Amy Bisset oversees compliance with data
protection laws and this policy and provides guidance and advice to the firm as required.
Contact information for our Amy
Bisset is provided below under the heading How to contact us about this policy.
We may collect information from you in the
course of our business, including when you engage us to provide legal or other services, when you contact or request information from us, when you use our website or as a result of your relationship
with one or more of our staff and clients.
The personal information we may collect about
• Contact information such as your name, title,
address, telephone number, mobile phone number, job title, name of employer, fax number and email address. Address may include both business address and home address where you have provided that to
• Information relating to the matter in which
you are seeking our advice or representation;
• Further business information necessarily
processed in the context of a client contractual relationship with Orme Law or voluntarily provided by you or on your behalf, such as instructions given or payments made or to be made;
• Information provided to us by or on behalf of
our clients, or generated in the course of providing our services, which may include special category data;
• Information processed for relationship
management and file opening procedures such as name, business information, identification and your relationship to a person;
• Information about your use of our IT,
communication and other systems including your password(s), and other monitoring information, e.g. if using our online data rooms, or information relating to materials and communications we
send to you electronically;
• Information to enable us to check and verify
your identity, e.g. your date of birth or passport details;
• Payment data, such as data necessary for
processing payments and fraud prevention, including credit/debit card numbers, bank and building society details including security code numbers and other related billing information, as well as,
where applicable, information relating to the source of funds;
• Information collected from publicly available
resources and credit agencies or any other information needed to enable us to undertake a credit or other financial checks on you;
• Information about relevant and significant
litigation or other legal proceedings against you or a third party related to you and details of that third party’s relationship with you;
• Information provided to us for the purposes of
attending meetings and events, including information about access or dietary requirements;
• Other personal data regarding your preferences
where it is relevant to legal or other services that we provide;
• Details of your visits to our premises;
• Membership of a professional or trade
association or union.
In general, you will be able to choose whether
or not to provide us with your personal data. If you do not provide the personal data that we need to collect then this may affect our ability to act on your behalf or to provide services to you, for
example because this personal data is required to process your instructions or to carry out legally required compliance screening. If you do not provide personal data we ask for, it may delay or
prevent us from providing services to you.
We collect most of this information from
• When you or your organisation use or contact
us to provide legal or any other related client services;
• When you browse, provide information or use
• When you or your organisation make an enquiry
for our services or otherwise engage with our staff for business related purposes;
• Where you or your organisation provide
services to us.
We may also collect information from third party
• Publicly accessible sources such as Companies
House, Registers of Scotland or HM Land Registry;
• Credit reference agencies or government
• Third party organisations that you have or
have had dealings with.
We may also collect information via our website
or via our information technology (IT) and other systems, for example:
Case management, document management, data
rooms and time recording systems;
Automated monitoring of our websites and other
technical systems, such as our computer networks and connections, CCTV and access control systems, communications systems, email and instant messaging systems.
Under data protection law, we can only use your
personal data if we have a proper reason for doing so.
This will be for one of the following
• For the performance of our contract with you
or to take steps at your request before entering into a contract, for example because processing is necessary for the performance of a client instruction;
• To comply with our legal and regulatory
• For our legitimate interests or those of a
• For the establishment, exercise or defence of
legal claims or proceedings; or
• Where you have given consent.
A legitimate interest is when we have a business
or commercial reason to use your information, so long as this is not overridden by your own rights and interests.
We may process special category personal data
for the following reasons:
• Where you have given your explicit
• For compliance with a legal obligation;
• For the purposes of establishing, exercising
or defending legal claims;
• Where it is in your vital
• Where you have made the personal data public;
• For compliance with an employment law
There may be additional reasons which will be
notified to you where they apply.
When we refer to special category data we mean
information such as about race or ethnicity, religious beliefs, sexual orientation, marital status and health. Information about criminal convictions is also included within this type of data.
In the next section The basis on which we use
your personal data we give more information about the way in which your information is used.
We have explained our reasons for using your
personal data. We set out below more detail on the ways in which we use your personal data. We use your data:
• To provide legal advice or other services to
you, including technology solutions as requested by you or your organisation;
• To ensure the confidentiality of commercially
• To manage and administer your or your
organisation's business relationship with Orme Law, including use for the purposes of processing payments, accounting, auditing, billing and collection and other support services;
• To conduct checks to identify our clients and
verify their identity;
• To screen for financial and other sanctions or
embargoes, including credit reference checks with credit reference agencies;
• To comply with professional, legal and
regulatory obligations that apply to our business, e.g. rules issued by our professional regulators;
• Where necessary to gather and provide
information required by or relating to audits, enquiries or investigations by enforcement authorities, regulatory bodies, courts, tribunals and government agencies;
• To deal with any complaints received;
• To ensure business policies are adhered to,
e.g. policies covering security and internet use and to prevent unauthorised access and modifications to systems;
• For operational reasons, such as ensuring safe
working practices, improving efficiency, risk management, training, staff assessment and quality control;
• For statistical analysis to help us improve
our services and communications to you or the strength of our relationship with you or to manage our practice, e.g. in relation to our financial performance, client base, work type or other
• To update and enhance client records;
• For marketing our services to you;
• For the purposes of external audits and
quality checks, e.g. for Investors in People accreditation and the audit of our accounts;
• For insurance purposes;
• To complete statutory returns;
• To identify those who are authorised to deal
with Orme Law on behalf of our clients, suppliers and/or service providers;
• To ensure your needs are catered for in
connection with any event you may attend; and/or
• For recruitment. Where you apply for a job we
will give you further information about how your personal data will be used.
We will also process personal data which is
provided to us by or on behalf of our clients for the purposes of services we provide to them.
In relation to a number of uses of personal data
we refer to above we are using such personal data on the basis that it is in our legitimate interests or those of a third party for us to do so. These interests cover a number of aspects of our
business operations, namely:
• Ensuring that we are as efficient as we can be
so we can deliver the best service for you at the best price;
• To allow us to provide bespoke services where
requested by you;
• Protecting our commercially valuable
information and also our intellectual property;
• Preventing and detecting fraud and/or criminal
activity that could be damaging for us and for you;
• For credit control purposes and to make sure
our clients can pay for the services we provide;
• For the purposes of risk management and to
maintain our accreditations so we can demonstrate we operate to the highest standards; and
• Ensuring we are able to keep up to date with
our clients and contacts and developments in their organisations.
At a number of
points on our website you are asked to provide information, for example our contact page and our Careers page. At the point at which information is requested it is clear what the purpose of providing
the information is and we will only use the personal data you provide to us for that purpose.
website makes use of Site Analytics to look at how our website is used. This is done by placing small text files, known as session cookies, on your device to collect information about how visitors
use our website. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where
visitors have come to the site from and the pages they visited. This information is transmitted to and stored by Google on servers in the US.
We share personal data within Kirklands Law
Limited on a confidential basis where required for the purpose of providing legal advice or other products or services and for administrative, billing and other business purposes.
We also routinely share personal data
• Professional advisers who we instruct on your
behalf or refer you to, e.g. barristers or advocates, other legal specialists (including mediators), medical professionals, accountants, tax advisors or other experts;
• Foreign law firms for the purposes of
obtaining legal advice;
• Other third parties where necessary to carry
out your instructions, e.g. a lender, HM Land Registry, Registers of Scotland or Companies House;
• With our client(s) - if we have collected your
personal data in the course of providing legal or other services to any of our clients, we may disclose it to that client, and to others in the proper course of our duties or as required or permitted
• Companies providing services for money
laundering checks, credit risk reduction and other fraud and crime prevention purposes and companies providing similar services, including financial institutions, credit reference agencies and
regulatory bodies with whom such personal data is shared;
• Our insurers and brokers, external auditors,
banks and other third parties which provide services to us to allow us to fulfil our regulatory obligations and for risk management purposes;
• Courts, law enforcement authorities,
regulators or lawyers or other parties where it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim, or for the purposes of a confidential alternative
dispute resolution process or to comply with our legal and regulatory obligations;
• Third parties for the purposes of collecting
your feedback our service provision, to help us measure our performance and to improve and promote our services;
• External service suppliers, representatives
and agents that we use to make our business more efficient, e.g. technology service suppliers, marketing agencies, document collation, translators or analysis suppliers;
• Third parties involved in hosting or
organising relevant events to which you have been invited.
We will only allow our service providers to
handle your personal data if we are satisfied they take appropriate measures to protect your personal data. We also impose contractual obligations on service providers to ensure they can only use
your personal data to provide services to us and to you and to ensure compliance with data protection laws.
We may also, should the need arise, need to
share some personal data with other parties, such as potential buyers of some or all of our business or during a re-structuring. Usually, information will be anonymised but this may not always be
The recipient of the information will be bound
by confidentiality obligations.
We may also use aggregated personal data and
statistics for the purpose of monitoring website usage in order to help us develop our website and our services.
Other than as set out above, we will only
disclose your personal data when you direct us or give us permission, when we are required by applicable law or regulations or judicial or official request to do so, or as required to investigate
actual or suspected fraudulent or criminal activities.
Personal data about other people which you
provide to us
If you provide personal data to us about someone
else (such as one of your directors or employees, a member of your family or someone with whom you have business dealings) you should ensure that you are entitled to disclose that personal data to us
We will hold your data for as long as is
retention periods for the types of information we hold.
The retention periods we apply take account
• Legal and regulatory requirements and
• Limitation periods that apply in respect of
taking legal action;
• Our ability to defend ourselves against legal
claims and complaints;
• Good practice; and
• The operational requirements of our
When it is no longer necessary to retain your
personal data, we will delete or anonymise it.
We also need to know that your information is
accurate and up to date so please advise of any changes on email@example.com
You should also use this email address if you want to cancel any request
you have made to us or you become aware of any inaccuracy in the data we hold about you.
We do not without express consent transfer Data
outside of the European Union unless otherwsie necessary in terms of these conditions.
We will take appropriate technical and
organisational measures to keep your personal data confidential and secure. We have appropriate security measures in place which take account, in particular, of the risks arising from accidental or
unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Those processing your information will do so only in an authorised manner and are subject to a duty of
You have the following rights, which you can
exercise free of charge:
You can ask us to:
• Provide a copy of your personal data;
• Correct any mistakes in your personal
• Delete your personal data - in certain
• Restrict processing of your personal data - in
certain circumstances, e.g. if you contest the accuracy of the data; and
• Provide you with a copy of the personal data
you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party - in certain situations.
You can object:
• At any time to your personal data being
processed for direct marketing (including profiling);
• In certain other situations to our continued
processing of your personal data, e.g. processing carried out for the purpose of our legitimate interests.
Your objection (or withdrawal of consent) may
mean we cannot perform the services you have requested of us or you may not be able to use the services we offer. We will advise you where this is the case. In certain circumstances even if you
withdraw your consent we may still be able to process your personal information if required or permitted by law or for the purpose of exercising or defending our legal rights or meeting our legal and
You also have the right to complain to the
supervisory authority in the part of the European Union where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the
Information Commissioner who may be contacted at https://ico.org.uk/concerns
. We would, however, appreciate the chance to
deal with your concerns before you approach the Information Commissioner so please contact us in the first instance.
Our contact details can be found in the section
below How to contact us about this policy.
Please contact us if you have any questions
Our contact details are shown below:
Kirklands :Law Limited
20 Meeks Road