1. INTRODUCTION

Purpose of this privacy notice

Acuity Law Limited ("Acuity", "we", "us", "our") respects your privacy and is committed to protecting your personal data. This privacy notice sets out how we collect and process your personal data when we provide services to you, when you communicate with us or when you visit our website or any other associated websites under our control ("websites") and tells you about your privacy rights and how the law protects you.

It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them.

About us

Acuity Law Limited is the controller and is responsible for your personal data.

We have appointed a data protection officer (“DPO”) who is responsible for overseeing questions in relation to this privacy notice. If you have any such questions, including any requests to exercise your legal rights, please contact the DPO by emailing [email protected] or by writing to Data Protection Officer, 3 Assembly Square, Britannia Quay, Cardiff CF10 4PL or by calling 0333 016 3553.

You have the right to make a complaint at any time to the Information Commissioner's Office (“ICO”), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Changes to the privacy notice and your duty to inform us of changes

We reserve the right to update and change this privacy notice from time to time in order to reflect any changes to the way in which we process your personal data or changing legal requirements. In case of any changes, we will publish the changed privacy notice on our websites and may publish or bring it to your attention by other means. The changes will take effect as soon as they are posted on our website.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Personal data about other people which you provide to us

If you provide personal data to us about someone else (such as your directors or employees, or someone with whom you have business dealings) you must ensure you are entitled to disclose that personal data to us and that, without our taking any further steps, we may collect, use and disclose that personal data as described in this privacy notice. You must ensure that the individual concerned is aware of the various matters detailed in this privacy notice.

Third-party links

Our websites may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our websites, we recommend and encourage you to read the privacy notice of any other website you visit.


2. THE DATA WE COLLECT ABOUT YOU

Personal data, or personal information, means any information which is related to an identified or identifiable natural person (i.e. you as an individual). It excludes any data which does not relate to an identified or identifiable individual or personal data rendered anonymous in such a manner that you (as the data subject) are not identified or no longer identifiable (anonymous data).

“Special categories” of particularly sensitive personal information require higher levels of protection. We may need to be able to collect, store and use this type of personal information for the legal services we provide.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

• Identity Data includes first name, maiden name, last name, job title, username or similar identifier used by you on any of our platforms or portals, marital status, title, date of birth and gender.

• Contact Data includes postal address (including home, business and billing addresses), email address, telephone numbers and fax numbers.

• Financial Data includes bank account, payment card details and other data necessary for fraud prevention and other related billing information.

• Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.

• Instruction Data includes business information necessarily processed in a project or client contractual relationship with us or voluntarily provided by you, such as instructions given, payments made, requests and retainer information.

• Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our websites.

• Profile Data includes your username and password for any of our websites and portals, purchases or orders made by you, your interests, preferences, feedback and survey responses.

• Usage Data includes information about how you use our websites, products and services and visits to our offices.

• Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

• Third Party Data includes information that you provide to us during the course of any instruction that relates to third parties that you are connected to (as per the statement above, this information may also be Personal Data relating to those third parties).

• Special Category Data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, data concerning health, data concerning sex life or sexual orientation. Although under the GDPR information relating to criminal offences and convictions is not included within the definition of special category data, for the purposes of this privacy notice we include reference to criminal convictions and offences under the category of “Special Category Data”.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.


3. HOW IS YOUR PERSONAL DATA COLLECTED?

We use different methods to collect data from and about you including through:

• Direct interactions. You may give us your personal data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you or your organisation seek our products or services, create an account or use any service on our websites, subscribe to our services or publications, make an enquiry or otherwise interact on our websites, attend a seminar or other event, offer to provide or actually provide services to us, request marketing to be sent to you, enter a competition, promotion or survey or give us feedback.

• Automated technologies or interactions. As you interact with our websites, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy for further details.

• Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources including analytics providers such as Google based outside the EU; advertising networks; search information providers such as Creditsafe Business Solutions Limited, InfoTrack and Your Company Formations Ltd, who may be based inside and/or outside the EU; providers of technical, payment and delivery services such as banks; data brokers or aggregators such as Creditsafe Business Solutions Limited, InfoTrack and Your Company Formations Ltd, who may be based inside and/or outside the EU; publicly availably sources such as Companies House and HM Land Registry and the Electoral Register, who may be based inside and/or outside the EU; other lawyers, courts and regulators who may be connected to the matter that we are instructed to advise you on.


4. HOW WE USE YOUR PERSONAL DATA

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

•  Where we need to perform the contract we are about to enter into or have entered into with you. This includes:

- Registering you as a new client.

- Processing and delivering products and services to you including managing payments, fees and charges and collecting and recovering money owed to us.

- Managing our relationship with you including notifying you about changes to our terms or privacy notice and asking you to provide a reference or take a survey.

- Enabling you to partake in a prize draw, competition or complete a survey or to attend an event that we are organising alone or jointly with others.

•  Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. This includes:

- Registering you as a new client and processing and delivering products and services to you – our legitimate interest is being able to provide legal services or products to you and/or being able to recover debts owed to us.

- Managing our relationship with you including notifying you about changes to our terms or privacy notice and asking you to provide a reference or take a survey – our legitimate interest is keeping our records updated and studying how clients use our products/services.

- Enabling you to partake in a prize draw, competition or complete a survey or to attend an event that we are organising alone or jointly with others – our legitimate interest is studying how clients use our products/services, developing them and growing our business.

- Administering and protecting our business and our websites – our legitimate interest is running our business, providing administration and IT services, network security, preventing fraud and in the context of a business reorganisation or group restructuring exercise.

- Delivering relevant website content and marketing to you and measuring or understanding the effectiveness of the marketing we serve to you – our legitimate interest is studying how clients use our products/services, developing them, growing our business and informing our marketing strategy.

 

- Using data analytics to improve our websites, products/services, marketing, client relationships and experiences – our legitimate interest is defining types of clients for our products and services, keeping our websites updated and relevant, developing our business and informing our marketing strategy.

- Making suggestions and recommendations to you about goods or services that may be of interest to you – our legitimate interest is developing our products/services and growing our business.

•  Where we need to comply with a legal or regulatory obligation or where the processing is necessary for the establishment, exercise or defence of legal claims. This includes:

- Registering you as a new client and processing and delivering products and services including collecting and recovering money owed to us.

- Managing our relationship with you including notifying you about changes to our terms or privacy notice and asking you to provide a reference or take a survey.

- Administering and protecting our business and our websites.

 

- Complying with legal or regulatory obligations (such as record keeping), compliance screening or recording (such as anti-money laundering and fraud and crime prevention) and court orders.

•  Where we need to carry out a task in the public interest (for example the prevention of fraud). This includes:

- Registering you as a new client and processing and delivering products and services to you.

- Complying with legal or regulatory obligations (such as record keeping), compliance screening or recording (such as anti-money laundering and fraud and crime prevention) and court orders.

• To carry out the obligations and exercise specific rights of the controller or of the data subject in the field of employment and social security and social protection law. This includes where we register you as a new client and process and deliver products and services to you.

Special Category Data

We will only use your Special Category Data when the law allows us to. Most commonly, we will use your Special Category Data in the following circumstances:

•  In limited circumstances, with your explicit written consent (or the consent of the relevant data subject if that is not you) for example when we process special category personal data in connection with the registration for and provision of access to an event or seminar. Specifically, we may ask for health information to identify and be considerate of any disability or dietary requirement. We use such information based on your consent. If you do not provide information about disabilities or dietary requirements we will not be able to take appropriate steps to accommodate your disabilities or dietary requirements. You have the right to withdraw consent to our use of special category personal data in connection with events and seminars by contacting us.

•  Where it is needed in the substantial public interest (for example to prevent fraud).

•  Processing relates to personal data which you or (if you are not the relevant data subject) the data subject has made public.

•  Processing is necessary for the establishment, exercise or defence of legal claims.

•  Less commonly, we may process this type of information where it is needed to protect your interests (or someone else's interests) and you are not capable of giving your consent.

Marketing

You may receive marketing communications from us if you have requested information from us or purchased products or services from us or if you provided us with details when you registered to take part in an event that we are organising either alone or in conjunction with others and, in each case, you have not opted out of receiving that marketing.

We will get your express opt-in consent before we share your personal data with any company outside the Acuity Group for marketing purposes.

You can ask us to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase or other transactions. Opting out will not apply to any personal data that we are required to keep for regulatory, compliance or legal reasons.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.


5. COOKIES

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our websites may become inaccessible or not function properly. For more information about the cookies we use, please see our cookie policy.


6. DISCLOSURES OF YOUR PERSONAL DATA

We may have to share your personal data with third parties for the purposes set out in paragraph 4 above. The third parties we may share personal data with are:

•  Other companies in the Acuity Group who are based in the United Kingdom and undertake or provide complementary or similar legal and commercial support products and services.

•  Service providers acting as processors based in the United Kingdom who provide IT and system administration services.

•  Organisations who provide services for money laundering checks, credit risk reduction and other fraud and crime prevention purposes and organisations providing similar services, including financial institutions, credit reference agencies and regulatory bodies with whom such personal data is shared.

•  Professional advisers including bankers, auditors and insurers based in the EEA or outside the EEA who provide consultancy, banking, insurance and accounting services.

•  HM Revenue & Customs, regulators and other authorities who require reporting of processing activities in certain circumstances.

•  Barristers, other legal specialists (including mediators), consultants or experts based inside and outside the EEA as appropriate who provide consultancy services in relation to a client matter.


•  Foreign law firms based inside and outside the EEA as appropriate for the purpose of obtaining foreign legal advice.

• Courts, law enforcement authorities, regulators or attorneys or other parties based inside and outside the EEA as appropriate for the purpose (where it is reasonably necessary) of the establishment, exercise or defence of a legal or equitable claim, or for the purposes of dispute resolution.

•  Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.


7. INTERNATIONAL TRANSFERS

Some of our external third parties are based outside the European Economic Area (EEA) so their processing of your personal data will involve a transfer of data outside the EEA.

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

•  We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.

•  Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.

•  Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.


8. DATA SECURITY

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.


9. DATA RETENTION

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with or identify you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.


10. YOUR LEGAL RIGHTS

Under certain circumstances, you have rights under data protection laws in relation to your personal data. These rights are to:

•  Request access to your personal data (commonly known as a "data subject access request").

•  Request correction of your personal data.

•  Request erasure of your personal data.


•  Object to processing of your personal data.

•  Request restriction of processing your personal data.

•  Request transfer of your personal data to you or to a third party in a structured, commonly used, machine-readable format.

•  Withdraw consent at any time where we are relying on consent to process your personal data.

If you wish to exercise any of the rights set out above, please contact our DPO.