Privacy policy

We are committed to safeguarding the privacy of all parties who provide us with information.

The information you provide, including personal information, will be used by us primarily to provide legal services to you. This information will be kept confidential and secure and our use of this information is subject to your instructions, the data protection regulations under which we are a data controller, and our duty of confidentiality.

You have the right to be informed about, and to access, the personal data that we hold about you. You have the right to rectify, erase, or obtain a copy of the data that we hold about you. You also have the right to ask questions and object to direct marketing. If you have any questions, please email us: hello@emmtoria.co.uk.

Why we process data

We process personal data because it is necessary for us to comply with common law or statutory obligations. The data protection regulations refer to this lawful basis for processing information as a legal obligation. This includes updating and enhancing client records, analysis to help us manage our practice, statutory returns, and legal and regulatory compliance. We are allowed to process special categories of data because it is necessary for the administration of justice.

Third parties

Please note that our work for you may require us to give information to third parties such as expert witnesses and other professional advisers. You are responsible for ensuring the accuracy of all personal data you supply to us, and we will not be held liable for any errors unless you have advised us previously of any changes in your personal data.

Outsource

In the interest of speed, or controlling cost, we may outsource some of our typing or other administrative functions to a third party. Confidentiality agreements are in place with any service providers we use, and they are obliged, as we are, to keep your data both confidential and secure.

Credit decisions

We may need to make credit decisions about you, for example in relation to the payment of costs, and we may search the files of credit reference agencies who will record any credit searches on their file.

Audits and quality checks

As we are authorised and regulated by the Solicitors Regulation Authority (for the work carried out by our Solicitors) and the Faculty Office of the Archbishop of Canterbury (for our Notary work), and are accredited under various professional schemes, we are subject to audits and quality checks on our practice. These external firms or organisations are required to maintain confidentiality in relation to any files that they see in the course of their work.

Cookies

A cookie consists of information sent by a web server to a web browser, and stored by the browser. The information is then sent back to the server each time the browser requests a page from the server. This enables the web server to identify and track the web browser.

We may use session cookies and persistent cookies on the website. We will use session cookies to keep track of you whilst you navigate the website, and for other uses. We will use persistent cookies to enable our website to recognise you when you visit.

Session cookies will be deleted from your computer when you close your browser. Persistent cookies will remain stored on your computer until deleted, or until they reach a specified expiry date.

We use Squarespace Analytics and Google Analytics to analyse the use of this website. Both services generate statistical and other information about website use by means of cookies, which are stored on users' computers. The information generated relating to our website is used to create reports about the use of the website. Google and Squarespace will store this information. Google's privacy policy is available at: http://www.google.com/privacypolicy.html.

Data protection principles

Emmtoria Limited complies with the data protection principles set out below. When processing personal data:

· we will process personal data lawfully, fairly and in a transparent manner;

· we will collect personal data for specified, explicit and legitimate purposes only and will not process it in a way that is incompatible with those purposes;

· we will only process the personal data that is adequate, relevant and necessary in relation to the purposes for which it is processed;

· we will keep accurate and up-to-date personal data, and take reasonable steps to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;

· we will keep personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; and

· we will process personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Emmtoria Limited will facilitate any request from a data subject who wishes to exercise their rights under data protection law as appropriate, always communicating in a concise, transparent, intelligible and easily accessible form and without undue delay.

Process and procedures

Emmtoria Limited will:

· ensure that the legal basis for processing personal data is identified in advance and that all processing complies with the law;

· not do anything with personal data that an individual would not expect given the content of this policy and the fair processing or privacy notice;

· ensure that appropriate privacy notices are in place advising staff and others how and why their data is being processed, and, in particular, advising data subjects of their rights;

· only collect and process the personal data that it needs for purposes it has identified in advance;

· ensure that, as far as possible, the personal data it holds is accurate, or a system is in place for ensuring that it is kept up to date as far as possible;

· only hold on to personal data for as long as it is needed, after which time the practice will securely erase or delete the personal data (the practice’s data retention policy sets out the appropriate period of time);

· ensure that appropriate security measures are in place to ensure that personal data can only be accessed by those who need to access it and that it is held and transferred securely.

Emmtoria Limited will ensure that all staff who handle personal data on its behalf are aware of their responsibilities under this policy and other relevant data protection and information security policies, and that they are adequately trained and supervised.

Breaching this policy may result in disciplinary action for misconduct, including dismissal. Obtaining (including accessing) or disclosing personal data in breach of the practice’s data protection policies may also be a criminal offence.

Data subject rights

Emmtoria Limited has processes in place to ensure that it can facilitate any request made by an individual to exercise their rights under data protection law. All staff have received training and are aware of the rights of data subjects. Staff can identify such a request and know who to send it to.

All requests will be considered without undue delay and within one month of receipt as far as possible.

· Subject access: the right to request information about how personal data is being processed, including whether personal data is being processed and the right to be allowed access to that data and to be provided with a copy of that data along with the right to obtain the following information:

   – the purpose of the processing;

   – the categories of personal data;

   – the recipients to whom data has been disclosed or which will be disclosed;

   – the retention period;

   – the right to lodge a complaint with the Information Commissioner’s Office;

   – the source of the information if not collected direct from the subject; and

   – the existence of any automated decision making.

· Rectification: the right to allow a data subject to rectify inaccurate personal data concerning them.

· Erasure: the right to have data erased and to have confirmation of erasure, but only where:

   – the data is no longer necessary in relation to the purpose for which it was collected; or

   – consent is withdrawn; or

   – there is no legal basis for the processing; or

   – there is a legal obligation to delete data.

· Restriction of processing: the right to ask for certain processing to be restricted in the following circumstances:

   – if the accuracy of the personal data is being contested; or

   – if our processing is unlawful but the data subject does not want it erased; or

   – if the data is no longer needed for the purpose of the processing but it is required by the data subject for the establishment, exercise or defence of legal claims; or

   – if the data subject has objected to the processing, pending verification of that objection.

· Data portability: the right to receive a copy of personal data which has been provided by the data subject and which is processed by automated means in a format which will allow the individual to transfer the data to another data controller. This would only apply if the practice was processing the data using consent or on the basis of a contract.

· Object to processing: the right to object to the processing of personal data relying on the legitimate interests processing condition unless the practice can demonstrate compelling legitimate grounds for the processing which override the interests of the data subject or for the establishment, exercise or defence of legal claims.

Special category personal data

This includes the following personal data revealing:

· racial or ethnic origin;

· political opinions;

· religious or philosophical beliefs;

· trade union membership;

· the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person;

· an individual’s health;

· a natural person’s sex life or sexual orientation;

· criminal convictions or offences.

Emmtoria Limited processes special category data of clients and third parties as is necessary to provide legal services for the establishment, exercise or defence of legal claims.

Emmtoria Limited processes special category data of employees as is necessary to comply with employment and social security law. This policy sets out the safeguards we believe are appropriate to ensure that we comply with the data protection principles set out above. Emmtoria Limited also has a data retention policy which sets out how long special category data will be held for.

Data breaches

A data breach may take different forms, for example:

· loss or theft of data or equipment on which personal data is stored;

· unauthorised access to or use of personal data by either a member of staff or a third party;

· loss of data resulting from an equipment or systems (including hardware and software) failure;

· human error, such as accidental deletion or alteration of data;

· unforeseen circumstances, such as a fire or flood;

· deliberate attacks on IT systems, such as hacking, viruses or phishing scams; and

· ‘blagging’ offences, where information is obtained by deceiving the organisation which holds it.

Emmtoria Limited will:

· make the required report of a data breach to the Information Commissioner’s Office without undue delay and, where possible, within 72 hours of becoming aware of it, if it is likely to result in a risk to the rights and freedoms of individuals; and

· notify the affected individuals if a data breach is likely to result in a high risk to their rights and freedoms and notification is required by law.

Data protection privacy impact assessment

Where processing of personal data is likely to result in a high risk to an individual’s data protection rights (e.g. where the practice is planning to use a new form of technology), we will, before commencing the processing, carry out a data protection privacy impact assessment to assess:

· whether the processing is necessary and proportionate in relation to its purpose;

· the risks to individuals; and

· what measures can be put in place to address those risks and protect personal data.

Before any new form of technology is introduced, the employee responsible should therefore contact the data protection officer in order that a data protection privacy impact assessment can be carried out.

During the course of any data protection privacy impact assessment, the practice will seek the advice of the data protection officer and the views of any other relevant stakeholders.

Data retention and storage

Personal data (and special category personal data) will be kept securely in accordance with the practice’s information management and security policy.

Personal data (and special category personal data) should not be retained for any longer than necessary. The length of time over which data should be retained will depend upon the circumstances, including the reasons why the personal data was obtained. Where there is any uncertainty, staff should consult the data protection officer.

Personal data (and special category personal data) that is no longer required will be deleted permanently from our information systems and any hard copies will be destroyed securely.

Training

Emmtoria Limited will ensure that staff are adequately trained regarding their data protection responsibilities. Individuals whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests under this policy, will receive additional training to help them understand their duties and how to comply with them.

Monitoring and review

In order to ensure that it remains fit for purpose, this policy will be formally reviewed at least every two years by the senior management team.