Guarino & Thomson, a Limited Company registered in Scotland No. SC378918 with an office at E201 Edinburgh House, Princes Square, East Kilbride, South Lanarkshire G74 1LJ.
Data Protection Officer
Guarino & Thomson collects and processes personal data relating to its clients, potential clients and other relevant individuals such as witnesses and beneficiaries in order to manage the business relationship. The company is committed to being transparent about how it collects and uses data and to meeting its data protection obligations.
What information does the company collect?
The company collects, stores, transfers and processes a range of information about you and/or your business. This includes personal data and sometimes special category data:
- your name, address and contact details, including email address, telephone number, date of birth, national insurance number and gender;
- the terms and conditions of the working relationship, as contained within the Letter of Engagement and related Appendices, which may be updated or amended during the course of this relationship in line with any changes in the structure or make-up of your business or range of services in which we become engaged in;
- information about your personal or business finances as part of the service provision;
- information about your business such as company registration number;
- details of your bank account; and
- VAT reference numbers, where applicable.
The company may collect this information in a variety of ways. For example, data might be collected and obtained from your passport or other identity documents such as your driving licence; from forms completed by you at the start of our business relationship and required in order to comply with Anti Money Laundering legislation (as applicable at that time); from third party organisations linked to conveyancing work or government/legal enforcement agencies in relation to criminal law work; and from other correspondence provided by you during the business relationship.
Data will be stored in a range of difference places, including in electronic and/or paper format and in other IT systems including the company’s email system.
Why does the company process personal data?
The company needs to process data to enter into a business contract with you and to meet its obligations under this business contract. The company needs to process your personal data to provide you with a service in accordance with the business contract. This may be relevant to legal services provided in the context of criminal law or conveyancing.
In some cases, the company needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check that personal data is current and correct in order to comply with HMRC and legal obligations as determined by the Law Society of Scotland.
In other cases, the company has a legitimate interest in processing personal data before, during and after the end of the business relationship. Processing client data allows the company to:
- maintain accurate and up to date personal records and contact details.
Who has access to data?
Your information may be shared internally, including with directors, managers and other members of staff, as allocated to you in the course of the business relationship. Your information may also be accessed by appropriate IT professionals if access to the data is necessary for the performance of their role.
The company may share your data with third parties in the context of the business relationship such as government bodies, other solicitors, the Law Society of Scotland, estate agents and court officials as approved by the company. In such circumstances the data will be subject to confidentiality controls.
The company also shares your data with third parties that process data on its behalf in connection with legal and conveyancing services. This information is shared in order to comply with its obligations under the lawful basis mentioned above.
Your data will be stored in accordance with the rules governing entities within the European Union (EU). Transfer of data to companies outside the EU will be secured by ensuring that the business has adequate provision in place for the safety of data held under the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
How does the company keep data?
Where the company engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
We do not current process your personal data on an automated basis but if we were to make such decisions which significantly affect you, you have the right to ask that the decision be reviewed by an individual to whom you may make representations and contest the decision. This right only applies where we use your information with your consent or as part of a contractual relationship with you.
Where we use your personal information with your consent you may withdraw that consent at any time and we will stop using your personal information for the purpose(s) for which consent was given.
For how long does the company keep data?
The company will hold personal data for the duration of the business relationship. The period for which other data is stored, in order to fulfil the service provisions engaged with you, shall vary in relation to the purpose for which the personal data is being stored and consideration shall therefore be given in this regard to determine the appropriate retention period in order to ensure that personal data is retained for as long as the company is legally required to retain such data and there being no other business or legal basis for retaining such data beyond this period. The company shall ensure that personal, sensitive and special category data is confidentially destroyed or if in electronic format deleted from our computer network.
Data Subject Rights
As a data subject you have a number of rights. You can:
- access and obtain a copy of your data on request;
- require the company to change incorrect or incomplete data;
- require the company to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing; and
- object to the processing of your data where the organisation is relying on its legitimate interests as the legal grounds for processing.
You have the right to object at any time and to request that we stop using your personal information for direct marketing purposes. In addition, where we use your personal information to perform tasks carried out in the public interest then, if you ask us to, we will stop using that personal information unless there are overriding legitimate grounds to continue.
In some cases, you may ask us to restrict how we use your personal information. This right might apply, for example, where we are checking the accuracy of personal information about you that we hold or assessing the validity of any objection you have made to our use of your information. The right might also apply where this is no longer a basis for using your personal information but you don’t want us to delete the data. Where this right to validity is exercised, we may only use the relevant personal information with your consent, for legal claims or where there are other public interest grounds to do so.
What if you do not provide personal data?
You have some obligations under the business contract to provide the company with data. In particular, you are required to provide personal data for legal and conveyancing purposes, and business data for the provision of financial services. Failing to provide the data may mean that you are unable to comply with these statutory requirements.
Changes to this Privacy Notice
We keep this privacy notice under regular review and will update and publish this accordingly.
We seek to resolve directly all complaints about how we handle personal information but you also have the right to lodge a complaint if we have not complied with your data protection rights. You can do so by contacting the Information Commissioner’s Office, whose contact details are as follows:
Information Commissioner’s Office
Telephone: 0303 123 1113 or 01625 545 745
Note: This document reflects the requirements of the General Data Protection Regulation (GDPR) which is effective from 25 May 2018 and the UK Data Protection Act 2018.