This is the Privacy Notice of Adam Tucker, trading as A Tucker & Co (referred to as ‘we’ in this Notice). We ask that you read this privacy notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and on how to contact us and who to contact in the event you have a complaint.
- We do not use your personal information for any marketing or promotional purpose.
- We do use it for the purposes of running our practice – on-boarding you as a client, carrying out work for you, getting paid by you, keeping you informed and for insurance and regulatory purposes.
- We use a number of external providers to help power the practice – some of these are in the US and Switzerland. Also, if you come to us through Lexoo, we share some status information with them.
- You have a range of rights in respect of your personal data processed by us – they’re summarised in this notice, and you should contact us if you want to exercise them.
Please email us at email@example.com if you have any questions about any of this.
Who we are
We collect, use and are responsible for certain personal information about you. When we do so we are regulated under the General Data Protection Regulation which applies across the European Union (including in the United Kingdom) and we are responsible as ‘controller’ of that personal information for the purposes of those laws. We are also regulated by the Solicitors Regulation Authority (“SRA”). This notice is directed to our clients and prospective clients. We do not provide legal advice to individuals in their private capacity – only businesses.
The personal information we collect and use
Information collected by us
We collect the following personal information when you get in touch with us regarding legal work, or we are asked to provide you a quote for providing legal work:
- Your contact details including name, business name, email address and street address.
- Details of the work you are asking to be undertaken.
- Research we undertake about your business – including reviewing your website, news items about you, and your publicly-available social media profiles and activity.
- Information we ask for in the context of our client due diligence activities, such as your date of birth and home address.
- Further information you provide to us in emails and phone calls with you in the course of our work with you.
- Invoicing and billing details.
- Any feedback you provide regarding our service.
Information collected from other sources
We also obtain personal information from other sources as follows:
- Where you ask us for a quote via Lexoo, Lexoo will provide us with your name, details of your quote request, and the name of your business.
- On some occasions, you are referred to us by existing clients or other law firms, in which case we will receive your name, contact details and (sometimes) basic details about the matter you want help with.
- As part of our client due diligence, we may receive a response from our external ID verification provider.
How we use your personal information
We use the information we receive from you for the following purposes. References to the basis of processing (e.g. “Basis: Legitimate Interest”) are a reference to the basis set out in the General Data Protection Regulation under which we undertake the processing in question. More information is provided on the different bases for processing below.
- Providing a quote or estimate for your work, and undertaking your work. Basis: Performance of Contract; Legitimate Interest.
- If you have come to us via Lexoo, keeping Lexoo updated on whether you have instructed us, and when you pay us. Basis: Legitimate Interest.
- Sending you information the SRA requires us to send you. Basis: Legal Obligation.
- Collecting and processing our charges. Basis: Performance of Contract; Legitimate Interest.
- Keeping archived records of the work we’ve done for you, and records of quotes given and invoices sent. Basis: Legal Obligation; Legitimate Interest.
- Confirming the identity of you and your business, and assessing the likelihood of any money laundering or terrorism financing in relation to your business and the work you’ve asked us to carry out. Basis: Legitimate Interest; Legal Obligation.
- Avoiding conflicts of interest between your business and that of other clients. Basis: Legal Obligation.
- Dealing with any complaints you may have, and defending any claims against us. Basis: Legal Obligation; Legitimate Interest.
- Keeping up our professional indemnity insurance and processing any insurance claims. Basis: Legal Obligation; Legitimate Interest.
- Notifying you of any changes to this policy which materially affect you. Basis: Legal Obligation.
Legitimate Interest: means the interest of our practice in conducting and managing our business to enable us to give you the best, most user-friendly and secure experience we can. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us at firstname.lastname@example.org.
Performance of Contract: means processing your data where it is necessary for the performance of a contract between us and you or to take steps at your request before entering into such a contract.
Legal Obligation: means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to (including requirements of the SRA).
Who we share your personal information with
We use external providers to provide communication and hosting services – this involves them processing and storing all the personal data we collect from you and from others about you. We need to do this in order to provide our service – for example, we use a remote server to host and back up our client files, and an email service provider to allow us to send and receive emails. We use a calendar utility provider to help us schedule appointments with you in a way that’s convenient for you. On very rare occasions, if requested by you, we will use Stripe to process payment from you. Those providers have all agreed terms with us that in their capacity as data processors, they process your information confidentially and in accordance with our instructions.
If you have come to us via Lexoo, we let them know whether you have instructed us, and when you pay us.
We may also be required to disclose your information to our professional indemnity insurer in relation to any actual or potential claims, and we may also be required to disclose it to the SRA.
If our practice, or part of it, should ever be put up for sale, or we re-structure our practice, we may allow potential buyers or transferees to have access to your personal data and matter files after they have signed confidentiality agreements which restrict their use of it to that transaction.
We will share personal information with law enforcement or other authorities if required by applicable law.
If we close the practice, we will have to provide details of client matters and associated records to our insurers.
Whether information has to be provided by you, and if so why
You decide what personal data you provide to us. Obviously, the more relevant information you give us about your legal matter, the better the chances of a good outcome, and if you withhold any relevant information our advice may be deficient as a result. We may even need to stop work on your matter or decline to advise you if you don’t give us the information we need to do the job.
How long your personal information will be kept
- We will hold quotes for work and our completed work, including our notes of our discussions and any documents and emails we exchange as part of the job, for 10 years from the time that we consider that you are no longer an existing client. If you asked for a quote and the matter didn’t proceed, we’ll delete any personal data in your quote request after 1 year (in case you want to follow up).
- We keep any information you provide, and provided by our external verification provider about you, for a period of 5 years from the end of our relationship with you.
- We have an information retention policy which we can provide to you on request – it contains more details about our retention practices.
Transfer of your information out of the EEA
We may transfer your personal information to the following service providers which are located outside the European Economic Area (EEA) as follows:
- Calendly, which is located in the USA. They use your email address if you use it to schedule an appointment with us.
- Google, which is located in the USA. They host our email server.
- Stripe, which transfers data to the US for the purposes of transacting payments from you if you are unwilling to use any method other than card payment.
- Tresorit, which is located in Switzerland. They operate our remote backup service.
The European Commission has not given a formal decision that Switzerland provides an adequate level of data protection similar to that which applies in the United Kingdom and EEA; see here for more details – https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en.
The USA does not have the same data protection laws as the United Kingdom and EEA. Any transfer of your personal information will be subject to our providers’ use of the EU-US Privacy Shield, or our having agreed clauses in our agreements with them which are prescribed by the EU to safeguard your privacy rights and give you remedies in the unlikely event of a misuse of your personal information. To obtain a copy of the privacy safeguarding mechanism used by us in respect of any of our US providers, please contact us at email@example.com.
Under the General Data Protection Regulation you have a number of important rights free of charge. In summary, those include rights to:
- access your personal information and certain other supplementary information that this Privacy Notice is already designed to address
- require us to correct any mistakes in your information which we hold
- require the erasure of personal information concerning you in certain situations
- receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations
- object at any time to processing of personal information concerning you for direct marketing
- object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you
- object in certain other situations to our continued processing of your personal information
- otherwise restrict our processing of your personal information in certain circumstances
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.
If you would like to exercise any of those rights, please:
- email us at firstname.lastname@example.org,
- let us have enough information to identify you,
- let us have proof of your identity and address, and
- let us know the information to which your request relates.
Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
How to complain
We hope that we can resolve any query or concern you raise about our use of your information.
The General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns/ or telephone: 0303 123 1113.
Changes to this privacy notice
This privacy notice was published on 25 May 2018.
We may change this privacy notice from time to time. When we do, we will inform you via email if the changes are material.
How to contact us
Please contact us at email@example.com if you have any questions about this privacy notice or the information we hold about you. Our street address is Suite 6.2, 74 Oak Rd, Bristol BS7 8RZ – you can write to us using that address if you prefer.
Do you need extra help?
If you would like this notice in another format (for example: audio, large print) please contact us (see ‘How to contact us’ above).