Key terms

Please familiarise yourself with the following key terms:

The table below sets out the personal data we will or may collect in the course of advising and/or acting for you.

How your personal data is collected

We will collect most of the above information directly from you. The circumstances in which we may collect personal data about you include:

• when you or your organisation seek legal advice from us or use any of our online client services;
• when you correspond with us by phone, email or other electronic means, or in writing, or when you provide other information directly to us;
• when you or your organisation browse, complete a form or make an enquiry or otherwise interact on our website or other online platforms;
• when you or your organisation offer to provide, or provides, services to us; and
• when you attend our seminars or other events or sign up to receive personal data from us, including training.

We may also collect information:

• from publicly accessible sources e.g. Companies House or HM Land Registry;
• directly from a third party e.g.:
  • online anti-money laundering check providers;
  • sanctions screening providers; and
  • credit reference agencies;
• from a third party e.g.:
  • your bank or building society, another financial institution or advisor;
  • consultants and other professionals we may engage in relation to your matter;
  • your employer and/or trade union, professional body or pension administrators; and
  • your doctors, medical and occupational health professionals;
• via our website—we use cookies on our website (for more information on cookies, please see the section headed “Cookies” at the end of this Privacy Notice);
• via our information technology (“IT”) systems e.g.:
  • case management, document management and time recording systems; or
  • automated monitoring of our websites and other technical systems, such as our computer networks and connections, communications and email systems.

Should you provide information to us about any person other than yourself, such as your employees, your suppliers, or your counterparties you must ensure that such third parties have been informed and understand how their personal data will be used and that they have given their permission for you to disclose it to us and for you to allow us, and our outsourced service providers, to use it.

We may use your personal data only for the following purposes:

• to register you as a client of Hay & Kilner and provide legal services to you;

• to administer our relationship with you, including processing payments,

• accounting, auditing, billing and taking other steps linked to the performance of our business relationship;

• to carry out background checks, where permitted;

• compliance with our legal obligations, including maintaining records, compliance checks or screening and recording (e.g. anti-money laundering, financial and credit checks, fraud and crime prevention and detection, which may include automated checks of personal data you provide about your identity against relevant databases);

• gathering and providing information required by or relating to audits, enquiries or investigations by regulatory bodies including external audits and quality checks for Lexcel or ISO and the audit of our accounts;

• to analyse and improve our services and communications and to ensure business policies are adhered to e.g. policies covering security and internet use;

• to manage access to our premises and for security purposes;

• to protect the security of our communications and other systems and to prevent and detect security threats, frauds or other criminal or malicious activities;

• for credit reference checks via external credit reference agencies;

• for insurance purposes;

• to exercise or defend our legal rights, or to comply with court orders;

• for any other purposes related and/or ancillary to any of the above or any other purposes for which your personal data was provided to us;

• for statistical analysis to help us manage our practice e.g. in relation to our financial performance, client base, work type or other efficiency measures;

• to communicate with you to keep you up-to-date on the latest developments, announcements, and other information about our, events and initiatives;

• to send you details of client surveys and marketing campaigns; and

• to collect information about your marketing preferences to personalise and improve the quality of our communications with you.

Under data protection law, we can only use your personal data if we have a reason for doing so. We may process your personal data in connection with any of the purposes set out above on one or more of the following legal grounds:

• for the performance of our contract with you or to take steps at your request before entering into a contract;

• to comply with our legal and regulatory obligations;

• because our legitimate interests, or those of a third party recipient of your personal data, make the processing necessary, provided that those interests are not overridden by your interests or fundamental rights and freedoms;

• where you have given consent; or

• in order to establish, exercise or defend our legal rights or for the purpose of legal proceedings.

Please note a legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

Special Category Personal Data

This includes personal data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership, genetic and biometric data, data concerning health, sexual orientation, or details of criminal offences. We will only process such data if it is necessary in relation to the matter on which we are advising you and where we have a legal basis in addition to those set out above.

• Where we are processing Special category personal data for purposes relating to litigation, our additional lawful basis under data protection legislation is that processing is necessary for the establishment, exercise or defence of legal claims.

• Where we are processing Special category personal data for purposes not relating to litigation, our additional lawful basis under data protection legislation is your explicit consent, which we will request at the outset of the relevant matter and/or the processing is necessary for the establishment, exercise or defence of legal claims. “Legal claims” in this context is not limited to current legal proceedings and also includes processing necessary for actual or prospective court proceedings; obtaining legal advice; or establishing, exercising or defending legal rights in any other way.

Where we are required by law to collect personal data or in order to perform a contract we have with you or process your instructions and you fail to provide such information when requested, we may be unable to process your instructions or perform the contract we have with you. If so, it may be necessary for us to cancel the contract you have with us. We will, however, notify you of this at the relevant time.

We may use your personal data to send you updates (by email, telephone or post) about legal developments that might be of interest to you and/or information about our services, including seminars or new services or products.

We have a legitimate interest in processing your personal data for promotional purposes (see above ‘How and why we use your personal data’). This means we do not usually need your consent to send you promotional communications. However, where consent is needed, we will ask for this consent separately and clearly.

We will always treat your personal data with the utmost respect.

You have the right to opt out of receiving promotional communications at any time or to update your marketing preferences by:

• contacting us by e-mailing Kadie O’Neill at oneill@hay-kilner.co.uk; or
• using the ‘unsubscribe’ link in emails.

We may ask you to confirm or update your marketing preferences if you instruct us to provide further services in the future, or if there are changes in the law, regulation, or the structure of our business.

We routinely share personal data with:

• professional advisers whom we instruct on your behalf or to whom we refer you or from whom you have been referred to us e.g. counsel, medical professionals, accountants, tax advisors, agents or other experts;

• local and national law enforcement officials and the Court;

• other third parties where necessary to carry out your instructions, e.g. your mortgage provider or HM Land Registry in the case of a property transaction or Companies House;

• the Office of the Public Guardian;

• HM Revenue & Customs;

• credit reference agencies and with companies providing services for money laundering and terrorist financing checks and other fraud and crime prevention purposes;

• our insurers and brokers;

• external auditors and regulatory bodies, e.g. in relation to our ISO, Lexcel or Conveyancing Quality Scheme accreditations;

• our auditors;

• our bank; and

• external service suppliers, representatives and agents that we use to make our business more efficient including providers of IT services, PR agencies, offsite storage of computer data, maintenance of office machines, telephone and call recording services, photocopying, storage of completed files and shredding of confidential documents.

We only allow our service providers to handle your personal data if we are satisfied they take appropriate measures to protect your personal data. We also impose contractual obligations on service providers to ensure they can only use your personal data to provide services to us and to you.

We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.

Information may be held at our offices, with third party agencies or with service providers as described above (see ‘Who we share your personal data with’).

Some of these third parties may be based outside the United Kingdom. For more information, including on how we safeguard your personal data when this occurs, see below: ‘Transferring your personal data out of the UK’.

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for. We will keep your personal data after we have finished advising or acting for you. We will do so for one of these reasons:

• to respond to any questions, complaints or claims made by you or on your behalf;

• to show that we treated you fairly; and/or

• for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

If you want to learn more about our specific retention periods for your personal data established in our retention policy you may contact us at ben.jackson@hay-kilner.co.uk.

When it is no longer necessary to retain your personal data, we will delete or anonymise it.

To deliver services to you, it is sometimes necessary for us to share your personal data outside of the UK e.g.:

• with service providers or advisers located outside the UK;
• if you are based outside the UK; or
• where there is an international dimension to the matter in which we are advising you.

These transfers are subject to special rules under data protection law.

We will ensure any such transfer complies with data protection law and all personal data will be secure. We only transfer personal information to these countries when it is necessary for the services we provide you, or it is necessary for the establishment, exercise or defence of legal claims or subject to safeguards that assure the protection of your personal information.

If you would like further information please contact our Data Protection Officer (see ‘How to contact us’ below).

You have the following rights, which you can exercise free of charge in most cases:

If you would like to exercise any of those rights, please:

• email, call or write to our Data Protection Officer—see below: ‘How to contact us’; and

• let us have enough information to identify you (e.g. your full name, address and client or matter reference number);

• let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill); and

• let us know what right you want to exercise and the information to which your request relates.

If you have provided your consent to the processing of your personal data, you have the right to withdraw your consent. If you wish to do so, please contact us or “unsubscribe” to any marketing e-mail we send to you, where relevant.

Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose(s) to which you originally consented unless there are compelling legitimate grounds for further processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.  Withdrawal of consent to receive marketing communications will not affect the processing of personal data for the provision of our legal services.

We have appropriate security measures to prevent personal data from being accidentally lost, or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

We are committed to maintaining the accuracy of the personal data we process. If any of the personal data that you have provided to us changes or if you become aware that we are processing inaccurate personal data about you, please get in touch.  We will not be responsible for any losses arising from any inaccurate or incomplete personal data provided to us by you.

We hope that we can resolve any query or concern you may raise about our use of your information.

The UK GDPR also gives you right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns or telephone: 0303 123 1113.

This privacy notice was last updated on 29^th September 2021.

We may change this privacy notice from time to time.

A cookie is a small piece of data that websites store on your computer. Some cookies only exist whilst you remain on the site and are erased when you close your browser; these are known as session cookies. Others remain on your machine between sessions allowing us to recognise you when you return to the site; these are known as persistent cookies.

Session Cookies

We use these to improve your user experience. For example, a cookie is stored when a form has been submitted but contains errors. The correct information submitted is stored temporarily so that the user does not have to repeat themselves.

Persistent Cookies

We use these to remember who you are. For example, we store a cookie allowing us to automatically log you in on your return. We also like to keep track of how many different individuals are visiting our site each day; again this requires a cookie to be stored on each user’s machine.

You can enable or disable cookies by modifying the settings in your browser. You can find out how to do this, and find more information on cookies, at: www.allaboutcookies.org.