Privacy Notice
All personal information provided by you will be treated in accordance with the Data Protection Act 2018 and the EU GDPR 2018 or UK GDPR 2021 depending on where the information is processed:
Personal data is information which directly or indirectly identifies you. We at Pengillys LLP are committed to processing your personal data in accordance with UK and EU Data Protection laws. For the purpose of UK and EU Data Protection laws, Pengillys LLP is the data controller and is a registered data controller under ICO registration number Z5385444.
It may be necessary for you to give us personal data so that we can provide you with the requested services, fulfil any contractual relationship with you, inform you of our services, comply with applicable laws, regulations and/or codes of practice, and for other purposes as set out in this notice where in our legitimate interests.
Collecting Your Personal Data
We may collect your personal data in a number of ways, including from:
| a. | You, for example when you: i. Apply for and use our services. ii. Call us or make an enquiry via our website. iii. Enter into any agreement with us. iv. Contact and interact with us, including via using our website. v. Ask us to contact you, including via the exchange of business cards with a member of the firm. vi. Attend events. vii. participate in surveys. |
| b. | Someone else may share your personal data with us, for example: i. Within the course acting on a conveyancing transaction. ii. Administering an estate. iii. Conducting litigation on your behalf or the like. |
| c. | Third parties, such as: i. Credit reference agencies. ii. Fraud prevention agencies. |
| d. | Public sources, for example:
i. Companies House. |
What Personal Data We Collect
Types of information we may collect include your personal details, e.g. date of birth, contact details, nationality, tax details, employment details, regulatory history.
Other personal information as required, e.g. as part of litigation in which you may have asked us to represent you.
Financial information, e.g. income and outgoings, assets and liabilities, bank details, account information and history, account activity, credit history and information, share holdings. Information we have from our dealings with you or from anyone acting on your behalf, e.g. records of telephone calls, records of our interactions/correspondence with you, details of your transactions.
Sensitive personal data including but not limited to the following: religious belief, sexual orientation. (We will only collect this with your explicit consent, or where the processing is specifically authorised by a regulatory body, or required by law/legal process.)
If you give us personal data about someone else you should have a lawful basis for doing so, e.g. you have their consent to share personal data with us. Where applicable, you should ensure that they read this Privacy Notice and understand how we will use and disclosure their information, in the ways described in this Privacy Notice.
How We May Use Your Personal Data
We collect your personal data or information to operate the firm effectively and provide you with a high-quality service. We may use your information:
- To deliver legal services to you on your instruction.
- To answer enquiries that you make prior to any formal instruction.
- To avoid any conflict of interest as we represent you.
- To adhere to regulations set out by the Solicitors Regulatory Authority.
- To adhere to quality standards as set out under the Lexcel Standard.
- To maintain security of our office and IT infrastructure.
- To invoice you, and to track payments you make or payments made to you. We believe that all these purposes are justified on the basis of our legitimate interests in running and promoting the firm, our contractual requirements to deliver the agreed legal services to you, and our legal obligations, both as a limited company and responsible employer. If we represent you in a criminal case, we will collect information about the alleged offences and any related criminal history. Where we process sensitive personal information in the course of these and other similar cases, we do so to assist you and/or your organisation to establish, exercise or defend legal claims.
We may disclose certain personal data (which may include electronic ID verification results) as follows:
| a. | To Courts, tribunals, mediators, governmental and non-governmental agencies, regulators and ombudsmen. |
| b. | To law enforcement agencies. |
| c. | To relevant tax authorities. |
| d. | To any relevant third party in the course of an acquisition, sale, transfer, re-organisation or merger of parts of our business or our assets. |
| e. | In the course of conveyancing we follow the Law Society Protocol which encourages communication with all parties involved including but not limited to estate agents, mortgage brokers; conveyancing practitioners; HMRC and the Land Registry and other statutory bodies. |
| f. | In the course of probate we will need to contact many third parties who will need to have relevant personal data (eg but not limited to) banks or other financial institutions; utility companies; the press; financial advisors; estate agents; the Probate Registry; HMRC; the Land Registry; other solicitors; charities; beneficiaries and a range of third parties in particular to assist in the administration of an estate. |
| g. | In the course of contentious matters we follow the procedure prescribed by the court or in various protocols. Invariably this requires disclosure of relevant personal data which can include sensitive data. Examples of this include in Family cases where a range of personal data and at times sensitive personal data will need to be given to the court; CAFCASS; CYPS; exchanged or provided to the other party/ parties (occasionally including medical records in certain cases); in Employment cases similarly personal data will need to be shared with the court and other party/ parties to the case and on occasion this can include sensitive personal data; in Civil Litigation cases (eg personal injury claims), personal data and at times sensitive data will need to be disclosed to the other party/parties as part of pre action protocol; at mediation/ADR; and certainly within the course of court proceedings. Frequently in all such cases experts may be used and will need relevant personal data in order to prepare their report/s. |
| h. | As required or permitted by law or regulation, where we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or to protect the rights, property or safety of Pengillys LLP, our clients or others. |
| i. | To credit reference agencies (CRAs). |
| j. | To fraud prevention agencies (FPAs). You may ask us for details of the CRAs and FPAs which we have used for your searches. If there are any errors in the information we hold about you, please tell us so that we can correct information we hold about you. |
| k. | As part of our Lexcel accreditation and professional auditing process generally, your file may be selected for inspection. We do this on the basis of legitimate interests; if you wish to object, please contact us on the details below. Objecting will not affect the service you receive from us. |
We do not sell or rent your personal data or information to any third party or share your information with third parties for their marketing purposes. If you would like to know more, please read below:
As a client, we will hold the following information about you:
- Name, date of birth, and contact information.
- National insurance number
- Information relating to your legal matter
- Financial details
- Demographic information such as postcode
- Information and documents relating to the service we are providing, including communications with you.
- Billing and payment information.
We store your information on our secure servers based in the UK. We also hold paper copies of your information in the client matter files, stored in our Weymouth and Poundbury offices, and in a secure, offsite storage archive.
We will retain your client matter file for the duration of our relationship with you, then for a minimum of 7 years after, and a maximum of 12 years, if required for audit purposes. We will retain financial records for 6 years, following the end of the current financial year.
Transfer of personal data outside the European Economic Area (EEA)
We may transfer your personal data to recipients who may carry out services on our behalf, or in accordance with your request, or to fulfil your instructions, located in countries outside of the EEA. If we transfer your personal data to such a country, we will take all necessary steps to ensure your data is protected to an equivalent standard as within the EEA.
Your rights
You have the following rights:
The right to be informed, which is what this privacy policy is for.
- The right to access the data we hold about you.
- The right to object to direct marketing.
- The right to object to processing carried out on the basis of legitimate interests.
- The right to erasure (in some circumstances).
- The right to data portability, i.e. to request the transfer of personal data from one data controller to another.
- The right to have your data rectified if it is inaccurate.
- The right to have your data restricted or blocked from processing.
If you wish to exercise any of these rights or withdraw consent to use your personal data, you should contact the Data Protection Manager as described below. You also have the right to lodge a complaint about the processing of your personal data with your local Data Protection Supervisory Authority (in the UK the Information Commissioner’s Office).
Contacting us via email
We use Transport Layer Security (TLS) to encrypt and protect email traffic in line with government standards. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.
We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
Marketing
We may contact you periodically to provide information regarding events, products, services and content that may be of interest to you, and to invite you to participate in market research.
If applicable law requires we receive your consent before we send you certain types of marketing communications, we will only send you those types of communications after receiving your consent. Where this information is provided electronically we may track your response, e.g. with which e-mails you open.
If you wish to stop receiving marketing or marketing research communications from Pengillys LLP, please simply inform the person with conduct of your case, or contact the Data Protection Manager as described below.
Prospective clients
We will retain minimal personal information about you to enable us to conduct conflict of interest checks as required by the Solicitors Regulatory Authority. If you do not instruct us, we will retain details relating to your enquiry for a maximum of 2 years.
Changes to this Privacy Notice
We may revise or supplement our Privacy Notice from time to time to reflect, for example, any changes in our business, law, markets, or the introduction of any new technology.
Enquiries, requests or concerns
All enquiries, requests or concerns regarding this Notice or relating to the processing of personal data should be sent to our Data Protection Manager, Mr Walkington, Pengillys LLP, 67 St Thomas Street, Weymouth, Dorset, DT4 8HB, or e-mail contact@pengillys.co.uk