This privacy notice relates specifically to Moon & Co Solicitors processing personal data of clients, former clients and prospective clients in relation to providing legal services.
Data Protection Manager: Kirsten Moon, partner, Applewood House, The Hill, Charing, Kent; email email@example.com; telephone 01233 714055
Moon & Co Solicitors are the data controller in this Privacy Notice.
This privacy notice applies to all clients and former clients. It also applies to anyone enquiring about legal services who hasn’t yet become a client but who gives us personal data in relation to potentially getting legal advice. If you fall into this category then you are a ‘data subject’ for the purposes of this Privacy Notice and we will refer to you here as a “client”.
We do not provide services to children or people under 16. We may collect data relating to children as part of the provision of legal services to adults.
Separate Privacy Notices deal with how we process data for Direct Marketing, e.g. sending you our newsletters. If you want information about that, please look at them:
“Privacy Notices – Direct Marketing to Contacts”.
“Privacy Notices – Direct Marketing to Clients”.
We need some personal information, or personal data, about you when you become a client. Some information relates to advising you and some to running our business. We may need to keep some information even after you stop being our client.
This Privacy Notice explains our duties to you in relation to that data and your rights. It includes why we want data, what we do with it, who can see it, how we protect it and what you can require us to do with it. By law we have to give you a lot of this information and explain why we have a legal right to use your data.
This notice is long and so we have added some headings and a “Table of Contents” to help you find what you are looking for. However, if there is anything you don’t understand or you have any questions about this Privacy Notice or about how we handle your personal information, you can telephone Kirsten Moon, our data protection manager, on 01233 714055 or email her. She oversees compliance with this privacy notice and deals with any queries. Her contact details are at the top of this privacy notice.
Table of Contents
1 Overview
2 Data protection principles
3 What is a data controller?
4 What is a data processor?
5 What is personal data?
6 What is special category personal data?
7 What amounts to processing personal data?
8 What types of personal data do we collect about you
9 What types of special category personal data do we collect about you?
10 How do we collect your personal information?
11 Why and how do we use your personal information?
12 Why and how do we use your sensitive personal information?
13 Summary of data use
14 What if you fail to provide personal information?
15 Change of purpose
16 Who has access to your personal information?
17 How do we protect your personal information?
18 For how long do we keep your personal information?
19 Your rights in connection with your personal data
20 Complaints
21 Transferring personal information outside the European Economic Area
22 Automated decision making
23 Changes to this Privacy Notice
24 Other Privacy Notices and Policies
1 Overview
1.1 We take the security and privacy of your data seriously. We collect and process personal information, or personal data, relating to clients as part of our business and to manage the service we provide to you.
1.2 We are committed to being transparent about how we handle your personal information, to protecting the privacy and security of your personal information and to meeting our data protection obligations under the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018, “DPA 2018”.
1.3 This Privacy Notice applies to all current and former clients and anyone providing us with personal information with a view to obtaining legal advice. If you fall into one of these categories then you are a ‘data subject’ for the purposes of this Privacy Notice and we will refer to you here as a Client. However giving us information purely as a result of an enquiry e.g. in a contact form, will not create a solicitor-client relationship between us. We will only form a solicitor-client relationship when we accept your instructions and complete the necessary formalities.
1.4 Where there is no solicitor-client relationship, information you give us may not be privileged. This means it may be disclosable in legal proceedings.
1.5 This Privacy Notice is not contractual and does not form part of any contract we have with you.
1.6 We intend this to fully comply with the 2018 Act and the GDPR. If there is any conflict between those laws and this notice, we intend to comply with the 2018 Act and the GDPR.
2 Data protection principles
2.1 Under the GDPR, personal data must be processed in accordance with six ‘Data Protection Principles’. The personal information we hold about you must be:
• Processed lawfully, fairly and transparently.
• Collected only for legitimate purposes that have been clearly explained to you and not further processed in a way that is incompatible with those purposes.
• Adequate, relevant and limited to what is necessary in relation to those purposes.
• Accurate and, where necessary, kept up to date. Any inaccurate data must be deleted or rectified without delay.
• Where you can be identified from the information the data must not be kept longer than is necessary for those purposes.
• Processed securely.
We are responsible for, and must be able to demonstrate compliance with, these principles. This is called accountability.
3 What is a data controller?
3.1 We are a ‘data controller’ for the purposes of your personal data. This means that we determine the purpose and means of the processing of your personal data.
4 What is a data processor?
4.1 “Data processors” generally means anybody (other than an employee of the data controller) who processes the data on behalf of a data controller in accordance with the data controller’s instructions.
5 What is personal data?
5.1 “Personal data” means information which relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information which is likely to come into our possession. It includes any expression of opinion about the person and an indication of the intentions of us or others, in respect of that person. It doesn’t include anonymised data, i.e. where all identifying particulars have been removed.
6 What is special category personal data?
6.1 There are also “special categories” of personal data, and personal information on criminal convictions and offences, which requires a higher level of protection because it is of a more sensitive nature. The special categories of personal information comprise information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and genetic and biometric data.
7 What amounts to processing personal data?
7.1 ‘Processing’ means doing anything with personal data such as:
7.1.1 collection, recording, organisation, structuring or storage;
7.1.2 adaption or alteration;
7.1.3 retrieval, consultation or use;
7.1.4 disclosure by transmission, dissemination or otherwise making available;
7.1.5 alignment or combination; and
7.1.6 restriction, destruction or erasure.
7.2 This includes processing personal data which forms part of a paper filing system and any electronic processing. Your personal information may be stored in different places, including in your client file, in our client management system and in other IT systems, such as the e-mail system.
8 What types of personal data do we collect about you
8.1 We collect, use and process a range of personal information about you. The exact information will depend on the type of work we do for you. We have set out below data we are likely to hold for all clients and then examples of typical data we hold depending on the type of work we do grouped together as.
Identity and Contact Information –
8.2 Data we are likely to hold about all clients:
• your contact details, including your full name, previous names, user or other identifier, relationship status, title, date of birth, gender, job title, employer, address, telephone number and personal e-mail address
• information to enable us to check your identity e.g. passport, driving licence, utility bill, bank statement
• technical data relating to any use of our website including IP address, and use of our website.
8.3 Typical data we may process in relation to Employment Law related matters
• information about you, your job and your business,
• partnership and company shareholding details
• financial information including income, tax, NI, expenditure, benefits expenses, pension
• education and qualification, including driving qualifications.
• employment contract terms including right to work information
• lifestyle and social information
• disciplinary and grievances
• discrimination and other issues relating to marital or civil partnership status, pregnancy, maternity, parental status, age, disability, religion or beliefs, colour, ethnic or national origin, sex, sexual orientation or gender reassignment
We may also process similar data about third parties in relation to employment matters for example
• Employees of your business
• Fellow workers
• family members and dependents,
8.4 Typical data we may process in relation to Private Client Law including wills, trusts, probate and lasting powers of attorney.
• Information about assets including money, shares, land and property, interest in trusts, partnerships, insurances, debts, loans, pensions and gifts made.
• Tax information and status
• Details relating to a divorce or separation
• Funeral wishes
We may also process similar data about third parties in relation to private client matters for example
• Beneficiaries including name, date of birth, and address of children, civil partner, former civil partner, spouse, former spouse and other beneficiaries,
8.5 This includes bank account details.
8.6 We may also collect information about your preferences in relation to us marketing to you. Details are set out in our Privacy Notice – Direct Marketing Clients.
8.6.1 In summary, “Direct Marketing” means the communication (by whatever means) of advertising or marketing material which is directed to particular individuals. This includes the promotion of aims and ideals as well as the sale of products and services. We may wish to provide information and reminders about the services we provide, e.g. that we prepare wills or write employment contracts, offers, information about or invitations to events we may be involved with and general legal news that you may find interesting. We do not provide your details to third parties for marketing purposes or for any other purpose without your consent. Subject to preferences you express we may contact you by post, phone or email. However we contact you, you have the absolute right at any time to object to receiving direct marketing from us, whatever our ground for direct marketing and whether we require your consent or not. If you give us notice we will stop sending marketing messages as soon as possible and normally within 28 days.
Technical and Web Use Data relating to our web site
8.7 If you interact through our web site we may collect your IP address (internet protocol address), browser type and associated information, time zone/location, operating system used by the device you use to connect to the site. We may also collect information about how you use our web site.
9 What types of special category personal data do we collect about you?
9.1 We may also collect, use and process special categories of your personal information, including criminal conviction data, as applicable. The exact information will depend on the type of work we do for you. We have set out below data we are likely to hold depending on the type of work we do grouped together as.
Sensitive Service Data
Employment Law related matters
• information about your health, including any medical conditions and disability,
• information about your racial or ethnic origin, religious or philosophical beliefs
• sex life or sexual orientation
• trade union membership
• information about criminal convictions and offences
Private Client Law related matters including wills, probate and lasting powers of attorney.
• information about your health, including any medical conditions, and disability
• information about your racial or ethnic origin, religious or philosophical beliefs and sexual orientation
• any other category of special category personal data which we may notify you of from time to time.
10 How do we collect your personal information?
10.1 We may collect personal information about you orally or in writing in a variety of ways including post, telephone, meetings and email. These are common examples:
10.1.1 From you when becoming a client and during the client relationship.
10.1.2 From third parties or publicly available sources, such as:
10.1.2.a an employer, or family member
10.1.2.b from other external third parties, such as financial institutions, former employers, background check providers, your attorney
10.1.2.c organisations that have referred you to us such as a financial advisor or bank
10.1.3 It may also be created by us.
10.2 We may collect personal information about third parties from you in a variety of ways and these are common examples
10.2.1 Your employees or fellow employees in connection with an employment dispute
10.2.2 Family members, executors, beneficiaries, trustees, attorneys
10.3 When you provide us with personal information about third parties e.g. family members/employees you must
10.3.1 ensure that in doing so you comply with data protection legislation in particular that you have a legal basis for processing that data, have complied where necessary with your duty to give notices to the data subject and have a legal right to disclose the same to us
10.3.2 ensure that the information is accurate
10.4 Whilst some of the personal information you provide to us is mandatory and/or is a statutory or contractual requirement, some of it you may be asked to provide to us on a voluntary basis. We will inform you whether you are required to provide certain personal information to us or if you have a choice in this.
11 Why and how do we use your personal information?
11.1 We will only use your personal information when the law allows us to. These are known as the legal bases for processing. We will use your personal information in one or more of the following circumstances:
11.1.1 where we need to do so to perform the client contract we have with you “Contract”
11.1.2 where we need to comply with a legal obligation “Legal Obligation”
11.1.3 where it is necessary for our legitimate interests (or those of a third party), and your interests or your fundamental rights and freedoms do not override our (or their) interests “Legitimate Interest”. You have the right to challenge our legitimate interests and request that we stop this processing on this basis. See details of your rights in section 17 “Your rights in connection with your personal information”
• Our legitimate interests include: performing or exercising our obligations or rights under the direct relationship that exists between us; pursuing our client business; performing effective internal administration and ensuring the smooth running of the business; ensuring the security and effective operation of our systems and network; protecting our confidential information; conducting due diligence on clients; and registration of a will or codicil we have prepared for you with the national will registry Certainty or other specified will register. We believe that you have a reasonable expectation, as our client, that we will process your personal information for this.
11.1.4 We do not generally rely on the ground of your consent to our processing your personal data. This may be relevant in relation to Direct Marketing
11.1.4.b To be valid the consent must be freely given, specific, informed and there must be an unambiguous indication of the individual’s wishes. There must be (save in limited circumstances related to direct marketing) a positive opt in.
11.1.4.c In the limited circumstances where our processing of your personal information is for a specific purpose and is based on your consent, you have the right to withdraw your consent for that specific processing at any time. This will not, however, affect the lawfulness of processing based on your consent before its withdrawal. Once we have received notification that you have withdrawn your consent, we must no longer process your personal information for the purpose you originally agreed to, unless we have another legal basis for processing and notify third parties and get them to stop processing.
11.1.5 In rare circumstances where it is necessary to protect your vital interests (or someone else’s vital interests) and you/they are physically or legally incapable of giving consent, e.g. a medical emergency
Examples of when we might process your personal data
11.2 We want your personal information primarily when it is relevant to providing you with the legal services you want. For example
11.2.1 advising you, preparing documents, completing agreements or dealing with courts and tribunals or attending hearings.
11.2.2 liaising with any external experts including barristers, other solicitors, accountants, medical advisors, trustees, attorneys, deputies,
11.2.3 liaising with any external benefit or service providers such as pension providers or insurers, financial institutions
11.2.4 liaising with tax authorities and ensuring compliance with tax law and requirements e.g. tax payable on estates or trusts.
11.2.5 registering your will with the National Will Register Certainty or other will register
11.2.6 maintaining a track and trace register of clients or contacts we meet in respect of the Covid 19 pandemic (name, date of meeting and telephone number and/or email). We may use these details to contact you in relation to any suspected case of Covid 19 and to inform the relevant NHS service or as otherwise required by law.
11.3 We also have to process your personal data for various other reasons during your relationship with us as a client and even following the end of that relationship. These include:
11.3.1 to enable us to maintain accurate and up-to-date client records and contact details
11.3.2 comply with statutory and/or regulatory requirements and obligations, e.g. checking your identity in relation to money laundering and anti-fraud legislation
11.3.3 check for conflicts of interest
11.3.4 prevent fraud and other criminal offences
11.3.5 administer the contract we have entered into with you and respond to any concerns, or complaints
11.3.6 make decisions about how we provide our services to you and the advice we give you
11.3.7 ensure compliance with your statutory and contractual rights
11.3.8 ensure you are charged correctly
11.3.9 manage, plan and organise work
11.3.10 ensure network and information security and prevent unauthorised access and modifications to systems to protect you, and others
11.3.11 ensure effective personnel management and business administration, including accounting and auditing
11.3.12 ensure adherence to the firm’s and our regulators’ rules, policies and procedures
11.3.13 enable us to establish, exercise or defend possible legal claims
11.4 Please note that we may process your personal information without your consent, in compliance with these rules, where this is required or permitted by law.
11.5 We will only use your personal information for the purposes for which we collected it. We will not use your personal data for an unrelated purpose without telling you about it and the legal basis that we intend to rely on for processing it. We may notify you of other reasons from time to time.
12 Why and how do we use your sensitive personal information?
12.1 We will only collect and use your sensitive personal information, which includes special categories of personal information and information about criminal convictions and offences, when the law allows us to. We will normally process this personal information without your consent, in compliance with these rules, where this is required or permitted by law in the following circumstances
12.1.1 the processing of special categories of personal information is necessary for the establishment, exercise or defence of legal claims or
12.1.2 the processing of criminal convictions and offences is necessary for the purpose of,
12.1.2.a or in connection with, any legal proceedings (including prospective legal proceedings),
12.1.2.b obtaining legal advice, or
12.1.2.c establishing, exercising or defending legal rights
12.2 We may on rare occasions process special category personal information and information about criminal convictions and offences without your consent
12.2.1 where you have made the data public;
12.2.2 where it is necessary to protect your vital interests (or someone else’s vital interests) and you/they are physically or legally incapable of giving consent, e.g. a medical emergency
12.3 We may also process your sensitive personal information, which includes special categories of personal information and information about criminal convictions and offences where we have your explicit written consent. In this case, we will first provide you with full details of the personal information we would like and the reason we need it, so that you can properly consider whether you wish to consent or not. It is entirely your choice whether to consent. Your consent can be withdrawn at any time by contacting Kirsten Moon the data protection manager.
Examples of when we might process your special category personal data
12.4 The purposes for which we are processing will normally relate to the type of service we provide to you. For example, these special categories of your personal information may relate to a disability and advice about disability discrimination, or you may provide us with health information or religious belief if you are writing your will. However, the purposes for which we are processing, or will process, these special categories of your personal information, and information about any criminal convictions and offences, will also include where we need to:
12.4.1 comply with statutory and/or regulatory requirements and obligations, e.g. checking your identity in relation to money laundering and anti-fraud legislation
12.4.2 comply with insurer requirements
12.4.3 ensure compliance with your statutory and contractual rights
12.4.4 ensure adherence to the firm’s and regulators’ rules, policies and procedures
12.4.5 monitor equal opportunities
12.4.6 enable us to establish, exercise or defend possible legal claims.
13 Summary of data use
14 What if you fail to provide personal information?
14.1 If you fail to provide certain personal information when requested or required, we may not be able to perform the contract we have entered into with you, or we may be prevented from complying with our legal obligations. We may then have to stop providing a service to you but we will notify you if this is the case at that time. You may also be unable to exercise your statutory or contractual rights.
15 Change of purpose
15.1 We will only use your personal information for the purposes for which we collected it. If we need to use your personal information for a purpose other than that for which it was collected, before we use it for the new purpose we will provide you with information about the new purpose. We will also explain the legal basis which allows us to process your personal information for the new purpose and we will provide you with any relevant further information. We may also issue a new Privacy Notice to you.
16 Who has access to your personal information?
16.1 Your personal information may be shared internally within Moon & Co between the two partners. It is possible that at some time we may employ other legally qualified staff to assist with your matter and we would normally provide you with that information at the time.
16.2 We may share your personal information with third parties where it is necessary to administer the contract we have entered into with you, where we need to comply with a legal obligation, or where it is necessary for our legitimate interests (or those of a third party), or with legal and other professional advisors where it is needed to establish, exercise or defend possible legal claims.
16.3 For example in relation to the legal services we provide to you we may share your personal information with third-party service providers (and their designated agents) including
16.3.1 Court or tribunals
16.3.3 Office of the public guardian
16.3.4 Legal experts e.g. barristers
16.3.5 Non legal experts e.g. accountant, medical advisor, independent financial advisors
16.3.9 Land Registry
16.3.10 Companies House
16.3.11 Insurance company
16.3.12 Care providers
16.3.13 Pension provider
16.3.14 Regulators e.g. Care Quality Commission, Financial Conduct Authority,
16.3.15 Financial institution
16.3.16 HMRC or other government agency
16.4 For example in relation to running our business or to otherwise comply with the law we may share your personal information with third-party service providers (and their designated agents) including:
16.4.1 external organisations for the purposes of conducting money laundering or other background checks
16.4.2 regulators such as the Solicitors Regulation Authority, the Information Commissioner, or Financial Conduct Authority
16.4.3 police or other law enforcement agency
16.4.4 external accountant and auditor, banks and financial institutions
16.4.5 professional indemnity insurers
16.4.6 external IT services
16.4.7 professional advisers, such as other lawyers and accountants.
16.4.8. For example, in relation to track and trace data in relation to the Covid 19 pandemic, we may share the details with the relevant NHS service or as otherwise required by law.
17 How do we protect your personal information?
17.1 We have put in place measures to protect the security of your personal information. We have internal policies (including a Data Security Policy), procedures and controls in place aimed at preventing your personal information from being accidentally lost or destroyed, altered, disclosed or used or accessed in an unauthorised way. In addition, we limit access to your personal information to the partners and those agents, contractors and other third parties who have a business need to know in order to perform their job duties and responsibilities. You can obtain further information about these measures from our Data Protection Manager.
17.2 Where your personal information is shared with third-party service providers (e.g. our IT service provider or our accountant), we require all third parties to take appropriate technical and organisational security measures to protect your personal information and to treat it subject to a duty of confidentiality and in accordance with data protection law. We only allow them to process your personal information for specified purposes and in accordance with our written instructions and we do not allow them to use your personal information for their own purposes.
17.2.1 Where reasonably possible we will sign data processing agreements with third parties. However, this may not prove practical, particularly in relation to large service providers such as HMRC and banks. In most cases they will be Data Controllers in their own right in relation to you, but please be aware of this anomaly. We will assume that you accept this if you wish us to continue providing our legal service, so you should notify us if this is an issue and make further enquiries with our Data Protection Manager if you have concerns.
17.3 As part of our procedure for protecting personal data we do not disclose the name of our IT service providers or other details of our security systems. If you want further information please ask and we will provide more information unless we consider that might put security at risk.
17.4 We also have in place procedures to deal with a suspected data security breach and we will notify the Information Commissioner’s Office (or any other applicable supervisory authority or regulator) and you of a suspected breach where we are legally required to do so.
18 For how long do we keep your personal information?
18.1 We will only retain your personal information (including special category information or criminal conviction data) for as long as is necessary to fulfil the purposes for which it was collected and processed, including for the purposes of satisfying any legal, tax, health and safety, reporting or accounting requirements.
18.2 We will generally hold your personal information for the duration of your relationship with us as an active client and a further 7 years. We will hold personal information longer if exceptions apply:
18.2.2 Wills and lasting powers of attorney and files relating to the preparation of these documents will be kept indefinitely.
18.2.3 Trust records until the trust (and associated trusts) are wound up plus 7 years
18.2.4 Probate files may be needed in relation to a surviving spouse or civil partner (e.g. inheritance tax allowances). They will therefore be kept until 7 years after the death and administration of the estate of the surviving spouse/civil partner.
18.2.5 Deeds relating to unregistered property will be kept indefinitely
18.2.6 minimum statutory or other legal, tax, health and safety, reporting or accounting requirements for particular data or records requiring us to keep the data longer, and
18.2.7 the retention of some types of personal information for up to twelve years to protect against legal risk, e.g. if they could be relevant to a possible legal claim in a tribunal, County Court or High Court.
18.2.8 data collected for the purposes of track and trace in relation to the Covid 19 pandemic will normally be destroyed 28 days after the meeting with you which it relates to.
18.3 Where relevant we may thin out our files to remove information, which is not relevant to the above exceptions, seven years after you cease to be an active client so that we only continue to retain for a longer period what is strictly necessary.
18.4 Personal information which is no longer to be retained will be securely and effectively destroyed or permanently erased from our IT systems and we will also require third parties to destroy or erase such personal information where applicable.
18.5 In some circumstances we may anonymise your personal information so that it no longer permits your identification. In this case, we may retain such information for a longer period.
19 Your rights in connection with your personal data
19.1 It is important that the personal information we hold about you is accurate and up to date. Please keep us informed if your personal information changes, e.g. you change your home address, so that our records can be updated. This is particularly important if we hold original documents such as your will, enduring power of attorney, lasting power of attorney or property documents. We cannot be held responsible for any errors in your personal information in this regard unless you have notified us of the relevant change.
19.2 As a data subject, you have a number of statutory rights. Subject to certain conditions, and in certain circumstances, you have the right to:
19.2.1 information about what personal data we process, how and on what basis as set out in this notice
19.2.2 request access to your personal information – this is usually known as making a data Subject Access Request (see below)
19.2.3 request rectification of your personal information – this enables you to have any inaccurate or incomplete personal information we hold about you corrected. To do so you should contact Kirsten Moon.
19.2.4 request the erasure of your personal information – this enables you to ask us to delete or remove your personal information where we were not entitled under the law to process it or it is no longer necessary to process it for the purpose it was collected and we have no legal obligation to keep it. To do so you should contact Kirsten Moon.
19.2.5 apply for restrictions on the use of your data while you are requesting that your personal data is corrected or erased or are contesting the lawfulness of our processing. To do so you should contact Kirsten Moon.
19.2.6 object to us processing your personal data where we are relying on a legitimate interest to do so and you think that your rights and interests outweigh our own (or the third party’s) and you wish us to stop. When you inform us in writing, unless we have a compelling reason for continuing to do so, we will stop using this personal data for that purpose as soon as practical and in any event within 28 days of your objection.
19.2.6.a You have the right to object at any time if we process your personal data for the purposes of direct marketing. For more information on Direct Marketing see our Direct Marketing Privacy Notices for Clients.
19.2.7 data portability – this gives you the right to request the transfer of your personal data you gave us and consented to us using, to another party so that you can reuse it across different services for your own purposes. We will not charge for this and will in most cases aim to do this within one month.
19.2.8 You have the right to be notified of a data security breach concerning your personal data if the breach is likely to result in a high risk of adversely affecting your individual rights and freedoms.
19.2.9 In the circumstances where you have provided your consent to the processing of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. This will not, however, affect the lawfulness of processing based on your consent before its withdrawal. If you wish to withdraw your consent, please contact Kirsten Moon our Data Protection Manager. Once we have received notification that you have withdrawn your consent, we will no longer process your personal information for the purpose you originally agreed to, unless we have another legal basis for processing.
19.3 If you wish to exercise any of these rights, please contact Kirsten Moon our Data Protection Manager.
19.4 The data subject rights set out at section 19.2 are modified in the case of clients’ or third party data subjects’ data where the processing of their data:
19.4.1 is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
19.4.2 is necessary for the purpose of obtaining legal advice, or
19.4.3 is otherwise necessary for the purposes of establishing, exercising or defending legal rights
Subject Access Request
19.5 Data subjects can make a ‘subject access request’ (‘SAR’) to find out the information we hold about them and it enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
19.5.1 We must respond within one month unless the request is complex or numerous in which case the period in which we must respond can be extended by a further two months. There is no fee for making a SAR. However, if your request is manifestly unfounded or excessive we may charge a reasonable administrative fee or refuse to respond to your request.
19.5.2 For your convenience and ours we provide a form which you can use to make an SAR. You can get this form from our web site or Kirsten Moon our Data Protection Manager. However you do not need to use the form to make an SAR but should still contact the Data Protection Manager.
19.5.3 We may need to request specific information from you in order to verify your identity and check your right to access the personal information or to exercise any of your other rights. This is a security measure to ensure that your personal information is not disclosed to any person who has no right to receive it.
As part of an SAR you have the right to
• confirmation as to whether or not your personal data are being processed by us,
• access to copies of your specified personal data, and
• the following supplementary information:
• the purposes of the processing
• the categories of personal data concerned
• the recipients, or categories of recipients, to whom your personal data have been or will be disclosed, in particular recipients in non-EEA countries
• where possible, the envisaged period for which your personal data will be stored, or, if not possible, the criteria used to determine that period
• the existence of your right to request rectification or erasure of your personal data or restriction of processing of your personal data or to object to such processing
• your right to lodge a complaint with the Information Commissioner’s Office
• where your personal data are not collected from you, any available information as to their source
• the existence of automated decision making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you
• where your personal data are transferred to a non-EEA country, what appropriate safeguards are in place relating to the transfer.
• We will provide you with the data in written form. If you wish, this will be provided in appropriate electronic form.
20.1 If you believe that we have not complied with your data protection rights, or our Privacy Notices are not being followed in respect of personal data we hold about you, you should raise the matter with Kirsten Moon our Data Protection Manager. If the matter is not resolved to your satisfaction, it should be raised as a complaint under our Complaints Procedure, a copy of which is provided to you when you become a client, is available here on our web site or will be provided if you request a copy from Kirsten Moon our Data Protection Manager.
20.2 Whether or not you raise the issue with us you have the right to make a complaint to the Information Commissioner’s Office (ICO) at any time. The ICO is the UK supervisory authority for data protection issues. Full contact details including a helpline number can be found on the Information Commissioner’s Office website (www.ico.org.uk). This website has further information on your rights and our obligations.
21 Transferring personal information outside the European Economic Area
21.1 We do not envisage transferring your personal information to countries outside the European Economic Area. If this position changes we will change this Privacy Notice.
21.2 If we or any third parties with whom we share personal information were to transfer data outside the EU (other than to a country which the EU considers has adequate data protection), we would require the recipients to take appropriate measures to protect such data. The measures would be consistent with the requirements of the GDPR, for example an appropriate approved data transfer agreement. Details of such transfers and measures would be available from our Data Protection Manager.
22 Automated decision making
22.1 Automated decision making occurs when an electronic system uses your personal information to make a decision without human intervention. We do not envisage that any decisions will be taken about clients based on automated decision making. However, we will notify you in writing if this position changes.
23 Changes to this Privacy Notice
23.1 We reserve the right to update or amend this Privacy Notice at any time, including where we intend to further process your personal information for a purpose other than that for which the personal information was collected or where we intend to process new types of personal information. We will issue you with a new Privacy Notice when we make significant updates or amendments. We may also notify you about the processing of your personal information in other ways.
24 Other Privacy Notices and Policies
24.1 As well as this Privacy Notice for Clients and Former Clients we have:
• A “Privacy Notice – Direct Marketing to Contacts”
• A “Privacy Notice – Direct Marketing to Clients”.
24.2 Other policies which relate to personal data include our
24.2.1 Data Protection Policy for partners (and any other staff) – setting out how we should deal with other data subjects’ personal data
24.2.2 Data Security Policy
24.3 Generally these documents can be obtained from our web site or Kirsten Moon our data protection manager. However we will not disclose full details of our security measures/policy where that might put security at risk.
Moon & Co September 2020