Lester Aldridge LLP (LA) is a firm of solicitors offering a wide range of legal services to its clients. It is a limited liability partnership with registered number OC321318 and its registered office is Russell House, Oxford Road, Bournemouth BH8 8EX.
In order to provide our services, we need to use and keep personal data about our clients and third parties that are connected to our clients’ matters. We are required to provide information about how we will use personal data, the safeguards to ensure that the personal data will not be used or shared inappropriately and an individual’s rights in respect of their personal data.
Please also see a copy of our data protection policy, which gives more information about how we look after personal data.
Context
An organisation that holds personal data and decides how it should be used is a controller. An organisation that holds personal data but processes it only in accordance with documented instructions from a controller is a processor. In almost all cases, LA will be a controller because we have to decide how to use the data to progress the matter about which our clients have instructed us.
In some circumstances, LA may be a processor in relation to the personal data that is provided. We will identify this in our letter of engagement and enter into the appropriate form of agreement with the client.
Controller
LA is the controller. LA has appointed a Data Protection Officer to oversee compliance with data protection. The Data Protection Officer is Catherine Tree. Any enquiries about the personal data that we hold should be addressed to the Data Protection Officer, Lester Aldridge LLP, Russell House, Oxford Road, Bournemouth BH8 8EX or by email at dpo@LA-law.com.
We might hold your personal data for the following reasons:
- because you are a client or have contacted us with a view to becoming a client for the provision of legal services and advice;
- because you have been referred to us by a third party for the provision of legal services and advice to you;
- because you are a point of contact/Director (third party) of a Corporate client who has engaged us to provide legal services and advice;
- to meet our legal and regulatory duties, including our duties to know our clients, to protect against fraud, money laundering, and check/monitor for sanctions;
- for administrative reasons to enable us to provide our services;
- because your data has been passed to us by a client or by a third party on our client’s matter, or we have interacted with you as a result of our client’s matter (third party);
- because you have made an enquiry with us (third party);
- because you have submitted a data subject request to us (third party);
- because you have requested us to witness documents (third party);
- because you have made a complaint to us (third party);
- because you are providing expert advice or opinions or services in connection with our clients’ matters or otherwise (expert);
- because you are a contractor or supplier of services to us;
- for security reasons, if you have visited our premises;
- for security reasons, including our system security;
- for our marketing, publications, webinars and events, and to understand how visitors to our website interact with it. (Please see our Privacy and Cookies statement and our website Terms & Conditions);
- because contact has been made to us for recruitment and/or work placement opportunities;
- because we are acting as a processor for another business/organisation and processing your data on their behalf;
- because we are instructed by another professional or agent to act on your behalf.
How we collect this information
We mainly collect information direct from you when you contact us, visit us, enter into a contract with us or are referred to us by a third party. We receive data about third parties from our client(s) in the course of dealing with our client’s matter. We might collect data from third parties about our client or other third parties in the course of dealing with the provision of legal services and advice.
If we are acting as a processor, we will receive your data under the instructions of the controller. If we are instructed by another professional or agent to act for you, we will receive your data from that provider.
The Legal Basis for the Processing
The collection, use, sharing and storage of personal data are all termed “processing”. There must be a legal basis for any processing, which we have set out below.
THE PURPOSE OF THE PROCESSING | THE LEGAL BASIS FOR THE PROCESSING |
If you are a client, we will require proof of your identity to satisfy the requirements of the Money Laundering Regulations 2017. | Proof of your identity is necessary to comply with a legal obligation upon us. |
If you are a client, we will use electronic identification and verification (EIDV) software tools to verify your identity, undertake strict regulatory screening (including checking sanctions and politically exposed person (PEP) connections) and perform financial checks**. We will use the EIDV tool to perform ongoing monitoring of sanctions until the end of our legal services with you. | It is in our legitimate interests to use an EIDV tool as this is a far more reliable and robust way for us to carry out the checks and ongoing monitoring. We have a legal obligation to verify identity, prevent money laundering, prevent fraud and check/monitor for sanctions. It is in our legitimate interest to assess financial risk. |
If you are a client, we will require personal data, particularly contact information, in order to discuss the legal advice and services that you require and to provide legal advice and services in accordance with the letter of engagement between us. We will also need your personal data to carry out the retainer, the administration of your account with us and to enable us to perform conflict of interest checks within our client database. | The data is necessary to perform the contract for legal advice and services between us, constituted by the letter of engagement, or to take steps prior to writing the letter of engagement. |
If you are a client or a third party to our client’s matter, it may be necessary to process special category or more sensitive personal data in order to provide legal advice and services to our client. Special category data includes data about racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health records or information about a person’s sex life or sexual orientation, or information about criminal convictions and offences. | We will process special category or sensitive personal data where: (a) the processing is necessary for the establishment, exercise or defence of legal claims; (b) your explicit consent to the processing has been obtained. |
If you are a client, for certain types of legal services, it may be necessary for us to take financial information from you or from third parties to check the source of funds or wealth. | We have a legal obligation to verify the source of funds or wealth to prevent money laundering and/or fraud. |
It may be necessary to take bank account details in certain circumstances if bank transfers need to be made to a client or third party. | The processing is necessary to fulfil the contract of services between us. It is in our client’s or the third party’s legitimate interest for us to have the information to make the bank transfers. You consent to us having the data. |
If you are a client, we will store the ID and verification information. | We have a legal obligation upon us to maintain records of evidence of identity. |
We will store the files or a copy of the files relating to a client’s matter. | It is in our legitimate interests to retain files or a copy of files in order to deal with any queries that may arise after a matter has been completed. |
We will store Deeds or Wills relating to client matters. | We have our client’s consent to do so. It is in our client’s legitimate interest for us to store the original documents to keep them safe. |
Personal data may be collected on our CCTV system if you visit our offices and recorded in our visitor book at reception. If we occupy office premises that have their own CCTV, front of house receptions, and room booking systems, your name and image may be recorded in their system. | Where we are the controller, it is in our legitimate interests to maintain the security of our premises. |
If you telephone our offices, your telephone number will appear in our call logs. Your voice will be recorded if you leave a voice message. | We will only have the recording if you choose to leave a message. |
Your voice might be recorded if you telephone a legal team that has call recording facilities in place. We might use the voice recording for audit, quality and training purposes. | You will hear a notification that the call is to be recorded. You can choose whether to continue with the telephone call. It is in our legitimate interests to audit/check the quality of calls to ensure standards are maintained. |
We may use your name, address, email address and telephone numbers for marketing purposes. | We will only use your name, address, email address and telephone numbers for marketing purposes if we have your consent to do so. |
We may use a third-party name, address and contact information supplied by clients (or other parties) when we carry out our client’s instructions. | It is in our client’s legitimate interests that the personal data of other parties or third party to the client’s matter be processed. |
We may use a third party’s name and address supplied by a client to carry out conflict of interest checks within our client database. | It is in our legitimate interests that the personal data be processed to check for any conflicts of interest. |
We hold expert names, addresses, contact data and areas of expertise, which we refer to when we engage experts whilst we carry out our client’s instructions. | It is in our legitimate interests that we hold data of experts to refer to for selection of appropriate skills for our client’s requirements. The data is necessary to engage the expert and enter into a contract for services with the expert. |
We may need proof of identity of a third party before we release information or funds or to satisfy the requirements of the Money Laundering Regulations 2017. We may use electronic identification and verification (EIDV) software tools to verify your identity. | It is in our or our client’s legitimate interests that the personal data be collected and verified before we release information or funds. Proof of your identity is necessary to comply with a legal obligation upon us. It is in our legitimate interests to use an EIDV tool as this is a far more reliable and robust way for us to perform the checks. |
In certain circumstances, we may need to check whether or not a third party is a designated person and carry out sanctions checks against them. We will use the EIDV tool to perform the checks. We might need to set up ongoing monitoring where necessary. | The processing is necessary for compliance with a legal obligation to which we are subject, namely, to check for sanctions and designated persons. We have an ongoing duty to check for updates to the sanctions list. It is in our legitimate interests to use an EIDV tool as this is a far more reliable and robust way for us to perform the checks. |
If you asked us to witness a document, in certain circumstances, we might need to retain a copy of the document. | You consent to us having the data. |
We may need to use data to comply with audit and statutory regulations. | The processing is necessary for compliance with a legal obligation to which we are subject. It is in our legitimate interest to comply with the requirements of audits. |
We hold applicant information for recruitment vacancies. | The data is necessary to consider the application for employment prior to making any offer of employment. You consent to us having the data. |
We may be acting as a processor and processing your data on behalf of another business/organisation. | We process the data on the instruction of the controller. |
We may need to use data to test an IT system upgrade or migration. | It is in our legitimate interest to use data to ensure that functionality, continuity, and integrity of the IT system is maintained. |
Recipients of Your Personal Data:
We may need to provide personal data to other people in order to provide legal advice and services to our clients. The recipients of such data may include:
- the other party(ies) involved in the matter and their legal advisers;
- Counsel;
- the Court;
- expert witnesses;
- other professionals acting on our client’s behalf such as accountant, surveyor, financial adviser, costs draftsmen or lawyers in other jurisdictions.
We are subject to professional obligations of confidentiality and will always discuss and agree any disclosure of personal data with our client unless we are obliged to disclose it by law. Where appropriate, with experts, we will enter into a Data Sharing Agreement with them to ensure that the data is protected.
We may use external service providers for IT, archive storage, fileshare, and communication services. We use external service providers to take card payments. All our external service providers are required to take appropriate security measures to protect your data.
We may share your personal data with other third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your personal data with a regulator or to otherwise comply with the law.
**As part of our client onboarding and due diligence process, the EIDV service provider will pass data to a credit reference agency (CRA) to perform the financial checks. The CRA may keep a record of that check/search, sometimes called a “footprint”. The footprint will be visible to others who subsequently check your credit file for approximately 1 year.
International Transfers
In most cases, there will be no need to transfer your Personal Data to a country outside the UK.
If there is a need to transfer your Personal Data outside the UK, we will ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- The country has been deemed to provide an adequate level of protection for Personal Data by the UK;
- We may use specific contracts approved by us in the UK which give Personal Data the same protection that it has in Europe;
- We adopt safeguard mechanisms to protect the data, e.g. use encryption, put in place standard contractual clauses.
If there are no appropriate safeguards in place, we may transfer data outside the UK where the transfer is necessary for:
- the performance of the contract between us for the provision of legal services or advice, or for taking steps, at your request, prior to entering into such a contract;
- the conclusion or performance of a contract concluded in your interest between us and someone else;
- the establishment, exercise or defence of legal claims;
- or where you explicitly consent to the transfer.
How Long Will Your Data be Kept?
The data collected for the ID verification and client and/or third party due diligence checks will be kept for a minimum of 5 years after the end of the business relationship with our client.
Client and matter related data (which might include third party data) will be kept until the completion of the matter for which it was collected. Once the matter has been completed, we will keep our files and that data for as long as is necessary to fulfil the purposes of satisfying any legal, accounting or regulatory requirements and, where necessary, as long as is required for us to assert or defend legal claims. In most instances client data and matter related data will be retained by us for a period of between 7 years and 15 years. In matters where a child is involved, or that relate to wills, the period may be much longer. The appropriate period differs for different types of matters, and we will inform our client of the period for which we will keep their file in a letter or email when we close their file.
Recruitment applications will be retained for seven months by our HR Team, unless your application was made via a recruitment agent, then your name may be retained for longer.
Where we are the controller, CCTV images are kept for 30 days, at which point they are overwritten unless there has been a security incident in which case the images will be kept until such time as the incident has been investigated and any necessary action has been taken.
Where we are the controller, visitor information in our visitor book is kept for a 2-year period.
We will keep any data that we hold for marketing purposes whilst we have your consent to do so.
Where we have acted as a processor, we return the data to the controller upon completion of their instructions.
Consent
If we ask for your consent to use your personal data for marketing purposes, you have the right to withdraw your consent at any time. The form of consent and a subsequent marketing communication will tell you how to withdraw your consent. In addition, you can withdraw consent by email to dpo@LA-law.com.
The withdrawal of consent will not affect our provision of legal advice and services in any way.
Other Rights in Relation to Your Personal Data
Under certain circumstances, you have the right to:
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are processing it lawfully.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on our legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example, if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact us by writing to Data Protection Officer, Russell House, Oxford Road, Bournemouth BH8 8EX or by email to dpo@LA-law.com.
Prior to actioning your request, we may ask you to validate your identity and we will only carry out any request by you when we are satisfied that we have validated your identity appropriately.
If you are dissatisfied with the way in which we have dealt with your personal data, you have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
Telephone number: 0303 123 1113.
Website address: https://ico.org.uk
Last updated: October 2024