Data protection and privacy notice

1. Summary

OBEP collects and uses personal data about its clients and other business contacts in order to manage its business and provide legal services. We are regulated by the Solicitors Regulation Authority and we also use personal data to comply with our regulatory (and other legal) requirements.

We may collect data directly from you, or from other people within your business or other business contacts (for example, where relevant to legal services we are providing). We may also collect relevant information from publicly available sources, such as Companies House, OFSI sanctions lists, the press, your website and social media. We do not collect personal data via our website nor use cookies on our website.

We use other providers to help us with our email and accounting systems. Your data may therefore be held on these providers’ systems. As at the date of this notice, OBEP and its providers mainly hold data within the UK. OBEP’s accounting system provider also has sub-processors outside the UK and the European Union, and OBEP seeks to minimise personal data stored on this system.

If you have any queries in relation to the processing of your personal data by OBEP, or would like to exercise any of your data protection rights (including your right to access a copy of the personal data which we hold about you), please contact us using the contact details set out here: Contact Details.

Last updated: 3 May 2024.

2. Introduction and context

This data protection and privacy notice provides information on how OBEP (“we” or “us”) uses personal data relating to:

• visitors to our website;
• enquirers and other people who contact us;
• clients and potential clients; and
• suppliers, referrers and other business contacts,

(also referred to in this notice as “you”).

It also contains information on marketing communications.

It has been prepared in consideration of the requirements of the UK General Data Protection Regulation (“UK GDPR”) and the UK Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2013 (in relation to direct marketing and cookies).

3. Who we are

OBEP is an English law firm with a sole principal, Olivia Whitcroft. It is authorised and regulated by the Solicitors Regulation Authority, registration number 563704. The rules of the SRA can be found at (link to third party website): www.sra.org.uk.

OBEP is a controller in relation to use of your information (as outlined in this notice), and is registered with the Information Commissioner’s Office, registration number: Z2818829.

You can contact OBEP using the contact details set out here: Contact Details

4. What personal data we collect and why

4.1. Visiting our website

OBEP does not collect personal data when you visit our website, unless you contact us using the contact details or links provided on the website – see section 4.2 below.

We do not use cookies on our website, though see section 4.6 below in relation to the SRA digital badge provided by a third party. We collect IP addresses and store them temporarily in order to monitor flow of traffic to the website. We do not seek to identify anyone from these IP addresses.

4.2. Contacting us

If you contact or communicate with us (via email, telephone, social media, post or otherwise), we may collect and retain your contact details and the contents of your communication in electronic or hard copy. We shall use such details for the purposes of following up on our discussion or handling your query (where relevant), and keeping records of communications. See also section 4.5 below.

Our lawful basis for this is legitimate interests. See section 9 for more information about lawful bases.

4.3. Clients and potential clients

OBEP collects and processes information about clients and potential clients in order to provide you or your business with legal services and related services (such as training), to communicate with you in relation to legal and business issues, for billing and finance purposes, and to manage OBEP’s relationship with you.

The data includes your name and contact details, communications with you, notes of discussions with you, records of services which we provide and invoicing details. It may also include personal data of your staff and other business contacts who are points of contact for us in providing our services, who are attending training we provide, or who are otherwise involved in a matter (such as representatives of other parties to contracts we are advising on).

Additional information about clients and individuals may be collected as relevant to the legal services being provided or business issues being discussed. For example, if we are advising on a data protection matter, we may collect information about the individuals whose data you process.

Certain information about you and your business or personal circumstances will also be required to carry out client acceptance and risk management procedures. This includes financial details, and information confirming your identity and those of your directors and shareholders.

Our lawful bases for these activities are legitimate interests, necessity for performance of a contract (where you are a client who is an individual), and legal obligation (including anti-money laundering and sanctions laws, and requirements of the Solicitors Regulation Authority). See section 9 for more information about lawful bases.

See also section 4.5 below for other potential uses of client data, and section 7 about who we collect data from.

4.4 Suppliers, referrers and other business contacts

OBEP collects and processes information about suppliers, referrers of clients, and other business contacts in order to manage our relationship with you, and to communicate with you in relation to matters relevant to the service you provide, or the circumstances of our relationship with you. The data may include your name and contact details, communications with you, and finance and billing details (where relevant).

Our lawful bases for these activities are legitimate interests and necessity for performance of a contract (where you are a supplier who is an individual). See section 9 for more information about lawful bases.

See also section 4.5 below for other potential uses of business contact data.

4.5. Other use of your personal data

OBEP may also collect and process personal data (including in all of the above categories) in order to:

• manage and maintain records of business communications, services and finances;
• prevent or detect fraud or other illegal activities;
• ensure and monitor equality and diversity;
• investigate complaints, manage insurance and claims, or protect or enforce OBEP’s legal rights; and
• manage actual or potential business transactions (e.g. in the case of an acquisition of OBEP’s business).

Our lawful basis for these activities is legitimate interests.

As well as communicating with you using OBEP’s communications systems (such as email), we may also connect with you or follow you on social media, in order to keep up to date with your activities and business issues of interest. Our lawful basis is legitimate interests.

OBEP may also collect and use data as required to comply with regulatory and other legal obligations, including requirements of the Solicitors Regulation Authority, Proceeds of Crime legislation, and sanctions legislation. Our lawful basis is legal obligation.

See section 9 for more information about lawful bases.

4.6 SRA Digital Badge

This website has a page containing the SRA Digital Badge, which demonstrates that OBEP is a law firm regulated by the Solicitors Regulation Authority (SRA). The SRA Digital Badge is managed by Yoshki, which uses Google Analytics to power their reporting functionality, and shares some information with the SRA. OBEP does not use or control the information collected by the SRA and Yoshki, nor the Google Analytics service or any cookies which they use.

For privacy information about the badge, see the Yoshki data privacy policy which (as at May 2024) is available at (link to third party website): https://www.yoshki.co/privacy-policy/ (and the cookie policy link appears to direct to the privacy policy). Of particular note (as also discussed with the SRA when the badge was implemented in 2019):

• through the reporting functionality, Yoshki and the SRA have access to information about how many times SRA Digital Badge has been clicked – this is to help manage system performance and to gain insight into usage;
• Yoshki does not record or store any additional data such as IP addresses, page navigation behaviour, etc., and only tracks user interaction up to the point of click; and
• of the information it does access, it is shared between the SRA and Yoshki, to facilitate the Digital Badge service.

5. Special category personal data

Special category personal data, and information about criminal convictions or offences have additional protection under data protection laws, due to their sensitivity. Special category data means personal data about health, ethnic or racial origin, political or religious opinions, trade union membership, sexual life or sexual orientation. It also includes genetic or biometric information used to identify an individual.

OBEP does not collect or process these types of personal data unless relevant or incidental to the provision of legal services or one of the purposes and categories of data described in earlier sections, for example where:

• the legal services you require involve the disclosure of special category personal data to OBEP by you or your other business contacts;
• documentation confirming your identity reveals racial or ethnic origin;
• actions taken to prevent or detect illegal activities give rise to the processing of actual or alleged criminal offences; or
• steps taken to ensure equality and diversity involve the use of these types of personal data.

6. Marketing communications

OBEP may send communications to you using contact details or accounts provided or published by you for business purposes (including email, social media, post, or by telephone). OBEP will only do this if relevant to specific issues or queries raised by you (including other legal services OBEP has provided to you) or in which you have expressed an interest (for example where we have discussed at a business event), or otherwise with your consent. OBEP may also maintain records of marketing-related communications with you.

Where consent is not obtained, our legal basis for our marketing activities is legitimate interests. See section 9 for more information about lawful bases.

7. How we collect your personal data

We collect the majority of your personal data directly from you, but may also receive information from other people within your business or your business contacts. This includes where your information is relevant to the legal services we are providing, or where information about you is needed for our client acceptance procedures. Where you have been referred to OBEP by a third party, we may collect background information from that third party.

We may also collect information from publicly available sources, such as Companies House (and relevant overseas company registries), public sanctions lists (such as OFSI), the press, your website, LinkedIn, X, other relevant social media, and other providers of business and financial information. This is particularly relevant for our client acceptance procedures.

Where we collect personal data from you relating to other individuals (e.g. your staff, customers, suppliers, directors, shareholders or other business contacts), we may rely on you to make such individuals aware that their details are being disclosed to and processed by OBEP (unless this is not required in accordance with the requirements of the UK GDPR and Data Protection Act 2018). Please direct such individuals to this privacy notice for more information about how we may use their data.

8. Who we may disclose your personal data to

OBEP may disclose personal data for the purposes outlined at section 4 (What personal data we collect and why) to:

• our service providers and professional advisers. In particular other parties help us with our technology including helping to run our email accounts and store emails, and cloud-based accounting system (though OBEP seeks to minimise personal data stored in the accounting system);
• our clients (and our clients’ other advisors), where relevant and appropriate to the legal services being provided (in our or their legitimate interests);
• regulatory and governmental bodies (including the Solicitors Regulation Authority and HMRC) and law enforcement authorities (such as the police or National Crime Agency) (as required for a legal obligation, or in our or their legitimate interests);
• our insurers (in our legitimate interests);
• any purchaser or (on terms of confidentiality) likely purchaser of OBEP’s business (in our or their legitimate interests); and
• other third parties where required or permitted by law (to comply with a legal obligation, or in our legitimate interests), or with your consent.

9. Lawful bases for processing of personal data

Data protection law requires us to have a lawful basis for each different use of your personal data (including our collection and use, and sharing data with other parties). The lawful bases for OBEP’s collection, use and disclosure of personal data are described in brief in the relevant sections above. More detail of these are as follows:

• processing necessary for OBEP’s legitimate interests as a business and a provider of legal services, for example, to provide legal services, to handle queries and complaints, to manage insurance and claims, to maintain appropriate records of communications, to manage our finances, and otherwise to manage our relationship with you;
• processing necessary for performance of a contract with you, for example, where you are a client who is an individual, use of your information in order to provide you with requested legal services, or to process invoices and payments;
• processing necessary to comply with a legal obligation, for example Proceeds of Crime Act, anti-money laundering and sanctions legislation, or requirements of the Solicitors Regulation Authority or HMRC.
• processing necessary for the legitimate interests of another party, for example our clients who are receiving legal services from us; and
• other processing of personal data with your consent. We would provide you with more details of the proposed use of your data at the time of seeking consent. You may withdraw any consent you have given using the Contact Details.

10. Security and retention of your personal data

OBEP takes steps to protect your personal data from misuse or damage. This includes electronic and physical security measures.

Given the nature of the internet, data transmitted over email or other internet-based communication (such as over social media) is not completely secure from unauthorised access or misuse. For particularly sensitive or confidential information, therefore, you may wish to discuss with us in advance steps which can be taken to improve security, or other options for means of communication.

OBEP’s standard retention period for client data is eight years following closure of the relevant matter.

If you would like further information about the security measures implemented by OBEP, or about retention practices, please contact OBEP using the contact details set out here: Contact Details.

11. International data transfers

OBEP does not generally store or otherwise transfer your personal data outside the UK, other than as follows.

One of OBEP’s accounting systems is provided by a third party cloud provider, FreeAgent (FreeAgent Central Limited, a UK company) whose terms allow for sub-processors and data centres outside the UK and the European Economic Area (including within the US). OBEP seeks to minimise personal data stored in this accounting system and will not generally use client names. Detail of FreeAgent’s potential sub-processors and data transfers can be found here (as at May 2024, it indicates it was last updated in July 2020) (link to third party website): https://www.freeagent.com/company/subprocessors/.

Relevant personal data may also be transferred outside the UK where appropriate to specific legal services or business communications. For example:

• where you ask OBEP to liaise with other providers of business services in other countries; or
• where you (or your colleagues or associates), or your communications systems are located outside the UK.

Safeguards for protecting personal data when it is sent outside the UK or the European Economic Area will be assessed on a case by case basis, where required.

12. Access to your details and other rights

If you would like us to provide you with a copy of any personal data which we hold about you, and additional information about how we use it, please send a request by email to Olivia Whitcroft: olivia.whitcroft@obep.uk (or use our other Contact Details).

Please note that we may not be required to provide you with all this information where exemptions apply, for example, where the information is subject to legal professional privilege.

You also have rights, in certain circumstances, to:

• object to OBEP processing your personal data;
• request a restriction on OBEP’s use of your personal data;
• request that your personal data is corrected or erased; or
• request that we provide you with personal data which you have given us in a structured form (known as the right to “data portability”).

Please contact Olivia Whitcroft for more information about these rights or if you wish to exercise them.

You also have the right to complain to the Information Commissioner’s Office if you are unhappy about our use of your personal data. See www.ico.org.uk.

13. Queries

If you have any queries in relation to the processing of your personal data by OBEP, please contact us using the contact details set out here: Contact Details.