Client Privacy Notice

Contents

  1. Who we are
  2. We are a Data Controller
  3. Who this Privacy Notice applies to
  4. Data Protection Contact
  5. How we collect information
  6. Purpose for Processing Personal Data
  7. Special Category Personal Data
  8. Children’s Information
  9. Lawful Basis for Processing
  10. The Legitimate Interests for the Processing
  11. The Recipients or Categories of Recipients of the Personal Data
  12. The Details of Transfers of the Personal Data to any Third Countries or International Organisations
  13. The Retention Periods for the Personal Data
  14. The Rights Available to Individuals in Respect of the Processing
  15. The Right to Withdraw Consent
  16. The right to lodge a complaint with a supervisory authority
  17. The details of whether individuals are under a statutory or contractual obligation to provide the personal data.

1. Who we are

We are Mezzle Limited. We are a law firm regulated by the Solicitors Regulation Authority (registration no. 818199) and a company registered in England and Wales (company no.11768410). We offer legal services to both individuals over the age of 18 and company clients based internationally, and we are based in Birmingham, London and Manchester.

We reserve the right to update this notice at any time.  The Privacy Notice will be available via our website and we will notify those affected by any substantial updates. Should any additional processing become necessary, we will notify those affected.

2. We are a Data Controller

This means that we are responsible for deciding how we use and hold personal information about you and explaining it clearly to you.

3. Who this Privacy Notice applies to

This Privacy Notice applies to all our current, former and prospective clients. For business clients, it applies to their employees, directors, partners and representatives as applicable.

OUR PROMISE:

  • To do our best to keep your data safe.
  • Never to sell, swap or rent your data to third parties.
  • To give you ways to control the use of your data whenever we can.

4. Data Protection Contact

If you have any queries about how we use or hold your data or wish to request any of your rights below please contact our Data Privacy Manager, Raj Sumal on compliance@mezzlelaw.com.

5. How we collect information

We collect personal information directly from our clients, our referrers (such as estate agents), our business contacts, other parties in the matter, our electronic identity verification service and contractors both at the start of the relationship and throughout.

Where the personal data is not collected directly from the data subject, it will have been obtained from one of the following sources:

  • The business client – both in relation to individuals in their own organisation and any related parties to the matter, the clients and any third party.
  • The referrer – such as estate agents if the client informs the estate agent they wish to use our firm for their matter.
  • Credit reference agencies and electronic identity verification systems – used to carry out due diligence on a client in accordance with our Anti Money Laundering obligations.
  • Professional or regulatory website – such as the Law Society or the Financial Conduct Authority Registers
  • Companies House – for due diligence information on business clients including individual personal data for Directors, Shareholders and Persons with Significant Control
  • Other parties – during the course of a matter other parties involved may supply personal data.
  • Mortgage companies – if your matter involves a mortgage company they may supply personal data to us.
  • Other professions – if other professionals are involved in the matter they may provide personal data, including special category, this includes collection agents, surveyors, accountants, other legal professionals, medical professionals etc.

We may use public sources, such as online searches, news reports or social media.

6. Purpose for Processing Personal Data

We process personal data to discharge our contractual duties towards our clients for the legal matters they have instructed us upon and to give legal advice. We also process personal data in order to run our law firm effectively (such as issuing invoices) and to fulfil our legal and regulatory obligations.

Nothing in the Data Protection Act 2018 or the UK General Data Protection Regulations overrides our duty of confidentiality to our clients, to which we are bound by our professional bodies.

The personal data collected for all clients:

  • Name
  • Contact details such as: address, email address, mobile number, telephone number
  • Date of Birth
  • Information required for due diligence checks (such as passport number, driver’s number, nationality, full name, etc)

7. Special Category Personal Data

There are times when, to progress a matter, we need to collect and process special category personal data. We only do this where it is absolutely necessary.  The type of information this may be and the reason we need to collect, hold and process it are as follows:

Heath information this may be necessary for employment law matters, family cases, disputes, personal injury or medical negligence matters, the writing of Wills or probate and any matter for which this personal information is necessary. It may also be necessary to help us make reasonable adjustments for you under the Equalities Act.
Sex life or sexual orientation this could become relevant in employment matters, dispute matters, family matters, immigration matters, personal injury or medical negligence matters and drafting Wills and probate matters as necessary.
Religious or philosophical beliefs
Genetic data
Biometric data
Race or ethnic origin
Political opinions this may be processed during employment matters, immigration matters, dispute matters and family matters, as necessary.
Trade Union membership this will be processed where relevant in relation to employment matters, immigration matters, dispute matters or where you have assistance with funding from being a Trade Union Member.
Criminal convictions this may be processed during employment matters, family matters, dispute matters, immigration matters, personal injury or medical negligence matters and as necessary. It may also be relevant to dispute matters and Anti Money Laundering checks.

 

8. Children’s Information

We do not offer our services directly to those under the age of 18. However, where a matter involves information relating to a child or children, we only hold and process personal data in relation to children on instruction from a parent, guardian, public authority or a close relative. This may be in family matters, disputes involving the child, immigration matters or employment matters.  Personal data relating to a child in relation to them being the beneficiary of a Will or trust will be given by the client making or executing the terms of a Will or trust. All processing of children’s personal data is on the basis of the contract with the client or legal obligation.

9. Lawful Basis for Processing

The majority of the processing of personal data we carry out is on a contractual basis, under instruction from our clients for legal advice or legal representation.

We also process personal data in accordance with our legal obligations. This includes special category personal data as detailed above. Where we do so, it may be without your knowledge or consent as required or permitted by law. This is due to the nature of a legal firm and our obligations under such legislation as the Anti Money Laundering Regulations, in addition to our duties to the Courts.

 

Occasionally we may carry out processing based on specific consent, such as with marketing.

10. The Legitimate Interests for the Processing

Occasionally we may process small amounts of personal data (name, contact details) in relation to individuals within potential business clients on the basis of Legitimate Interests. Information would be gained from publicly accessible sources, such as LinkedIn, Twitter, professional register, Companies House, Google or the company website (in compliance with the terms and conditions of the source).

11. The Recipients or Categories of Recipients of the Personal Data

We do not sell, swap or rent personal data to third parties.

We do not share personal data for marketing purposes.

We do not pass on or share personal data where there is no legal basis to do so.

We pass on personal data to third party suppliers and others in relation to the legal matters or advice we are instructed in relation to.

To meet our legal obligations we may pass personal data on to the Courts and Tribunals, Counsel, legal representatives of other parties involved in the matter, Government Agencies, such as the National Crime Agency or the Treasury and other legal professionals.

We use third party companies and consultants to assist with fulfilling our contractual and legal duties, such as in assisting us with our risk and compliance, our IT software and operating our financial ledgers.  Some of these are our Data Processors, others are Data Controllers in their own right.

12. The Details of Transfers of the Personal Data to any Third Countries or International Organisations

In order to provide our legal services we do not generally need to transfer your personal data to locations outside the UK/European Economic Area (‘the EEA’) for the purposes set out in this privacy policy.

Where our third party service providers process personal data outside the UK/EEA in the course of providing services to us, our written agreement with them will include appropriate measures to ensure that your personal data remains protected and secure in accordance with applicable data protection laws.

It is sometimes necessary for us to share your personal data outside the UK/EEA, eg:

  • with your and our service providers located outside the UK/EEA;
  • if you are based outside the UK/EEA;
  • where there is a European and/or international dimension to the services we are providing to you.

Under data protection law, we can only transfer your personal data to a country or international organisation outside the UK/EEA where:

  • the UK government [or, where the EU GDPR applies, the European Commission] has decided the particular country or international organisation ensures an adequate level of protection of personal data (known as an ‘adequacy decision’);
  • there are appropriate safeguards in place, together with enforceable rights and effective legal remedies for data subjects; or
  • a specific exception applies under data protection law.

Adequacy Decision
We may transfer your personal data to certain countries, on the basis of an adequacy decision. These include:

  • all European Union countries, plus Iceland, Liechtenstein and Norway (collectively known as the ‘EEA’);
  • Gibraltar; and
  • Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.

The list of countries that benefit from adequacy decisions will change from time to time. We will always seek to rely on an adequacy decision, where one exists.

Other countries [or international organisations] we are likely to transfer personal data to do not have the benefit of an adequacy decision. This does not necessarily mean they provide poor protection for personal data, but we must look at alternative grounds for transferring the personal data, such as ensuring appropriate safeguards are in place or relying on an exception.

13. The Retention Periods for the Personal Data

Due to the types of legal work we carry out on behalf of clients, our retention periods vary. We will keep personal information in accordance with our data retention practices, which apply appropriate retention periods for each category of personal information. In setting retention periods we take account of the purposes for which the personal information was collected, legal and regulatory obligations on us to retain information, limitation periods for legal action and our business purposes.

14. The Rights Available to Individuals in Respect of the Processing

You have the following rights in relation to the processing and holding of your personal data:

To be Informed this Privacy Notice tells you about the processing or personal data, your rights and our responsibilities. We will keep you informed of any changes to this Notice and where there are any issues that arise that affect you.
Access you can request from our Data Protection Contact on the above details to request what personal data is held about you. We will confirm that you are the correct Data Subject and it will take up to 30 days from the original request to send a full response.
Rectification if any of your data is incorrect or requires updating, please notify the Data Protection Contact on the above details and the data will be rectified with 72 hours.
Restrict Processing you have the right to request that the processing of your personal data be restricted. We may not have to grant this, such as where processing is for the purpose of contractual or legal obligations. Any request for restriction will receive a response within 14 calendar days.
Erasure (be forgotten) you have the right to request that data held on you be erased. Again, we may not have to grant this where it is needed for contractual / legal obligation or archiving purposes. We will let you know within 14 days.
Data Portability you have the right to request to take the personal data you have given to us with you. As a client, you have the right, separate to your rights under the GDPR, to request your file, as detailed in the Terms of Business. If there is personal data we hold under our legal obligations or that is confidential to another client, we may restrict the information we send to you.
Object to Processing you have the right to object to processing of your personal data. Again, we may not have to grant this where it is needed for contractual / legal obligation or archiving purposes. We will let you know within 14 days.
Rights in Relation to Automated Decision Making and Profiling you have rights in relation to automated decision making and profiling. We don’t use any automated decision making or profiling.

15.The Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw such consent whenever you choose.

Your rights in relation to terminating the contract are contained within the Terms of Business.

16. The right to lodge a complaint with a supervisory authority

Please let us know if you are unhappy with how we have used your personal information.

You also have the right to complain to the Information Commissioner’s Office.

Details of how to are available on their website:  https://ico.org.uk/concerns/

Or you can contact the ICO at:

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: 0303 123 1113

17. The details of whether individuals are under a statutory or contractual obligation to provide the personal data.

We are under a legal obligation (known as a statutory duty) to request personal data from our clients in relation to due diligence processes for anti-money laundering purposes. If this is not provided, we will not be able to act for the client.

The personal data we request from a client is so we can fulfil our contract to progress your legal matter or give advice, or as a legal obligation.

Thanks for taking the time to understand how Mezzle will use your data and thank you for trusting us with your personal data.