PRIVACY NOTICE FOR CONTACTS
Date: 2 April 2019
What is the purpose of this document?
Wrigleys Solicitors LLP (registered number OC318186) of 19 Cookridge Street, Leeds, West Yorkshire, LS2 3AG is committed to protecting the privacy and security of the personal information of the people (Data Subjects) we deal with in the course of: raising awareness about/promoting, and then holding or participating in, the events/activities that we (or others) may hold/undertake; raising awareness about/promoting the services that we (or others) may provide; or providing legal (and other) information, insights and updates that we (or others) may publish (together Firm Activities).
This privacy notice describes how we collect and use personal information about Data Subjects before, during and after we undertake our Firm Activities in accordance with the General Data Protection Regulation (GDPR) and relevant regulations (including the Privacy and Electronic Communications Regulations (PECR)). It applies to all Data Subjects (whether current or former).
Wrigleys is a "data controller". This means that we are responsible for deciding how we hold and use personal information about Data Subjects. We are required under data protection legislation to notify Data Subjects of the information contained in this privacy notice.
This notice does not form part of any contract to undertake our Firm Activities. We may update this notice at any time.
It is important that Data Subjects read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about Data Subjects, so that they are aware of how and why we are using such information.
Data protection representatives
We have appointed three data protection representatives (DPRs) to oversee compliance with this privacy notice and the processing by us of personal information about Data Subjects. If you have any questions about this privacy notice or how we handle the personal information referred to in it, please contact our DPRs (via firstname.lastname@example.org). If you have any complaints about the processing of the personal information referred to in this privacy notice, you have the right to make a complaint to the Information Commissioner's Office (ICO) (www.ico.org.uk), the regulator and supervisory authority for data protection in the UK.
Data protection principles
We will comply with data protection law. This says that the personal information we hold about Data Subjects must be:
The kind of information we hold about Data Subjects
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
There are "special categories" of more sensitive personal data which require a higher level of protection.
We may collect, store, and use the following categories of personal information about Data Subjects in the course of undertaking our Firm Activities:
- Personal contact details such as name, title, addresses, telephone numbers and email addresses.
- Employment details.
- Opinions and feedback relating to our Firm Activities.
- Information about use of our information and communication systems.
We may also collect, store and use the following "special categories" of more sensitive personal information about Data Subjects:
- Information about race or ethnicity, religious or philosophical beliefs, sexual orientation, trade union membership and political opinions.
- Information about physical and/or mental health (including information about disabilities and access and dietary requirements which we need to cater for at events).
How is personal information about Data Subjects collected?
We typically collect personal information about Data Subjects either directly from the Data Subject or sometimes from third parties such as other professional advisers.
We will collect additional personal information about Data Subjects in the course of undertaking our Firm Activities. For example, it may be necessary for a Data Subject to provide us with personal information about other Data Subjects (including "special category" personal information (see below)).
How we will use information about Data Subjects
We will only use personal information about Data Subjects when the law allows us to do so. Most commonly, we will use personal information about Data Subjects in the following circumstances:
We may also use personal information about Data Subjects in the following situations, which are likely to be rare:
Situations in which we will use personal information about Data Subjects
We process the categories of information in the list above (under the heading The kind of information we hold about Data Subjects) where we have received the freely given, specific, informed and unambiguous consent to do so by the Data Subject [*], or to pursue legitimate interests of our own or those of third parties [**], provided the interests and fundamental rights of the Data Subject do not override those interests. We may also process personal information in order to allow us to properly review, consider and respond to enquiries and requests for our advice and services prior to entering into, or to perform, a contract with the Data Subject [***]. The situations in which we will process personal information about Data Subjects in respect of our Firm Activities are listed below. We have indicated by asterisks the purpose or purposes for which we are processing or will process personal information about Data Subjects.
- Sending communications about our Firm Activities to Data Subjects in line with their requests and preferences*
- Ensuring that we hold accurate contact and other information about Data Subjects through centralised and secure databases and filing systems. For these purposes we use software licensed to us by a third party software provider [see footnote 1]**
- Processing enquiries and requests for our advice and services, and reviewing, considering and responding to those enquiries and requests***
- Obtaining dietary and other special requirements relating to a Data Subject's health in connection with the events/activities that we (or others) may hold/undertake and sharing this information where necessary in order to ensure that any such requirements are accommodated and catered for*
- Sharing information with third party hosts or organisers of events that we may hold or participate in. We will only do so if we have notified you in advance of the identity of any such host or organiser**
- Undertaking internal quality control of our Firm Activities. This will include processing opinions and feedback relating to our Firm Activities and maintaining records relating to the same**
- Administering and managing the events that we hold, the activities that we undertake and the legal (and other) information, insights and updates that we publish, as a firm. This will include processing personal information in booking and mailing list sign-up forms. For these purposes we use software licensed to us by a third party software provider [see footnote 1]**
- Administering and sending occasional postal communications to mark customary occasions**
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of personal information about Data Subjects.
We will only process "special categories" of personal information in accordance with the paragraph below headed How we use particularly sensitive information.
Change of purpose
We will only use personal information about Data Subjects for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use the personal information of Data Subjects for an unrelated purpose, we will tell them about the legal basis which allows us to do so.
Please note that we may process personal information about Data Subjects without their knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
How we use particularly sensitive personal information
"Special categories" of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information.
We may process special categories of personal information about Data Subjects with the explicit written consent of the Data Subject.
Less commonly, we may process this type of information where:
Where we use the personal information of Data Subjects for direct marketing purposes (e.g. to inform them about Firm Activities) and we have previously either provided similar services to them (e.g. they have attended one of our events) or they have enquired about the use of our services, we may send direct marketing via email on the basis that it is in our legitimate interests to do so. We may also send direct marketing to Data Subjects via email on this basis where the email would be classified as a business to business communication.
Where we send emails for direct marketing purposes on the basis of our legitimate interests, we will always give Data Subjects the opportunity to opt-out of receiving future direct marketing communications from us.
In all other cases, we will only undertake direct marketing activities via email where we have the Data Subject's consent to do so.
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in relation to Data Subjects in the following circumstances:
If we make an automated decision in relation to Data Subjects on the basis of any particularly sensitive personal information, we must have either the explicit written consent of the Data Subject or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard the rights of the Data Subject.
Data Subjects will not be subject to decisions that will have a significant impact on them based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified them.
We do not envisage that any decisions will be taken about Data Subjects using automated means. However, we will tell them if this position changes.
In order to undertake our Firm Activities, we may have to share personal information about Data Subjects with third parties, including third-party service providers.
We require third parties to respect the security of personal information about Data Subjects and to treat it in accordance with the law.
We may transfer personal information about Data Subjects outside the EU. If we do, Data Subjects can expect a similar degree of protection in respect of their personal information.
We do not sell personal information about Data Subjects to any third party.
Why might we share personal information about Data Subjects with third parties?
We may share personal information about Data Subjects with third parties where required by law, where it is necessary for us to perform a contract with a Data Subject relating to our Firm Activities, or where we have another legitimate interest in doing so.
Which third-party service providers process personal information about Data Subjects?
The following activities are carried out by third-party service providers:
- marketing automation platform and email marketing services [see footnotes 1 and 2];
- off-site archiving and storage facilities [see footnote 1];
- IT (including back-up) services [see footnote 1]; and
- banking facilities [see footnote 1].
How secure is personal information with third-party service providers?
All our third-party service providers are required to take appropriate security measures to protect personal information about Data Subjects in line with our policies. We do not allow our third-party service providers to use the personal data of Data Subjects for their own purposes. We only permit them to process such personal data for specified purposes and in accordance with our instructions.
What about other third parties?
We may share personal information about Data Subjects with other third parties. For example, we may need to share such personal information with a regulator or to otherwise comply with the law.
Transferring information outside the EU
We use MailChimp, operated by Rocket Science Group, to help us administer our email marketing activities. Their servers and offices are located in the USA, so the personal information about Data Subjects may be transferred to, stored, or processed in the USA.
MailChimp takes steps to protect the privacy of Data Subjects. MailChimp participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework. They are committed to subjecting all personal information about Data Subjects received from European Union member countries in reliance on the Privacy Shield Framework, to the Framework’s applicable principles.
The measures taken by MailChimp ensure that the personal information of Data Subjects is treated in a way that is consistent with and which respects the EU and UK laws on data protection. For further information, please see MailChimp's privacy notice which can be found here: www.mailchimp.com/legal/privacy/.
Data security
We have put in place measures to protect the security of personal information about Data Subjects. Details of these measures are available upon request.
Third-party service providers will only process personal information about Data Subjects on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We have put in place appropriate security measures to prevent personal information about Data Subjects from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to personal information about Data Subjects to those employees, agents, contractors and other third-party service providers who need to know. Third-party service providers will only process personal information about Data Subjects on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from our DPRs.
We have put in place procedures to deal with any suspected data security breach and will notify a Data Subject, the ICO and any other applicable regulator of a suspected breach where we are legally required to do so.
How long will we use information for?
We will only retain personal information about Data Subjects for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different aspects of personal information about Data Subjects are available in our Data Retention and Destruction Policy which is available from our DPRs. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise or pseudonymise personal information about Data Subjects so that it can no longer be associated with them, in which case we may use such information without further notice to them. Once a person has ceased to be a Data Subject (because, for example, they have removed themselves from our mailing lists) we will retain and securely destroy his/her personal information in accordance with our Data Retention and Destruction Policy.
Rights of access, correction, erasure, and restriction
Data Subjects' duty to inform us of changes
It is important that the personal information we hold about Data Subjects is accurate and current. We ask that Data Subjects keep us informed if their personal information changes during the course of our undertaking of our Firm Activities.
Data Subjects' rights in connection with personal information
Under certain circumstances, a Data Subject has the right to:
- Request access to his/her personal information (commonly known as a "data subject access request"). This enables him/her to receive a copy of the personal information we hold about him/her and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about him/her. This enables him/her to have any incomplete or inaccurate information we hold about him/her corrected.
- Request the erasure of his/her personal information. This enables him/her to ask us to delete or remove personal information where there is no good reason for us continuing to process it.
- Object to processing of his/her personal information where we are relying on a legitimate interest (or those of a third party) and there is something about his/her particular situation which makes him/her want to object to processing on this ground. A Data Subject also has the right to object where we are processing his/her personal information for direct marketing purposes.
- Request the restriction of processing of his/her personal information. This enables him/her to ask us to suspend the processing of personal information about him/her, for example if he/she wants us to establish its accuracy or the reason for processing it.
- Request the transfer of his/her personal information to another party.
If a Data Subject wants to review, verify, correct or request erasure of his/her personal information, object to the processing of his/her personal data, or request that we transfer a copy of his/her personal information to another party, please contact our DPRs in writing.
No fee usually required
Data Subjects will not have to pay a fee to access their personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if their request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from Data Subjects
We may need to request specific information from Data Subjects to help us confirm their identity and ensure their right to access the information (or to exercise any of their other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Right to withdraw consent
Where a Data Subject may have provided his/her consent to the collection, processing and transfer of his/her personal information for a specific purpose, he/she has the right to withdraw his/her consent for that specific processing at any time. To withdraw a consent, a Data Subject should contact our DPRs (see below). Once we have received notification that a Data Subject has withdrawn his/her consent, we will no longer process his/her information for the purpose or purposes originally agreed to, unless we have another legitimate basis for doing so in law.
[1] To protect the security of our data, we do not name the providers of such services to us in this privacy notice. However, a list of our service providers is available from our DPRs on written request. We reserve the right to withhold details of our service providers if we think such request might prejudice the security of our data.
[2] As at the date of this privacy notice, we use MailChimp, operated by Rocket Science Group, to help us administer our email marketing activities. MailChimp's privacy notice can be found here: www.mailchimp.com/legal/privacy/.
Changes to this privacy notice
We review this privacy notice annually and reserve the right to update it at any time, and we will make a new privacy notice available to Data Subjects when we make any substantial updates. We may also tell Data Subjects in other ways from time to time about the processing of their personal information.
If you have any questions about this privacy notice, please contact our Data Protection Representatives, via email at email@example.com, post to 19 Cookridge Street, Leeds, LS2 3AG or telephone 0113 244 6100.