Privacy Notice
The privacy of our clients is important to us and we take care to safeguard it. Our Privacy Notice below explains how we use your personal information. You can also download a pdf version as required.
X
Edinburgh
0131 247 1000
Glasgow
0141 274 1100
Edinburgh
0131 247 1000
Glasgow
0141 274 1100
Welcome to clarity
Welcome to clarity
Edinburgh
0131 247 1000
Glasgow
0141 274 1100
Welcome to clarity
-
Services
Business
- Agricultural and rural
- Banking & Finance
- Business restructuring and insolvency
- Charities and third sector
- Corporate law
- Debt and asset recoveries
- Employment law
- Health and safety
- Hospitality, licensing and leisure
- Immigration
- IP and IT
- Litigation and dispute resolution
- Media law
- Small To Medium Enterprises (SMEs)
- Public procurement and state aid
- Real estate
- Regulatory compliance and governance
- Sports law
Stay - Our People
-
About Us
About us menu
About Morton Fraser
At Morton Fraser Lawyers we have highlighted clarity as our guiding principle.
This directs the way we communicate, the way we advise, the way we conduct relationships with our clients and the way we are totally transparent and upfront about our charges. This applies to all our services from the straightforward to the more complex.
Stay -
news & insights
insights & news
News and Insights
Read legal insights, our comments on the latest legal updates and articles covering all types of legal queries and scenarios, written by experts from our teams.
Insights & news
Stay -
Work with Us
are you mortan fraser person
Work with us
A clear future together.
Work with Us
Stay - Contact Us
- Hazy Coffee
Welcome to clarity
Edinburgh
0131 247 1000
Glasgow
0141 274 1100
Welcome to clarity
You are here
1. Who we are
We are Morton Fraser LLP (Morton Fraser), a limited liability partnership with registered number SO300472 and having its registered office address at 5th Floor, Quartermile Two, 2 Lister Square, Edinburgh, EH3 9GL.
This Privacy Notice also applies to our subsidiary companies and so in this privacy notice, references to “we” or “us” mean Morton Fraser and its subsidiary companies.
We are a data controller for the purposes of data protection law. We are registered with the Information Commissioner's Office; our registration number is Z8122652.
2. How to contact us
We have appointed a data protection officer who is responsible for overseeing questions in relation to this Privacy Notice. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact our DPO using the details set out below:
By post: Data Protection Officer, Morton Fraser LLP, Quartermile Two, 2 Lister Square, Edinburgh, Midlothian, EH3 9GL
By email: dataprotectionofficer@morton-fraser.com
By phone: 0131 247 1000
3. Purpose of this Privacy Notice
We are committed to protecting your personal data and your privacy. This Privacy Notice sets out the basis on which any personal data that you provide to us or that we obtain from a third party will be processed by us. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.
It is important that you read this Privacy Notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. Any other privacy notice or fair processing notice will supplement (not override) this Privacy Notice.
4. Important definitions
Personal data, or personal information, means any information about an individual from which that person can be identified. This includes name, contact details (both personal and business), identification number, location data, online identifier (such as a social media username), biographical or physical information.
Anonymous data means any information which can no longer identify an individual.
Special categories of personal data means information about racial or ethnic origin, health, sexual orientation or sex life, political, philosophical or religious beliefs, trade union membership and genetic or biometric data. Data relating to criminal convictions is not included as a "special category of personal data" but is afforded much of the same protections.
5. Children's data
We obtain data relating to children both directly from such children and from persons with parental responsibility or educational responsibility for such children. Where we process children's data, we take additional care to ensure the security of such data and to ensure that the rights and freedoms of the child are taken into consideration.
6. Structure of this Privacy Notice
This Privacy Notice contains sections that apply to different categories of individuals that we deal with: individual clients (section 7); individuals who are related to a client organisation (section 8); business and professional contacts (section 9); website users (section 10) and other individuals (section 11). For details about what personal data we obtain and how we use it, please consider which of the categories applies to you. Please note that we may use your personal data in different contexts and therefore more than one category may apply to you.
The other sections in this Privacy Notice apply to all categories of individuals.
7. Individual clients
7.1 Who does this part of the Privacy Notice apply to?
This part of the Privacy Notice applies to our clients who are individuals (acting in their own capacity or jointly with another individual or acting as a sole trader, trustee, partner in a partnership or member of an unincorporated club or association).
7.2 What personal data do we collect and process?
We may obtain and process different kinds of personal data about you in the course of providing legal and other services to you, which we have grouped together follows:
-
Identity Data includes first name, last name, nationality, marital status, title, date of birth, gender and National Insurance number.
-
Contact Data includes home and/or business addresses, email addresses and telephone numbers.
-
Transaction Data includes information obtained by providing legal and other services to you, details about services provided by us to you, details of payments to and from you, and other details of our interactions including correspondence and conversations.
-
Employment Data includes details about who you work for and your role in any such organisation, your employment history and your credentials.
-
Financial Data includes bank account and payment card details.
-
Social Data includes information about your family, lifestyle and social circumstances.
-
Public Data includes publicly available information such as details on Companies House or otherwise publicly available on the Internet.
-
Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.
- Special Categories of Personal Data includes information about racial or ethnic origin, health, sexual orientation or sex life, political, philosophical or religious beliefs, trade union membership and genetic or biometric data.
-
Criminal Convictions Data includes information about criminal convictions or offences.
Data protection law treats some types of personal data as special. We will only obtain and use the Special Categories of Personal Data and the Criminal Convictions Data where we need to and where data protection law allows us to do so.
7.3 How is your personal data obtained?
We use different methods to collect data from and about you including through:
-
Direct interactions. You may give us your personal data (including Special Categories of Personal Data and Criminal Convictions Data) through any number of direct interactions. This includes personal data you provide when you:
-
make an enquiry about our services;
-
instruct us to provide legal or other services and during the course of the provision of legal or other services;
- correspond with us by post, phone, email, social media or otherwise;
- provide feedback or respond to surveys
-
register for, attend or participate in events or seminars hosted or provided by us.
- Third parties or publicly available sources. We may receive or obtain personal data about you from various third parties and publicly available sources as set out:
- fraud prevention agencies and credit reference or reporting agencies such as TransUnion International UK Limited 'TransUnion'. More information about TransUnion's activities is available at https://www.transunion.co.uk/legal-information/bureau-privacy-notice.
- social media providers and other Internet sites (such as Twitter or LinkedIn).
- Companies House, the Electoral Register, Registers of Scotland and other public bodies.
- organisations or businesses that refer you to us, such as other law firms, other clients, accountants or financial institutions
- other professional advisors, financial institutions, expert witnesses, courts and tribunals, mediators, arbiters, title and search agents and others with whom we interact in connection with the services that we provide to you.
7.4 Failure to provide information
Where we need to collect personal data by law (for example in order to carry out identity verification and anti-money laundering checks), or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have entered into with you or we may be unable to comply with our own legal obligations.
In some cases, a failure to provide information when requested may delay our provision of legal or other services to you and in other cases, we may be unable to act for you or may have to withdraw from acting.
7.5 How will we use your information?
The main reason why we process your personal data is to be able to provide you with legal or other services as instructed by you.
Personal data will be processed by us where you consent to the processing or where that processing is necessary for (1) the performance of a contract with you; or (2) compliance with a legal obligation to which we are subject; or (3) the purposes of our legitimate interests (or those of a third party).
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal basis we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
|
Purpose |
Legal basis |
Legitimate Interest (where relevant) |
|
To provide you with legal services To provide you with other services such as company secretarial, wealth management or estate agency services |
Performance of a contract Legitimate interests |
To pursue commercial objectives, including running our business profitably and efficiently To exercise our rights under a contract with you To keep our client and other records up to date |
|
To manage our relationship with you, including:
|
Performance of a contract Legitimate interests |
To exercise our rights under a contract with you To manage credit control and debt recovery To manage complaints or potential claims To fulfil our responsibilities to our clients |
|
To carry out identity verification and fraud prevention checks, background checks and anti-money laundering procedures |
Legal obligation Legitimate interests |
To prevent fraud or money laundering To protect our business and reputation |
|
To improve and develop our services |
Legitimate interests |
To improve our services and our efficiency |
|
To manage our business as a whole, including:
|
Legal obligation Legitimate interests |
To improve our services and our efficiency To operate an efficient and profitable commercial business |
|
To comply with relevant legal obligations To comply with reporting obligations to regulatory bodies |
Legal obligation |
|
|
To protect the rights, property, or safety of our staff, our clients, or others |
Legal obligation Legitimate interests |
To manage the safety of our staff, clients and others |
|
To establish, exercise or defend our legal rights |
Legitimate interests |
To enforce our legal rights |
Where we process Special Categories of Personal Data, we will generally do so on the basis that (1) it is necessary for the establishment, exercise or defence of legal claims or (2) it is necessary for reasons of substantial public interest (as permitted by Schedule 1 of the Data Protection Act 2018, for example for the purposes of fraud prevention). In exceptional circumstances, we may process Special Categories of Personal Data on the basis of your explicit consent or where it is necessary to protect your vital interests or those of another individual. Other lawful bases for processing Special Categories of Personal Data may apply from time to time, but we would inform you of this at the relevant time.
Where we process Criminal Conviction Data, we only do so where authorised by law, in particular Schedule 1 of the Data Protection Act 2018.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
7.6 Who do we share your personal data with?
There may be circumstances in which we may also need to share your personal data with certain third parties. The third parties to which we may transfer your personal data include:
- Other third parties to any transaction, dispute, legal proceedings or other legal matter on which we are advising you (including other professional advisers, external counsel, expert witnesses, courts and tribunals, search agencies, surveyors, sheriff officers, etc);
- our service providers who provide IT and system administration services (including client management systems, data rooms and other software services);
- our agents and service providers who we engage in the provision of our services, including professional advisers, bankers, surveyors, external counsel, insurers, auditors and others;
- fraud prevention agencies and credit reference or reporting agencies such as TransUnion International UK Limited 'TransUnion'. More information about TransUnion's activities is available at https://www.transunion.co.uk/legal-information/bureau-privacy-notice.
- any relevant regulatory authority, including the Law Society of Scotland, the Scottish Legal Complaints Commission, the Law Society of England & Wales, the Solicitors Regulation Authority, the Financial Conduct Authority and the Information Commissioner’s Office.
- the police and any other law enforcement agency, HM Revenue & Customs or other government body;
- public registers and public information resources, such as Companies House or Registers of Scotland
- third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets.
Any sharing of your personal data will only take place either where we are legally obliged to do so, where it is necessary for the performance of a contract with you or where it is in our legitimate interests to do so, including as follows:
- to maintain network and information security;
- to develop and improve our services in order to remain competitive;
- to undertake reference checks, credit checks and risk assessments;
- to protect and defend our legal rights
- to pursue our commercial objectives where this does not override your rights and freedoms as a data subject.
7.7 International transfers
General information. We hold all personal data relating to clients within the European Union, however some of our third party service providers (such as Eventbrite) are headquartered or based outside of the European Economic Area (EEA) so their processing of your personal data may involve a transfer of data outside of the EEA.
We will only send your personal data outside of the EEA:
- where you instruct us to do so, including where we are required to do so as part of the legal services that you have instructed us to provide (for example when we deal with professional advisors outwith the EEA on your behalf or when we deal with counterparties to a transaction or other legal matter outwith the EEA on your behalf)
- where we are instructed on your behalf by someone outwith the EEA (for example your professional advisors outwith the EEA)
- where we need to do so in order to comply with our or your legal obligations
- where the transfer is necessary for reasons of public interest
- where the transfer is necessary for the establishment, exercise or defence of legal right
Whenever we transfer your personal data outside of the EEA, we will seek to ensure that it is protected to a similar degree as within the EEA by using appropriate safeguards, which may include the following:
- we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- where the recipient organisation is not located in a country with an adequacy decision by the European Commission, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
- where the recipient organisation is based in the USA, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the European Union and the USA.
The safeguards used will depend on the circumstances of the transfer and the location of the non-EEA recipient.
Fraud and credit information. Fraud prevention agencies and credit reference agencies may transfer your personal data outside of the EEA. Whenever they transfer your personal data outside of the EEA, they will impose contractual obligations on the recipients of that data. Those obligations require the recipient to protect your personal data to the standard required in the EEA. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
7.8 Automated-decision making or profiling
We do not use automated decision-making (including profiling) to make any decisions which would produce a legal or similarly significant effect on you.
7.9 How long do we retain your personal data?
We will retain your personal data for as long as necessary to fulfil the purposes for which the personal data was obtained and to comply with any legal, accounting or reporting requirements.
Generally speaking, we will keep your client files (and any personal data contained therein) for a minimum period of ten years following completion of the matters, so that we are able to respond to a question, complaint or claim. We will keep the information used to verify your identity, and other related client due diligence information, for five years after you cease to be our client.
Retention periods for records are determined on the basis of the type of record, the nature of the service or advice that we have provided, and any applicable legal or regulatory requirements. We follow the guidelines issued by the Law Society of Scotland concerning the retention of client files (including personal data contained therein), but the rules that apply to determine how long it is appropriate to hold client files can be complex and varied. If you require further information about our retention periods, please contact our Data Protection Officer using the contact details above.
8. Individuals who are related to a client organisation
8.1 Who does this part of the Privacy Notice apply to?
This part of the Privacy Notice applies to:
- individuals who are directors, officers, partners, shareholders or other owners or beneficial owners of an organisation that is our client (the client organisation); and
- individuals who work for the client organisation (as an employee, consultant, worker or otherwise.
8.2 What personal data do we collect and process?
Depending on the work we are doing for the client organisation, we may obtain and process different kinds of personal data about you in the course of providing legal services to our client, which we have grouped together follows:
- Identity Data includes first name, last name, nationality, marital status, title, date of birth, gender and National Insurance number.
- Contact Data includes home and/or business addresses, email addresses and telephone numbers
- Transaction Data includes information obtained by providing legal and other services to our client and other details of our interactions including correspondence and conversations.
- Employment Data includes details about who you work for and your role in any such organisation, your employment history and your credentials
- Financial Data includes bank account and payment card details.
- Social Data includes information about your family, lifestyle and social circumstances.
- Public Data includes publicly available information such as details on Companies House or otherwise publicly available on the Internet.
- Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.
- Special Categories of Personal Data includes information about racial or ethnic origin, health, sexual orientation or sex life, political, philosophical or religious beliefs, trade union membership and genetic or biometric data.
- Criminal Convictions Data includes information about criminal convictions or offences.
Data protection law treats some types of personal data as special. We will only obtain and use the Special Categories of Personal Data and the Criminal Convictions Data where we need to and where data protection law allows us to do so.
8.3 How is your personal data obtained?
We use different methods to collect data from and about you including through
- Direct interactions. You may give us your personal data (including Special Categories of Personal Data and Criminal Convictions Data) through any number of direct interactions. This includes personal data you provide when you:
- make an enquiry about our services on behalf of the client organisation;
- instruct us to provide legal or other services and during the course of the provision of legal or other services on behalf of the client organisation;
- correspond with us by post, phone, email, social media or otherwise;
- provide feedback or respond to survey;
- register for, attend or participate in events or seminars hosted or provided by us.
- From the client organisation. We may receive or obtain personal data about you from your organisation or from your colleagues. This includes personal data provided to us by your organisation relating to your work contact details, details about your role in any such organisation and your credentials.
- Third parties or publicly available sources. We may receive or obtain personal data about you from various third parties and publicly available sources as set out:
- fraud prevention agencies and credit reference or reporting agencies such as TransUnion International UK Limited 'TransUnion'. More information about TransUnion's activities is available at https://www.transunion.co.uk/legal-information/bureau-privacy-notice.
- social media providers and other Internet sites (such as Twitter or LinkedIn).
- Companies House, the Electoral Register, Registers of Scotland and other public bodies.
- organisations or businesses that refer you (or the client organisation) to us, such as other law firms, other clients, accountants or financial institutions
- other professional advisors, financial institutions, expert witnesses, courts and tribunals, mediators, arbiters, title and search agents and others with whom we interact in connection with the services that we provide to the client organisation.
8.4 Failure to provide information
Where we need to collect personal data by law (for example in order to carry out identity verification and anti-money laundering checks), or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have entered into with the client organisation or we may be unable to comply with our own legal obligations.
In some cases, a failure to provide information when requested may delay our provision of legal services to the client organisation and in other cases, we may be unable to act for the client organisation or may have to withdraw from acting.
8.5 How will we use your information?
The main reason why we process your personal data is to be able to provide the client organisation with legal services as instructed by such client organisation.
Personal data will be processed by us where you consent to the processing or where that processing is necessary for (1) compliance with a legal obligation to which we are subject; or (2) the purposes of our legitimate interests (or those of a third party).
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal basis we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
|
Purpose |
Legal basis |
Legitimate Interest (where relevant) |
|
To provide the client organisation with legal or other services To provide the client organisation with other services such as company secretarial or estate agency services To contact you in the course of providing our services to the client organisation To use information about you where relevant to the legal or other services we provide to the client organisation |
Legitimate interests |
To pursue commercial objectives, including running our business profitably and efficiently To provide legal and other services to the client organisation To fulfil our contractual obligations to the client organisation To keep our client and other records up to date |
|
To manage our relationship with you, including:
|
Legitimate interests |
To exercise our rights under a contract with the client organisation To manage credit control and debt recovery To manage complaints or potential claims To fulfil our responsibilities to our clients |
|
To carry out identity verification and fraud prevention checks, background checks and anti-money laundering procedures (relating to directors, officers, partners, shareholders and other owners and beneficial owners only) |
Legal obligation Legitimate interests |
To prevent fraud or money laundering To protect our business and reputation |
|
To improve and develop our services |
Legitimate interests |
To improve our services and our efficiency |
|
To manage our business as a whole, including:
|
Legal obligation Legitimate interests |
To improve our services and our efficiency To operate an efficient and profitable commercial business |
|
To comply with relevant legal obligations To comply with reporting obligations to regulatory bodies |
Legal obligation |
|
|
To protect the rights, property, or safety of our staff, our clients, or others |
Legal obligation Legitimate interests |
To manage the safety of our staff, clients and others |
|
To establish, exercise or defend our legal rights |
Legitimate interests |
To enforce our legal rights |
Where we process Special Categories of Personal Data, we will generally do so on the basis that (1) it is necessary for the establishment, exercise or defence of legal claims or (2) it is necessary for reasons of substantial public interest (as permitted by Schedule 1 of the Data Protection Act 2018, for example for the purpose of fraud prevention). In exceptional circumstances we may process Special Categories of Personal Data with your explicit consent or where it is necessary to protect your vital interests or those of another individual. Other lawful bases for processing Special Categories of Personal Data may apply from time to time, but we would inform you of this at the relevant time.
Where we process Criminal Conviction Data, we only do so where authorised by law, in particular by Schedule 1 of the Data Protection Act 2018.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
8.6 Who do we share your personal data with?
There may be circumstances in which we may also need to share your personal data with certain third parties. The third parties to which we may transfer your personal data include:
- your organisation (our client organisation) and your colleagues within such organisation;
- other third parties to any transaction, dispute, legal proceedings or other legal matter on which we are advising the client organisation (including other professional advisers, external counsel, expert witnesses, courts and tribunals, search agencies, surveyors, sheriff officers, etc)
- other professional advisers and agents engaged by the client organisation;
- our service providers who provide IT and system administration services (including client management systems, data rooms and other software services);
- our agents and service providers who we engage in the provision of our services, including professional advisers, bankers, surveyors, external counsel, insurers, auditors and others;
- fraud prevention agencies and credit reference or reporting agencies such as TransUnion International UK Limited 'TransUnion'. More information about TransUnion's activities is available at https://www.transunion.co.uk/legal-information/bureau-privacy-notice.
- any relevant regulatory authority, including the Law Society of Scotland, the Scottish Legal Complaints Commission, the Law Society of England & Wales, the Solicitors Regulation Authority, the Financial Conduct Authority and the Information Commissioner’s Office.
- the police and any other law enforcement agency, HM Revenue & Customs or other government body;
- public registers and public information resources, such as Companies House or Registers of Scotland;
- third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets.
Any sharing of your personal data will only take place either where we are legally obliged to do so or where it is in our legitimate interests to do so, including as follows:
- to provide legal and other services to the client organisation;
- to maintain network and information security;
- to develop and improve our services in order to remain competitive;
- to undertake reference checks, credit checks and risk assessments;
- to protect and defend our legal rights;
- to pursue our commercial objectives where this does not override your rights and freedoms as a data subject.
8.7 International transfers
General information. We hold all personal data relating to clients (and their employees, directors and owners) within the European Union, however some of our third party service providers (such as Eventbrite) are headquartered or based outside of the European Economic Area (EEA) so their processing of your personal data may involve a transfer of data outside of the EEA.
We will only send your personal data outside of the EEA:
- where you instruct us to do so or where you consent to us doing so;
- where we are required to do so as part of the legal services that the client organisation has instructed us to provide (for example when we deal with professional advisors outwith the EEA on behalf of the client organisation or when we deal with counterparties to a transaction or other legal matter outwith the EEA on behalf of the client organisation)
- where we are instructed on behalf of the client organisation by someone outwith the EEA (for example your professional advisors outwith the EEA)
- where we need to do so in order to comply with our or your or the client organisation’s legal obligations
- where the transfer is necessary for reasons of public interest
- where the transfer is necessary for the establishment, exercise or defence of legal rights
Whenever we transfer your personal data outside of the EEA, we will seek to ensure that it is protected to a similar degree as within the EEA by using appropriate safeguards, which may include the following:
- we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- where the recipient organisation is not located in a country with an adequacy decision by the European Commission we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe
- where the recipient organisation is based in the USA, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the European Union and the USA.
The safeguards used will depend on the circumstances of the transfer and the location of the non-EEA recipient.
Fraud and credit information. Fraud prevention agencies and credit reference agencies may transfer your personal data outside of the EEA. Whenever they transfer your personal data outside of the EEA, they will impose contractual obligations on the recipients of that data. Those obligations require the recipient to protect your personal data to the standard required in the EEA. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.
8.8 Automated-decision making or profiling
We do not use automated decision-making (including profiling) to make any decisions which would produce a legal or similarly significant effect on you.
8.9 How long do we retain your personal data?
We will retain your personal data for as long as necessary to fulfil the purposes for which the personal data was obtained and to comply with any legal, accounting or reporting requirements.
Generally speaking, we will keep client files (and any personal data contained therein) for a minimum period of ten years following completion of the matter, so that we are able to respond to a question, complaint or claim. We will keep the information used to verify your identity, and other related client due diligence information, for five years after the relevant client organisation ceases to be our client.
Retention periods for records are determined on the basis of the type of record, the nature of the service or advice that we have provided, and any applicable legal or regulatory requirements. We follow the guidelines issued by the Law Society of Scotland concerning the retention of client files (including personal data contained therein), but the rules that apply to determine how long it is appropriate to hold client files can be complex and varied. If you require further information about our retention periods, please contact our Data Protection Officer using the contact details above.
9. Business and professional contacts
9.1 Who does this part of the Privacy Notice apply to?
This part of the Privacy Notice applies to individuals who, or whose organisation, supply goods or services to us, provide professional services (including other solicitors, accountants, surveyors and financial advisers), have expressed an interest in us or have any other business or professional relationship with us (including where the organisation is a public authority, an industry body or regulatory authority or similar) and where:
- the individual is a sole trader, attorney, trustee, partner in a partnership, member of an unincorporated club or association or an employee of any of these; or
- the individual is an owner, director, officer, partner or authorised signatory or employee of an organisation or other entity (including public authorities).
9.2 What personal data do we collect and process?
We may obtain and process different kinds of personal data about you in the course of our business or professional relationship, which we have grouped together follows:
- Identity Data includes first name, last name, marital status, title, and gender.
- Contact Data includes business addresses, email addresses and telephone numbers.
- Transaction Data includes details of our interactions including correspondence and conversations.
- Employment Data includes details about who you work for and your role in any such organisation, your employment history and your credentials.
- Financial Data includes bank account and payment card details.
- Public Data includes publicly available information such as details on Companies House or otherwise publicly available on the Internet.
- Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.
9.3 How is your personal data obtained?
We use different methods to collect data from and about you including through:
- Direct interactions. You may give us your personal data through any number of direct interactions. This includes personal data you provide when you:
- enter into discussions about potential contractual arrangements;
- correspond with us by post, phone, email, social media or otherwise;
- provide feedback or respond to surveys;
- register for, attend or participate in an event or seminar hosted or provided by us.
- From your organisation. Where you are employed or otherwise engaged by another organisation, we may receive or obtain personal data about you from your organisation or from your colleagues.
- Third parties or publicly available sources. We may receive or obtain personal data about you from various third parties and publicly available sources as set out:
- your, or your organisation’s, website.
- social media providers and other Internet sites (such as Twitter or LinkedIn).
- Companies House, the Electoral Register, Registers of Scotland and other public bodies.
- organisations or businesses that refer you (or your organisation) to us, such as other law firms, other clients, accountants or financial institutions.
- other professional advisors, financial institutions, expert witnesses, courts and tribunals, mediators, arbiters, title and search agents and others with whom we interact in connection with the services that we provide to the client organisation.
9.4 How will we use your information?
Personal data will be processed by us where you consent to the processing or where that processing is necessary for (1) compliance with a legal obligation to which we are subject; or (2) the purposes of our legitimate interests (or those of a third party).
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal basis we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
|
Purpose |
Legal basis |
Legitimate Interest (where relevant) |
|
To communicate with you in the course of our business or professional relationship |
Legitimate interest Performance of a contract (where such contract is with you, rather than your organisation) |
To provide our clients with legal and other services To obtain goods or services from you or your organisation for our benefit To obtain services from you or your organisation for the benefit of our clients |
|
To manage our professional relationship with professional advisors, regulatory authorities, public authorities |
Legitimate interests |
To maintain good working relationships with other professionals To fulfil our responsibilities to our clients, suppliers and other third parties |
|
To manage our business relationships with third party suppliers, which will include:
|
Legitimate interests Performance of a contract (where such contract is with you, rather than your organisation) |
To perform a contract with your organisation or business To manage third party relationships To run our business efficiently and profitably To enhance, modify and improve our services and products To pursue our commercial objectives where this does not override your rights and freedoms as a data subject |
|
To improve and develop our services |
Legitimate interests |
To improve our services and our efficiency |
|
To manage our business as a whole, including:
|
Legal obligation Legitimate interests |
To improve our services and our efficiency To operate an efficient and profitable commercial business |
|
To comply with relevant legal obligations To comply with reporting obligations to regulatory bodies |
Legal obligation |
|
|
To protect the rights, property, or safety of our staff, our clients, or others |
Legal obligation Legitimate interests |
To manage the safety of our staff, clients and others |
|
To establish, exercise or defend our legal rights |
Legitimate interests |
To enforce our legal rights |
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
9.5 Who do we share your personal data with?
There may be circumstances in which we may also need to share your personal data with certain third parties. The third parties to which we may transfer your personal data include:
- your organisation (where you are employed or engaged by another organisation) and your colleagues within such organisation;
- our clients and prospective clients, where relevant to the provision of legal and other services to our clients;
- our service providers who provide IT and system administration services (including client management systems, data rooms and other software services);
- our agents and service providers who we engage in the provision of our services, including professional advisers, bankers, surveyors, external counsel, insurers, auditors and others;
- any relevant regulatory authority, including the Law Society of Scotland, the Scottish Legal Complaints Commission, the Law Society of England & Wales, the Solicitors Regulation Authority, the Financial Conduct Authority and the Information Commissioner’s Office.
- the police and any other law enforcement agency, HM Revenue & Customs or other government body;
- public registers and public information resources, such as Companies House or Registers of Scotland;
- third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets.
Any sharing of your personal data will only take place either where we are legally obliged to do so or where it is in our legitimate interests to do so, including as follows:
- to provide legal and other services to our clients;
- to maintain network and information security;
- to develop and improve our services in order to remain competitive;
- to undertake reference checks, credit checks and risk assessments;
- to protect and defend our legal rights;
- to pursue our commercial objectives where this does not override your rights and freedoms as a data subject.
9.6 International transfers
General information. We hold all personal data relating to our business and professional contacts within the European Union, however some of our third party service providers (such as Eventbrite) are headquartered or based outside of the European Economic Area (EEA) so their processing of your personal data may involve a transfer of data outside of the EEA.
We will only send your personal data outside of the EEA:
- where you instruct us to do so or where you consent to us doing so;
- with respect to professional contacts, where we are required to do so as part of the legal or other services that our or your clients have instructed (for example when we deal with professional advisers outwith the EEA or when we deal with counterparties to a transaction or other legal matter outwith the EEA)
- where we need to do so in order to comply with our legal obligations
- where the transfer is necessary for reasons of public interest
- where the transfer is necessary for the establishment, exercise or defence of legal rights
Whenever we transfer your personal data outside of the EEA, we will seek to ensure that it is protected to a similar degree as within the EEA by using appropriate safeguards, which may include the following:
- we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- where the recipient organisation is not located in a country with an adequacy decision by the European Commission we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
- where the recipient organisation is based in the USA, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the European Union and the USA.
The safeguards used will depend on the circumstances of the transfer and the location of the non-EEA recipient.
9.7 Automated-decision making or profiling
We do not use automated decision-making (including profiling) to make any decisions which would produce a legal or similarly significant effect on you.
9.8 How long do we retain your personal data?
We will retain your personal data for as long as necessary to fulfil the purposes for which the personal data was obtained and to comply with any legal, accounting or reporting requirements.
Generally speaking, we will retain your personal data for so long as you remain a business or professional contact.
In relation to your personal data which may be recorded in client files, we keep client files (and any personal data contained therein) for a minimum period of ten years following completion of the matter, so that we are able to respond to a question, complaint or claim. We follow the guidelines issued by the Law Society of Scotland concerning the retention of client files, and if you require further information about our retention periods, please contact our Data Protection Officer using the contact details above.
10. Website users and marketing
10.1 Who does this part of the Privacy Notice apply to?
This part of the Privacy Notice applies to individuals who visit our website (www.morton-fraser.com, www.commercialrealestatenews.co.uk or any other domain name registered in our name).
10.2 Information about our website
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookie Notice (section 10.7 below).
10.3 Children
Our website is not intended for children and we do not knowingly collect data relating to children via our website.
10.4 What personal data do we collect and process?
We may obtain and process different kinds of personal data about you, which we have grouped together follows:
- Identity Data includes first name, last name, social media username or similar identifier, marital status, title, and gender.
- Contact Data includes personal and business addresses, email addresses and telephone numbers.
- Financial Data includes bank account or credit card details.
- Technical Data includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
- Usage Data includes information about how you use our website, products and services.
- Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice
10.5 How is your personal data obtained?
We use different methods to collect data from and about you including through:
- Direct interactions. You may give us your personal data through any number of direct interactions. This includes personal data you provide when you:
- request marketing to be sent to you;
- submit an online enquiry;
- sign up for one of our events
- correspond with us by post, phone, email, social media or otherwise;
- provide feedback or respond to surveys.
- Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment/devices, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our Cookie Notice (section 10.7 below) for further details.
- Third parties or publicly available sources. We may receive or obtain personal data about you from various third parties and publicly available sources as set out:
- social media providers and other Internet sites (such as Twitter or LinkedIn).
- analytics providers, advertising networks or search information providers (such as Google Analytics).
10.6 How will we use your information?
Personal data will be processed by us where you consent to the processing or where that processing is necessary for (1) the performance of a contract with you; or
(2) compliance with a legal obligation to which we are subject; or (3) the purposes of our legitimate interests (or those of a third party).
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal basis we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
|
Purpose |
Legal basis |
Legitimate Interest (where relevant) |
|
To manage our online relationship with you, including:
|
Legal obligation Legitimate interests |
To develop our relationship with you |
|
To process any registrations for events including:
|
Legitimate interests |
To hold events, such as seminars and networking events, to promote our business |
|
To administer and protect our business and our website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) |
Legal obligation Legitimate interests |
To run our business properly and efficiently To ensure the provision of administration and IT services To ensure network security To prevent fraud |
|
To use data analytics to improve our website, services, marketing, customer relationships and experiences |
Legitimate interests |
To keep our website updated and relevant To develop our business To inform our marketing strategy |
|
To establish, exercise or defend our legal rights |
Legitimate interests |
To enforce and protect our legal rights |
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
10.7 Cookies
Our website (www.morton-fraser.com, www.commercialrealestatenews.co.uk or any other domain name registered in our name) uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. By continuing to browse the site, you are agreeing to our use of cookies.
A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer’s hard drive.
We use the following cookies:
- Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e- billing services.
- Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
- Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
- Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.
You can find more information about the individual cookies we use and the purposes for which we use them in the table below:
|
Cookie |
Name |
Purpose |
More information |
|
Google Analytics |
_utma |
These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. |
|
|
Drupal has_js |
has_js |
Used by Drupal, the content management system which powers this website. It helps the website understand if the browser javascript functionality is enabled or not. This allows Drupal to generate different markup depending on whether the user agent is capable of executing JavaScript or not. |
|
|
Hotjar |
_hs*,hubspotutk,hsPagesViewedThisSession,hsfirstvisit |
These cookies are used by Hotjar to analyse the online behaviour of visitors to our website. We use the information to improve the end user's experience and to improve the performance of our website. The cookies collect information including standard internet log information and details of your behavioural patterns upon visiting our website. |
Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control. These cookies are likely to be analytical/performance cookies or targeting cookies.
You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.
We also use analytic services to help us understand how effective our content is, what interests our users have, and to improve how this website works. In addition, we use web beacons or tracking pixels to count visitor number and performance cookies to track how many individual users access this website and how often.
This information is used for statistical purposes only and we do not use such information to personally identify any user.
10.8 Marketing
Our direct marketing communications generally consist of delivering regular newsletters (on various subjects) and informing you of upcoming events hosted or organised by us, usually by email or other electronic means.
Generally speaking, we will only provide you with direct marketing communications where you have consented to receive such communications.
You can subscribe to such marketing communications, and you can adjust your marketing preferences at any time via the “Preference Centre” or by contacting us on marketing@morton-fraser.com or 0131 247 1011.
In limited circumstances, we may rely on our legitimate interests to market our business to provide direct marketing communications to other businesses (business-to-business marketing).
You can also opt-out or unsubscribe from all or some of these marketing communications at any time via the “Preference Centre”, by contacting us on marketing@morton-fraser.com or 0131 247 1011 or by clicking “unsubscribe” at the bottom of any marketing email.
Where you opt out of receiving these marketing communications, this opt-out will not apply to personal data provided to us for any other purpose
10.9 Who do we share your personal data with?
There may be circumstances in which we may also need to share your personal data with certain third parties. The third parties to which we may transfer your personal data include:
- payment and credit card providers;
- our service providers who provide marketing and event management services (including Concep and Eventbrite);
- our service providers who provide IT and system administration services (including client management systems, data rooms and other software services);
- any relevant regulatory authority, including the Law Society of Scotland, the Scottish Legal Complaints Commission, the Law Society of England & Wales, the Solicitors Regulation Authority, the Financial Conduct Authority and the Information Commissioner’s Office.
- the police and any other law enforcement agency, HM Revenue & Customs or other government body
- third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets.
Any sharing of your personal data will only take place either where we are legally obliged to do so, where it is necessary in the performance of a contract with you or where it is in our legitimate interests to do so, including as follows:
- to provide legal and other services to our clients;
- to maintain network and information security;
- to develop and improve our services in order to remain competitive;
- to protect and defend our legal rights;
- to pursue our commercial objectives where this does not override your rights and freedoms as a data subject.
10.10 International transfers
General information. We hold all personal data relating to our business and professional contacts within the European Union, however some of our third party service providers (such Eventbrite) are headquartered or based outside of the European Economic Area (EEA) so their processing of your personal data may involve a transfer of data outside of the EEA.
Whenever we transfer your personal data outside of the EEA, we will seek to ensure that it is protected to a similar degree as within the EEA by using appropriate safeguards, which may include the following:
- we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- where the recipient organisation is not located in a country with an adequacy decision by the European Commission we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
- where the recipient organisation is based in the USA, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the European Union and the USA.
The safeguards used will depend on the circumstances of the transfer and the location of the non-EEA recipient.
10.11 Automated-decision making or profiling
We do not use automated decision-making (including profiling) to make any decisions which would produce a legal or similarly significant effect on you.
10.12 How long do we retain your personal data?
We will only retain your personal data for as long as necessary to fulfil the purposes for which we obtained it, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Unless any retention period set out elsewhere in this Privacy Notice applies, we will retain any personal data obtained via our website for no longer than three years.
11. Other Individuals
11.1 To whom does this part of the Privacy Notice apply?
This part of the Privacy Notice applies to other individuals (who are not our clients or our corporate client contacts) whose personal data we may process from time to time in the course of providing legal and other services, for example:
- individuals who are third party litigants, whether as claimant or respondent (e.g. the debtor where we are acting for the organisation seeking to enforce the debt, or an employee or former employee where we are acting for the employer);
- individuals who are witnesses in a litigation claim;
- individuals who are family members of an individual client;
- individuals who are a relevant party to a commercial or corporate transaction (e.g. the seller/purchaser of property, or a selling shareholder where we are acting for the purchaser of a company);
- individuals who are beneficiaries under a will or beneficiaries of a trust.
This part of the Privacy Notice also applies to individuals who are relevant to our employees and other staff, such as referees and emergency contacts.
11.2 Important information about providing our Privacy Notice
While we will seek to confirm to all individuals whose personal data we hold how we use their personal data (by providing our Privacy Notice), sometimes we are unable to do so, for example because we do not have contact details of the individual concerned. In other circumstances, we may be restricted from providing our Privacy Notice because our obligations of professional secrecy (client confidentiality) require and/or allow us not to provide such information or because providing such information would substantially impair the purposes for which we are processing any such personal data.
11.3 What personal data do we collect and process?
Depending on the reason why we process the relevant personal data, we may obtain and process different kinds of personal data about you, which we have grouped together follows:
- Identity Data includes first name, last name, nationality, marital status, title, date of birth, gender and National Insurance number.
- Contact Data includes home and/or business addresses, email addresses and telephone numbers.
- Transaction Data includes information obtained by providing legal and other services to our client and other details of our interactions including correspondence and conversations.
- Employment Data includes details about who you work for and your role in any such organisation, your employment history and your credentials.
- Financial Data includes bank account and payment card details.
- Social Data includes information about your family, lifestyle and social circumstances.
- Public Data includes publicly available information such as details on Companies House or otherwise publicly available on the Internet.
- Special Categories of Personal Data includes information about racial or ethnic origin, health, sexual orientation or sex life, political, philosophical or religious beliefs, trade union membership and genetic or biometric data.
- Criminal Convictions Data includes information about criminal convictions or offences.
Data protection law treats some types of personal data as special. We will only obtain and use the Special Categories of Personal Data and the Criminal Convictions Data where we need to and where data protection law allows us to do so.
11.4 How is your personal data obtained?
We use different methods to collect data from and about you including through:
- Direct interactions. You may give us your personal data when you correspond with us by post, phone, email, social media or otherwise.
- From the client. We may receive or obtain personal data about you from your organisation or from your colleagues. This includes personal data provided to us by your organisation relating to your work contact details, details about your role in any such organisation and your credentials.
- From the relevant member of staff. Specifically for referees, emergency contacts and other individuals relevant to one of our employees or other members of staff, we will receive or obtain personal data about you from the relevant member of staff.
- Third parties or publicly available sources. We may receive or obtain personal data about you from various third parties and publicly available sources as set out:
- social media providers and other Internet sites (such as Twitter or LinkedIn).
- Companies House, the Electoral Register, Registers of Scotland and other public bodies.
- other relevant organisations or, such as other law firms, other clients, accountants or financial institutions
- other professional advisors, expert witnesses, courts and tribunals, mediators, arbiters, title and search agents and others with whom we interact in connection with the services that we provide to the client organisation.
11.5 How will we use your information?
The main reasons why we process your personal data is either (1) to be able to provide our client with legal or other services as instructed by such client or (2) to be able to seek appropriate references, maintain emergency contacts and otherwise manage certain aspects of our relationship with members of staff.
Personal data will be processed by us where you consent to the processing or where that processing is necessary for (1) compliance with a legal obligation to which we are subject; or (2) the purposes of our legitimate interests (or those of a third party).
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal basis we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
|
Purpose |
Legal basis |
Legitimate Interest (where relevant) |
|
To provide our client with legal advice and legal services To provide our client with other services such as company secretarial, wealth management or estate agency services To use information about you where relevant to the legal or other services we provide to the client organisation To assist our client with the establishment, exercise and defence of legal claims |
Our legitimate interests |
To pursue commercial objectives, including running our business profitably and efficiently To provide legal advice and legal and other services to our client To support the administration of justice (in particular in connection with litigation) To fulfil our contractual obligations to our client To keep our client and other records up to date |
|
Our client's legitimate interests |
To obtain legal To establish, defend or exercise legal claims and legal rights |
|
|
To carry out identity verification and fraud prevention checks, background checks and anti-money laundering procedures (where relevant to the specific services) |
Legal obligation Legitimate interests |
To prevent fraud or money laundering To protect our business and reputation |
|
To improve and develop our services |
Legitimate interests |
To improve our services and our efficiency |
|
To manage our business as a whole, including:
|
Legal obligation Legitimate interests |
To improve our services and our efficiency To operate an efficient and profitable commercial business |
|
To comply with relevant legal obligations To comply with reporting obligations to regulatory bodies |
Legal obligation |
|
|
To protect the rights, property, or safety of our staff, our clients, or others |
Legal obligation Legitimate interests |
To manage the safety of our staff, clients and others |
|
To establish, exercise or defend our legal claims and legal rights |
Legitimate interests |
To enforce our legal rights |
|
With regard to referees, emergency contacts and other staff-related individuals: To ensure appropriate references are obtained prior to employment; to ensure we maintain appropriate emergency contacts for each member of staff; and in connection with family-related staff benefits, to ensure the appropriate management of such benefits |
Legitimate interests |
To screen and recruit appropriate staff To manage our business efficiently To ensure the proper administration of staff benefits |
Where we process Special Categories of Personal Data, we will generally do so on the basis that (1) it is necessary for the establishment, exercise or defence of legal claims or (2) it is necessary for reasons of substantial public interest (as permitted by Schedule 1 of the Data Protection Act 2018, for example for the purposes of fraud prevention). In exceptional circumstances we may process Special Categories of Personal Data with your explicit consent or where it is necessary to protect your vital interests or those of another individual. Other lawful bases for processing Special Categories of Personal Data may apply from time to time, but we would inform you of this at the relevant time.
Where we process Criminal Conviction Data, we only do so where authorised by law, in particular by Schedule 1 of the Data Protection Act 2018.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
11.6 With whom do we share your personal data?
There may be circumstances in which we may also need to share your personal data with certain third parties. The third parties to which we may transfer your personal data include:
- our client;
- other third parties to any transaction, dispute, legal proceedings or other legal matter on which we are advising our client (including other professional advisers, external counsel, expert witnesses, courts and tribunals, search agencies, surveyors, sheriff officers, etc);
- other professional advisers and agents engaged by our client;
- our service providers who provide IT and system administration services (including client management systems, data rooms and other software services);
- our agents and service providers who we engage in the provision of our services, including professional advisers, bankers, surveyors, external counsel, insurers, auditors and others;
- fraud prevention agencies and credit reference or reporting agencies such as TransUnion International UK Limited 'TransUnion'. More information about TransUnion's activities is available at https://www.transunion.co.uk/legal-information/bureau-privacy-notice.
- any relevant regulatory authority, including the Law Society of Scotland, the Scottish Legal Complaints Commission, the Law Society of England & Wales, the Solicitors Regulation Authority, the Financial Conduct Authority and the Information Commissioner’s Office.
- the police and any other law enforcement agency, HM Revenue & Customs or other government body;
- public registers and public information resources, such as Companies House or Registers of Scotland;
- with regard to staff-related individuals, any relevant benefits provider;
- third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets.
Any sharing of your personal data will only take place either where we are legally obliged to do so or where it is in our legitimate interests to do so, including as follows:
- to provide legal and other services to the client organisation;
- to maintain network and information security;
- to develop and improve our services in order to remain competitive;
- to undertake reference checks, credit checks and risk assessments;
- to protect and defend our legal rights;
- to pursue our commercial objectives where this does not override your rights and freedoms as a data subject.
11.7 International transfers
General information. We hold all personal data within the European Union, however some of our third party service providers (such as Eventbrite) are headquartered or based outside of the European Economic Area (EEA) so their processing of your personal data may involve a transfer of data outside of the EEA.
We will only send your personal data outside of the EEA:
- where you instruct us to do so or where you consent to us doing so;
- where we are required to do so as part of the legal services that the client organisation has instructed us to provide (for example when we deal with professional advisors outwith the EEA on behalf of the client organisation or when we deal with counterparties to a transaction or other legal matter outwith the EEA on behalf of the client organisation);
- where we are instructed on behalf of the client organisation by someone outwith the EEA (for example your professional advisors outwith the EEA)
- where we need to do so in order to comply with our or your or the client organisation’s legal obligations;
- where the transfer is necessary for reasons of public interest;
- where the transfer is necessary for the establishment, exercise or defence of legal rights.
Whenever we transfer your personal data outside of the EEA, we will seek to ensure that it is protected to a similar degree as within the EEA by using appropriate safeguards, which may include the following:
- we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- where the recipient organisation is not located in a country with an adequacy decision by the European Commission, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
- where the recipient organisation is based in the USA, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the European Union and the USA.
The safeguards used will depend on the circumstances of the transfer and the location of the non-EEA recipient.
11.8 Automated-decision making or profiling
We do not use automated decision-making (including profiling) to make any decisions which would produce a legal or similarly significant effect on you.
11.9 How long do we retain your personal data?
We will retain your personal data for as long as necessary to fulfil the purposes for which the personal data was obtained and to comply with any legal, accounting or reporting requirements.
Generally speaking, we will keep client files (and any personal data contained therein) for a minimum period of ten years following completion of the matter, so that we are able to respond to a question, complaint or claim. We will keep the information used to verify your identity, and other related client due diligence information, for five years after the relevant client organisation ceases to be our client.
Retention periods for records are determined on the basis of the type of record, the nature of the service or advice that we have provided, and any applicable legal or regulatory requirements. We follow the guidelines issued by the Law Society of Scotland concerning the retention of client files (including personal data contained therein), but the rules that apply to determine how long it is appropriate to hold client files can be complex and varied.
If you require further information about our retention periods, please contact our Data Protection Officer using the contact details above.
12. Accuracy of your data
It is important that the personal data we hold about you is accurate and up to date. Please keep us informed if your personal data changes during your relationship with us.
13. Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those agents, contractors and other third parties who have a business need to know.
They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and the Information Commissioner's Office of a breach where we are legally required to do so.
14. Your rights
Your personal data is protected by legal rights, which include your rights to:
- Request access to your personal data (commonly known as a “subject access request”). This enables you to get access to the personal data we hold about you and to check that we are lawfully processing it
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, in response to your request.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: if you want us to establish the data’s accuracy; where our use of the data is unlawful but you do not want us to erase it; where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal data to you or to a third party (data portability). We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of these rights, please contact us using the details above.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
15. Changes to this Privacy Notice
We keep this Privacy Notice under regular review and will place any updates on our website. This Privacy Notice was last updated on 8 August 2018.
16. Complaints
You have the right to complain to the Information Commissioner's Office, which regulates the processing of personal data, about how we are processing your personal data:
By post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5 AF
By phone: 0303 123 1113
Online: www.ico.org.uk
X