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries;
10.2.2 the transfer may be based on standard contractual clauses approved by the European Commission which offer sufficient safeguards on data protection for the data to be transferred internationally. For further details, see European Commission: Model contracts for the transfer of personal data to third countries; or
10.2.3 for transfers to the United States, data may be transferred to a company or organisation which has joined the EU-US Privacy Shield, a framework designed to comply with data protection requirements when transferring personal data from the European Union to the United States. For further details, see European Commission: EU-US Privacy Shield.
10.3 In addition to the safeguards referred to in paragraph 10.2, a transfer of your personal data outside of the EEA may take place based on the conditions and requirements in Article 49 of the GDPR. This may involve obtaining your explicit consent to the proposed transfer or we may make the transfer if it is necessary for the performance of a contract between us. Please contact us, using the contact details provided as set out in paragraph 15 below, if you want further information on the specific safeguards used by us when transferring your personal data outside of the EEA.
10.4 Where necessary we have entered into contracts with our outsource providers and other third parties with whom we may share your personal data to ensure that your personal data is not transferred outside of the EEA without one or more of the safeguards referred to in paragraph 10.2 being implemented, or unless the conditions and requirements in Article 49 of the GDPR have been met.
11. Retention of personal data
11.1 We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected your personal data, including for the purposes of satisfying any legal, accounting or reporting requirements.
11.2 To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of that personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. If by law we are required to retain any information about our clients or their interactions with us, we will retain your personal data insofar as required to comply with such law.
11.3 We may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
12. Your legal rights
12.1 Under certain circumstances, you have the right to:
12.1.1 Request access to your personal data (commonly known as a “subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
12.1.2 Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
12.1.3 Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data in certain other circumstances, namely where you have successfully exercised your right to object to processing (see paragraph 12.1.4 below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with applicable law. Please note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
12.1.4 Object to processing of your personal data where we are relying on our legitimate interests (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
12.1.5 Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example, if you want us to establish its accuracy or the reason for processing it.
12.1.6 Request the transfer of your personal data to you or to another person or entity. In that case we will provide to you, or to the person or entity to whom you wish us to transfer your personal data, your personal data in a structured, commonly used, machine-readable format.
12.1.7 Withdraw consent at any time where we are relying on consent to process your personal data. However this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.
12.1.8 Lodge a complaint with the UK Information Commissioner’s Office or another applicable regulator. If you have any complaints about the way in which we process your personal data please do contact us, as set out in paragraph 15 below, as we would appreciate the opportunity to resolve your complaint.
12.2 If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact us using the contact details provided as set out in paragraph 15 below.
13. Other websites,
Our website may, from time to time, contain links to third party websites, plug-ins or applications. If you follow any of these links, please note that the providers of these other websites, plug-ins and applications may have their own privacy policies and we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to the providers of any of these other websites, plug-ins or applications.
Any changes we make to this policy in the future will be posted on our website and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to this policy.