Privacy Notice

The privacy of our clients is important to us and we take care to safeguard it. Morton Fraser has now merged with MacRoberts. To download the Morton Fraser MacRoberts LLP Privacy Notice, visit our landing page.

1. Who we are

We are Morton Fraser LLP (Morton Fraser), a limited liability partnership with registered number SO300472 and having its registered office address at 5th Floor, Quartermile Two, 2 Lister Square, Edinburgh, EH3 9GL.

This Privacy Notice also applies to our subsidiary companies and so in this privacy notice, references to “we” or “us” mean Morton Fraser and its subsidiary companies.

We are a controller for the purposes of data protection law. We are registered with the Information Commissioner's Office; our registration number is Z8122652.

2. How to contact us

We have appointed a data protection officer who is responsible for overseeing questions in relation to this Privacy Notice. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact our DPO using the details set out below:

By post: Data Protection Officer, Morton Fraser LLP, Quartermile Two, 2 Lister Square, Edinburgh, Midlothian, EH3 9GL

By email: dataprotectionofficer@morton-fraser.com

By phone: 0131 247 1000

3. Purpose of this privacy notice 

We are committed to protecting your personal data and your privacy. This Privacy Notice sets out the basis on which any personal data that you provide to us or that we obtain from a third party will be processed by us. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

It is important that you read this Privacy Notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. Any other privacy notice or fair processing notice will supplement (not override) this Privacy Notice.

4. Important definitions 

Anonymous data means any information which can no longer identify an individual.

Legitimate interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Personal data, or personal information, means any information about an individual from which that person can be identified. This includes name, contact details (both personal and business), identification number, location data, online identifier (such as a social media username), biographical or physical information.

Special categories of personal data means information about racial or ethnic origin, health, sexual orientation or sex life, political, philosophical or religious beliefs, trade union membership and genetic or biometric data. Data relating to criminal convictions is not included as a "special category of personal data" but is afforded much of the same protections.

5. Children's data 

We obtain data relating to children both directly from such children and from persons with parental responsibility or educational responsibility for such children. Where we process children's data, we take additional care to ensure the security of such data and to ensure that the rights and freedoms of the child are taken into consideration.

6. Structure of this privacy notice 

This Privacy Notice contains sections that apply to different categories of individuals that we deal with: individual clients (section 7); individuals who are related to a client organisation (section 8); business and professional contacts (section 9); website users (section 10) and other individuals (section 11). For details about what personal data we obtain and how we use it, please consider which of the categories applies to you. Please note that we may use your personal data in different contexts and therefore more than one category may apply to you.

The other sections in this Privacy Notice apply to all categories of individuals.

7. Individual clients

7.1  Who does this part of the Privacy Notice apply to?

This part of the Privacy Notice applies to our clients who are individuals (acting in their own capacity or jointly with another individual or acting as a sole trader, trustee, partner in a partnership or member of an unincorporated club or association).

7.2  What personal data do we collect and process?

We may obtain and process different kinds of personal data about you in the course of providing legal and other services to you, which we have grouped together as follows:

  • Identity Data includes first name, last name, nationality, marital status, title, date of birth, gender and National Insurance number.

  • Contact Data includes home and/or business addresses, email addresses and telephone numbers.

  • Transaction Data includes information obtained by providing legal and other services to you, details about services provided by us to you, details of payments to and from you, and other details of our interactions including correspondence and conversations.

  • Employment Data includes details about who you work for and your role in any such organisation, your employment history and your credentials.

  • Financial Data includes bank account and payment card details.

  • Social Data includes information about your family, lifestyle and social circumstances.

  • Public Data includes publicly available information such as details on Companies House or otherwise publicly available on the Internet.

  • Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.

  • Special Categories of Personal Data includes information about racial or ethnic origin, health, sexual orientation or sex life, political, philosophical or religious beliefs, trade union membership and genetic or biometric data.

  • Criminal Convictions Data includes information about criminal convictions or offences.

Data protection law treats some types of personal data as special. We will only obtain and use the Special Categories of Personal Data and the Criminal Convictions Data where we need to and where data protection law allows us to do so.

7.3  How is your personal data obtained?

We use different methods to collect data from and about you including through:

  • Direct interactions. You may give us your personal data (including Special Categories of Personal Data and Criminal Convictions Data) through any number of direct interactions. This includes personal data you provide when you:

    • make an enquiry about our services;

    • instruct us to provide legal or other services and during the course of the provision of legal or other services;

    • correspond with us by post, phone, email, social media or otherwise;

    • provide feedback or respond to surveys;

    • register for, attend or participate in events or seminars hosted or provided by us.

  • Third parties or publicly available sources. We may receive or obtain personal data about you from various third parties and publicly available sources as set out:

    • fraud prevention agencies and credit reference agencies.

    • social media providers and other Internet sites (such as Twitter or LinkedIn).

    • Companies House, the Electoral Register, Registers of Scotland and other public bodies.

    • organisations or businesses that refer you to us, such as other law firms, other clients, accountants or financial institutions

    • other professional advisors, financial institutions, expert witnesses, courts and tribunals, mediators, arbiters, title and search agents and others with whom we interact in connection with the services that we provide to you.

7.4 Failure to provide information

Where we need to collect personal data by law (for example in order to carry out identity verification and anti-money laundering checks), or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have entered into with you or we may be unable to comply with our own legal obligations.

In some cases, a failure to provide information when requested may delay our provision of legal or other services to you and in other cases, we may be unable to act for you or may have to withdraw from acting.

7.5  How will we use your information?

The main reason why we process your personal data is to be able to provide you with legal or other services as instructed by you.

Personal data will be processed by us where you consent to the processing or where that processing is necessary for (1) the performance of a contract with you; or (2) compliance with a legal obligation to which we are subject; or (3) the purposes of our legitimate interests (or those of a third party).

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

| Purpose | Legal basis | Legitimate Interest (where relevant) |
| --- | --- | --- |
| To provide you with legal services; To provide you with other services such as company secretarial, wealth management or estate agency services | Performance of a contract; Legitimate interests | To pursue commercial objectives, including running our business profitably and efficiently; To exercise our rights under a contract with you; To keep our client and other records up to date |
| To manage our relationship with you, including: fulfilling our contractual obligations; managing payments, fees and charges; collecting and recovering money owed to us; dealing with client complaints; and notifying you of any changes to our terms of business or privacy notices. | Performance of a contract; Legitimate interests | To exercise our rights under a contract with you; To manage credit control and debt recovery; To manage complaints or potential claims; To fulfil our responsibilities to our clients |
| To carry out identity verification and fraud prevention checks, background checks and anti-money laundering procedures | Legal obligation; Legitimate interests | To prevent fraud or money laundering; To protect our business and reputation |
| To improve and develop our services | Legitimate interests | To improve our services and our efficiency |
| To manage our business as a whole, including: financial management and administration; business planning; corporate governance; audits | Legal obligation; Legitimate interests | To improve our services and our efficiency; To operate an efficient and profitable commercial business |
| To comply with relevant legal obligations; To comply with reporting obligations to regulatory bodies | Legal obligation | |
| To protect the rights, property, or safety of our staff, our clients, or others | Legal obligation; Legitimate interests | To manage the safety of our staff, clients and others |
| To establish, exercise or defend our legal rights | Legitimate interests | To enforce our legal rights |

Where we process Special Categories of Personal Data, we will generally do so on the basis that (1) it is necessary for the establishment, exercise or defence of legal claims or (2) it is necessary for reasons of substantial public interest (as permitted by Schedule 1 of the Data Protection Act 2018, for example for the purposes of fraud prevention). In exceptional circumstances, we may process Special Categories of Personal Data on the basis of your explicit consent or where it is necessary to protect your vital interests or those of another individual. Other lawful bases for processing Special Categories of Personal Data may apply from time to time, but we would inform you of this at the relevant time.

Where we process Criminal Conviction Data, we only do so where authorised by law, in particular Schedule 1 of the Data Protection Act 2018.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

7.6 Who do we share your personal data with?

There may be circumstances in which we may also need to share your personal data with certain third parties. The third parties to which we may transfer your personal data include:

  • Other third parties to any transaction, dispute, legal proceedings or other legal matter on which we are advising you (including other professional advisers, external counsel, expert witnesses, courts and tribunals, search agencies, surveyors, sheriff officers, etc);

  • our service providers who provide IT and system administration services (including client management systems, anti-money laundering, data rooms and other software services). A list of our current suppliers can be provided on request;

  • our agents and service providers who we engage in the provision of our services, including professional advisers, bankers, surveyors, external counsel, insurers, auditors and others;

  • fraud prevention agencies and credit reference agencies;

  • any relevant regulatory authority, including the Law Society of Scotland, the Scottish Legal Complaints Commission, the Law Society of England & Wales, the Solicitors Regulation Authority, the Financial Conduct Authority and the Information Commissioner’s Office.

  • the police and any other law enforcement agency, HM Revenue & Customs or other government body;

  • public registers and public information resources, such as Companies House or Registers of Scotland;

  • third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets.

Any sharing of your personal data will only take place either where we are legally obliged to do so, where it is necessary for the performance of a contract with you or where it is in our legitimate interests to do so, including as follows:

  • to maintain network and information security;

  • to develop and improve our services in order to remain competitive;

  • to undertake reference checks, credit checks and risk assessments;

  • to protect and defend our legal rights;

  • to pursue our commercial objectives where this does not override your rights and freedoms as a data subject.

7.7  International transfers

General information. We hold all personal data relating to clients within the UK; however, some of our third party service providers (such as Eventbrite) are headquartered or based outside of the UK, so their processing of your personal data may involve a transfer of data outside of the UK.

We will only send your personal data outside of the UK:

  • where you instruct us to do so, including where we are required to do so as part of the legal services that you have instructed us to provide (for example when we deal with professional advisors outwith the UK on your behalf or when we deal with counterparties to a transaction or other legal matter outwith the UK on your behalf);

  • where we are instructed on your behalf by someone outwith the UK (for example your professional advisors outwith the UK);

  • where we need to do so in order to comply with our or your legal obligations;

  • where the transfer is necessary for reasons of public interest;

  • where the transfer is necessary for the establishment, exercise or defence of legal rights.

Whenever we transfer your personal data outside of the UK, we will seek to ensure that it is protected to a similar degree as within the UK by using appropriate safeguards, which may include the following:

  • we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.

  • where the recipient organisation is not located in a country with an adequacy decision, we may use specific contracts approved by the UK which give personal data the same protection it has in the UK.

The safeguards used will depend on the circumstances of the transfer and the location of the non-UK recipient.

Fraud and credit information. Fraud prevention agencies and credit reference agencies may transfer your personal data outside of the UK. Whenever they transfer your personal data outside of the UK, they will impose contractual obligations on the recipients of that data. Those obligations require the recipient to protect your personal data to the standard required in the UK. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.

7.8  Automated decision-making or profiling

We do not use automated decision-making (including profiling) to make any decisions which would produce a legal or similarly significant effect on you.

7.9  How long do we retain your personal data?

We will retain your personal data for as long as necessary to fulfil the purposes for which the personal data was obtained and to comply with any legal, accounting or reporting requirements.

Generally speaking, we will keep your client files (and any personal data contained therein) for a minimum period of ten years following completion of the matters, so that we are able to respond to a question, complaint or claim. We will keep the information used to verify your identity, and other related client due diligence information, for five years after you cease to be our client.

Retention periods for records are determined on the basis of the type of record, the nature of the service or advice that we have provided, and any applicable legal or regulatory requirements. We follow the guidelines issued by the Law Society of Scotland concerning the retention of client files (including personal data contained therein), but the rules that apply to determine how long it is appropriate to hold client files can be complex and varied. If you require further information about our retention periods, please contact our Data Protection Officer using the contact details above.

8. Individuals who are related to a client organisation

8.1  Who does this part of the Privacy Notice apply to?

 This part of the Privacy Notice applies to:

  • individuals who are directors, officers, partners, shareholders or other owners or beneficial owners of an organisation that is our client (the client organisation); and

  • individuals who work for the client organisation (as an employee, consultant, worker or otherwise).

8.2  What personal data do we collect and process?

Depending on the work we are doing for the client organisation, we may obtain and process different kinds of personal data about you in the course of providing legal services to our client, which we have grouped together as follows:

  • Identity Data includes first name, last name, nationality, marital status, title, date of birth, gender and National Insurance number.

  • Contact Data includes home and/or business addresses, email addresses and telephone numbers.

  • Transaction Data includes information obtained by providing legal and other services to our client and other details of our interactions including correspondence and conversations.

  • Employment Data includes details about who you work for and your role in any such organisation, your employment history and your credentials.

  • Financial Data includes bank account and payment card details.

  • Social Data includes information about your family, lifestyle and social circumstances.

  • Public Data includes publicly available information such as details on Companies House or otherwise publicly available on the Internet.

  • Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.

  • Special Categories of Personal Data includes information about racial or ethnic origin, health, sexual orientation or sex life, political, philosophical or religious beliefs, trade union membership and genetic or biometric data.

  • Criminal Convictions Data includes information about criminal convictions or offences.

Data protection law treats some types of personal data as special. We will only obtain and use the Special Categories of Personal Data and the Criminal Convictions Data where we need to and where data protection law allows us to do so.

8.3  How is your personal data obtained?

We use different methods to collect data from and about you including through:

  • Direct interactions. You may give us your personal data (including Special Categories of Personal Data and Criminal Convictions Data) through any number of direct interactions. This includes personal data you provide when you:

    • make an enquiry about our services on behalf of the client organisation;

    • instruct us to provide legal or other services and during the course of the provision of legal or other services on behalf of the client organisation;

    • correspond with us by post, phone, email, social media or otherwise;

    • provide feedback or respond to surveys;

    • register for, attend or participate in events or seminars hosted or provided by us.

  • From the client organisation. We may receive or obtain personal data about you from your organisation or from your colleagues. This includes personal data provided to us by your organisation relating to your work contact details, details about your role in any such organisation and your credentials.

  • Third parties or publicly available sources. We may receive or obtain personal data about you from various third parties and publicly available sources as set out:

    • fraud prevention agencies and credit reference agencies;

    • social media providers and other Internet sites (such as Twitter or LinkedIn).

    • Companies House, the Electoral Register, Registers of Scotland and other public bodies.

    • organisations or businesses that refer you (or the client organisation) to us, such as other law firms, other clients, accountants or financial institutions

    • other professional advisors, financial institutions, expert witnesses, courts and tribunals, mediators, arbiters, title and search agents and others with whom we interact in connection with the services that we provide to the client organisation.

8.4  Failure to provide information

Where we need to collect personal data by law (for example in order to carry out identity verification and anti-money laundering checks), or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have entered into with the client organisation or we may be unable to comply with our own legal obligations.

In some cases, a failure to provide information when requested may delay our provision of legal services to the client organisation and in other cases, we may be unable to act for the client organisation or may have to withdraw from acting.

8.5 How will we use your information?

The main reason why we process your personal data is to be able to provide the client organisation with legal services as instructed by such client organisation.

Personal data will be processed by us where you consent to the processing or where that processing is necessary for (1) compliance with a legal obligation to which we are subject; or (2) the purposes of our legitimate interests (or those of a third party).

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

| Purpose | Legal basis | Legitimate Interest (where relevant) |
| --- | --- | --- |
| To provide the client organisation with legal or other services; To provide the client organisation with other services such as company secretarial or estate agency services; To contact you in the course of providing our services to the client organisation; To use information about you where relevant to the legal or other services we provide to the client organisation | Legitimate interests | To pursue commercial objectives, including running our business profitably and efficiently; To provide legal and other services to the client organisation; To fulfil our contractual obligations to the client organisation; To keep our client and other records up to date |
| To manage our relationship with you, including: fulfilling our contractual obligations; managing payments, fees and charges; collecting and recovering money owed to us; dealing with client complaints; and notifying you of any changes to our terms of business or privacy notices. | Legitimate interests | To exercise our rights under a contract with the client organisation; To manage credit control and debt recovery; To manage complaints or potential claims; To fulfil our responsibilities to our clients |
| To carry out identity verification and fraud prevention checks, background checks and anti-money laundering procedures (relating to directors, officers, partners, shareholders and other owners and beneficial owners only) | Legal obligation; Legitimate interests | To prevent fraud or money laundering; To protect our business and reputation |
| To improve and develop our services | Legitimate interests | To improve our services and our efficiency |
| To manage our business as a whole, including: financial management and administration; business planning; corporate governance; audits | Legal obligation; Legitimate interests | To improve our services and our efficiency; To operate an efficient and profitable commercial business |
| To comply with relevant legal obligations; To comply with reporting obligations to regulatory bodies | Legal obligation | |
| To protect the rights, property, or safety of our staff, our clients, or others | Legal obligation; Legitimate interests | To manage the safety of our staff, clients and others |
| To establish, exercise or defend our legal rights | Legitimate interests | To enforce our legal rights |

Where we process Special Categories of Personal Data, we will generally do so on the basis that (1) it is necessary for the establishment, exercise or defence of legal claims or (2) it is necessary for reasons of substantial public interest (as permitted by Schedule 1 of the Data Protection Act 2018, for example for the purpose of fraud prevention). In exceptional circumstances we may process Special Categories of Personal Data with your explicit consent or where it is necessary to protect your vital interests or those of another individual. Other lawful bases for processing Special Categories of Personal Data may apply from time to time, but we would inform you of this at the relevant time.

Where we process Criminal Conviction Data, we only do so where authorised by law, in particular by Schedule 1 of the Data Protection Act 2018.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

8.6  Who do we share your personal data with?

There may be circumstances in which we may also need to share your personal data with certain third parties. The third parties to which we may transfer your personal data include:

  • your organisation (our client organisation) and your colleagues within such organisation;

  • other third parties to any transaction, dispute, legal proceedings or other legal matter on which we are advising the client organisation (including other professional advisers, external counsel, expert witnesses, courts and tribunals, search agencies, surveyors, sheriff officers, etc)

  • other professional advisers and agents engaged by the client organisation;

  • our service providers who provide IT and system administration services (including client management systems, data rooms and other software services);

  • our agents and service providers who we engage in the provision of our services, including professional advisers, bankers, surveyors, external counsel, insurers, auditors and others;

  • fraud prevention agencies and credit reference agencies;

  • any relevant regulatory authority, including the Law Society of Scotland, the Scottish Legal Complaints Commission, the Law Society of England & Wales, the Solicitors Regulation Authority, the Financial Conduct Authority and the Information Commissioner’s Office.

  • the police and any other law enforcement agency, HM Revenue & Customs or other government body;

  • public registers and public information resources, such as Companies House or Registers of Scotland;

  • third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets.

Any sharing of your personal data will only take place either where we are legally obliged to do so or where it is in our legitimate interests to do so, including as follows:

  • to provide legal and other services to the client organisation;

  • to maintain network and information security;

  • to develop and improve our services in order to remain competitive;

  • to undertake reference checks, credit checks and risk assessments;

  • to protect and defend our legal rights;

  • to pursue our commercial objectives where this does not override your rights and freedoms as a data subject.

8.7  International transfers

General information. We hold all personal data relating to clients (and their employees, directors and owners) within the UK; however, some of our third party service providers (such as Eventbrite) are headquartered or based outside of the UK, so their processing of your personal data may involve a transfer of data outside of the UK.

We will only send your personal data outside of the UK:

  • where you instruct us to do so or where you consent to us doing so;

  • where we are required to do so as part of the legal services that the client organisation has instructed us to provide (for example when we deal with professional advisors outwith the UK on behalf of the client organisation or when we deal with counterparties to a transaction or other legal matter outwith the UK on behalf of the client organisation);

  • where we are instructed on behalf of the client organisation by someone outwith the UK (for example your professional advisors outwith the UK);

  • where we need to do so in order to comply with our or your or the client organisation’s legal obligations;

  • where the transfer is necessary for reasons of public interest;

  • where the transfer is necessary for the establishment, exercise or defence of legal rights.

Whenever we transfer your personal data outside of the UK, we will seek to ensure that it is protected to a similar degree as within the UK by using appropriate safeguards, which may include the following:

  • we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.

  • where the recipient organisation is not located in a country with an adequacy decision, we may use specific contracts approved by the UK which give personal data the same protection it has in the UK.

The safeguards used will depend on the circumstances of the transfer and the location of the non-EEA recipient.

Fraud and credit information. Fraud prevention agencies and credit reference agencies may transfer your personal data outside of the UK. Whenever they transfer your personal data outside of the UK, they will impose contractual obligations on the recipients of that data. Those obligations require the recipient to protect your personal data to the standard required in the UK. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.

8.8  Automated decision-making or profiling

We do not use automated decision-making (including profiling) to make any decisions which would produce a legal or similarly significant effect on you.

8.9 How long do we retain your personal data?

We will retain your personal data for as long as necessary to fulfil the purposes for which the personal data was obtained and to comply with any legal, accounting or reporting requirements.

Generally speaking, we will keep client files (and any personal data contained therein) for a minimum period of ten years following completion of the matter, so that we are able to respond to a question, complaint or claim. We will keep the information used to verify your identity, and other related client due diligence information, for five years after the relevant client organisation ceases to be our client.

Retention periods for records are determined on the basis of the type of record, the nature of the service or advice that we have provided, and any applicable legal or regulatory requirements. We follow the guidelines issued by the Law Society of Scotland concerning the retention of client files (including personal data contained therein), but the rules that apply to determine how long it is appropriate to hold client files can be complex and varied. If you require further information about our retention periods, please contact our Data Protection Officer using the contact details above.

9. Business and professional contacts

9.1  Who does this part of the Privacy Notice apply to?

This part of the Privacy Notice applies to individuals who, or whose organisation, supply goods or services to us, provide professional services (including other solicitors, accountants, surveyors and financial advisers), have expressed an interest in us or have any other business or professional relationship with us (including where the organisation is a public authority, an industry body or regulatory authority or similar) and where:

  • the individual is a sole trader, attorney, trustee, partner in a partnership, member of an unincorporated club or association or an employee of any of these; or

  • the individual is an owner, director, officer, partner or authorised signatory or employee of an organisation or other entity (including public authorities).

9.2  What personal data do we collect and process?

We may obtain and process different kinds of personal data about you in the course of our business or professional relationship, which we have grouped together as follows:

  • Identity Data includes first name, last name, marital status, title, and gender.

  • Contact Data includes business addresses, email addresses and telephone numbers.

  • Transaction Data includes details of our interactions including correspondence and conversations.

  • Employment Data includes details about who you work for and your role in any such organisation, your employment history and your credentials.

  • Financial Data includes bank account and payment card details.

  • Public Data includes publicly available information such as details on Companies House or otherwise publicly available on the Internet.

  • Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.

9.3  How is your personal data obtained?

We use different methods to collect data from and about you including through:

  • Direct interactions. You may give us your personal data through any number of direct interactions. This includes personal data you provide when you:

    • enter into discussions about potential contractual arrangements;

    • correspond with us by post, phone, email, social media or otherwise;

    • provide feedback or respond to surveys;

    • register for, attend or participate in an event or seminar hosted or provided by us.

  • From your organisation. Where you are employed or otherwise engaged by another organisation, we may receive or obtain personal data about you from your organisation or from your colleagues.

  • Third parties or publicly available sources. We may receive or obtain personal data about you from various third parties and publicly available sources as set out:

    • your, or your organisation’s, website.

    • social media providers and other Internet sites (such as Twitter or LinkedIn).

    • Companies House, the Electoral Register, Registers of Scotland and other public bodies.

    • organisations or businesses that refer you (or your organisation) to us, such as other law firms, other clients, accountants or financial institutions.

    • other professional advisors, financial institutions, expert witnesses, courts and tribunals, mediators, arbiters, title and search agents and others with whom we interact in connection with the services that we provide to the client organisation.

9.4 How will we use your information?

Personal data will be processed by us where you consent to the processing or where that processing is necessary for (1) compliance with a legal obligation to which we are subject; or (2) the purposes of our legitimate interests (or those of a third party).

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

 

Purpose: To communicate with you in the course of our business or professional relationship

  • Legal basis: Legitimate interest; Performance of a contract (where such contract is with you, rather than your organisation)

  • Legitimate Interest (where relevant): To provide our clients with legal and other services; To obtain goods or services from you or your organisation for our benefit; To obtain services from you or your organisation for the benefit of our clients

Purpose: To manage our professional relationship with professional advisors, regulatory authorities, public authorities

  • Legal basis: Legitimate interests

  • Legitimate Interest (where relevant): To maintain good working relationships with other professionals; To fulfil our responsibilities to our clients, suppliers and other third parties

Purpose: To manage our business relationships with third party suppliers, which will include: (a) assessing the suitability of any existing or potential supplier of goods and services to us; (b) negotiating and entering into appropriate contracts for the supply of goods or services to us, carrying out any obligations under such contracts (including obligations of payment) and if necessary enforcing any such contracts; (c) undertaking on-going monitoring and management of our relationship with suppliers; (d) investigating any complaints or enquiries

  • Legal basis: Legitimate interests; Performance of a contract (where such contract is with you, rather than your organisation)

  • Legitimate Interest (where relevant): To perform a contract with your organisation or business; To manage third party relationships; To run our business efficiently and profitably; To enhance, modify and improve our services and products; To pursue our commercial objectives where this does not override your rights and freedoms as a data subject

Purpose: To improve and develop our services

  • Legal basis: Legitimate interests

  • Legitimate Interest (where relevant): To improve our services and our efficiency

Purpose: To manage our business as a whole, including financial management and administration; business planning; corporate governance; audits

  • Legal basis: Legal obligation; Legitimate interests

  • Legitimate Interest (where relevant): To improve our services and our efficiency; To operate an efficient and profitable commercial business

Purpose: To comply with relevant legal obligations; To comply with reporting obligations to regulatory bodies

  • Legal basis: Legal obligation

Purpose: To protect the rights, property, or safety of our staff, clients, or others

  • Legal basis: Legal obligation; Legitimate interests

  • Legitimate Interest (where relevant): To manage the safety of our staff, clients and others

Purpose: To establish, exercise or defend our legal rights

  • Legal basis: Legitimate interests

  • Legitimate Interest (where relevant): To enforce our legal rights

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

9.5  Who do we share your personal data with?

There may be circumstances in which we may also need to share your personal data with certain third parties. The third parties to which we may transfer your personal data include:

  • your organisation (where you are employed or engaged by another organisation) and your colleagues within such organisation;

  • our clients and prospective clients, where relevant to the provision of legal and other services to our clients;

  • our service providers who provide IT and system administration services (including client management systems, data rooms and other software services);

  • our agents and service providers who we engage in the provision of our services, including professional advisers, bankers, surveyors, external counsel, insurers, auditors and others;

  • any relevant regulatory authority, including the Law Society of Scotland, the Scottish Legal Complaints Commission, the Law Society of England & Wales, the Solicitors Regulation Authority, the Financial Conduct Authority and the Information Commissioner’s Office.

  • the police and any other law enforcement agency, HM Revenue & Customs or other government body;

  • public registers and public information resources, such as Companies House or Registers of Scotland;

  • third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets.

Any sharing of your personal data will only take place either where we are legally obliged to do so or where it is in our legitimate interests to do so, including as follows:

  • to provide legal and other services to our clients;

  • to maintain network and information security;

  • to develop and improve our services in order to remain competitive;

  • to undertake reference checks, credit checks and risk assessments;

  • to protect and defend our legal rights;

  • to pursue our commercial objectives where this does not override your rights and freedoms as a data subject.

9.6 International transfers

General information. We hold all personal data relating to our business and professional contacts within the UK; however, some of our third party service providers (such as Eventbrite) are headquartered or based outside of the UK, so their processing of your personal data may involve a transfer of data outside of the UK.

We will only send your personal data outside of the UK:

  • where you instruct us to do so or where you consent to us doing so;

  • with respect to professional contacts, where we are required to do so as part of the legal or other services that our or your clients have instructed (for example when we deal with professional advisers outwith the UK or when we deal with counterparties to a transaction or other legal matter outwith the UK);

  • where we need to do so in order to comply with our legal obligations

  • where the transfer is necessary for reasons of public interest

  • where the transfer is necessary for the establishment, exercise or defence of legal rights

Whenever we transfer your personal data outside of the UK, we will seek to ensure that it is protected to a similar degree as within the UK by using appropriate safeguards, which may include the following:

  • we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data

  • where the recipient organisation is not located in a country with an adequacy decision by the UK, we may use specific contracts approved by the UK which give personal data the same protection it has in the UK.

The safeguards used will depend on the circumstances of the transfer and the location of the non-EEA recipient.

9.7  Automated decision-making or profiling

We do not use automated decision-making (including profiling) to make any decisions which would produce a legal or similarly significant effect on you.

9.8  How long do we retain your personal data?

We will retain your personal data for as long as necessary to fulfil the purposes for which the personal data was obtained and to comply with any legal, accounting or reporting requirements.

Generally speaking, we will retain your personal data for so long as you remain a business or professional contact.

In relation to your personal data which may be recorded in client files, we keep client files (and any personal data contained therein) for a minimum period of ten years following completion of the matter, so that we are able to respond to a question, complaint or claim. We follow the guidelines issued by the Law Society of Scotland concerning the retention of client files, and if you require further information about our retention periods, please contact our Data Protection Officer using the contact details above.

10. Website users and marketing 

10.1  Who does this part of the Privacy Notice apply to?

This part of the Privacy Notice applies to individuals who visit our website (www.morton-fraser.com, www.commercialrealestatenews.co.uk or any other domain name registered in our name).

10.2  Information about our website

Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookie Notice (section 10.7 below).

10.3 Children

Our website is not intended for children and we do not knowingly collect data relating to children via our website.

10.4  What personal data do we collect and process?

We may obtain and process different kinds of personal data about you, which we have grouped together as follows:

  • Identity Data includes first name, last name, social media username or similar identifier, marital status, title, and gender.

  • Contact Data includes personal and business addresses, email addresses and telephone numbers.

  • Financial Data includes bank account or credit card details.

  • Technical Data includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.

  • Usage Data includes information about how you use our website, products and services.

  • Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

10.5  How is your personal data obtained?

We use different methods to collect data from and about you including through:

  • Direct interactions. You may give us your personal data through any number of direct interactions. This includes personal data you provide when you:

    • request marketing to be sent to you;

    • submit an online enquiry;

    • sign up for one of our events;

    • correspond with us by post, phone, email, social media or otherwise;

    • provide feedback or respond to surveys.

  • Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment/devices, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our Cookie Notice (section 10.7 below) for further details.

  • Third parties or publicly available sources. We may receive or obtain personal data about you from various third parties and publicly available sources as set out:

    • social media providers and other Internet sites (such as Twitter or LinkedIn).

    • analytics providers, advertising networks or search information providers (such as Google Analytics).

10.6  How will we use your information?

Personal data will be processed by us where you consent to the processing or where that processing is necessary for (1) the performance of a contract with you; or (2) compliance with a legal obligation to which we are subject; or (3) the purposes of our legitimate interests (or those of a third party).

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

Purpose: To manage our online relationship with you, including: (1) notifying you about changes to our terms and conditions or our privacy policy; (2) communicating with you in response to any online enquiries, requests or other contact

  • Legal basis: Legal obligation; Legitimate interests

  • Legitimate Interest (where relevant): To develop our relationship with you

Purpose: To process any registrations for events including: (1) manage payments, fees and charges; (2) collect and recover money owed to us

  • Legal basis: Legitimate interests

  • Legitimate Interest (where relevant): To hold events, such as seminars and networking events, to promote our business

Purpose: To administer and protect our business and our website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)

  • Legal basis: Legal obligation; Legitimate interests

  • Legitimate Interest (where relevant): To run our business properly and efficiently; To ensure the provision of administration and IT services; To ensure network security; To prevent fraud

Purpose: To use data analytics to improve our website, services, marketing, customer relationships and experiences

  • Legal basis: Legitimate interests

  • Legitimate Interest (where relevant): To keep our website updated and relevant; To develop our business; To inform our marketing strategy

Purpose: To establish, exercise or defend our legal rights

  • Legal basis: Legitimate interests

  • Legitimate Interest (where relevant): To enforce and protect our legal rights

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

10.7  Cookies

Our website (www.morton-fraser.com, or any other domain name registered in our name) uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. By continuing to browse the site, you are agreeing to our use of cookies.

A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive.

We use the following cookies:

  • Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.

  • Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.

  • Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).

  • Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.

You can find more information about the individual cookies we use and the purposes for which we use them in the table below:

Cookie: Google Analytics

  • Name: _utma, _utmb, _utmc, _utmz, _ga, _utm*

  • Purpose: These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited.

  • More information: An overview of privacy at Google

Cookie: Drupal has_js

  • Name: has_js

  • Purpose: Used by Drupal, the content management system which powers this website. It helps the website understand if the browser JavaScript functionality is enabled or not. This allows Drupal to generate different markup depending on whether the user agent is capable of executing JavaScript or not.

Cookie: Hotjar

  • Name: _hs*, hubspotutk, hsPagesViewedThisSession, hsfirstvisit, mp_*, _hjMinimizedTestersWidgets, _hjDoneTestersWidgets, _hjIncludedInSample

  • Purpose: These cookies are used by Hotjar to analyse the online behaviour of visitors to our website. We use the information to improve the end user's experience and to improve the performance of our website. The cookies collect information including standard internet log information and details of your behavioural patterns upon visiting our website.

  • More information: An overview of privacy at Hotjar

Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control. These cookies are likely to be analytical/performance cookies or targeting cookies.

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.

We also use analytic services to help us understand how effective our content is, what interests our users have, and to improve how this website works. In addition, we use web beacons or tracking pixels to count visitor numbers and performance cookies to track how many individual users access this website and how often.

This information is used for statistical purposes only and we do not use such information to personally identify any user.

10.8 Marketing

Our direct marketing communications generally consist of delivering regular newsletters (on various subjects) and informing you of upcoming events hosted or organised by us, usually by email or other electronic means.

Generally speaking, we will only provide you with direct marketing communications where you have consented to receive such communications.

You can subscribe to such marketing communications, and you can adjust your marketing preferences at any time via the “Preference Centre” or by contacting us on marketing@morton-fraser.com or 0131 247 1011.

In limited circumstances, we may rely on our legitimate interests to market our business to provide direct marketing communications to other businesses (business-to-business marketing).

You can also opt-out or unsubscribe from all or some of these marketing communications at any time via the “Preference Centre”, by contacting us on marketing@morton-fraser.com or 0131 247 1011 or by clicking “unsubscribe” at the bottom of any marketing email.

Where you opt out of receiving these marketing communications, this opt-out will not apply to personal data provided to us for any other purpose.

10.9  Who do we share your personal data with?

There may be circumstances in which we may also need to share your personal data with certain third parties. The third parties to which we may transfer your personal data include:

  • payment and credit card providers;

  • our service providers who provide marketing and event management services (including Concep and Eventbrite);

  • our service providers who provide IT and system administration services (including client management systems, data rooms and other software services);

  • any relevant regulatory authority, including the Law Society of Scotland, the Scottish Legal Complaints Commission, the Law Society of England & Wales, the Solicitors Regulation Authority, the Financial Conduct Authority and the Information Commissioner’s Office.

  • the police and any other law enforcement agency, HM Revenue & Customs or other government body

  • third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets.

Any sharing of your personal data will only take place either where we are legally obliged to do so, where it is necessary in the performance of a contract with you or where it is in our legitimate interests to do so, including as follows:

  • to provide legal and other services to our clients;

  • to maintain network and information security;

  • to develop and improve our services in order to remain competitive;

  • to protect and defend our legal rights;

  • to pursue our commercial objectives where this does not override your rights and freedoms as a data subject.

10.10 International transfers

General information. We hold all personal data relating to our business and professional contacts within the UK; however, some of our third party service providers (such as Eventbrite) are headquartered or based outside of the UK, so their processing of your personal data may involve a transfer of data outside of the UK.

Whenever we transfer your personal data outside of the UK, we will seek to ensure that it is protected to a similar degree as within the UK by using appropriate safeguards, which may include the following:

  • we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.

  • where the recipient organisation is not located in a country with an adequacy decision by the UK, we may use specific contracts approved by the UK which give personal data the same protection it has in the UK.

The safeguards used will depend on the circumstances of the transfer and the location of the non-EEA recipient.

10.11  Automated decision-making or profiling

We do not use automated decision-making (including profiling) to make any decisions which would produce a legal or similarly significant effect on you.

10.12  How long do we retain your personal data?

We will only retain your personal data for as long as necessary to fulfil the purposes for which we obtained it, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Unless any retention period set out elsewhere in this Privacy Notice applies, we will retain any personal data obtained via our website for no longer than three years.

11. Other individuals 

11.1 To whom does this part of the Privacy Notice apply?

This part of the Privacy Notice applies to other individuals (who are not our clients or our corporate client contacts) whose personal data we may process from time to time in the course of providing legal and other services, for example:

  • individuals who are third party litigants, whether as claimant or respondent (e.g. the debtor where we are acting for the organisation seeking to enforce the debt, or an employee or former employee where we are acting for the employer);

  • individuals who are witnesses in a litigation claim;

  • individuals who are family members of an individual client;

  • individuals who are a relevant party to a commercial or corporate transaction (e.g. the seller/purchaser of property, or a selling shareholder where we are acting for the purchaser of a company);

  • individuals who are beneficiaries under a will or beneficiaries of a trust.

This part of the Privacy Notice also applies to individuals who are relevant to our employees and other staff, such as referees and emergency contacts.

11.2 Important information about providing our Privacy Notice

While we will seek to confirm to all individuals whose personal data we hold how we use their personal data (by providing our Privacy Notice), sometimes we are unable to do so, for example because we do not have contact details of the individual concerned. In other circumstances, we may be restricted from providing our Privacy Notice because our obligations of professional secrecy (client confidentiality) require and/or allow us not to provide such information or because providing such information would substantially impair the purposes for which we are processing any such personal data.

11.3 What personal data do we collect and process?

Depending on the reason why we process the relevant personal data, we may obtain and process different kinds of personal data about you, which we have grouped together as follows:

  • Identity Data includes first name, last name, nationality, marital status, title, date of birth, gender and National Insurance number.

  • Contact Data includes home and/or business addresses, email addresses and telephone numbers.

  • Transaction Data includes information obtained by providing legal and other services to our client and other details of our interactions including correspondence and conversations.

  • Employment Data includes details about who you work for and your role in any such organisation, your employment history and your credentials.

  • Financial Data includes bank account and payment card details.

  • Social Data includes information about your family, lifestyle and social circumstances.

  • Public Data includes publicly available information such as details on Companies House or otherwise publicly available on the Internet.

  • Special Categories of Personal Data includes information about racial or ethnic origin, health, sexual orientation or sex life, political, philosophical or religious beliefs, trade union membership and genetic or biometric data.

  • Criminal Convictions Data includes information about criminal convictions or offences.

Data protection law treats some types of personal data as special. We will only obtain and use the Special Categories of Personal Data and the Criminal Convictions Data where we need to and where data protection law allows us to do so.

11.4 How is your personal data obtained?

We use different methods to collect data from and about you including through:

  • Direct interactions. You may give us your personal data when you correspond with us by post, phone, email, social media or otherwise.

  • From the client. We may receive or obtain personal data about you from your organisation or from your colleagues. This includes personal data provided to us by your organisation relating to your work contact details, details about your role in any such organisation and your credentials.

  • From the relevant member of staff. Specifically for referees, emergency contacts and other individuals relevant to one of our employees or other members of staff, we will receive or obtain personal data about you from the relevant member of staff.

  • Third parties or publicly available sources. We may receive or obtain personal data about you from various third parties and publicly available sources as set out:

    • social media providers and other Internet sites (such as Twitter or LinkedIn).

    • Companies House, the Electoral Register, Registers of Scotland and other public bodies.

    • other relevant organisations, such as other law firms, other clients, accountants or financial institutions.

    • other professional advisors, expert witnesses, courts and tribunals, mediators, arbiters, title and search agents and others with whom we interact in connection with the services that we provide to the client organisation.

11.5 How will we use your information?

The main reasons why we process your personal data are either (1) to be able to provide our client with legal or other services as instructed by such client or (2) to be able to seek appropriate references, maintain emergency contacts and otherwise manage certain aspects of our relationship with members of staff.

Personal data will be processed by us where you consent to the processing or where that processing is necessary for (1) compliance with a legal obligation to which we are subject; or (2) the purposes of our legitimate interests (or those of a third party).

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

Purpose

Legal basis

Legitimate Interest (where relevant)

To provide our client with legal advice and legal services

To provide our client with other services such as company secretarial, wealth management or estate agency services

To use information about you where relevant to the legal or other services we provide to the client organisation

To assist our client with the establishment, exercise and defence of legal claims

Our legitimate interests

 

To pursue commercial objectives, including running our business profitably and efficiently

To provide legal advice and legal and other services to our client

To support the administration of justice (in particular in connection with litigation)

To fulfil our contractual obligations to our client

To keep our client and other records up to date

Our client's legitimate interests

To obtain legal

To establish, defend or exercise legal claims and legal rights

To carry out identity verification and fraud prevention checks, background checks and anti-money laundering procedures (where relevant to the specific services)

Legal obligation

Legitimate interests

To prevent fraud or money laundering

To protect our business and reputation

To improve and develop our services

Legitimate interests

To improve our services and our efficiency

To manage our business as a whole, including:

  • financial management and administration;

  • business planning;

  • corporate governance;

  • audits

Legal obligation

Legitimate interests

To improve our services and our efficiency

To operate an efficient and profitable commercial business

To comply with relevant legal obligations

To comply with reporting obligations to regulatory bodies

Legal obligation

 

To protect the rights, property, or safety of our staff, our clients, or others

Legal obligation

Legitimate interests

To manage the safety of our staff, clients and others

To establish, exercise or defend our legal claims and legal rights

Legitimate interests

To enforce our legal rights

With regard to referees, emergency contacts and other staff-related individuals:

To ensure appropriate references are obtained prior to employment; to ensure we maintain appropriate emergency contacts for each member of staff; and in connection with family-related staff benefits, to ensure the appropriate management of such benefits

Legitimate interests

To screen and recruit appropriate staff

To manage our business efficiently

To ensure the proper administration of staff benefits

Where we process Special Categories of Personal Data, we will generally do so on the basis that (1) it is necessary for the establishment, exercise or defence of legal claims or (2) it is necessary for reasons of substantial public interest (as permitted by Schedule 1 of the Data Protection Act 2018, for example for the purposes of fraud prevention). In exceptional circumstances we may process Special Categories of Personal Data with your explicit consent or where it is necessary to protect your vital interests or those of another individual. Other lawful bases for processing Special Categories of Personal Data may apply from time to time, but we would inform you of this at the relevant time.

Where we process Criminal Convictions Data, we only do so where authorised by law, in particular by Schedule 1 of the Data Protection Act 2018.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

11.6 With whom do we share your personal data?

There may be circumstances in which we may also need to share your personal data with certain third parties. The third parties to which we may transfer your personal data include:

  • our client;

  • other third parties to any transaction, dispute, legal proceedings or other legal matter on which we are advising our client (including other professional advisers, external counsel, expert witnesses, courts and tribunals, search agencies, surveyors, sheriff officers, etc);

  • other professional advisers and agents engaged by our client;

  • our service providers who provide IT and system administration services (including client management systems, data rooms and other software services);

  • our agents and service providers who we engage in the provision of our services, including professional advisers, bankers, surveyors, external counsel, insurers, auditors and others;

  • fraud prevention agencies and credit reference or reporting agencies such as TransUnion International UK Limited (“TransUnion”). More information about TransUnion's activities is available at https://www.transunion.co.uk/legal-information/bureau-privacy-notice.

  • any relevant regulatory authority, including the Law Society of Scotland, the Scottish Legal Complaints Commission, the Law Society of England & Wales, the Solicitors Regulation Authority, the Financial Conduct Authority and the Information Commissioner’s Office.

  • the police and any other law enforcement agency, HM Revenue & Customs or other government body;

  • public registers and public information resources, such as Companies House or Registers of Scotland;

  • with regard to staff-related individuals, any relevant benefits provider;

  • third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets.

Any sharing of your personal data will only take place either where we are legally obliged to do so or where it is in our legitimate interests to do so, including as follows:

  • to provide legal and other services to the client organisation;

  • to maintain network and information security;

  • to develop and improve our services in order to remain competitive;

  • to undertake reference checks, credit checks and risk assessments;

  • to protect and defend our legal rights;

  • to pursue our commercial objectives where this does not override your rights and freedoms as a data subject.

11.7 International transfers

General information. We hold all personal data within the UK; however, some of our third party service providers (such as Eventbrite) are headquartered or based outside of the UK, so their processing of your personal data may involve a transfer of data outside of the UK.

We will only send your personal data outside of the UK:

  • where you instruct us to do so or where you consent to us doing so;

  • where we are required to do so as part of the legal services that the client organisation has instructed us to provide (for example when we deal with professional advisors outwith the UK on behalf of the client organisation or when we deal with counterparties to a transaction or other legal matter outwith the UK on behalf of the client organisation);

  • where we are instructed on behalf of the client organisation by someone outwith the UK (for example your professional advisors outwith the UK);

  • where we need to do so in order to comply with our or your or the client organisation’s legal obligations;

  • where the transfer is necessary for reasons of public interest;

  • where the transfer is necessary for the establishment, exercise or defence of legal rights.

Whenever we transfer your personal data outside of the UK, we will seek to ensure that it is protected to a similar degree as within the UK by using appropriate safeguards, which may include the following:

  • we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data;

  • where the recipient organisation is not located in a country with an adequacy decision by the UK, we may use specific contracts approved by the UK which give personal data the same protection it has in the UK.

The safeguards used will depend on the circumstances of the transfer and the location of the non-EEA recipient.

11.8 Automated decision-making or profiling

We do not use automated decision-making (including profiling) to make any decisions which would produce a legal or similarly significant effect on you.

11.9 How long do we retain your personal data?

We will retain your personal data for as long as necessary to fulfil the purposes for which the personal data was obtained and to comply with any legal, accounting or reporting requirements.

Generally speaking, we will keep client files (and any personal data contained therein) for a minimum period of ten years following completion of the matter, so that we are able to respond to a question, complaint or claim. We will keep the information used to verify your identity, and other related client due diligence information, for five years after the relevant client organisation ceases to be our client.

Retention periods for records are determined on the basis of the type of record, the nature of the service or advice that we have provided, and any applicable legal or regulatory requirements. We follow the guidelines issued by the Law Society of Scotland concerning the retention of client files (including personal data contained therein), but the rules that apply to determine how long it is appropriate to hold client files can be complex and varied.

If you require further information about our retention periods, please contact our Data Protection Officer using the contact details above.

12. Accuracy of your data

It is important that the personal data we hold about you is accurate and up to date. Please keep us informed if your personal data changes during your relationship with us.

13. Data security 

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those agents, contractors and other third parties who have a business need to know.

They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and the Information Commissioner's Office of a breach where we are legally required to do so.

14. Your rights

Your personal data is protected by legal rights, which include your rights to:

  • Request access to your personal data (commonly known as a “subject access request”). This enables you to get access to the personal data we hold about you and to check that we are lawfully processing it.

  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, in response to your request.

  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes.

  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: if you want us to establish the data’s accuracy; where our use of the data is unlawful but you do not want us to erase it; where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

  • Request the transfer of your personal data to you or to a third party (data portability). We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of these rights, please contact us using the details above.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

15. Changes to this privacy notice 

We keep this Privacy Notice under regular review and will place any updates on our website. This Privacy Notice was last updated in March 2021.

16. Complaints 

You have the right to complain to the Information Commissioner's Office, which regulates the processing of personal data, about how we are processing your personal data:

By post:        Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

By phone:     0303 123 1113

Online:          www.ico.org.uk