Data Protection Policy


Moon & Co is a data controller registered under the General Data Protection Regulations and the Data Protection Act 2018 (“DPA”). Kirsten Moon is the Data Protection Manager. This data protection policy is directed mainly at us, to tell us how to deal with data.


    1        Definitions

    1.1           In this policy, the following words and phrases have the following meanings:

    1.1.1        “Contacts” means “data subjects” other than Clients whose personal data we process.

    1.1.2        “Client” means all current and former clients and anyone providing the Firm with personal information with a view to obtaining legal advice, although giving us information purely as a result of an enquiry, e.g. in a contact form or telephone enquiry, will not create a solicitor-client relationship between us.

    1.1.3        “Consent” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify their agreement to the processing of personal data relating to them.

    1.1.4        “Criminal records personal data” means personal data relating to criminal convictions and offences and personal data relating to criminal allegations and proceedings.

    1.1.5        “Data protection legislation” means the EU General Data Protection Regulation (GDPR), the Data Protection Act 2018 and any other applicable primary or secondary legislation as may be in force in the UK from time to time.

    1.1.6        “Data controller” means Moon & Co Solicitors (“the Firm”), which is a data controller for the purposes of personal data it receives about prospective clients, clients, former clients, contacts, suppliers, their employees and other third parties we deal with, where we determine the purpose and means of the processing of that personal data.

    1.1.7        “Data Protection Manager” means Kirsten Moon, a partner, whom the Firm has appointed as data protection manager to oversee compliance with this Data Protection Policy. If you have any questions about this Policy or about how we handle personal information, please contact her at Applewood House, The Hill, Charing, Kent, by email at kirsten@moon-and-co.co.uk, or by telephone on 01233 714055.

    1.1.8        “Data subject” means a living identified or identifiable individual about whom the firm holds personal data.

    1.1.9        “Staff” means any partner, employee, worker, agency worker, apprentice, intern, volunteer, contractor or consultant employed or engaged by the Firm.

    1.1.10     “Personal data” is any information relating to a data subject who can be identified (directly or indirectly) either from those data alone or by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that data subject. It excludes anonymised data, i.e. where all identifying particulars have been removed.

    1.1.11     “Processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collecting, recording, organising, structuring, storing, adapting, altering, retrieving, using, disclosing, disseminating, restricting, erasing or destroying. It also includes transmitting or transferring personal data to third parties.

    1.1.12     “Third Party” means other data processors or data controllers who may process data on our behalf, or to whom we have provided Contacts’ or Clients’ personal data in accordance with the Data Protection Policy or our Privacy Notices.

    1.1.13     “Special categories of personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data, data concerning the physical or mental health of a data subject or data concerning a data subject’s sex life or sexual orientation.

    2        Introduction

    2.1          This policy sets out how the Firm processes the personal data of data subjects, including the personal data of the partners and the personal data of prospective clients, clients, former clients, contacts, suppliers, their employees and other third parties.

    2.2          The Firm takes the security and privacy of personal data seriously. The Firm is committed to being clear and transparent about how we collect and use personal data and to complying with our data protection obligations. Protecting the confidentiality, security and integrity of the personal data that we process is also of paramount importance to our business operations. The Firm will process personal data relating to anyone in accordance with this policy, the data protection legislation and its latest privacy notices. The Firm issues the following Privacy Notices:

    ·                   Privacy Notices for Clients and former clients

    ·                   Privacy Notices for Clients – Direct Marketing

    ·                   Privacy Notice for Contacts – Direct Marketing

    2.3          This policy applies to all personal data that we process, regardless of the media on which those personal data are stored, e.g. electronically, on paper or on other materials. The personal information may be stored in different places, including in client files, accounts, and in other IT systems, such as the e-mail system.

    2.4          This policy applies to all Staff. It is non-contractual and does not form part of any employment contract, casual worker agreement, consultancy agreement or any other contract for services.

    2.5          Staff must always comply with it when processing personal data on the Firm’s behalf in the proper performance of their job duties and responsibilities. The data protection legislation contains important principles affecting personal data relating to data subjects. The purpose of this policy is to set out what we expect from Staff and to ensure that they understand and comply with the rules governing the processing of personal data to which they may have access in the course of work, so as to ensure that neither the Firm nor Staff breach the data protection legislation.

    2.6          The Firm takes compliance with this policy very seriously. Any breach of this policy or any breach of the data protection legislation will be regarded as misconduct. A significant or deliberate breach of this policy, such as accessing a data subject’s personal data without authority or unlawfully obtaining or disclosing a data subject’s personal data (or procuring their disclosure to a third party) without the Firm’s consent, constitutes a gross misconduct offence.

    2.7          The Firm’s data protection manager has responsibility for data protection compliance within the business. You should contact them if you have any questions about the operation of this policy or you need further information about the data protection legislation, or if you have any concerns that this policy is not being or has not been followed. You must also contact them to seek further advice in the following circumstances:

    2.7.1        if you are in any doubt about what you can or cannot disclose and to whom

    2.7.2        if you are unsure about the lawful basis you are relying on to process personal data

    2.7.3        if you need to rely on consent to process personal data

    2.7.4        if you need to obtain or issue privacy notices

    2.7.5        if you are not clear about the retention period for the personal data being processed

    2.7.6        if you are unsure about what appropriate security measures you need to implement to protect personal data

    2.7.7        if you need assistance in dealing with any rights invoked by a data subject

    2.7.8        if you suspect there has been a personal data breach

    2.7.9        where you propose to use personal data for purposes other than that for which they were collected

    2.7.10     where you intend to engage in a significant new or amended data processing activity

    2.7.11     where you plan to undertake any activities involving automated decision-making, including profiling

    2.7.12     if you need assistance with, or approval of, contracts in relation to sharing personal data with Third Party service providers

    2.7.13     if you believe personal data are not being kept or deleted securely or are being accessed without the proper authorisation

    2.7.14     if you suspect there has been any other breach of this policy or any breach of the data protection principles

    3        Complaints

    3.1          If a data subject (including you) believes that the Firm has not complied with their data protection rights, or that the Firm’s Policies are not being followed in respect of personal data the Firm holds about them, the matter should be raised with the Data Protection Manager.

    3.1.1        If the person making the complaint (including you) is a Staff member and the matter is not resolved to their satisfaction, it should be raised as a formal grievance under the Firm’s grievance procedure.

    3.2          Whether or not a complaint is raised with the Firm, data subjects and you have the right to make a complaint to the Information Commissioner’s Office (ICO) at any time. The ICO is the UK supervisory authority for data protection issues. Full contact details, including a helpline number, can be found on the Information Commissioner’s Office website (www.ico.org.uk). This website has further information on data subjects’ rights and our obligations.

    4        The data protection principles

    4.1          Under the data protection legislation, there are six data protection principles that the Firm and all Staff must comply with at all times in their personal data processing activities. In brief, the principles say that personal data must be:

    4.1.1        Processed lawfully, fairly and in a transparent manner in relation to the data subject (lawfulness, fairness and transparency).

    4.1.2        Collected only for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation).

    4.1.3        Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation).

    4.1.4        Accurate and, where necessary, kept up to date; every reasonable step must also be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (accuracy).

    4.1.5        Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data are processed (storage limitation).

    4.1.6        Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (integrity and confidentiality).

    4.2          The Firm is responsible for, and must be able to demonstrate compliance with, these data protection principles. This is called the principle of accountability.

    5        Lawfulness, fairness and transparency

    5.1          Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.

    5.2          This principle means that both the Firm and Staff may only collect, process and share personal data lawfully and fairly and for specific purposes.

    • Lawfulness and fairness

    5.3          The data protection legislation provides that processing is only lawful in certain circumstances. These include where:

    5.3.1        the data subject has given consent to the processing of their personal data for one or more specific purposes

    5.3.2        the processing is necessary for the performance of a contract with the data subject, e.g. a contract with a client, or in order to take steps at the request of the data subject prior to entering into a contract

    5.3.3        the processing is necessary for compliance with our legal obligations

    5.3.4        the processing is necessary to protect the data subject’s vital interests (or someone else’s vital interests)

    5.3.5        the processing is necessary to pursue our legitimate interests (or those of a third party), where the data subject’s interests or fundamental rights and freedoms do not override our interests; the purposes for which we process personal data for legitimate interests must also be set out in an appropriate privacy notice

    5.4          The Firm and Staff must only process personal data on the basis of one or more of these lawful bases for processing. Before a processing activity starts for the first time, and then regularly while it continues, we will review the purpose of the processing activity, select the most appropriate lawful basis (or bases) for that processing and satisfy ourselves that the processing is necessary for the purpose of that lawful basis (or bases). When determining whether the Firm’s legitimate interests are the most appropriate basis for lawful processing, we will conduct a legitimate interests assessment, keep a record of it and keep it under review.

    5.5          Where the Firm relies on consent as the lawful basis for processing, this requires the data subject to have given a positive statement, active opt-in or clear affirmative action; pre-ticked boxes, inactivity or silence do not constitute consent. If consent is given in a document that also deals with other matters, the request for consent must be clearly distinguishable and kept separate from those other matters. In addition, consent must specifically cover the purposes of the processing and the types of processing activity, so you must ensure that you obtain separate consents for different types of processing, where appropriate. Data subjects also have the right to withdraw their consent to processing at any time; they must be advised of this right, and it must be as easy for them to withdraw their consent as it was to give it.

    5.6          The data protection legislation also provides that the processing of special categories of personal data and criminal records personal data is only lawful in more limited circumstances where a special condition for processing also applies (this is an additional requirement; the processing must still meet one or more of the conditions for processing set out above). These include where:

    5.6.1        the data subject has given their explicit consent to the processing of their personal data for one or more specified purposes; explicit consent requires a very clear and positive statement and it cannot be implied from the data subject’s actions

    5.6.2        the processing is necessary for the purposes of carrying out obligations or exercising specific rights of either the Firm or the data subject under employment law or social security law

    5.6.3        in the case of special categories of personal data, the processing relates to personal data which are manifestly made public by the data subject

    5.6.4        the processing is necessary for the establishment, exercise or defence of legal claims

    5.7          We may from time to time need to process special categories of personal data and criminal records personal data. The Firm and Staff must only process special categories of personal data and criminal records personal data where there is also one or more of these special lawful bases for processing. Before processing any special categories of personal data and criminal records personal data, you must notify our data protection manager so that they may assess whether the processing complies with one or more of these special conditions. Processing of criminal conviction data will be consistent with our Criminal Conviction Policy.

    5.8          A clear record must be kept of all consents, including explicit consents, which covers what the data subject has consented to, what they were told at the time and how and when consent was given. This enables the Firm to demonstrate compliance with the data protection requirements for consent.

    • Transparency

    5.9          Under the data protection legislation, the transparency principle requires the Firm to provide specific information to data subjects through appropriate privacy notices. These must be concise, transparent, intelligible, easily accessible and use clear and plain language. Privacy notices may comprise general privacy statements applicable to a specific group of data subjects, e.g. employees, or they may be stand-alone privacy statements covering processing related to a specific purpose. Whenever we collect personal data directly from data subjects, including for employment purposes, we must provide the data subject with all the information required to be included in a privacy notice. This includes:

    5.9.1        the identity and contact details of the Firm (as data controller) and any representative

    5.9.2        where applicable, the identity and contact details of the data protection officer

    5.9.3        the purposes for which the personal data will be processed

    5.9.4        the lawful basis or bases for processing

    5.9.5        where we are relying on our legitimate interests (or those of a third party) as the lawful basis for processing, what those legitimate interests are

    5.9.6        the categories of personal data, unless they were obtained directly from the data subject

    5.9.7        the third-party sources that the personal data originate from, unless they were obtained directly from the data subject

    5.9.8        the recipients, or categories of recipients, with whom the personal data may be shared

    5.9.9        details of transfers to non-EEA countries and the suitable safeguards applied

    5.9.10     the retention period for the personal data or, if that is not possible, the criteria to be used to determine the retention period

    5.9.11     the existence of the data subject’s rights, i.e. subject access, rectification, erasure, restriction of processing, objection and data portability

    5.9.12     the right to withdraw consent to processing at any time, where consent is being relied on as the lawful basis for processing

    5.9.13     the right to lodge a complaint with the Information Commissioner’s Office

    5.9.14     whether the provision of personal data is part of a statutory or contractual requirement or obligation, or a requirement necessary to enter into a contract, and the possible consequences of failing to provide the personal data

    5.9.15     the existence of any automated decision-making, including profiling, and meaningful information about how decisions are made, the significance and consequences.

    5.10       We must issue a privacy notice, which can be by electronic means, when we first collect a data subject’s personal data from them. If the personal data have been obtained from third parties, we must provide the privacy notice information within a reasonable period of having obtained the personal data, but at the latest within one month. However, if the personal data are to be used to communicate with the data subject, the privacy notice information is to be provided, at the latest, when the first communication takes place, or if disclosure of the personal data to another recipient is envisaged, it is to be provided, at the latest, when the data are first disclosed. You must comply with these rules on privacy notices when processing personal data on the Firm’s behalf in the proper performance of your job duties and responsibilities.

    5.11       The Firm will issue privacy notices directly applicable to different data subjects or groups of data subjects from time to time including privacy notices to you.

    5.12       Privacy notices can also be obtained from the Firm’s Data Protection Manager.

    6        Purpose Limitation

    • Use of personal data and change of purpose.

    6.2          Personal data must be collected only for specified, explicit and legitimate purposes and they must not be further processed in any manner that is incompatible with those purposes.

    6.3          We can only use the personal data for the purposes for which we first obtained it and which were disclosed to the data subject, e.g. in an appropriate privacy notice, unless the data subject has been informed of the new purposes and the terms of this policy are otherwise complied with, e.g. there is a lawful basis for processing. This also includes special categories of personal data and criminal records personal data.

    6.4          If we need to use personal information (including special categories of personal data and criminal records personal data) for a different purpose, before we use it for the new purpose we will provide the data subject with information about the new purpose, and the terms of this policy must be complied with. For example, we will also explain the legal basis which allows us to process that personal information for the new purpose and we will provide them with any relevant further information. We may also issue a new privacy notice to them.

    7        Data minimisation

    7.1          Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

    7.2          We will only collect personal data to the extent that they are required for the specific purposes notified to the data subject. You must only process personal data where your job duties and responsibilities require it and you must not process personal data for any reason which is unrelated to your job duties and responsibilities. In addition, you must ensure that any personal data you collect are adequate and relevant for the intended purposes and are not excessive. This includes special categories of personal data and criminal records personal data.

    7.3          When personal data are no longer needed for specified purposes, you must ensure that they are destroyed, erased or anonymised in accordance with the Firm’s rules on data retention and destruction set out below.

    8        Accuracy

    8.1          Personal data must be accurate and, where necessary, kept up to date. In addition, every reasonable step must be taken to ensure that personal data that are inaccurate are erased or rectified without delay.

    8.2          It is important that the personal data we hold about data subjects is accurate and up to date. Please ensure your personal data is accurate and tell us if your personal data changes, e.g. you change your home address, so we can update our records. The Firm will not be responsible for any errors in your personal data or for any issues arising due to your failure to notify changes in your personal details. We will promptly update your personal data if you tell us that they have changed or are inaccurate.

    8.3          We must also ensure that the personal data we hold about other data subjects is accurate and up to date. This includes special categories of personal data and criminal records personal data. We will take all reasonable steps to check that personal data is accurate when it is collected and at regular intervals thereafter. We will also take all reasonable steps to destroy, erase or update outdated personal data and to correct inaccurate personal data.

    9        Storage limitation

    9.1          Personal data must not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data are processed.

    9.2          The Firm will only retain personal data for as long as is necessary to fulfil the legitimate business purposes for which they were originally collected and processed, including for the purposes of satisfying any legal, tax, health and safety, reporting or accounting requirements. This includes special categories of personal data and criminal records personal data. Staff must comply with the Firm’s rules on data retention and destruction set out below.

    • Retention: Clients and Contacts

    9.3          The Firm will generally hold personal data, including special categories of personal data and criminal records personal data, belonging to Clients and Contacts for the duration of our business relationship with them.

    9.4          We will only retain your personal information (including special category information or criminal conviction data) for as long as is necessary to fulfil the purposes for which it was collected and processed, including for the purposes of satisfying any legal, tax, health and safety, reporting or accounting requirements.

    • Clients

    9.4.2        We will generally hold your personal information for the duration of your relationship with us as an active client and a further 7 years.

    • Exceptions to this include:

    9.4.2.b          Wills and lasting powers of attorney and files relating to the preparation of these documents will be kept indefinitely

    9.4.2.c          Trust records until the trust (and associated trusts) are wound up plus 7 years.

    9.4.2.d          Probate files may be needed in relation to a surviving spouse or civil partner (e.g. inheritance tax allowances). They will therefore be kept until 7 years after the death and administration of the estate of the surviving spouse/civil partner.

    9.4.2.e          Deeds relating to unregistered property will be kept indefinitely.

    9.4.2.f           minimum statutory or other legal, tax, health and safety, reporting or accounting requirements for particular data or records requiring us to keep the data longer, and

    9.4.2.g          the retention of some types of personal information for up to twelve years to protect against legal risk, e.g. if they could be relevant to a possible legal claim in a tribunal, County Court or High Court.

    9.4.3        Where relevant we may thin out our files to remove information which is not relevant to the above exceptions six years after you cease to be an active client so that we only continue to retain for a longer period what is strictly necessary.

    • Contacts

    9.4.4        We will generally hold this personal information for the duration of their relationship with us and a further 3 years.

    • Exceptions to this include:

    9.4.4.b          Where we hold personal data of Contacts in connection with services provided to Clients, we will hold the data for the periods set out above at 9.4.2 for Clients.

    9.4.4.c          minimum statutory or other legal, tax, health and safety, reporting or accounting requirements for particular data or records requiring us to keep the data longer, and

    9.4.4.d          the retention of some types of personal information for up to 12 years to protect against legal risk, e.g. if they could be relevant to a possible legal claim in a tribunal, County Court or High Court.

    9.5          Personal information which is no longer to be retained will be securely and effectively destroyed or permanently erased from our IT systems and we will also require Third Parties to destroy or erase such personal information where applicable.

    9.6          In some circumstances we may anonymise your personal information so that it no longer permits your identification. In this case, we may retain such information for a longer period.

    9.7          For further details see our Data Retention Policy; a copy is available from our data protection manager.

    • Destruction and erasure

    9.8          All personal data, including special categories of personal data and criminal records personal data, must be reviewed before destruction or erasure to determine whether there are special factors that mean destruction or erasure should be delayed. Otherwise, they must be destroyed or erased at the end of the retention periods outlined above. Staff responsible for maintaining personal data who are not clear what retention period should apply to a particular record should contact our data protection manager for guidance.

    9.9          Personal data which are no longer to be retained will be permanently erased from our IT systems or securely and effectively destroyed, e.g. by cross-shredding of hard copy documents, burning them or putting them in confidential waste bins or by physical destruction of storage media. We will also require Third Parties to destroy or erase such personal data where applicable. The Firm and Staff will take all reasonable steps to destroy or erase personal data that we no longer require.

    9.10       In some circumstances we may anonymise personal data so that they no longer permit a data subject’s identification. In this case, we may retain such personal data for a longer period.

    10     Integrity and confidentiality

    10.1       Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

    10.2       The Firm takes the security of personal data seriously and we have implemented and maintain safeguards which are appropriate to the size and scope of our business, the amount of personal data that we hold and any identified risks. This includes encryption and pseudonymisation of personal data where appropriate. We have also taken steps to ensure the ongoing confidentiality, integrity, availability and resilience of our processing systems and services and to ensure that, in the event of a physical or technical incident, availability and access to personal data can be restored in a timely manner. We regularly test and evaluate the effectiveness of our technical and organisational safeguards to ensure the security of our processing activities.

    10.3       Staff must implement reasonable and appropriate security measures against unauthorised or unlawful processing of personal data and against their accidental loss, destruction or damage. They must be particularly careful in protecting special categories of personal data and criminal records personal data. Staff must follow all procedures, and comply with all technologies and safeguards, that we put in place to maintain the security of personal data from the point of collection to the point of destruction.

    10.4       Where the Firm uses Third Party service providers to process personal data on our behalf, additional security arrangements need to be implemented in contracts with those Third Parties to safeguard the security of personal data. We will only share personal data with Third Party service providers provided that certain safeguards and contractual arrangements have been put in place, including that:

    10.4.1     the Third Party has a business need to know the personal data for the purposes of providing the contracted services

    10.4.2     sharing the personal data complies with the privacy notice that has been provided to the data subject (and, if required, the data subject’s consent has been obtained)

    10.4.3     the Third Party has agreed to comply with our data security procedures and has put adequate measures in place to ensure the security of processing

    10.4.4     the Third Party only acts on our documented written instructions

    10.4.5     a written contract is in place between the Firm and the Third Party that contains specific approved terms

    10.4.6     the Third Party will assist the Firm in allowing data subjects to exercise their rights in relation to data protection and in meeting our obligations in relation to the security of processing, the notification of data breaches and data protection impact assessments

    10.4.7     the Third Party will delete or return all personal data to the Firm at the end of the contract

    10.4.8     the Third Party will submit to audits.

    10.5       Before any new agreement involving the processing of personal data by a Third Party service provider is entered into, or an existing contract is amended, it must be approved by our data protection manager.

    10.6       Personal data will only be shared with other Staff if they have a business need to know in order to properly perform their job duties and responsibilities.

    10.7       We will not make unnecessary copies of personal data and will keep and dispose of any copies securely. This applies however the data is held, e.g. on paper or electronically.

    • Hard Copy

    10.8       Hard copy files which hold personal data are confidential and must be stored in locked filing cabinets. Only authorised Staff, who have a business need to know in order to properly perform their job duties and responsibilities, have access to these files.

    10.9       Files must not be removed from their normal place of storage without good reason. Paper containing personal data must not be left lying about.

    • Electronic Copies

    10.10     Personal data held in electronic format will be stored confidentially by means of password protection, encryption or pseudonymisation, and again only authorised Staff have access to those data. Computer screens should be locked when Staff are not at their desks.

    10.11     Personal data stored on removable storage media must be kept in locked filing cabinets or locked drawers and cupboards when not in use by authorised Staff.

    10.12     The Firm has network backup procedures in place to ensure that personal data held in electronic format cannot be accidentally lost, destroyed or damaged. Personal data must not be stored on personal devices, including phones.

    • How to deal with data breaches

    10.13     We have robust measures in place to minimise and prevent data breaches from taking place. Should a breach of personal data occur (whether in respect of Staff or someone else) then we must take notes and keep evidence of that breach.

    10.14     The data protection legislation requires the Firm to notify any personal data breach to the Information Commissioner’s Office within 72 hours after becoming aware of the breach.

    10.15     If a breach poses a “high risk” to the rights and freedoms of individuals we must also notify the affected individuals without undue delay. High risk situations are likely to include breaches which have the potential for the individuals to suffer significant detrimental effect, for example, discrimination, damage to reputation, financial loss or any other significant economic or social disadvantage.

    10.16     A personal data breach is any breach of security which leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed and includes any act or omission that compromises the confidentiality, integrity or availability of personal data or the safeguards that we, or our Third Party service providers, have put in place to protect them.

    10.17     The Firm has procedures in place to deal with any suspected personal data breach and Staff are required to comply with these.

    10.18     If Staff know or suspect that a personal data breach has occurred, they must immediately contact our data protection manager, retain any evidence in relation to the breach and follow the Firm’s data breach policy and response plan.

    11     Accountability

    11.1       The Firm is responsible for, and must be able to demonstrate compliance with, the data protection principles. This means that we must implement appropriate and effective technical and organisational measures to ensure compliance and we also require Staff to fully assist and co-operate with the Firm in this regard. In particular, we have:

    11.1.1     appointed a data protection manager to be responsible for data protection compliance and privacy matters within the business

    11.1.2     kept written records of personal data processing activities

    11.1.3     implemented a privacy by design approach when processing personal data and we will conduct and complete data protection impact assessments (DPIAs) where a type of data processing, e.g. the launch of a new product or the adoption of a new program, process or IT system, in particular using a new technology, is likely to result in a high risk to the rights and freedoms of data subjects

    11.1.4     integrated data protection requirements into our internal documents, including this data protection policy, other related policies and privacy notices

    11.1.5     introduced regular reviews of our privacy measures and our policies, procedures and contracts and regular testing of our systems and processes to monitor and assess our ongoing compliance with the data protection legislation and the terms of this policy in areas such as security, retention and data sharing.

    11.1.6     We also keep records of our personal data processing activities and you are required to assist us in ensuring these records are full, accurate and kept up to date.

    12     Privacy by design and data protection impact assessments

    12.1       We are required to implement privacy by design measures when processing personal data by implementing appropriate technical and organisational measures in an effective manner to ensure compliance with the data protection legislation. We will assess what privacy by design measures can be implemented on all processes or systems that process personal data.

    12.2       Where a type of data processing, e.g. the launch of a new product or the adoption of a new program, process or IT system is likely to result in a high risk to the rights and freedoms of data subjects, Staff must assist in conducting and completing a DPIA. This includes (but is not limited to):

    12.2.1     systematic and extensive automated processing and automated decision-making activities, including profiling, and on which decisions are based that have legal effects, or similar significant effects, on data subjects

    12.2.2     large-scale processing of special categories of personal data or criminal records personal data

    12.2.3     large-scale systematic monitoring of publicly accessible areas, e.g. using CCTV.

    12.3       Before any form of new technology, program, process or system is introduced, our data protection manager will ensure that a DPIA is carried out.

    12.4       A DPIA will comprise a review of the new technology, program, process or system and it must contain a description of the processing operations and the purposes, an assessment of the necessity and proportionality of the processing in relation to those purposes, an assessment of the risks to individuals and the measures in place to address or mitigate those risks and demonstrate compliance.

    13     Automated processing and automated decision-making

    13.1       Automated processing is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, and automated decision-making occurs when an electronic system uses an individual’s personal data to make a decision without human intervention.

    13.2       The Firm does not carry out any automated processing and does not take any decisions based solely on automated decision-making, including profiling.

    14     Direct marketing

    14.1       The Firm is subject to certain rules when marketing to our Clients and Contacts. It must comply with the Firm’s guidelines and Privacy Notices on this. In particular, a data subject’s prior consent is required for electronic direct marketing in most circumstances. There is a limited exception for existing clients which allows us to send marketing texts and e-mails if we have obtained their contact details in the course of a sale to that person, we are marketing similar products or services to them and we gave that person an opportunity to opt out of marketing when first collecting their details and in every subsequent message.

    14.2       We do not cold call.

    14.3       We do not sell, distribute or give Clients’ or Contacts’ personal information to third parties for marketing purposes.

    14.4       If a data subject objects to direct marketing, it is essential that this is actioned in a timely manner and their details should be suppressed as soon as possible. We will retain just enough information to ensure that marketing preferences are respected in the future.

    15     Transferring personal data outside the European Economic Area

    15.1       The data protection legislation restricts transfers of personal data to countries outside the European Economic Area (EEA) in order to ensure that the level of data protection afforded to data subjects is maintained.

    15.2       The Firm does envisage transferring personal data to countries outside the EEA and will act to ensure that we comply with this rule. If Staff have any concern about this, they should speak to the data protection manager.

    15.3       If there is any transfer of personal data to countries outside the EEA this may only occur provided one of the following applies:

    15.3.1     there is an adequacy decision by the European Commission in respect of the particular country, i.e. that country is deemed to provide an adequate level of protection for personal data

    15.3.2     appropriate safeguards are in place, such as binding corporate rules or standard data protection clauses approved by the European Commission

    15.3.3     the data subject has provided their explicit consent to the proposed transfer after being informed of any potential risk.

    16     Data subject rights to access personal data “SAR”

    16.1       Under the data protection legislation, data subjects (including Staff) have the right, on request, to obtain a copy of the personal data that the Firm holds about them by making a written data subject access request (SAR). This allows the data subject to check that we are lawfully processing their personal data. The data subject has the right to obtain:

    16.1.1     confirmation as to whether or not their personal data are being processed

    16.1.2     access to copies of their specified personal data

    16.1.3     other additional information.

    16.2       The other additional information (which should be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language) comprises:

    16.2.1     the purposes of the processing and the categories of personal data concerned

    16.2.2     the recipients, or categories of recipients, to whom the personal data have been or will be disclosed, in particular recipients in non-EEA countries

    16.2.3     where the personal data are transferred to a non-EEA country, what appropriate safeguards are in place relating to the transfer

    16.2.4     the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period

    16.2.5     the existence of the data subject’s rights to request rectification or erasure of their personal data or restriction of processing of their personal data or to object to such processing

    16.2.6     their right to lodge a complaint with the Information Commissioner’s Office if they think the Firm has failed to comply with their data protection rights

    16.2.7     where the personal data are not collected from them, any available information as to their source

    16.2.8     the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the envisaged consequences of such processing for them.

    16.3       When a data subject makes a SAR, we will log the date on which the request was received and confirm their identity. Where we have reasonable doubts concerning the data subject’s identity, we will request them to provide such additional information necessary to confirm their identity before complying with their SAR. This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

    16.4       We will then search databases, systems and other places where the personal data which are the subject of the SAR may be held. Where we process a large quantity of personal data about a data subject, we may ask them to first specify the information that their SAR relates to.

    16.5       If the data subject makes their SAR electronically, the Firm must provide a copy of the personal data in a commonly used electronic format, unless they specifically request otherwise. If the data subject wants additional copies of the personal data, the Firm may charge a reasonable fee, which is based on our administrative costs of providing the additional copies.

    16.6       We must respond to requests and provide copies of the personal data within one month unless the request is complex or numerous requests are made by the data subject in which case the period in which we must respond can be extended by a further two months. If we intend to extend the time limit, we will contact the data subject within one month of the SAR’s receipt to inform them of the extension and to explain why it is necessary.

    16.7       Before providing the personal data to the data subject making the SAR, we will:

    16.7.1     review the personal data requested to see if they contain the personal data of other data subjects. If they do, we will redact the personal data of those other data subjects prior to providing the data subject with their personal data, unless those other data subjects have consented to the disclosure of their personal data

    16.7.2     check whether there are any statutory exemptions from disclosure that apply to the personal data that are the subject of the SAR. If a statutory exemption applies to any of the personal data, those personal data may not be disclosed.

    16.8       Normally there is no fee for a SAR. However, we reserve the right to:

    16.8.1     charge a reasonable fee, based on our administrative costs of providing the personal data, when a SAR is manifestly unfounded or excessive, particularly if it repeats a SAR to which we have already responded, or

    16.8.2     refuse to respond altogether where a SAR is manifestly unfounded or excessive. Where we refuse to act on a request in this way, we will set out our written reasons to the data subject within one month of receipt of their SAR. We will also inform them of their right to complain to the Information Commissioner’s Office or to seek a judicial remedy in the courts.

    16.9       Data subjects who want to exercise their access rights should put the request in writing:

    16.9.1     they can use (but do not have to use) our Subject Access Request Form, available from our data protection manager, or put the request in an e-mail or letter, and

    16.9.2     send it to our data protection manager as follows: Kirsten Moon, partner, Applewood House, The Hill, Charing, Kent, email kirsten@moon-and-co.co.uk, tele 01233 714055. We will inform the data subject if we need to further verify their identity.

    16.10     If we receive a SAR from another data subject, it must be forwarded immediately to our data protection manager and she will deal with responding to it.

    • Other data subject rights in relation to their personal data

    16.11     Data subjects have a number of other rights in relation to their personal data. When we process data subjects’ personal data, we will respect those rights. It is the Firm’s policy to ensure that requests by data subjects to exercise their rights in respect of their personal data are handled in accordance with the data protection legislation.

    16.12     Subject to certain conditions, and in certain circumstances, data subjects have the right to:

    16.12.1  be informed – this is normally satisfied by issuing them with an appropriate privacy notice

    16.12.2  request rectification of their personal data – this enables them to have any inaccurate or incomplete personal data we hold about them corrected or completed, including by their providing a supplementary statement

    16.12.3  request the erasure of their personal data – this enables them to ask us to delete or remove their personal data where there’s no compelling reason for their continued processing, e.g. it’s no longer necessary in relation to the purpose for which they were originally collected or if there are no overriding legitimate grounds for the processing

    16.12.4  restrict the processing of their personal data – this enables them to ask us to suspend the processing of their personal data, e.g. if they contest the accuracy and so want us to verify the accuracy or the processing is unlawful but they don’t want the personal data to be erased

    16.12.5  object to the processing of their personal data – this enables them to ask us to stop processing their personal data where we are relying on the legitimate interests of the business as our lawful basis for processing and there is something relating to their particular situation which makes them decide to object to processing on this ground

    16.12.6  data portability – this gives them the right to request the transfer of their personal data to another party so that they can reuse them across different services for their own purposes

    16.12.7  not be subject to automated decision-making, including profiling – this gives them the right not to be subject to a decision based solely on the automated processing of their personal data, if such decision produces legal effects concerning them or similarly significantly affects them

    16.12.8  prevent direct marketing – this enables them to prevent our use of their personal data for direct marketing purposes

    16.12.9  be notified of a data breach which is likely to result in a high risk to their rights and freedoms.

    16.13     If, as a data subject, you wish to exercise any of these rights, please contact our data protection manager.

    16.14     If a data subject invokes any of these rights, the data protection manager will take steps to verify their identity and log the date on which the request was received. The following response procedures apply as applicable:

    16.14.1  response to requests to rectify personal data – unless there is an applicable exemption, we will rectify the personal data without undue delay and we will also communicate the rectification of the personal data to each recipient to whom the personal data have been disclosed, e.g. our Third Party service providers, unless this is impossible or involves disproportionate effort

    16.14.2  response to requests for the erasure of personal data – we will erase the personal data without undue delay provided one of the grounds set out in the data protection legislation applies and there is no applicable exemption (and, where the personal data are to be erased, a similar timetable and procedure to that applying to responding to SARs will be followed). We will also communicate the erasure of the personal data to each recipient to whom the personal data have been disclosed, unless this is impossible or involves disproportionate effort. Where we have made the personal data public, we will take reasonable steps to inform those who are processing the personal data that the data subject has requested the erasure by them of any links to, or copies or replications of, those personal data

    16.14.3  response to requests to restrict the processing of personal data – where processing has been restricted in accordance with the grounds set out in the data protection legislation, we will only process the personal data (excluding storing them) with the data subject’s consent, for the establishment, exercise or defence of legal claims, for the protection of the rights of another person, or for reasons of important public interest. Prior to lifting the restriction, we will inform the data subject that it is to be lifted. We will also communicate the restriction of processing of the personal data to each recipient to whom the personal data have been disclosed, unless this is impossible or involves disproportionate effort

    16.14.4  response to objections to the processing of personal data – where such an objection is made in accordance with the data protection legislation and there is no applicable exemption, we will no longer process the data subject’s personal data unless we can show compelling legitimate grounds for the processing which overrides the data subject’s interests, rights and freedoms or we are processing the personal data for the establishment, exercise or defence of legal claims. If a data subject objects to the processing of their personal data for direct marketing purposes, we will stop processing the personal data for such purposes

    16.14.5  response to requests for data portability – unless there is an applicable exemption, we will provide the personal data without undue delay if the lawful basis for the processing of the personal data is consent or pursuant to a contract and our processing of those data is carried out by automated means (and a similar timetable and procedure to that applying to responding to SARs will be followed)

    16.14.6  In the limited circumstances where the data subject has provided their consent to the processing of their personal data for a specific purpose, they have the right to withdraw their consent for that specific processing at any time. This will not, however, affect the lawfulness of processing based on consent before its withdrawal.

    16.14.7  If you, as a member of Staff and a data subject, wish to withdraw consent to the processing of your personal data for a specific purpose, please contact our data protection manager. Once we have received notification that you have withdrawn your consent, we will no longer process your personal data for the purpose you originally agreed to, unless we have another lawful basis for processing.

    16.15     If a data subject invokes their right to withdraw their consent, the data protection manager will review whether other grounds for processing apply.

    16.16     Data subjects also have the right to make a complaint to the Information Commissioner’s Office at any time.

    17      Staff and Third Party obligations in relation to personal data

    17.1       Staff and any Third Party with access to personal data must comply with this policy and the data protection principles at all times in their personal data processing activities where acting on behalf of the Firm in the proper performance of their job duties and responsibilities or providing services.

    17.2       Under the data protection legislation, Staff and Third Parties should also be aware that they are personally accountable for their actions and can be held criminally liable. It is a criminal offence for a person to:

    17.2.1     knowingly or recklessly keep, obtain or disclose personal data (or procure their disclosure to a third party) without the consent of the Firm, or

    17.2.2     sell, or offer to sell, illegally obtained personal data, or

    17.2.3     where data has been “de-identified” (so that it can no longer be attributed to a specific data subject), knowingly or recklessly re-identify that personal data (so that data subjects can again be identified from it) or process personal data which has been unlawfully re-identified by someone else, or

    17.2.4     alter, block, erase, destroy or conceal personal data with the intention of preventing their disclosure to a data subject following a data subject access request.

    • This would include, for example,

    17.2.5     taking clients’ or contacts’ contact details or other personal data without the Firm’s consent on the termination of employment, a service contract or otherwise, or

    17.2.6     misusing or stealing personal data held by the Firm.

    17.3       Where unlawful activity is suspected, the Firm will report the matter to the Information Commissioner’s Office for investigation into the alleged breach of the data protection legislation and this may result in criminal proceedings being instigated. The Firm may also need to report the alleged breach to a regulatory body. This conduct would also amount to gross misconduct and could lead to the summary termination of a contract with the relevant Third Party.

    18     Additional Guidelines on Processing Personal Data for the Firm

    18.1       The Firm, Staff and Third Parties must also comply with the following guidelines at all times:

    18.1.1     only access personal data that you have authority to access and only for authorised purposes, e.g. if you need them for the work you do for the Firm, and then only use the data for the specified lawful purpose for which they were obtained

    18.1.2     only allow other Staff or Third Parties to access personal data if they have the appropriate authorisation and never share personal data informally

    18.1.3     do not disclose personal data to anyone except the data subject. In particular, they should not be given to someone from the same family, passed to any other unauthorised third party, placed on the Firm’s website or posted on the Internet in any form, unless the data subject has given their explicit consent to this

    18.1.4     be aware that those seeking personal data sometimes use deception to gain access to them, so always verify the identity of the data subject and the legitimacy of the request

    18.1.5     where the Firm provides you with code words or passwords to be used before releasing personal data, you must strictly follow the Firm’s requirements in this regard

    18.1.6     only transmit personal data between locations by e-mail if a secure network is in place, e.g. encryption is used for e-mail

    18.1.7     if you receive a request for personal data about another Staff member or data subject, you should forward this to the Firm’s data protection manager

    18.1.8     ensure any personal data you hold are kept securely, either in a locked non-portable filing cabinet or drawer if in hard copy, or password protected or encrypted if in electronic format, and comply with Firm rules on computer access and secure file storage

    18.1.9     do not access another Staff member’s personal data, e.g. their personnel records, without authority, as this will be treated as gross misconduct and it is a criminal offence

    18.1.10  do not obtain or disclose personal data (or procure their disclosure to a third party) without authority or without the Firm’s consent as this will be treated as gross misconduct and it is a criminal offence

    18.1.11  do not write down (in electronic or hard copy form) opinions or facts concerning a data subject which it would be inappropriate to share with that data subject

    18.1.12  do not remove personal data, or devices containing personal data, from the Firm’s premises with the intention of processing them elsewhere unless this is necessary to enable you to properly carry out your job, duties or responsibilities, you have adopted appropriate security measures (such as password protection, encryption or pseudonymisation) to secure the data and the device, and it has been authorised by the Firm’s data protection manager

    18.1.12.a    ensure that, when working on personal data as part of your job, duties or responsibilities when away from the Firm’s premises and with the authorisation of the data protection manager, you continue to observe the terms of this policy and the data protection legislation, in particular in matters of data security

    18.1.12.b    be aware of and comply with the terms of the Firm’s other policies which may affect the processing of personal data (including special category data and criminal records personal data), including the Firm’s Email, Internet, Computer and Telephone Policy and Data Security Policy

    18.1.13  do not store personal data on local computer drives, your own personal computer or on other personal devices including phones

    18.1.14  do not make unnecessary copies (hard or electronic) of personal data and keep and dispose of any copies securely, e.g. by cross-shredding hard copies

    18.1.15  ensure that you attend all mandatory data protection training

    18.1.16  refer any questions that you may have about the data protection legislation or compliance with this policy to our data protection manager

    18.1.17  remember that compliance with the data protection legislation and the terms of this policy is your personal responsibility.

    19     Changes to this policy

    19.1       The Firm will review this policy at regular intervals and we reserve the right to update or amend it at any time and from time to time. We will circulate any modified policy to Staff and Third Parties; where appropriate, we may notify you of changes by e-mail.

    19.2       It is intended that this policy is fully compliant with the data protection legislation. However, if any conflict arises between the data protection legislation and this policy, the Firm will comply with the data protection legislation.

    19.3       This policy may also be made available to the Information Commissioner’s Office on request.

    Questions about Data Protection – call

    01233 714055

    Kirsten Moon – Solicitor Partner
    Or write to me at Moon & Co Solicitors, Applewood House, The Hill, Charing, Kent TN27 0LU