![]() |
1. Summary
OBEP collects and uses personal data about its clients and other business contacts in order to manage its business and provide legal services. We are regulated by the Solicitors Regulation Authority and we also use personal data to comply with our regulatory (and other legal) requirements.
We may collect data directly from you, or from other people within your business or other business contacts (for example, where relevant to legal services we are providing). We may also collect relevant information from publicly available sources, such as Companies House, the press, your website and social media. We do not collect personal data via our website nor use cookies on our website.
We use other providers to help us with our email and accounting systems. Your data may therefore be held on these providers’ systems. As at the date of this notice, OBEP and its providers mainly hold data within the UK, but OBEP’s accounting system provider also has an encrypted back-up outside the UK and the European Union.
If you have any queries in relation to the processing of your personal data by OBEP, or would like to exercise any of your data protection rights (including your right to access a copy of the personal data which we hold about you), please contact us using the contact details set out here: Contact Details.
2. Introduction and context
This data protection and privacy notice provides information on how OBEP (“we” or “us”) uses personal data relating to:
(also referred to in this notice as “you”).
It also contains information on marketing communications.
It has been prepared in consideration of the requirements of the UK General Data Protection Regulation (“UK GDPR”) and the UK Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2013 (in relation to direct marketing and cookies).
3. Who is OBEP?
OBEP is an English law firm with a sole principal, Olivia Whitcroft. It is authorised and regulated by the Solicitors Regulation Authority, registration number 563704. The rules of the SRA can be found at: www.sra.org.uk.
OBEP is a controller in relation to use of your information (as outlined in this notice), and is registered with the Information Commissioner’s Office, registration number: Z2818829.
You can contact OBEP using the contact details set out here: Contact Details
4. What personal data will OBEP collect and why?
4.1. Visiting our website
OBEP does not collect personal data when you visit our website, unless you contact us using the contact details and/or links provided on the website – see section 4.2 below.
We do not use cookies on our website, though see section 4.6 below in relation to the SRA digital badge provided by a third party. We collect IP addresses and store them temporarily in order to monitor flow of traffic to the website. We do not seek to identify anyone from these IP addresses.
4.2. Contacting us
If you contact or communicate with us (via email, telephone, social media, post or otherwise), we may collect and retain your contact details and the contents of your communication in electronic and/or hard copy. We shall use such details for the purposes of following up on our discussion or handling your query (where relevant), and keeping records of communications. See also section 4.5 below.
Our legal basis for this is legitimate interests. See section 9 below for more information about this.
4.3. Clients and potential clients
OBEP collects and processes information about clients and potential clients in order to provide you or your business with legal services and related information, to communicate with you in relation to legal and business issues, for billing and finance purposes, and to manage OBEP’s relationship with you. The data includes includes your name and contact details, communications with you, and information relevant to legal services being provided or business issues being discussed. It may include personal data of your staff, customers, suppliers and other contacts, where relevant to such services and issues – see section 7 below.
Certain information about you and your business or personal circumstances will also be required to carry out client acceptance and risk management procedures. This includes financial details, and information confirming your identity and those of your directors and shareholders.
Our legal bases for these activities are legitimate interests, necessity for performance of a contract (where you are a client who is an individual), and legal obligation. See section 9 below for more information about this.
See also section 4.5 below for other potential uses of client data.
4.4 Suppliers, referrers and other business contacts
OBEP collects and processes information about suppliers, referrers of clients, and other business contacts in order to manage our relationship with you, and to communicate with you in relation to matters relevant to the service you provide, or the circumstances of our relationship with you. The data may include your name and contact details, communications with you, and finance and billing details (where relevant).
Our legal bases for these activities are legitimate interests and necessity for performance of a contract (where you are a supplier who is an individual). See section 9 below for more information about this.
See also section 4.5 below for other potential uses of business contact data.
4.5. Other use of your personal data
OBEP may also collect and process personal data (including in all of the above categories) in order to:
As well as communicating with you using OBEP’s communications systems (such as email), we may also connect with you or follow you on social media, in order to keep up to date with your activities and business issues of interest.
Our legal basis for these activities is legitimate interests. See section 9 below for more information about this.
4.6 SRA Digital Badge
This website has a page containing the SRA Digital Badge, which demonstrates that OBEP is a law firm regulated by the Solicitors Regulation Authority (SRA). The SRA Digital Badge is managed by Yoshki, which uses Google Analytics to power their reporting functionality, and shares some information with the SRA. OBEP does not use or control the information collected by the SRA and Yoshki, nor the Google Analytics service or any cookies which they use.
For privacy information about the badge, see the Yoshki data and privacy policy which (as at January 2019) is available at (link to third party website): http://www.yoshki.com/data-security-policy/. As at January 2019, Yoshki indicates as follows:
5. Special category personal data
Special category personal data means personal data about health, ethnic or racial origin, political or religious opinions, trade union membership, sexual life or sexual orientation. It also includes genetic or biometric information used to identify an individual. Information about criminal convictions or offences is also distinguished from other types of personal data under data protection laws. Due to the sensitivity of all these types of data, additional data protection rules apply if they are collected or used.
OBEP does not collect or process these types of personal data unless relevant or incidental to the provision of legal services or one of the purposes and categories of data described in earlier sections, for example where:
6. Marketing communications
OBEP may send or make marketing communications to you using contact details provided or published by you for business purposes (including email, social media, post, or by telephone). OBEP will only do this if relevant to specific issues or queries raised by you (including other legal services OBEP has provided to you) or in which you have expressed an interest, or otherwise with your consent. OBEP may also maintain records of marketing-related communications with you.
Where consent is not obtained, our legal basis for our marketing activities is legitimate interests. See section 9 below for more information about this.
7. How do we collect your personal data?
We collect the majority of your personal data directly from you, but may also receive information from other people within your business or your business contacts (for example, if your information is relevant to the legal services we are providing). Where you have been referred to OBEP by a third party, we may collect background information from that third party.
We may also collect information from publicly available sources, such as Companies House, the press, your website, LinkedIn, Twitter, other relevant social media, and other providers of business and financial information.
Where we collect personal data from you relating to other individuals (e.g. your staff, customers, suppliers, directors, shareholders or other business contacts), we may rely on you to make such individuals aware that their details are being disclosed to and processed by OBEP (unless this is not required in accordance with the requirements of the Data Protection Act 2018 and the UK GDPR). Please direct such individuals to this privacy notice for more information about how we may use their data.
8. To whom may we disclose your personal data?
OBEP may disclose personal data for the purposes outlined at section 4 above to:
9. Legal bases for processing of personal data
The legal bases for OBEP’s collection, use and disclosure of personal data (as described above) are as follows:
10. Security and retention of your personal data
OBEP takes steps to protect your personal data from misuse or damage. This includes electronic and physical security measures.
Given the nature of the internet, data transmitted over email or other internet-based communication is not completely secure from unauthorised access or misuse. For particularly sensitive or confidential information, therefore, you may wish to discuss with us in advance steps which can be taken to improve security, or other options for means of communication.
OBEP’s standard retention period for client data is eight years following closure of the relevant matter.
If you would like further information about the security measures implemented by OBEP, or about retention practices, please contact OBEP using the contact details set out here: Contact Details.
11. International data transfers
OBEP does not generally store or otherwise transfer your personal data outside the UK, other than as follows.
One of OBEP’s accounting systems is provided by a third party cloud provider, whose terms allow for sub-processors and data centres outside the UK and the European Economic Area. OBEP seeks to minimise personal data stored in this accounting system and will not generally use client names. As at the date of this policy, OBEP uses FreeAgent as its provider, which has indicated that its current data centres are in the UK, with only an encrypted back-up outside the European Union. However, full detail of its potential sub-processors and data transfers can be found here (as at January 2019, link to third party website): https://www.freeagent.com/company/subprocessors/.
Relevant personal data may also be transferred outside the UK where appropriate to specific legal services or business communications. For example:
Safeguards for protecting personal data when it is sent outside the UK or the European Economic Area will be assessed on a case by case basis, where required.
12. Access to your details and other rights
If you would like us to provide you with a copy of any personal data which we hold about you, together with additional information about how we use it, please send a request by email to Olivia Whitcroft: olivia.whitcroft@obep.uk (or use our other Contact Details).
Please note that we may not be required to provide you with all this information where exemptions apply, for example, where the information is subject to legal professional privilege.
You also have rights, in certain circumstances, to:
Please contact Olivia Whitcroft for more information about these rights or if you wish to exercise them.
You also have the right to complain to the Information Commissioner’s Office if you are unhappy about our use of your personal data. See www.ico.org.uk.
13. Queries
If you have any queries in relation to the processing of your personal data by OBEP, please contact us using the contact details set out here: Contact Details.