Client Privacy Notice

Who we are

We are Melyn Legal Limited. We are a law firm regulated by the Solicitors Regulation Authority (SRA) (registration no. 8003011) and a company registered in England and Wales (company no.14462144). We offer legal services to individuals in England and Wales and our offices are based in Cardiff.

We reserve the right to update this notice at any time. The Privacy Notice will be available via our website and we will notify those affected by any substantial updates. Should any additional processing become necessary, we will notify those affected.

We are a Data Controller

This means that we are responsible for deciding how we use and hold personal information about you and explaining it clearly to you.

Who this Privacy Notice applies to

This Privacy Notice applies to all our current, former and prospective clients.

Our promise:

To do our best to keep your data safe.
Never to sell, swap or rent your data to third parties.
To give you ways to control the use of your data whenever we can.

Data Protection Contact

If you have any queries about how we use or hold your data or wish to request any of your rights below please contact our Data Privacy Manager, Elizabeth Saxby on Elizabeth.saxby@melynlegal.com

How we collect information

We collect personal information directly from our clients, our referrers, our business contacts, other parties in the matter, our electronic identity verification service and contractors both at the start of the relationship and throughout.

Where the personal data is not collected directly from the data subject, it will have been obtained from one of the following sources:

Credit reference agencies and electronic identity verification systems – used to carry out due diligence on a client in accordance with our Anti Money Laundering obligations.
Professional or regulatory website – such as the Law Society or the Financial Conduct Authority Registers
Other parties – during the course of a matter other parties involved may supply personal data.
Other professions – if other professionals are involved in the matter they may provide personal data, including special category, this includes collection agents, surveyors, accountants, other legal professionals, medical professionals etc.

We may use public sources, such as online searches, news reports or social media.

Purpose for Processing Personal Data

We process personal data to discharge our contractual duties towards our clients for the legal matters they have instructed us upon and to give legal advice. We also process personal data in order to run our law firm effectively (such as issuing invoices) and to fulfil our legal and regulatory obligations.

Nothing in the Data Protection Act 2018 or the UK General Data Protection Regulations overrides our duty of confidentiality to our clients, to which we are bound by our professional bodies.

The personal data collected for all clients:

Name
Contact details such as: address, email address, mobile number, telephone number
Date of Birth
Information required for due diligence checks (such as passport number, drivers number, nationality, full name, etc)

Special Category Personal Data

There are times when, to progress a matter, we need to collect and process special category personal data. We only do this where it is absolutely necessary. The type of information this may be and the reason we need to collect, hold and process it are as follows:

Heath information

This may be necessary for family cases and disputes. It may also be necessary to help us make reasonable adjustments for you under the Equalities Act.

Sex life or sexual orientation
Religious or philosophical beliefs
Genetic data
Biometric data
Race or ethnic origin

This could become relevant in family cases and disputes.

Political opinions

This may be processed during family cases and disputes.

Criminal convictions

This may be processed during family cases and disputes. It may also be relevant to Anti Money Laundering checks.

Children’s Information

We do not offer our services directly to those under the age of 18. However, where a matter involves information relating to a child or children, we only hold and process personal data in relation to children on instruction from a parent, guardian, public authority or a close relative. All processing of children’s personal data is on the basis of the contract with the client or legal obligation.

Lawful Basis for Processing

The majority of the processing of personal data we carry out is on a contractual basis, under instruction from our clients for legal advice or legal representation.

We also process personal data in accordance with our legal obligations. This includes special category personal data as detailed above. Where we do so, it may be without your knowledge or consent as required or permitted by law. This is due to the nature of a legal firm and our obligations under such legislation as the Anti Money Laundering Regulations, in addition to our duties to the Courts.

Occasionally we may carry out processing based on specific consent, such as with marketing.

The Legitimate Interests for the Processing

Occasionally we may process small amounts of personal data (name, contact details) in relation to individuals within potential business clients on the basis of Legitimate Interests. Information would be gained from publicly accessible sources, such as LinkedIn, Twitter, professional register, Companies House, Google or the company website (in compliance with the terms and conditions of the source).

The Recipients or Categories of Recipients of the Personal Data

We do not sell, swap or rent personal data to third parties.

We do not share personal data for marketing purposes.

We do not pass on or share personal data where there is no legal basis to do so.

We pass on personal data to third party suppliers and others in relation to the legal matters or advice we are instructed in relation to.

We will share personal information with official bodies if required by law including the SRA, ICO, the police, the government, law enforcement and intelligence agencies.

We use third party companies and consultants to assist with fulfilling our contractual and legal duties, such as in assisting us with our risk and compliance, our IT software and our accounting requirements. Any partners, suppliers or third parties we share data with will be bound by strict agreements that meet the requirements of GDPR and will be monitored for performance with those agreements.

The Details of Transfers of the Personal Data to any Third Countries or International Organisations

It may be necessary to transfer your personal information outside the EEA or to an international organisation in order to perform your instructions. We do not routinely transfer data outside of the EEA, and when we do we will notify you of the reasons, the legal basis for doing so, any relevant risk assessments that we want to make you aware of, and the appropriate safeguards in place to protect your rights and freedoms.

If you would like any further information on transfers outside of the EEA, or would think as part of your matter you will want us to transfer your data outside of the EEA, then please contact our Data Protection Manager.

The Retention Periods for the Personal Data

Matter information – information about you and any personal information relating to your matter we will keep for a period of 7 years after the matter has ended, or 1 year after any relevant limitation period, whichever is longer. This is to comply with our requirements to our insurance provider to have records available in case we need to defend a legal claim, and to comply with the SRA’s obligations regarding record keeping.
Identification and Due Diligence – information relating to Anti Money Laundering checks and due diligence we will keep for a period of 7 years from the end of the last matter undertaken for you and it will be kept with your Matter information. This is to ensure we comply with our Anti Money Laundering obligations.
Financial Transactions – information about you and any financial transactions, including fees paid and payments for services, we will keep for a period of 7 years to comply with HMRC requirements to keep accurate records that can be audited.
Financial Transactions – information about you and any financial transactions, including fees paid and payments for services, we will keep for a period of 7 years to comply with HMRC requirements to keep accurate records that can be audited.

The Rights Available to Individuals in Respect of the Processing

You have the following rights in relation to the processing and holding of your personal data:

To be Informed

This Privacy Notice tells you about the processing of personal data, your rights and our responsibilities. We will keep you informed of any changes to this Notice and where there are any issues that arise that affect you.

Access

You can request from our Data Protection Manager on the above details to request what personal data is held about you. We will confirm that you are the correct Data Subject and it will take up to 30 days from the original request to send a full response.

Rectification

If any of your data is incorrect or requires updating, please notify the Data Protection Contact on the above details and the data will be rectified with 72 hours.

Restrict Processing

You have the right to request that the processing of your personal data be restricted. We may not have to grant this, such as where processing is for the purpose of contractual or legal obligations. Any request for restriction will receive a response within 14 calendar days.

Erasure (be forgotten)

You have the right to request that data held on you be erased. Again, we may not have to grant this where it is needed for contractual / legal obligation or archiving purposes. We will let you know within 14 days.

Data Portability

You have the right to request to take the personal data you have given to us with you. As a client, you have the right, separate to your rights under the GDPR, to request your file, as detailed in the Terms of Business. If there is personal data we hold under our legal obligations or that is confidential to another client, we may restrict the information we send to you.

Object to Processing

You have the right to object to processing of your personal data. Again, we may not have to grant this where it is needed for contractual / legal obligation or archiving purposes. We will let you know within 14 days.

Rights in Relation to Automated Decision Making and Profiling

You have rights in relation to automated decision making and profiling. We don’t use any automated decision making or profiling.

The Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw such consent whenever you choose.

Your rights in relation to terminating the contract are contained within the Terms of Business.

The right to lodge a complaint with a supervisory authority

Please let us know if you are unhappy with how we have used your personal information.

You also have the right to complain to the Information Commissioner’s Office.

Details of how are available on their website: www.ico.org.uk/concerns/

Or you can write to the ICO at:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow, Cheshire
SK9 5AF

The details of whether individuals are under a statutory or contractual obligation to provide the personal data.

We are under a legal obligation (known as a statutory duty) to request personal data from our clients in relation to due diligence processes for anti-money laundering purposes. If this is not provided, we will not be able to act for the client.

The personal data we request from a client are all so we can fulfil our contract to progress your legal matter or give advice, or as a legal obligation.

Thanks for taking the time to understand how Melyn Legal will use your data and thank you for trusting us with your personal data.