This privacy notice relates specifically to Moon & Co Solicitors processing personal data of clients and former clients for direct marketing. In particular it applies to us sending our email Legal Updates and invitations to events.
Moon & Co Solicitors are the data controller in this Privacy Notice.
This privacy notice applies to Direct Marketing to all clients and former clients. If you fall into this category then you are a ‘data subject’ for the purposes of this Direct Marketing Privacy Notice and we will refer to you here as a client.
A separate “Privacy Notice – Legal Services” applies to our clients relating to personal data and the legal services we provide to them . That policy also applies those who have contacted us with a view to obtaining legal advice but who have not progressed to the stage of becoming clients but who we have received personal data about in relation to legal advice. If you are a not a client please read our “Privacy Notices – Direct Marketing to Contacts”.
This Privacy Notice give lots of detail about what information we may collect, why we want it, what we do with it, who can see it, how we protect it and what you can require us to do with it. By law we have to give you a lot of this information and explain why we have a legal right to use your data.
This notice is long and so we have added some headings and a “Table of Contents” to help you find what you are looking for. However if there is anything you don’t understand or you have any questions about this Privacy Notice or about how we handle your personal information you contact our Data Protection Manager, Kirsten Moon, partner, Applewood House The Hill, Charing Kent, email email@example.com, tel. 01233 714055. As a data protection manager she oversees compliance with this Privacy Notice and deals with any queries.
- Overview.. 2
- Data protection principles. 3
- What is a data controller?. 3
- What is personal data?. 3
- What is special category personal data?. 3
- What amounts to processing personal data?. 4
- What types of personal data may we collect about you for direct marketing?. 4
- How do we collect your personal information for direct marketing?. 5
- Why and how do we use your personal information for direct marketing. 5
- Objection to Direct Marketing and Withdrawal of Consent. 6
- Method of sending you our direct marketing. 6
- Examples of the direct marketing we might process your personal data for. 8
- Change of purpose. 9
- Who has access to your personal information for direct marketing?. 9
- How do we protect your personal information?. 9
- For how long do we keep your personal information for direct marketing?. 10
- Your rights in connection with your personal data used for direct marketing. 11
- Subject Access Request 12
- Transferring personal information for direct marketing outside the European Economic Area 13
- Automated decision making for direct marketing. 13
- Changes to this Privacy Notice. 13
- Other Notices and Policies. 13
- Complaints. 14
1.1 We take the security and privacy of your data seriously. We collect and processes personal information, or personal data, relating to clients as part of our business and to manage the service we provide to you.
1.2 We are committed to being transparent about how we handle your personal information, to protecting the privacy and security of your personal information and to meeting our data protection obligations under the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018. The purpose of this privacy notice is to make you aware of how and why we will collect and use your personal information specifically for the purpose of direct marketing. We are required under the GDPR to notify you of the information contained in this privacy notice.
1.2.1. “Direct Marketing” means the communication (by whatever means) of advertising or marketing material which is directed to particular individuals. This includes the promotion of aims and ideals as well as the sale of products and services.
1.3 This Privacy Notice is non-contractual and does not form part of any contract we have with you.
1.4 We do not use bought in call lists to carry out direct marketing. We do not provide clients details to third parties for marketing purposes or for any other purpose without your consent.
1.5 We intend this to fully comply with the 2018 Act and the GDPR. If there are any conflict between those laws and this notice, we intend to comply with the 2018 Act and the GDPR.
2.1 Under the GDPR Personal data must be processed in accordance with six ‘Data Protection Principles.’ the personal information we hold about you must be:
2.1.1. Processed lawfully, fairly and transparently.
2.1.2. Collected only for legitimate purposes that have been clearly explained to you and not further processed in a way that is incompatible with those purposes.
2.1.3. Adequate, relevant and limited to what is necessary in relation to those purposes.
2.1.4. Accurate and, where necessary, kept up to date. Any inaccurate data must be deleted or rectified without delay;
2.1.5. Where you can be identified from the information the data must not be kept longer than is necessary for those purposes.
2.1.6. Processed securely.
2.1.7. We are responsible for, and must be able to demonstrate compliance with, these principles. This is called accountability.
3.1 Moon & Co Solicitors is a ‘data controller’ for the purposes of your personal data. This means that we determine the purpose and means of the processing of your personal data.
4.1 “Personal data” means information which relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information which is likely to come into our possession. It includes any expression of opinion about the person and an indication of the intentions of us or others, in respect of that person. It doesn’t include anonymised data, i.e. where all identifying particulars have been removed.
5.1 There are also “special categories” of personal data, and personal information on criminal convictions and offences, which requires a higher level of protection because it is of a more sensitive nature. The special categories of personal information comprise information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and genetic and biometric data.
6.1 Processing’ means doing anything with personal data such as:
6.1.1. collection, recording, organisation, structuring or storage;
6.1.2. adaption or alteration
6.1.3. retrieval, consultation or use;
6.1.4. disclosure by transmission, dissemination or otherwise making available;
6.1.5. alignment or combination; and
6.1.6. restriction, destruction or erasure.
6.2 Personal data may be held by us on paper in a filing system or in electronic format. Your personal information may be stored in different places, including in your client file, in our client management system and in other IT systems, such as the e-mail system.
7.1 Basic Personal Data
7.1.2. Business/Organisation name
7.1.5. Telephone numbers (landline and mobile)
7.2 Further personal information
7.2.1. This includes further information you have given use or we have obtained in communications with you. For example you may make your will with us or give us information about your employment.
Special Category Data
7.3 We do not expect to collect special category data about you for direct marketing.
8.1 We will collect your basic personal information of name, business name, address, email, telephone numbers (landline and/or mobile) in a variety of ways. These will normally be
8.1.1. We meet you in person or talk to you on the phone
8.1.2. You email us or provide other written information
8.1.3. You complete a form on our web site.
8.2 We may collect further personal information about you in a variety of ways. It is collected during discussions about you becoming a client and during the client relationship, either directly from you or sometimes from a third part. It may be collected or created by the either of our partners
8.3 If we meet you in person at our premises during the Covid 19 pandemic we may collect your name the date of the meeting and your telephone number and/or email. We may use these details to contact you in relation to any suspected case of Covid 19 and share the details with the relevant NHS service or as otherwise required by law. We will normally destroy this data 28 days after the meeting.
9.1 We will only collect and use your personal information when the law allows us to. These are known as the legal bases for processing. We will use your personal information for direct marketing in one or more of the following circumstances:
Legitimate Interest – our ground for processing
9.1.1. where it is necessary for our legitimate interests (or those of a third party), and your interests or your fundamental rights and freedoms do not override our (or their) interests. You have the right to challenge our legitimate interests and request that we stop this processing. In the case of using your personal data for direct marketing purposes you have an absolute right to object to us processing your personal data for this purpose at any time. You can use this link to “Update Your Contact Preferences”. See further details of your rights in section 16 below “Your rights in connection with your personal information”.
Your consent – our ground for processing
9.1.2. To be valid your Consent must
9.1.2.a. be freely given, e.g. there is no pressure to agree
9.1.2.b. be for a specific purpose, e.g. to send marketing material
9.1.2.c. be informed e.g. we will explain we want give you information about employment services
9.1.2.d. be an unambiguous indication of your wishes -. it is clear what you agree to and how we can market to you, e.g. you agree we may email you.
9.1.2.e. record your right to refuse consent or withdraw consent at any time
9.1.2.f. record how you withdraw consent.
10.1 Where we are processing your personal data in relation to direct marketing you have the right
10.1.1. To object at any time to us processing your personal data for direct marketing purposes whatever ground for processing we rely on and
10.1.2. where you have provided and we have relied on your consent to the processing of your personal information for a direct marketing you have the right to withdraw your consent for that specific processing at any time. This will not, however, affect the lawfulness of processing based on your consent before its withdrawal.
10.2 If you wish to object to our processing for direct marketing or withdraw your consent, you can please
10.2.1. contact Kirsten Moon our Data Protection Manager post by email or telephone 01233 714055 or
10.2.2. use this link to our web site to “Update Your Contact Preferences”
10.3 Once we have received notification of your object and/or you have withdrawn your consent, we will no longer process your personal information for direct marketing purposes. We will normally acknowledge your request and confirm that marketing will stop
10.4 We will retain your details to ensure that we do not contact you again for marketing purposes. However as you are a client we may retain your personal data for other purposes and you should refer to our Privacy Notice for Clients.
10.5 It is important that the personal information we hold about you is accurate and up to date so that you receive our communications. Please keep us informed if your personal information changes, e.g. you change your email, so that our records can be updated
Time limits on Consent
10.6 As a client we may rely on other grounds than Consent for marketing directly to you. However if we rely on your Consent we will normally consider that your Consent remains valid for contacting you for about 3 years after you cease to be an active client. We may contact before that time to check whether you want to update your contact preferences or unsubscribe. Whenever we contact you for direct marketing we provide you with the opportunity to unsubscribe.
11.1 We will normally send our direct marketing by email. But we may also provide Specific Legal Services Reminders by post or telephone.
11.1.1. However we contact you each time we give you direct marketing material we will tell you who we are, provide you with our contact details and remind you of the right to stop receiving direct marketing material and how to do this.
11.1.2. Where we rely on your consent it must be specific to the method of contacting you e.g. email or post.
11.1.1. If you have registered with the Mail Preference Service we won’t write to by post you unless we have your Consent specific to postal communication
11.1.2. If we contact you by telephone
11.1.2.a. if you have registered with the Telephone Preference Service or Corporate Telephone Preference Service we won’t call you unless we have your Consent and that of the person who receives the telephone bill.
11.1.2.b. we won’t withhold our telephone number.
11.1.2.c. we do not call people who are not clients
11.1.3. However we contact you you have the absolute rightat any time to object to receiving direct marketing from us however we contact you, whatever our ground for direct marketing and whether we require your consent or not. If you give us notice we will stop sending marketing messages as soon as possible and normally within 28 days
11.2 How we contact you depends on what type of client you are and what we want to give you
Individuals partnerships or sole traders we may
11.2.1. email direct market you as an existing client about similar products or services to those we have previously supplied to you e.g. legal services so we may send our
- Legal Updates or
- Specific Invitations or
- Specific Legal Services Reminders
and rely on legitimate interest as our ground for processing your personal data or
11.2.2. email you other direct marketing e.g. if we have your Consent to do so and consent is specific to us emailing you
11.2.3. telephone or contact you by post to direct market you as an existing client about similar products or services to those we have previously supplied to you e.g. our Specific Legal Services Reminders and rely on
11.2.3.a. legitimate interest as our ground for processing that personal data or
11.2.3.b. your Consent to do so where consent is specific to the method we use e.g. post
Limited companies and limited liability partnerships we may
11.2.4. may email you about direct marketing including Specific Legal Services Reminders, Legal Updates and Specific Invitations relying on
11.2.4.a. legitimate interest as our ground for processing that personal data. This includes where we also refer to an individual in the email, (including for example “Hello Jane” or using a corporate personal email e.g. firstname.lastname@example.org or on
11.2.4.b. your Consent to do so where consent is specific to the method we use
11.2.5. telephone or contact you by post to direct market you as an existing client about similar products or services to those we have previously supplied to you e.g. our Specific Legal Services Reminders and rely on
11.2.5.a. legitimate interest as our ground for processing that personal data or
11.2.5.b. your Consent to do so where consent is specific to the method we use
11.2.6. Whatever our ground for processing for direct marketing purposes you have the right to ask us to stop direct marketing to you at any time. We will stop sending marketing messages as soon as possible and normally within 28 days at most.
12.1 For direct marketing purposes we will use your information to send you
12.1.1. Legal updates – these may include reminders about the services we provide in general e.g. that we prepare wills or write employment contracts, offers, information about events we may be involved with and general legal news that you may find interesting. Such updates usually come as
12.1.1.a. the regular edition normally sent out around April and October each year and
12.1.1.b. occasional other special email editions,
12.1.2. Specific invitations by email to events we think you may like to attend. These may be events we attend, host or co-host.
You can choice to have emails about either of the above, both or neither.
12.1.3. Specific Legal Services Reminders –these are specific reminders about specific legal services/products we provide e.g. we may write to remind you how long it is since you wrote your will or suggest that as a business owner it is a good idea to write a will.
12.1.4. You can choice to have emails, letters or telephone calls, any of them, all of them or none.
12.2 We may also process this information to analyse the effectiveness of our marketing, performing effective internal administration and ensuring the smooth running of our business We believe that you have a reasonable expectation as a client that we will process your personal information for these purpose. We believe that our processing for this purpose
12.2.1. will have a minimal impact on your privacy.
12.2.2. you will not be surprised at our use of your personal data for this purpose and
12.2.3. you are not likely to object to use processing your personal data for this purpose
12.3 However whether or not this is the case you have the absolute right at any time to object to receiving direct marketing from us however we contact you, whatever our ground for direct marketing and whether we require your consent or not. If you give us notice we will stop sending marketing messages as soon as possible and normally within 28 days.
13.1 We will only use your personal information for the purposes for which we collected it. If we need to use your personal information for a purpose other than that for which it was collected, before we use it for the new purpose we will provide you with information about the new purpose. We will also explain the legal basis which allows us to process your personal information for the new purpose and we will provide you with any relevant further information. We may also issue a new privacy notice to you.
14.1 Your personal information for direct marketing purposes may be shared internally within Moon & Co between the two partners. We do not use third parties for our direct marketing nor provide your details to third parties for their marketing purposes.
14.2 We use an external IT company to provide certain IT services including
14.2.1. hosting of our website
14.2.2. e-mail services, all emails which are encrypted at source
14.2.3. off site back up to secure mirrored data centres based in the UK
15.1 We have put in place measures to protect the security of your personal information. We have internal policies, procedures and controls in place to try and prevent your personal information from being accidentally lost or destroyed, altered, disclosed or used or accessed in an unauthorised way. In addition, we limit access to your personal information to the partners and any third parties who have a business need to know in order to perform their job duties and responsibilities e.g. IT services. You can obtain further information about these measures from our Data Protection Manager.
15.2 Where your personal information is shared with third-party service providers, we require all third parties to take appropriate technical and organisational security measures to protect your personal information and to treat it subject to a duty of confidentiality and in accordance with data protection law. We only allow them to process your personal information for specified purposes and in accordance with our written instructions and we do not allow them to use your personal information for their own purposes.
15.3 We also have in place procedures to deal with a suspected data security breach and we will notify the Information Commissioner’s Office (or any other applicable supervisory authority or regulator) and you of a suspected breach where we are legally required to do so
16.1 We will only retain your personal information for as long as is necessary to fulfil the purposes for which it was collected and processed, including for the purposes of satisfying any legal, tax, health and safety, reporting or accounting requirements.
16.2 We will generally use your personal information for direct marketing purposes for the duration of your relationship with us as an active client and a further 3 years. The exceptions are:
16.2.1. we will cease processing for direct marketing purposes when you object to us doing so
16.2.2. we will cease processing for direct marketing purposes you withdraw consent to us directly marketing to you
16.2.3. we will continue to market directly to you in relation wills and/or lasting powers of attorney until
16.2.3.a. you object to use doing so or
16.2.3.b. you withdraw consent to us doing so.
16.3 As a client we will retain your personal data (but not for direct marketing) in accordance with our Privacy Notice to clients. If we believe we have another basis for retaining your data and processing it we will notify you.
16.4 Personal information which is no longer to be retained will be securely and effectively destroyed or permanently erased from our IT systems and we will also require third parties to destroy or erase such personal information where applicable.
16.5 In some circumstances we may anonymise your personal information so that it no longer permits your identification. In this case, we may retain such information for a longer period.
17.1 It is important that the personal information we hold about you is accurate and up to date. Please keep us informed if your personal information changes we cannot be held responsible for any errors in your personal information in this regard unless you have notified us of the relevant change.
17.2 As a client and data subject whose data we are processing in relation to direct marketing you have a number of statutory rights. It is possible that at times your rights in relation to your personal data held by us in relation to you being a client will be different to your rights relating personal data used for direct marketing. Subject to certain conditions, and in certain circumstances, you have the rights relating your personal data as set out in this Privacy Notice and the right to:
17.2.1. information about what personal data we process, how and on what basis as set out in this notice
17.2.2. request access to your personal information – this is usually known as making a data Subject Access Request (see below)
17.2.3. request rectification of your personal information – this enables you to have any inaccurate or incomplete personal information we hold about you corrected To do you should contact Kirsten Moon
17.2.4. request the erasure of your personal information – this enables you to ask us to delete or remove your personal information where we were not entitled under the law to process it or it is no longer necessary to process it for the purpose it was collected and we have no legal obligation to keep it. To do so you should contact Kirsten Moon.
17.2.5. apply for the use of your data to be restricted while you are requesting that your personal data is corrected or erased or are contesting the lawfulness of our processing. To do so you should contact Kirsten Moon.
17.2.6. object to us processing your personal data where we are relying on a legitimate interest to do so and you think that your rights and interests outweigh our own (or the third parties) and you wish us to stop. When you inform us in writing unless we have a compelling reason for continuing to do so we will stop using this personal data for that purpose as soon as practical and in any event within 28 days of your objection.
17.2.7. You have the right to object if we process your personal data for the purposes of direct marketing.
17.2.8. data portability – this gives you the right to request the transfer of your personal data to another party so that you can reuse it across different services for your own purposes. We will not charge for this and will in most cases aim to do this within one month.
17.2.9. You have the right to be notified of a data security breach concerning your personal data if the breach is likely to result in a high risk of adversely affecting your individual rights and freedoms
17.2.10. In circumstances where you have provided your consent to the processing of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. This will not, however, affect the lawfulness of processing based on your consent before its withdrawal. If you wish to withdraw your consent, please contact our Kirsten Moon our Data Protection Manager. Once we have received notification that you have withdrawn your consent, we will no longer process your personal information for the purpose you originally agreed to, unless we have another legal basis for processing.
17.3 If you wish to exercise any of these rights, please email Kirsten Moon (email@example.com) our Data Protection Manager or call her on 01233 714055.
18.1 Data subjects can make a ‘subject access request’ (‘SAR’) to find out the information we hold about them and it enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
18.1.1. We must respond within one month unless the request is complex or numerous in which case the period in which we must respond can be extended by a further two months. There is no fee for making a SAR. However, if your request is manifestly unfounded or excessive we may charge a reasonable administrative fee or refuse to respond to your request.
18.1.2. For your convenience and ours we provide a form which you can use to make an SAR. You can get this form from Kirsten Moon our data protection Manager. You do not need to use the form to make an SAR but should still contact the Kirsten Moon.
18.1.3. We may need to request specific information from you in order to verify your identity and check your right to access the personal information or to exercise any of your other rights. This is a security measure to ensure that your personal information is not disclosed to any person who has no right to receive it.
18.2 As part of an SAR you have the right to
18.2.1. confirmation as to whether or not your personal data are being processed by Moon & Co,
18.2.2. access to copies of your specified personal data, and
18.2.3. the following supplementary information:
18.2.4. the purposes of the processing
18.2.5. the categories of personal data concerned
18.2.6. the recipients, or categories of recipients, to whom your personal data have been or will be disclosed, in particular recipients in non-EEA countries
18.2.7. where possible, the envisaged period for which your personal data will be stored, or, if not possible, the criteria used to determine that period
18.2.8. the existence of your right to request rectification or erasure of your personal data or restriction of processing of your personal data or to object to such processing
18.2.9. your right to lodge a complaint with the Information Commissioner’s Office
18.2.10. where your personal data are not collected from you, any available information as to their source
18.2.11. the existence of automated decision making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you
18.2.12. where your personal data are transferred to a non-EEA country, what appropriate safeguards are in place relating to the transfer.
18.3 We will provide you with the data in written form. If you wish this will be provided in appropriate electronic form
19.1 We will not transfer your personal information to countries outside the European Economic Area.
20.1 Automated decision making occurs when an electronic system uses your personal information to make a decision without human intervention. We do not use automated decision making for direct marketing.
21.1 We reserve the right to update or amend this Privacy Notice at any time, including where we intend to further process your personal information for a purpose other than that for which the personal information was collected or where we intend to process new types of personal information. We will issue you with a new Privacy Notice when we make significant updates or amendments. We may also notify you about the processing of your personal information in other ways.
22.1 As well as this Privacy Notice we have a:-
22.1.1. Data Protection Policy – setting out how we should deal with data subjects personal data
22.1.2. A Privacy Notice for Clients in relation to Legal Services
22.1.3. A Privacy Notice for Contacts relating to Direct Marketing.
Copies are available on request from our Data Protection Manager
23.1 If you believe that we have not complied with your data protection rights, or our Privacy Notices are not being followed in respect of personal data we hold about you, you should raise the matter with Kirsten Moon our Data Protection Manager.
23.2 Whether or not you raise the issue with us you have the right to make a complaint to the Information Commissioner’s Office (ICO) at any time. The ICO is the UK supervisory authority for data protection issues. Full contact details including a helpline number can be found on the Information Commissioner’s Office website www.ico.org.uk. This website has further information on your rights and our obligations.
For more about what you can do, see our