Legal help for data breach compensation claims

Privacy Notice

"Your Lawyers Limited (“YLL”) offer a range of legal services to individuals covering a broad spectrum of civil claims including personal injury, consumer law, data breaches and multi-party actions."

In pursuance of your claim, by making an enquiry about pursuing a claim or by engaging with us on social media, personal data about you will be held by Your Lawyers Limited (“YLL”) of 18 Prospect House, Colliery Close, Staveley, Chesterfield, S43 3QE, and we shall determine the purpose and means by which that personal data is processed. We are a data controller within the meaning of the Data Protection Act 2018 (“DPA”) and the General Data Protection Regulations 2018 (“GDPR”). The firm has a dedicated Data Protection Officer, Steven Brooks.

This document explains our role as a data controller and the personal data that will be processed in pursuance of your claim.

The GDPR provides the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

It is important to note that the rights available to you under the GDPR depend upon the lawful bases for which we process the personal data. As such, not all rights are available to you.

This document explains your rights and the collection and use of your personal data.

We reserve the right to update this Privacy Information Notice periodically. You should check this policy occasionally to ensure you are aware of the most recent version.

What is Personal Data?

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.

Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

The GDPR refers to sensitive personal data as “special categories of personal data”. The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.

Consent and your Contractual Obligation to provide the Personal Data

By instructing us to pursue a legal claim on your behalf, it is a term of our agreement with you that you are agreeing for us to collect personal data about you which we shall process in pursuance of your claim. We are unable to meet our contractual obligations to you without collecting and processing your personal data. A failure by you to provide the personal data which we require in order to meet our contractual obligations to you (or withdrawal of your consent for us to collect and process your personal data) will leave you in breach of the agreement you have with us with the effect that you will be liable for, and we will seek payment of, our fees from you as set out within our terms and conditions.

By contacting us/instructing/engaging with us on social media in relation to the legal services that we offer, you are agreeing to us contacting you by post, telephone, email, direct messaging (and any other form of social media messaging) and SMS in relation to your enquiry, your legal claim and in relation to the services that we offer and those of other companies that we work with. You can opt-out of receiving contact from us in relation to the services that we offer and those of other companies that we work with at any time by providing us with notice either verbally or in writing.

Purposes for Processing Personal Data

The purpose for which your personal data is processed is the pursuance of your legal claim. We are unable to fulfil our contractual obligations to you (providing legal services) without processing your personal data.

In order to pursue a legal claim, we are required to collect and process personal data. The personal data collected is limited to that which is required for us to fulfil our contractual obligations to you. We collect personal data in accordance with the applicable data protection laws and our other statutory obligations. The processing of your personal data is necessary to establish and exercise a legal claim. This may include processing categories of sensitive information, outlined in this document, particularly when pursuing a claim for personal injury, as this will often involve the obtaining of certain classes of records, for example medical records.

Your personal data will also be held when you contact us in contemplation of pursuing a legal claim, whether or not the claim proceeds. For all enquiries where we do not subsequently represent you, your personal data will be retained by us in accordance with our retention policy. Our reason for retaining such information is in order to defend any legal claim pursued against us.

Your personal data will also be held when you engage with us on one of our social media platforms. If you follow, like or comment on any of our social media pages or posts we may contact you via direct messaging (or another form of messaging as that platform allows) about the services that we offer. Unless you contact us further, our processing of your data in such a situation will be limited to sending you a direct message (or other form of message as available on that platform). You have the right to opt-out of receiving such messages as explained below.

We have a legitimate interest in retaining your personal data in order to contact you with regards to the services that we offer and those of other companies that we work with. You have the right to opt-out of receiving communications from us pertaining to our services and those of other companies that we work with.

Lawful Basis for Processing Personal Data

There are two main lawful bases for which we shall process personal data; contract and legitimate interest.

Contract

By providing instructions for us to act and represent you in relation to your claim, you have entered into a contract with us for legal services. We need to process your personal data in order to fulfil our contractual obligations to you; that is in order to represent you in pursuance of your claim. The processing of personal data in pursuance of a claim is necessary and the contract cannot be fulfilled in absence of processing personal data. It is a term of the agreement we have with you that you agree for us to collect personal data about you which we shall process in pursuance of your claim.

Legitimate Interest

We have a legitimate interest in processing your personal data in pursuance of your claim. A claim cannot be pursued without the processing of personal data, as identified above. The personal data which we will process shall be confined to what is reasonably required in pursuance of your claim. The necessity to process personal data in pursuance of a claim is one which cannot be achieved in any other way so as to avoid the need to process personal data.

We have a legitimate interest in retaining your personal data following the settlement of your claim or where a claim does not proceed, in accordance with our retention policy, in order to defend any legal claim that is pursued against us.

We have a legitimate interest in retaining your personal data in order to contact you with regards to the services that we offer and those of other companies that we work with. You have the right to opt-out of receiving communications from us pertaining to our services and those of other companies that we work with.

In certain circumstances it may be appropriate to apply to the Court for an anonymity order but that in itself would not circumvent the need to process your personal data as part of the claims process.

The Categories of Personal Data obtained

The personal data that we shall process will vary dependent upon the individual claim that you instruct us to pursue on your behalf. In most cases there will be a standard list of personal data that will be required to be processed, which includes:

  • Full Legal Name (including alias)
  • Address
  • Date of Birth
  • Contact Telephone Numbers/Email Address

Certain claims will require the processing of additional personal data which may include the obtaining/processing of:

  • National Insurance Number
  • Benefits Received
  • Wage Slips/Earnings Information
  • Medical Records
  • Employment/Personnel Records
  • Benefits Records
  • HMRC Records
  • Academic Records
  • Police Reports
  • Criminal Records

In pursuance of your claim, we may need to process more sensitive personal data, such as medical records. This is known as Special category data. As this personal data is more sensitive, it needs more protection. For example, information about an individual’s:

  • race;
  • ethnic origin;
  • politics;
  • religion;
  • trade union membership;
  • genetics;
  • biometrics (where used for ID purposes);
  • health;
  • sex life; or
  • sexual orientation.

In order to lawfully process special category data, we must identify both a lawful basis and a separate condition for processing special category data. These do not have to be linked. Our lawful bases are set out above. Our separate condition for processing special category data is for the establishment, exercise or defence of legal claims.

The processing of personal data will be restricted to what is reasonably necessary in pursuance of the claim. We take extra safety measures when processing sensitive data, which include using recorded/special delivery mail and using password-protected electronic documents and links.

In cases involving children or patients where a Litigation Friend is appointed, the collection and processing of personal data will include that of the Litigation Friend in addition to the child/patient. Similarly, in cases being pursued on behalf of an Estate or where a Personal/Authorised Representative is instructed, the collection and processing of personal data will include that of the Estate, the deceased and the Personal/Authorised Representative.

The Sources of Personal Data

The majority of personal data that we collect is likely to be provided by you. However, in some cases, there will be a requirement for us to collect personal data from other sources in order to pursue your legal claim. For example, in a claim for personal injury, medical records will often be required. Those records are usually held by medical establishments such as your GP surgery, local health authority or hospital. Those records may be obtained by us directly or via the use of a medical agency whom we will hold a contract with in relation to their services. In such circumstances, the medical agency acts as a data processor and is subject to the obligations laid out in the DPA and GDPR for data processors. There may be various other sources of personal data from which we collect personal data in pursuance of a legal claim. Common examples are:

  • Employer
  • HMRC
  • Department for Work and Pensions
  • Compensation Recovery Unit
  • School/College/University
  • Rehabilitation/Treatment Provider
  • The opponent/their legal representative
  • Other Parties related to the case - for example, witnesses, enquiry agents, previous Solicitors’ firms or treatment providers

The obtaining of personal data from other sources is limited to that which is reasonably required for us to pursue your legal claim.

The Categories of Recipients of the Personal Data

In pursuance of a legal claim, it will be necessary for various categories of recipients to receive the personal data. These may include, but not be limited to:

  • The Opponent and their insurer/legal representatives
  • The Court
  • A medical agency
  • A medical expert or other expert witness
  • A barrister
  • Witnesses
  • Department for Work and Pensions
  • HMRC
  • Employer (past and present)
  • Other Parties related to the case - for example, enquiry agents, previous Solicitors’ firms, partner law firms, law firms acting as our agents or treatment providers

The personal data that is processed by us in pursuance of your claim will be limited to that which is reasonably required.

We use an electronic case management system (CMS) for the storage of case information. The CMS stores all of the above personal data in an individual case file and on our servers. The CMS is the product of a third-party company (the CMS provider (CMSP)), not YLL. From time to time there may be a requirement for the CMSP to access our servers at our or their request for the purpose of system upgrades, patches or to perform general maintenance. Further, there may be occasions when personal data is transferred to the CMSP secure servers. Such an occasion will be rare but may for example arise as part of a data transfer exercise if we were to transfer claims to another firm of solicitors who use the same CMS. The CMSP has its own obligations under the Data Protection Act 2018/the GDPR.

We store some personal data on servers owned, operated and maintained by third party providers. Those providers have their own duties under the GDPR as data processors. By providing instructions for us to act and represent you in relation to your claim, you are agreeing that we may store and process your personal data in accordance with the lawful bases identified above and in accordance with this notice.

If your claim requires online submission via the Ministry of Justice’s online portal, your personal data will be uploaded and communicated by the electronic portal as prescribed by the relevant pre-action protocols/rules. By providing instructions for us to act and represent you in relation to your claim, you are agreeing that we may process your personal data via the online portal submission in accordance with the lawful bases identified above and in accordance with this notice.

Our offices operate Closed Circuit Television Cameras (CCTV), installed for the purpose of preventing criminal activity and in order to protect our staff and visitors. As such, if you visit our offices, you may be captured on CCTV footage.

The Retention Periods for Personal Data

Personal data may be retained by us for a minimum period of fifteen years following settlement of your claim (including costs). Settlement of your legal claim means that the claim has been finally decided in your favour where your opponent has not appealed, has lost the right to appeal or has exhausted all avenues of appeal. If your claim is lost or discontinued, the retention period will run from the date of finalisation of the claim which will include any appeal up to the point where all avenues of appeal have been exhausted and settlement of any costs entitlement to the opponent.

Personal data may be removed from our case management system after case settlement. Such case data will remain secure for at least fifteen years prior to being securely erased, save for the retention of suppressed data as explained below.

The retention periods above apply to any claim/proposed claim which, for whatever reason, we do not pursue on your behalf. Your personal data is retained in these circumstances in order to defend any legal claim which may be pursued against us. The fifteen-year period will commence from the time at which you contact us.

For claims on behalf of minors, the retention period will be fifteen years from the date of majority.

The retention periods for personal data are reasonable based upon the nature of our business. Any claim pursued against us carries with it a six-year limitation period. However, such a claim may be pursued on a date of knowledge basis which may extend beyond the normal limitation period and has a fifteen-year longstop. As such, we have conducted a balancing act between the rights of the individual and our interests in retaining the data. We consider fifteen years to be a reasonable retention period to ensure that our position is not prejudiced in relation to the defence of a legal claim and that, as the impact on the individual will be minimal, the retention periods that we have in place are suitable for all Parties.

Personal data may be retained by us beyond this retention period for the purpose of contacting you in relation to the services that we offer; such contact may be made by us or by agents acting on our behalf. Your data will be suppressed at the fifteen-year point so that only your contact information remains for the purpose of such contact. You have the right to opt-out of receiving such communications, but choosing to opt-out of communications relating to the services that we offer, and those of other companies that we work with, does not prevent us from retaining your personal data for fifteen years in accordance with our retention policy.

The Right of Access

You have the right to access your personal data. This is known as a “subject access request”. You can make a subject access request verbally or in writing.

You have the right to obtain the following from us:

  • confirmation that we are processing your personal data;
  • a copy of your personal data; and
  • other supplementary information:
    • the purposes of our processing;
    • the categories of personal data concerned;
    • the recipients or categories of recipient we disclose the personal data to;
    • our retention period for storing the personal data;
    • the existence of your right to request rectification, erasure or restriction or to object to such processing;
    • the right to lodge a complaint with the ICO or another supervisory authority;
    • information about the source of the data, where it was not obtained directly from the individual;
    • the existence of automated decision-making (including profiling); and
    • the safeguards we provide if we transfer personal data to a third country or international organisation.

All of the information that forms the “supplementary information” category is contained within this privacy information notice.

You are only entitled to your own personal data, and not to information relating to other people (unless the information is also about you or you are acting on behalf of someone).

In most cases, we will provide a copy of the information to you free of charge if you request the information. However, we can charge a reasonable fee when a request is manifestly unfounded or excessive, particularly if it is repetitive. We may also charge a reasonable fee to comply with requests for further copies of the same information. The fee will be based on the administrative cost of providing the information to you.

If you make a request, the information shall be provided without delay and at the latest within one month of receipt. However, we are able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we must inform you within one month of the receipt of the request and explain why the extension is necessary.

Where requests are manifestly unfounded or excessive, in particular because they are repetitive, we can:

  • charge a reasonable fee taking into account the administrative costs of providing the information; or
  • refuse to respond.

Where we refuse to respond to a request, we shall write to you without undue delay and at the latest within one month in order to explain why we are refusing your request and informing you of your right to complain to the supervisory authority (the ICO) and of your ability to seek to enforce this right through a judicial remedy.

If we have doubts about the identity of the person making the request we can ask for more information. We will let you know without undue delay and within one month that we need more information from you to confirm your identity. We do not need to comply with the request until we have received the additional information.

The Right to Rectification

You have a right to have inaccurate personal data rectified or completed if it is incomplete.

You can make a request for rectification verbally or in writing and we have one calendar month thereafter to respond to a request.

We can refuse to comply with a request for rectification if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.

If we consider that a request is manifestly unfounded or excessive we can:

  • request a reasonable fee to deal with the request; or
  • refuse to deal with the request.

In either case we will write to you in order to justify our decision. The reasonable fee charged will be based on the administrative costs of complying with the request. In circumstances where we consider a reasonable fee is required, we will not comply with the request until we have received the fee.

Where we refuse to respond to a request, we shall write to you without undue delay and at the latest within one month in order to explain why we are refusing your request and informing you of your right to complain to the supervisory authority (the ICO) and of your ability to seek to enforce this right through a judicial remedy.

We can extend the time to respond by a further two months if the request is complex or we have received a number of requests from you. In those circumstances we will let you know without undue delay and within one month of receiving your request and explain why the extension is necessary.

If we have doubts about the identity of the person making the request we can ask for more information. We will let you know without undue delay and within one month that we need more information from you to confirm your identity. We do not need to comply with the request until we have received the additional information.

The Right to Erasure

The right to erasure is also known as ‘the right to be forgotten’. This right is not absolute and is not available where processing is necessary for the establishment, exercise or defence of legal claims.

Personal data will be erased in accordance with our retention policy.

The Right to Restrict Processing

You have the right to request the restriction or suppression of your personal data. You can make a request for restriction verbally or in writing. It may be that your request prevents us from fulfilling our contractual obligations to you. If we consider that to be the case, we shall contact you to explain the position.

You have the right to request we restrict the processing of your personal data in the following circumstances:

  • you contest the accuracy of your personal data and we are verifying the accuracy of the data;
  • the data has been unlawfully processed (ie in breach of the lawfulness requirement of the first principle of the GDPR) and you oppose erasure and request restriction instead;
  • we no longer need the personal data but you need us to keep it in order to establish, exercise or defend a legal claim; or
  • you have objected to us processing your data under Article 21(1) GDPR, and we are considering whether our legitimate grounds override yours.

In most cases we will not be required to restrict your personal data indefinitely but will need to have the restriction in place for a certain period of time. Further, it may not be possible for us to fulfil our contractual obligations to you in performing legal services on your behalf, if we are subject to a restriction of our processing activities. If we consider this to be the case, we shall write to you explaining our position.

When processing is restricted, we are permitted to store the personal data, but not use it. We must not process the restricted data in any way except to store it unless:

  • we have your consent;
  • it is for the establishment, exercise or defence of legal claims;
  • it is for the protection of the rights of another person (natural or legal); or
  • it is for reasons of important public interest.

If we have disclosed the personal data in question to others, we will contact each recipient and inform them of the restriction of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, we will also inform you about these recipients.

The GDPR defines a recipient as a natural or legal person, public authority, agency or other body to which the personal data are disclosed. The definition includes controllers, processors and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

In many cases the restriction of processing will only be temporary, specifically when the restriction is on the grounds that:

  • you have disputed the accuracy of the personal data and we are investigating this; or
  • you have objected to us processing your data on the basis that it is necessary for the performance of a task carried out in the public interest or the purposes of our legitimate interests, and we are considering whether our legitimate grounds override yours.

Once we have made a decision on the accuracy of the data, or whether our legitimate grounds override yours, we may decide to lift the restriction. If we do this, we will inform you before we lift the restriction.

We can refuse to comply with a request for restriction if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. If we consider that a request is manifestly unfounded or excessive we can:

  • request a "reasonable fee" to deal with the request; or
  • refuse to deal with the request.

In either case we will write to you in order to justify our decision. The reasonable fee charged will be based on the administrative costs of complying with the request. In circumstances where we consider a reasonable fee is required, we will not comply with the request until we have received the fee.

Where we refuse to respond to a request, we shall write to you without undue delay and at the latest within one month in order to explain why we are refusing your request and informing you of your right to complain to the supervisory authority (the ICO) and of your ability to seek to enforce this right through a judicial remedy.

We have one calendar month to respond to a request. However, we can extend the time to respond by a further two months if the request is complex or we have received a number of requests from you. We will let you know within one month of receiving your request and explain why the extension is necessary.

If we have doubts about the identity of the person making the request we can ask for more information. We will let you know without undue delay and within one month that we need more information from you to confirm your identity. We do not need to comply with the request until we have received the additional information.

The Right to Data Portability

The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.

The right only applies to information you have provided to us.

The right to data portability gives you the right to receive personal data that you have provided to us in a structured, commonly used and machine-readable format. It also gives you the right to request that we transmit this data directly to another data controller.

The right to data portability only applies to personal data. This means that it does not apply to genuinely anonymous data. However, pseudonymous data that can be clearly linked back to you is within scope of the right.

If the requested information includes information about others (e.g. third party data) we will need to consider whether transmitting that data would adversely affect the rights and freedoms of those third parties.

Providing third party data to you may not be a problem if you provided this data to us within the information that you provided to us in the first place. However, we will need to give careful consideration as to whether there will be an adverse effect on the rights and freedoms of third parties, in particular when we are transmitting data directly to another controller.

If the requested data has been provided to us by multiple data subjects (e.g. a joint bank account) we need to be satisfied that all parties agree to the portability request. This means that we may have to seek agreement from all the parties involved.

The right to data portability entitles you to:

  • receive a copy of your personal data; and/or
  • have your personal data transmitted from one controller to another controller.

You have the right to receive your personal data and store it for further personal use.

We can achieve this by either:

  • directly transmitting the requested data to you; or
  • providing access to an automated tool that allows you to extract the requested data yourself.

This does not create an obligation on us to allow you more general and routine access to our systems – only for the extraction of your data following a portability request.

If your personal data is transported, the data will be retained by us in accordance with our retention policy.

You have the right to ask us to transmit your personal data directly to another controller without hindrance. Without hindrance means that we should not put in place any legal, technical or financial obstacles which slow down or prevent the transmission of the personal data to you, or to another organisation. However, there may be legitimate reasons why we cannot undertake the transmission. For example, if the transmission would adversely affect the rights and freedoms of others. It is however our responsibility to justify to you why these reasons are legitimate and why they are not a ‘hindrance’ to the transmission.

If we provide information directly to you or to another organisation in response to a data portability request, we are not responsible for any subsequent processing carried out by you or the other organisation. We are responsible for the transmission of the data and will take appropriate measures to ensure that it is transmitted securely and to the right destination. If we provide data to you, it is possible that you will store the information in a system with less security than ours. You should ensure that any system that you store information on has adequate security.

When we receive personal data that has been transmitted as part of a data portability request, we will process this data in line with data protection requirements.

In deciding whether to accept and retain personal data, we will consider whether the data is relevant and not excessive in relation to the purposes for which we will process it. We shall also consider whether the data contains any third party information.

We can refuse to comply with a request for restriction if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. If we consider that a request is manifestly unfounded or excessive we can:

  • request a "reasonable fee" to deal with the request; or
  • refuse to deal with the request.

In either case we will write to you in order to justify our decision. The reasonable fee charged will be based on the administrative costs of complying with the request. In circumstances where we consider a reasonable fee is required, we will not comply with the request until we have received the fee.

Where we refuse to respond to a request, we shall write to you without undue delay and at the latest within one month in order to explain why we are refusing your request and informing you of your right to complain to the supervisory authority (the ICO) and of your ability to seek to enforce this right through a judicial remedy.

We have one calendar month to respond to a request. However, we can extend the time to respond by a further two months if the request is complex or we have received a number of requests from you. We will let you know within one month of receiving your request and explain why the extension is necessary.

If we have doubts about the identity of the person making the request we can ask for more information. We will let you know without undue delay and within one month that we need more information from you to confirm your identity. We do not need to comply with the request until we have received the additional information.

The Right to Object

Under the GDPR you have the right to object to the processing of your personal data. This effectively allows you to ask us to stop processing your personal data.

However, the right to object only applies in certain circumstances. Whether it applies depends on our purposes for processing and our lawful bases for processing.

You can object if the processing is for:

  • a task carried out in the public interest;
  • the exercise of official authority vested in us; or
  • our legitimate interests (or those of a third party).

In these circumstances the right to object is not absolute and you must give specific reasons why you are objecting to the processing of your data. These reasons should be based upon your particular situation. In these circumstances, we can continue processing if:

  • we can demonstrate compelling legitimate grounds for the processing, which override your interests, rights and freedoms; or
  • the processing is for the establishment, exercise or defence of legal claims.

If we are satisfied that we do not need to stop processing the personal data in question, we will write to you in order to let you know. We will explain our decision and inform you of your right to make a complaint to the ICO, or another supervisory authority, and of your ability to seek to enforce your rights through a judicial remedy.

Where we have received an objection to the processing of personal data and we have no grounds to refuse, we will stop processing the data. This may mean that we need to erase personal data as the definition of processing under the GDPR is broad and includes storing data. However, this will not always be the most appropriate action to take. Erasure may not be appropriate if we process the data for other purposes as we need to retain the data for those purposes.

If we are processing data for scientific or historical research, or statistical purposes, the right to object is more limited.

You have the absolute right to object to the processing of your personal data if it is for direct marketing purposes. However, this does not automatically mean that we need to erase your personal data and in most cases it will be preferable to suppress your details. Suppression involves retaining just enough information about you to ensure that your preference not to receive direct marketing is respected in future.

We can refuse to comply with a request for restriction if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. If we consider that a request is manifestly unfounded or excessive we can:

  • request a "reasonable fee" to deal with the request; or
  • refuse to deal with the request.

In either case we will write to you in order to justify our decision. The reasonable fee charged will be based on the administrative costs of complying with the request. In circumstances where we consider a reasonable fee is required, we will not comply with the request until we have received the fee.

Where we refuse to respond to a request, we shall write to you without undue delay and at the latest within one month in order to explain why we are refusing your request and informing you of your right to complain to the supervisory authority (the ICO) and of your ability to seek to enforce this right through a judicial remedy.

We have one calendar month to respond to a request. However, we can extend the time to respond by a further two months if the request is complex or we have received a number of requests from you. We will let you know within one month of receiving your request and explain why the extension is necessary.

If we have doubts about the identity of the person making the request we can ask for more information. We will let you know without undue delay and within one month that we need more information from you to confirm your identity. We do not need to comply with the request until we have received the additional information.

Rights in relation to automated decision making and profiling

The GDPR has provisions on:

  • automated individual decision-making (making a decision solely by automated means without any human involvement); and
  • profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.

The nature of our business activities does not involve either of the above. If we intended to process your personal data in relation to either automated decision making or profiling, we would write to you in advance of the same to explain our position.

The Right to lodge a complaint with a Supervisory Authority

You have the right to lodge a complaint with the Information Commissioner’s Office (“ICO”). The ICO are the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Rights in relation to Transfers of the Personal Data to any Third Countries or International Organisations

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations. These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.

From time to time we may engage with the services of a US company named MailChimp which provides email services. Your personal data may be shared with MailChimp in progression of your claim. MailChimp have their own duties and responsibilities under the GDPR and, as a US company, are subject to stringent levels of data protection. By instructing us you are agreeing for us to use the services of MailChimp if we consider it appropriate to do so. You may contact us to tell us that you do not wish for us to use MailChimp at any time.

We offer a LiveChat facility on our websites. LiveChat is a US based company who have their own duties and responsibilities under the GDPR and, as a US company, are subject to stringent levels of data protection. Information provided by you via the LiveChat facility will be collected and processed by us under our lawful bases for processing personal data. If you do not wish for your data to be collected via LiveChat, please do not use the LiveChat facility.

We may utilise file storage facilities such as Dropbox, Google Drive and Microsoft OneDrive. These are US-based companies that are subject to stringent levels of data protection. By instructing us you are agreeing for us to use those services if we consider it appropriate to do so. You may contact us to tell us that you do not wish for us to use those services at any time.

The Internet is a global medium and your information may therefore be transferred outside the European Economic Area (EEA) en route. Your information may be transferred to any country, including countries outside the EEA where the transfer is necessary for the purposes of establishing, exercising or defending legal rights, obtaining legal advice, or in connection with any legal proceedings.

Accountability and Governance

We take data protection and protecting your data extremely seriously. Our contact details together with details of our Data Protection Officer are contained within this document. Should you feel the need to make a complaint in relation to any aspect related to the processing of your personal data, you can do so via the firm’s Complaint Handling Procedure. Any complaint will be investigated by our Complaints Manager and Data Protection Officer and a full response provided within the timescales set out in our Complaints Handling Policy.

We have in place and implement comprehensive but proportionate processes, policies, records and logs for handling personal data including keeping records of what we do and why. Our combined approach ensures compliance with the DPA, GDPR and in accordance with our duties as a data controller. We ensure that our staff are fully aware and comply with the processes, policies, records and logs when processing data.

We implement technical and organisational measures to ensure, and demonstrate, compliance with the DPA, GDPR and in accordance with our duties as data controller. Those measures are risk-based and proportionate and are reviewed and updated as necessary.
