Data protection and privacy notice

1. Summary

OBEP collects and uses personal data about its clients and other business contacts in order to manage its business and provide legal services. We are regulated by the Solicitors Regulation Authority and we also use personal data to comply with our regulatory (and other legal) requirements.

We may collect data directly from you, or from other people within your business or other business contacts (for example, where relevant to legal services we are providing). We may also collect relevant information from publicly available sources, such as Companies House, the press, your website and social media. We do not collect personal data via our website nor use cookies on our website.

We use other providers to help us with our email and accounting systems. Your data may therefore be held on these providers’ systems. As at the date of this notice, OBEP and its providers mainly hold data within the UK, but OBEP’s accounting system provider also has an encrypted back-up outside the UK and the European Union.

If you have any queries in relation to the processing of your personal data by OBEP, or would like to exercise any of your data protection rights (including your right to access a copy of the personal data which we hold about you), please contact us using the contact details set out here: Contact Details.

2. Introduction and context

This data protection and privacy notice provides information on how OBEP (“we” or “us”) uses personal data relating to:

• visitors to our website;
• enquirers and other people who contact us;
• clients and potential clients; and
• suppliers, referrers and other business contacts,

(also referred to in this notice as “you”).

It also contains information on marketing communications.

It has been prepared in consideration of the requirements of the UK General Data Protection Regulation (“UK GDPR”) and the UK Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2013 (in relation to direct marketing and cookies).

3. Who is OBEP?

OBEP is an English law firm with a sole principal, Olivia Whitcroft. It is authorised and regulated by the Solicitors Regulation Authority, registration number 563704. The rules of the SRA can be found at: www.sra.org.uk.

OBEP is a controller in relation to use of your information (as outlined in this notice), and is registered with the Information Commissioner’s Office, registration number: Z2818829.

You can contact OBEP using the contact details set out here: Contact Details

4. What personal data will OBEP collect and why?

4.1. Visiting our website

OBEP does not collect personal data when you visit our website, unless you contact us using the contact details and/or links provided on the website – see section 4.2 below.

We do not use cookies on our website, though see section 4.6 below in relation to the SRA digital badge provided by a third party. We collect IP addresses and store them temporarily in order to monitor flow of traffic to the website. We do not seek to identify anyone from these IP addresses.

4.2. Contacting us

If you contact or communicate with us (via email, telephone, social media, post or otherwise), we may collect and retain your contact details and the contents of your communication in electronic and/or hard copy. We shall use such details for the purposes of following up on our discussion or handling your query (where relevant), and keeping records of communications. See also section 4.5 below.

Our legal basis for this is legitimate interests. See section 9 below for more information about this.

4.3. Clients and potential clients

OBEP collects and processes information about clients and potential clients in order to provide you or your business with legal services and related information, to communicate with you in relation to legal and business issues, for billing and finance purposes, and to manage OBEP’s relationship with you. The data includes includes your name and contact details, communications with you, and information relevant to legal services being provided or business issues being discussed. It may include personal data of your staff, customers, suppliers and other contacts, where relevant to such services and issues – see section 7 below.

Certain information about you and your business or personal circumstances will also be required to carry out client acceptance and risk management procedures. This includes financial details, and information confirming your identity and those of your directors and shareholders.

Our legal bases for these activities are legitimate interests, necessity for performance of a contract (where you are a client who is an individual), and legal obligation. See section 9 below for more information about this.

See also section 4.5 below for other potential uses of client data.

4.4 Suppliers, referrers and other business contacts

OBEP collects and processes information about suppliers, referrers of clients, and other business contacts in order to manage our relationship with you, and to communicate with you in relation to matters relevant to the service you provide, or the circumstances of our relationship with you. The data may include your name and contact details, communications with you, and finance and billing details (where relevant).

Our legal bases for these activities are legitimate interests and necessity for performance of a contract (where you are a supplier who is an individual). See section 9 below for more information about this.

See also section 4.5 below for other potential uses of business contact data.

4.5. Other use of your personal data

OBEP may also collect and process personal data (including in all of the above categories) in order to:

• manage and maintain records of business communications, services and finances;
• comply with regulatory and other legal obligations, including those of the Solicitors Regulation Authority and under anti-money laundering legislation;
• prevent or detect fraud or other illegal activities;
• ensure and monitor equality and diversity;
• investigate complaints, manage insurance and claims, or protect or enforce OBEP’s legal rights; and
• manage actual or potential business transactions (e.g. in the case of an acquisition of OBEP’s business).

As well as communicating with you using OBEP’s communications systems (such as email), we may also connect with you or follow you on social media, in order to keep up to date with your activities and business issues of interest.

Our legal basis for these activities is legitimate interests. See section 9 below for more information about this.

4.6 SRA Digital Badge

This website has a page containing the SRA Digital Badge, which demonstrates that OBEP is a law firm regulated by the Solicitors Regulation Authority (SRA). The SRA Digital Badge is managed by Yoshki, which uses Google Analytics to power their reporting functionality, and shares some information with the SRA. OBEP does not use or control the information collected by the SRA and Yoshki, nor the Google Analytics service or any cookies which they use.

For privacy information about the badge, see the Yoshki data and privacy policy which (as at January 2019) is available at (link to third party website): http://www.yoshki.com/data-security-policy/. As at January 2019, Yoshki indicates as follows:

• through the reporting functionality, Yoshki and the SRA have access to information about how many times SRA Digital Badge has been clicked – this is to help manage system performance and to gain insight into usage;
• Yoshki does not record or store any additional data such as IP addresses, page navigation behaviour, etc., and only tracks user interaction up to the point of click; and
• of the information it does access, it is shared between the SRA and Yoshki, to facilitate the Digital Badge service.

5. Special category personal data

Special category personal data means personal data about health, ethnic or racial origin, political or religious opinions, trade union membership, sexual life or sexual orientation. It also includes genetic or biometric information used to identify an individual. Information about criminal convictions or offences is also distinguished from other types of personal data under data protection laws. Due to the sensitivity of all these types of data, additional data protection rules apply if they are collected or used.

OBEP does not collect or process these types of personal data unless relevant or incidental to the provision of legal services or one of the purposes and categories of data described in earlier sections, for example where:

• the legal services you require involve the disclosure of special category personal data to OBEP by you or your other business contacts;
• documentation confirming your identity reveals racial or ethnic origin;
• actions taken to prevent or detect illegal activities give rise to the processing of actual or alleged criminal offences; or
• steps taken to ensure equality and diversity involve the use of these types of personal data.

6. Marketing communications

OBEP may send or make marketing communications to you using contact details provided or published by you for business purposes (including email, social media, post, or by telephone). OBEP will only do this if relevant to specific issues or queries raised by you (including other legal services OBEP has provided to you) or in which you have expressed an interest, or otherwise with your consent. OBEP may also maintain records of marketing-related communications with you.

Where consent is not obtained, our legal basis for our marketing activities is legitimate interests. See section 9 below for more information about this.

7. How do we collect your personal data?

We collect the majority of your personal data directly from you, but may also receive information from other people within your business or your business contacts (for example, if your information is relevant to the legal services we are providing). Where you have been referred to OBEP by a third party, we may collect background information from that third party.

We may also collect information from publicly available sources, such as Companies House, the press, your website, LinkedIn, Twitter, other relevant social media, and other providers of business and financial information.

Where we collect personal data from you relating to other individuals (e.g. your staff, customers, suppliers, directors, shareholders or other business contacts), we may rely on you to make such individuals aware that their details are being disclosed to and processed by OBEP (unless this is not required in accordance with the requirements of the Data Protection Act 2018 and the UK GDPR). Please direct such individuals to this privacy notice for more information about how we may use their data.

8. To whom may we disclose your personal data?

OBEP may disclose personal data for the purposes outlined at section 4 above to:

• our service providers and professional advisers. In particular other parties help us with our technology including helping to run our email accounts and store emails, and cloud-based accounting system (though OBEP seeks to minimise personal data stored in the accounting system);
• our clients (and our clients’ other advisors), where relevant and appropriate to the legal services being provided;
• regulatory and governmental bodies (including the Solicitors Regulation Authority and HMRC) and law enforcement authorities;
• our insurers;
• any purchaser or (on terms of confidentiality) likely purchaser of OBEP’s business; and
• other third parties where required or permitted by law, or with your consent.

9. Legal bases for processing of personal data

The legal bases for OBEP’s collection, use and disclosure of personal data (as described above) are as follows:

• processing necessary for OBEP’s legitimate interests as a business and a provider of legal services, for example, to provide legal services, to handle queries and complaints, to manage insurance and claims, to maintain appropriate records of communications, to manage our finances, and otherwise to manage our relationship with you;
• processing necessary for performance of a contract with you, for example, where you are a client who is an individual, use of your information in order to provide you with requested legal services, or to process invoices and payments;
• processing necessary to comply with a legal obligation, for example anti-money laundering legislation, or requirements of the Solicitors Regulation Authority or HMRC.
• processing necessary for the legitimate interests of another party, for example our clients who are receiving legal services from us; and
• other processing of personal data with your consent. We would provide you with more details of the proposed use of your data at the time of seeking consent. You may withdraw any consent you have given using the Contact Details.

10. Security and retention of your personal data

OBEP takes steps to protect your personal data from misuse or damage. This includes electronic and physical security measures.

Given the nature of the internet, data transmitted over email or other internet-based communication is not completely secure from unauthorised access or misuse. For particularly sensitive or confidential information, therefore, you may wish to discuss with us in advance steps which can be taken to improve security, or other options for means of communication.

OBEP’s standard retention period for client data is eight years following closure of the relevant matter.

If you would like further information about the security measures implemented by OBEP, or about retention practices, please contact OBEP using the contact details set out here: Contact Details.

11. International data transfers

OBEP does not generally store or otherwise transfer your personal data outside the UK, other than as follows.

One of OBEP’s accounting systems is provided by a third party cloud provider, whose terms allow for sub-processors and data centres outside the UK and the European Economic Area. OBEP seeks to minimise personal data stored in this accounting system and will not generally use client names. As at the date of this policy, OBEP uses FreeAgent as its provider, which has indicated that its current data centres are in the UK, with only an encrypted back-up outside the European Union. However, full detail of its potential sub-processors and data transfers can be found here (as at January 2019, link to third party website): https://www.freeagent.com/company/subprocessors/.

Relevant personal data may also be transferred outside the UK where appropriate to specific legal services or business communications. For example:

• where you ask OBEP to liaise with other providers of business services in other countries; or
• where you (or your colleagues or associates), or your communications systems are located outside the UK.

Safeguards for protecting personal data when it is sent outside the UK or the European Economic Area will be assessed on a case by case basis, where required.

12. Access to your details and other rights

If you would like us to provide you with a copy of any personal data which we hold about you, together with additional information about how we use it, please send a request by email to Olivia Whitcroft: olivia.whitcroft@obep.uk (or use our other Contact Details).

Please note that we may not be required to provide you with all this information where exemptions apply, for example, where the information is subject to legal professional privilege.

You also have rights, in certain circumstances, to:

• object to OBEP processing your personal data;
• request a restriction on OBEP’s use of your personal data;
• request that your personal data is corrected or erased; or
• request that we provide you with personal data which you have given us in a structured form (known as the right to “data portability”).

Please contact Olivia Whitcroft for more information about these rights or if you wish to exercise them.

You also have the right to complain to the Information Commissioner’s Office if you are unhappy about our use of your personal data. See www.ico.org.uk.

13. Queries

If you have any queries in relation to the processing of your personal data by OBEP, please contact us using the contact details set out here: Contact Details.