1. Who we are
We are Mezzle Limited. We are a law firm regulated by the Solicitors Regulation Authority (registration no. 818199) and a company registered in England and Wales (company no.11768410). We offer legal services to both individuals over the age of 18 and company clients based internationally, and we are based in London, Birmingham and Manchester.
We reserve the right to update this notice at any time. The Privacy Notice will be available via our website and we will notify those affected by any substantial updates. Should any additional processing become necessary, we will notify those affected.
2. We are a Data Controller
This means that we are responsible for deciding how we use and hold personal information about you and explaining it clearly to you.
3. Who this Privacy Notice applies to
This Privacy Notice applies to all our current, former and prospective clients. For business clients, it applies to their employees, directors, partners and representatives as applicable.
OUR PROMISE:
- To do our best to keep your data safe.
- Never to sell, swap or rent your data to third parties.
- To give you ways to control the use of your data whenever we can.
4. Data Protection Contact
If you have any queries about how we use or hold your data or wish to request any of your rights below please contact our Data Privacy Manager, Tim Humpage at compliance@mezzlelaw.com.
5. How we collect information
We collect personal information directly from our clients, our referrers (such as estate agents), our business contacts, other parties in the matter, our electronic identity verification service and contractors both at the start of the relationship and throughout.
Where the personal data is not collected directly from the data subject, it will have been obtained from one of the following sources:
- The business client – both in relation to individuals in their own organisation and any related parties to the matter, the clients and any third party.
- The referrer – such as estate agents if the client informs the estate agent they wish to use our firm for their matter.
- Credit reference agencies and electronic identity verification systems – used to carry out due diligence on a client in accordance with our Anti Money Laundering obligations.
- Professional or regulatory website – such as the Law Society or the Financial Conduct Authority Registers
- Companies House – for due diligence information on business clients including individual personal data for Directors, Shareholders and Persons with Significant Control
- Other parties – during the course of a matter other parties involved may supply personal data.
- Mortgage companies – if your matter involves a mortgage company they may supply personal data to us.
- Other professions – if other professionals are involved in the matter they may provide personal data, including special category, this includes collection agents, surveyors, accountants, other legal professionals, medical professionals etc.
We may use public sources, such as online searches, news reports or social media.
6. Purpose for Processing Personal Data
We process personal data to discharge our contractual duties towards our clients for the legal matters they have instructed us upon and to give legal advice. We also process personal data in order to run our law firm effectively (such as issuing invoices) and to fulfil our legal and regulatory obligations.
Nothing in the Data Protection Act 2018 or the UK General Data Protection Regulations overrides our duty of confidentiality to our clients, to which we are bound by our professional bodies.
The personal data collected for all clients:
- Name
- Contact details such as: address, email address, mobile number, telephone number
- Date of Birth
- Information required for due diligence checks (such as passport number, driver’s number, nationality, full name, etc)
7. Special Category Personal Data
There are times when, to progress a matter, we need to collect and process special category personal data. We only do this where it is absolutely necessary. The type of information this may be and the reason we need to collect, hold and process it are as follows:
8. Children’s Information
We do not offer our services directly to those under the age of 18. However, where a matter involves information relating to a child or children, we only hold and process personal data in relation to children on instruction from a parent, guardian, public authority or a close relative. This may be in family matters, disputes involving the child, immigration matters or employment matters. Personal data relating to a child in relation to them being the beneficiary of a Will or trust will be given by the client making or executing the terms of a Will or trust. All processing of children’s personal data is on the basis of the contract with the client or legal obligation.
9. Lawful Basis for Processing
The majority of the processing of personal data we carry out is on a contractual basis, under instruction from our clients for legal advice or legal representation.
We also process personal data in accordance with our legal obligations. This includes special category personal data as detailed above. Where we do so, it may be without your knowledge or consent as required or permitted by law. This is due to the nature of a legal firm and our obligations under such legislation as the Anti Money Laundering Regulations, in addition to our duties to the Courts.
Occasionally we may carry out processing based on specific consent, such as with marketing.
10. The Legitimate Interests for the Processing
Occasionally we may process small amounts of personal data (name, contact details) in relation to individuals within potential business clients on the basis of Legitimate Interests. Information would be gained from publicly accessible sources, such as LinkedIn, Twitter, professional register, Companies House, Google or the company website (in compliance with the terms and conditions of the source).
11. The Recipients or Categories of Recipients of the Personal Data
We do not sell, swap or rent personal data to third parties.
We do not share personal data for marketing purposes.
We do not pass on or share personal data where there is no legal basis to do so.
We pass on personal data to third party suppliers and others in relation to the legal matters or advice we are instructed in relation to.
To meet our legal obligations we may pass personal data on to the Courts and Tribunals, Counsel, legal representatives of other parties involved in the matter, Government Agencies, such as the National Crime Agency or the Treasury and other legal professionals.
We use third party companies and consultants to assist with fulfilling our contractual and legal duties, such as in assisting us with our risk and compliance, our IT software and operating our financial ledgers. Some of these are our Data Processors, others are Data Controllers in their own right.
12. The Details of Transfers of the Personal Data to any Third Countries or International Organisations
In order to provide our legal services we do not generally need to transfer your personal data to locations outside the UK/European Economic Area (‘the EEA’) for the purposes set out in this privacy policy.
Where our third party service providers process personal data outside the UK/EEA in the course of providing services to us, our written agreement with them will include appropriate measures to ensure that your personal data remains protected and secure in accordance with applicable data protection laws.
It is sometimes necessary for us to share your personal data outside the UK/EEA, eg:
- with your and our service providers located outside the UK/EEA;
- if you are based outside the UK/EEA;
- where there is a European and/or international dimension to the services we are providing to you.
Under data protection law, we can only transfer your personal data to a country or international organisation outside the UK/EEA where:
- the UK government [or, where the EU GDPR applies, the European Commission] has decided the particular country or international organisation ensures an adequate level of protection of personal data (known as an ‘adequacy decision’);
- there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for data subjects; or
- a specific exception applies under data protection law.
Adequacy Decision
We may transfer your personal data to certain countries, on the basis of an adequacy decision. These include:
- all European Union countries, plus Iceland, Liechtenstein and Norway (collectively known as the ‘EEA’);
- Gibraltar; and
- Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.
The list of countries that benefit from adequacy decisions will change from time to time. We will always seek to rely on an adequacy decision, where one exists.
Other countries [or international organisations] we are likely to transfer personal data to do not have the benefit of an adequacy decision. This does not necessarily mean they provide poor protection for personal data, but we must look at alternative grounds for transferring the personal data, such as ensuring appropriate safeguards are in place or relying on an exception.
13. The Retention Periods for the Personal Data
Due to the types of legal work we carry out on behalf of clients, our retention periods vary. We will keep personal information in accordance with our data retention practices, which apply appropriate retention periods for each category of personal information. In setting retention periods we take account of the purposes for which the personal information was collected, legal and regulatory obligations on us to retain information, limitation periods for legal action and our business purposes.
14. The Rights Available to Individuals in Respect of the Processing
You have the following rights in relation to the processing and holding of your personal data:
15.The Right to Withdraw Consent
Where processing is based on consent, you have the right to withdraw such consent whenever you choose.
Your rights in relation to terminating the contract are contained within the Terms of Business.
16. The right to lodge a complaint with a supervisory authority
Please let us know if you are unhappy with how we have used your personal information.
You also have the right to complain to the Information Commissioner’s Office.
Details of how to are available on their website: https://ico.org.uk/concerns/
Or you can contact the ICO at:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
17. The details of whether individuals are under a statutory or contractual obligation to provide the personal data.
We are under a legal obligation (known as a statutory duty) to request personal data from our clients in relation to due diligence processes for anti-money laundering purposes. If this is not provided, we will not be able to act for the client.
The personal data we request from a client is so we can fulfil our contract to progress your legal matter or give advice, or as a legal obligation.
Thanks for taking the time to understand how Mezzle will use your data and thank you for trusting us with your personal data.