Privacy Notice

General Data Protection Regulation (GDPR)

ELDRIDGES SOLICITORS PRIVACY NOTICE

DATA CONTROLLER

Eldridges Solicitors is a Data Controller in respect of information it processes for its clients (past, current and prospective), employees, individual and business contacts, referrers, opposing parties and their advisers, suppliers and third party experts and consultants. This Notice explains how Eldridges collects, stores and uses your data. Please read it to ensure that you are aware of how and why we using your information. This Notice is available on our website at eldridges.co.uk and may be updated from time to time so please check occasionally to ensure that you are up to date.

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes either during the course of our engagement, or after, if you think it will be relevant.

LAWFUL BASIS

We process personal information to enable us to provide legal services including advising and acting on behalf of our clients. We also process personal information in order to maintain our own accounts and records, promote our services and to support and manage our employees. We will use your information in a lawful, fair and transparent way in accordance with the GDPR. The Regulation sets out the lawful bases for processing information in certain circumstances. We will use your information:

•   In order to perform the contract which we have entered into with you
•   Where it is in our legitimate interests to process the data so that we can provide a service toor otherwise fulfil the purpose of our engagement with you, subject to your own rights under

  GDPR

•   In compliance with a legal obligation to which we are subject
•   Where you have consentedIt is also possible (but rare) that we would use your information to protect the vital interests of yourself or another, or where it is required by the public interest.

  If we need to use your information for any purpose other than that for which we collected it we will notify you and explain why.

DATA SUBJECTS

We process information about:

•   Clients
•   Suppliers and service providers
•   Complainants
•   Enquirers

 Advisers, consultants and professional experts

 Employees

TYPE OF INFORMATION

We process information relevant to the above reasons/purposes. This information may include:

•   Personal details
•   Family details
•   Lifestyle and social circumstances
•   Goods and services
•   and employment details

 Financial details
 Business of the person whose personal

information we are processing  Education

We may also process sensitive classes of information that may include:

•   Physical or mental health details
•   Racial or ethnic origin
•   Political opinions
•   Religious or other beliefs
•   proceedings, outcomes and sentencesINFORMATION SHARING

 Sexual life
 Trade union membership
 Offences and alleged offences  Criminal

We sometimes need to share the personal information we process with others. Where this is necessary we are required to comply with all aspects of Data Protection law. What follows is a description of the types of organisations we may need to share some of the personal information

we process with for one or more reasons. with:

 Third parties who provide services to us such as:

o Providers of I T support and maintenance services

o Auditors and accountants
o Professional Indemnity and other

insurers and brokers
o Confidential waste disposal o Website hosting

•   Search providers in property transactions
•   Providers of indemnity policies inproperty transactions
•   Regulatory authorities and bodies/tradeassociations such as the Solicitors’ Regulation Association; Law Society CQS scheme, Information Commissioner and Legal Ombudsman.

Where necessary or required we share information

 HMRC and other Government bodies  Courts and Tribunals
 Private investigators
 Credit reference agencies

 Debt collection and tracing agencies  Financial organisations
 Healthcare professionals, social and

welfare organisations
 Educators and examining bodies
 Current, past or prospective employers  Employment or recruitment agencies
 Business associates
 Family, associates or representatives of

the person whose data we are processing  Complainants/enquirers

2

TRANSFER OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)

All of the information we hold is stored on a server hosted by one of our IT services providers at a Data Centre facility in England. Our IT service provider is a data processor and relevant staff are trained in the requirements of Data Protection and confidentiality as well as appropriate procedures,andtheyalsosignaconfidentialityagreement. TheDataCentrefacilityisprotectedby 24×7 security guard patrols and CCTV Monitoring. Access control requires an access card, PIN and biometric identity check, with only zoned access granted. There is a fully controlled goods-in and out procedure.

Depending upon the software services contracted they may use sub-contractors to enable the delivery of certain functionality . All sub -contractors sign a non -disclosure agreement and/or suppliercontractwithincludesrequirementspertinenttodataprotectionrequirements. Theirstaff undergo full background checks. It may sometimes be necessary to transfer information overseas to a country outside the European Economic Area (EEA) in order to deal with support calls. This will be a sister company to our IT service provider and may involve controlled remote access to customer data which will be stored in the UK. The sub-contractor has signed a contract incorporating standard contractual clauses issued by the ICO (Information Commissioner’s Office) and also data protection clauses compliant with GDPR requirements. Access to the data is controlled by UK resources who only grant access to overseas resources on a role basis using individual login details and is terminated as soon as the support call is formally accepted as “closed” by ourselves. Any copies of data transferred for use by the sub-contractor will be deleted at the same time.

If you are based outside the EEA by instructing us you acknowledge and agree that transfers of information are necessary for us to provide services to you.

HOW LONG DO WE KEEP INFORMATION?

We will store information for as long as it is required to enable us to fulfil the purpose for which we collected it and/or in order to comply with our legal and regulatory obligations:

•   Client files are retained for a minimum period of 6 years although there are circumstances where they will be kept for longer because this is in the interest of the client or because we need to retain the file to continue to fulfil our obligations, e.g. a Trust, a Will matter or where the client is a minor or some other reason why there would be a legal obligation or legitimate interestinkeepingthefile. Afterexpiryoftheminimumperiodthepaperfileisextractedfrom storage and destroyed. The retention times are applied to the electronic version of the file which is deleted.
•   Accounts and payroll records are kept in accordance with HMRC requirements.
•   Personnel records are kept for a minimum of 3 years after the member of staff has left ouremployment after which both the paper file and the electronic record are destroyed.
•   Information obtained from job seekers is retained for six months and then destroyed. YOUR OWN RIGHTS

May 2018

3

•   You have the right to confirmation that we are processing your data, and if so to be given details of the information (copies would normally be supplied), the purpose for which it is being used and to whom it is being disclosed. This is called a Data Subject Access Request. You will not have to pay a fee for this, unless the request is unfounded or excessive or is on a repetitive basis.
•   If you believe that we are using inaccurate information you can write to us and request:

o that we correct the information that we are holding. If you are aware that the information we are holding has changed please let us know and we shall amend it within a reasonable time.

o that we erase your information so that it is removed from our records (there may be circumstances that mean we should keep the information but we will let you know if this applies).

o that we restrict processing so that we still hold the information but do not do anything with it (this could be whilst we are dealing with correction of inaccuracies for example).

•   Where we are using your information under the lawful basis of your consent you have the right to withdraw that consent at any time.
•   If you are unhappy with the way that we have dealt with your information please contact us using the contact details below. You may also contact the Information Commissioner’s Office which is the supervisory body for the GDPR. Their website address is www.ico.org.uk.CONTACT DETAILS

  Please email us at data@eldridges.co.uk or write to us at: The Accounts Manager
  36 St James’ Street
  Newport

  Isle of Wight PO30 1LF

  We are registered with the Information Commissioner’s Office under registration number Z4982534.

4

May 2018