This data protection and privacy notice provides information on how OBEP (also referred to in this notice as “we” or “us”) uses personal data relating to:
(also referred to in this notice as “you”).
It also contains information on marketing communications.
It has been prepared in consideration of the requirements of the EU General Data Protection Regulation and the Data Protection Act 2018 (which have applied since 25 May 2018) and the Privacy and Electronic Communications Regulations 2013 (in relation to direct marketing and cookies).
1. Who is OBEP?
OBEP is an English law firm with a sole principal, Olivia Whitcroft. It is authorised and regulated by the Solicitors Regulation Authority, registration number 563704. The rules of the SRA can be found at: www.sra.org.uk.
OBEP is registered as a data controller with the Information Commissioner’s Office, registration number: Z2818829 (although registration requirements have changed as from 25 May 2018).
You can contact OBEP using the contact details set out here: Contact Details
2. What personal data will OBEP collect and why?
2.1. Visiting our website
OBEP does not collect personal data when you visit our website, unless you contact us using the contact details and/or links provided on the website – see section 2.2 below.
2.2. Contacting us
If you contact us (via email, telephone, post or otherwise), we may collect and retain your contact details and the contents of your communication in hard and/or electronic copy. We shall use such details for the purpose of handling your query and keeping records of communications. See also section 2.5 below.
2.3. Clients and potential clients
OBEP collects and processes information about clients and potential clients in order to provide you with legal services and related information, to communicate with you in relation to legal and business issues, for billing and finance purposes, and to manage OBEP’s relationship with you. The data includes includes your name and contact details, communications with you, and information relevant to legal services being provided or business issues being discussed. It may include personal data of your staff, customers, suppliers and other contacts, where relevant to such services and issues – see section 5 below.
Certain information about you and your business or personal circumstances will also be required to carry out client acceptance and risk management procedures. This includes financial details, and information confirming your identity and those of your directors and shareholders.
See also section 2.5 below.
2.4 Suppliers, referrers and other business contacts
OBEP collects and processes information about suppliers, referrers of clients, and other business contacts in order to manage our relationship with you, and to communicate with you in relation to matters relevant to the service you provide, or the circumstances of our relationship with you. The data may include your name and contact details, communications with you, and finance and billing details (where relevant). See also section 2.5 below.
2.5. Other use of your personal data
OBEP may also collect and process personal data (including in all of the above categories) in order to:
As well as communicating with you using OBEP’s communications systems (such as email), we may also connect with you or follow you on social media, in order to keep up to date with your activities and business issues of interest.
2.6 SRA Digital Badge
This website may have a page containing the SRA Digital Badge, which demonstrates that OBEP is a law firm regulated by the Solicitors Regulation Authority (SRA). The SRA Digital Badge is managed by Yoshki, which uses Google Analytics to power their reporting functionality, and shares some information with the SRA. Yoshki also uses a cookie when a visitor visits the page containing the SRA Digital Badge.OBEP does not use or control the information collected by the SRA and Yoshki, nor the Google Analytics service or cookies which they use.
3. Sensitive personal data
OBEP does not collect or process sensitive personal data unless relevant or incidental to the provision of legal services or one of the above purposes and categories of data, for example where:
4. Marketing communications
OBEP may send you marketing materials by email or post, or contact you by telephone for marketing purposes. OBEP will only do this if relevant to specific issues or queries raised by you (including other legal services OBEP has provided to you), or otherwise with your consent.
5. How do we collect your personal data?
We collect the majority of your personal data directly from you, but may also receive information from other people within your business or your business contacts. Where you have been referred to OBEP by a third party, we may collect background information from that third party.
We may also collect information from publicly available sources, such as Companies House, the press, your website, LinkedIn, Twitter and other providers of business and financial information.
Where we collect personal data from you relating to other individuals (e.g. your staff, customers, suppliers, directors, shareholders or other business contacts), it is up to you to ensure such individuals are aware of that their details are being disclosed to and processed by OBEP (unless this is not required in accordance with the requirements of the Data Protection Act 2018 and the EU General Data Protection Regulation).
6. To whom may we disclose your personal data?
OBEP may disclose personal data for the purposes outlined at section 2 above to:
7. Legal bases for processing of personal data
The legal bases for OBEP’s collection, use and disclosure of personal data (as described above) are as follows:
8. Security and retention of your personal data
OBEP takes steps to protect your personal data from misuse or damage. This includes electronic and physical security measures.
Please note that given the nature of the internet, data transmitted over email is not completely secure from unauthorised access or misuse.
OBEP’s standard retention period for client data is eight years following closure of the relevant matter.
If you would like further information about the security measures implemented by OBEP or options for more secure transmission of information to and from OBEP, or about retention practices, please contact OBEP using the contact details set out here: Contact Details
9. International data transfers
OBEP does not generally store or otherwise transfer your personal data outside the UK, other than as follows.
One of OBEP’s accounting systems is provided by a third party cloud provider, whose terms allow for sub-processors and data centres outside the UK and the EEA. OBEP seeks to minimise personal data stored in this accounting system and will not generally use client names. As at the date of this policy, OBEP uses FreeAgent as its provider, which has indicated that its current data centres are in the UK, with only an encrypted back-up outside the EU. However, full detail of its potential sub-processors and data transfers can be found here (as at January 2019, link to third party website): https://www.freeagent.com/company/subprocessors/.
Relevant personal data may also be transferred outside the UK where appropriate to specific legal services or communications. For example:
10. Access to your details and other rights
If you would like to access a copy of any personal data which we hold about you, please send a request by email to Olivia Whitcroft: firstname.lastname@example.org. You also have rights, in certain circumstances, to object to OBEP processing your personal data or to request that your personal data is corrected or erased. Please also contact Olivia Whitcroft about these rights.
You also have the right to complain to the Information Commissioner’s Office if you are unhappy about our use of your personal data. See www.ico.org.uk.
If you have any queries in relation to the processing of your personal data by OBEP, please contact us using the contact details set out here: Contact Details