Client Privacy Notice
PRIVACY NOTICE – clients and potential clients
Oracle is committed to protecting the individual privacy rights and choices of our candidates. Our Privacy Notice contains important information about the types of personal information we collect and process, what we do with it, who we may share it with and why; and your rights when it comes to the personal information you provide us with. If you have any questions about how we use your data, please contact our Data Protection Officer at DPO@oraclesolicitors.co.uk.
1. Controller
A controller is the organisation that makes the decisions about what data is processed and is responsible for your data.
Some of our solicitors operate as consultants, and this privacy notice is also provided to you on behalf of the consultant.
2. The data we collect about you
In your capacity as our client or prospective client, we may collect personal data from you. Personal data means any information about an individual from which that person can be identified. Our primary goal in collecting personal data from you is to help us:
- verify your identity
- comply with our legal obligations
- deliver our services
- improve, develop and market new services
- investigate or settle enquiries or disputes
- comply with any applicable law, court order, other judicial process, or the requirements of a regulator;
- and enforce our agreements with you.
We use different methods to collect data from and about you, including through:
Direct interactions | You may give us your personal data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you: apply for further information about our services using our contact form or call us; subscribe to our newsletters; request marketing to be sent to you; give us some feedback; engage our services. |
Automated technologies or interactions | As you interact with our website, we will collect data about your device, your browsing actions and patterns when you consent to our use of cookies. |
Third parties or publicly available sources | We may receive personal data about you from various third parties and public sources including those set out below: Land Registry; Companies House; The Insolvency Service; Electoral Roll; publicly available sources; other professionals, including surveyors, accountants, solicitors or barristers. |
3. Individual clients
If you are an individual client in receipt of our services or a prospective individual client, we will collect the following data below:
- Name and job title
- Address, email, and phone number
- Gender and date of birth
- Contact information including the company you work for and email address, where provided
- Payment information, if necessary
- Information that you provide to us as part of us providing the services to you, which depends on the nature of your instructions to us, but that could include information about other people
- Relevant information, such as proof of address or identity, as required by anti-money laundering (AML). We need to check that you are using our services legally. To do this, we use providers that perform various checks for us in relation to AML, fraud and other due diligence checks.
- The following searches are made:
- Electoral roll
- Postcode address files
- Consent databases
- Telephone directories
- Mortality registers
- Politically Exposed Persons (PEP) Intelligence databases
- Sanctions databases
- Birth Index Register
- Age range
- Bank account validation and verification.
We need this data in order to provide you with our services; without it, we are unable to provide our services to you. We will continue to process personal data to satisfy our client due diligence obligations throughout the time that you are our client.
4. Corporate clients
When we are engaged by corporate entities, those providing instructions are not data subjects. However, as part of such instructions, personal data may be provided to us (e.g. personal data relating to officers or personnel of our corporate client).
We will ask you to provide us with personal data of the owners, directors, partners and persons with significant control of the business and we may require you to provide us with additional personal data as you use our services.
We will collect, store and process the following personal data of the above-named individuals:
- Full name
- Email address
- Date of birth
- Home address
- Proof of address
- Proof of identity
- Other client due diligence information as required to on-board the company and meet our legal requirements, such as AML, fraud prevention, conflict checks and PEP checks.
We need to check that you are using our services legally. To do this, we use providers that perform various checks for us in relation to AML, fraud and other ‘know your client’ related checks. The following searches are made:
- Electoral roll
- Postcode address files
- Consent databases
- Telephone directories
- Mortality registers
- PEP Intelligence databases
- Sanctions databases
- Birth Index Register
- Age range
- Bank account validation and verification
We need this data in order to provide you with our services; without it, we are unable to provide our services to you. We will continue to process personal data to satisfy our client due diligence obligations throughout the time that you are our client.
For all sole traders, limited companies or partners in unincorporated partnerships we will also collect: billing information, including bank account information and payment information.
5. Third parties
We may also need to process personal data in relation to third parties instructed either by our own clients or other persons or companies involved with us providing the services to our client (for instance other law firms, experts etc.).
This is a non-exhaustive list which is reflective of the varied nature of the personal data processed as part of a law firm providing legal services.
6. If you fail to provide personal data
Where we need to collect personal data by law, or under the terms of a contract that we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with services). In this case, we may have to cancel a service that you have with us but we will notify you if this is the case at the time.
7. How we use your personal data and legal basis for doing so
We may use your information for the following purposes:
Action | Reason | Legal basis |
Responding to enquiries | Our website allows you to request information about our services using an electronic enquiry form. Contact information is required in each case, together with details of other personal data that is relevant to your service enquiry. This information is used to enable us to respond to your requests. | We are using your data with your consent to respond to your enquiry. |
Fulfilment of services | We collect and maintain personal data that you voluntarily submit to us to enable us to provide our services. In order to do this, we need to enter your data onto our systems. | Legitimate interest. |
Fulfilment of services | It is necessary for us to process your information to perform our obligations in accordance with any contract that we may have with you. This includes recording how much time we spend on your matter(s) and taking payment information. | We have a contract with you. |
Resolving complaints or disputes | We need to be able to resolve any complaints or disputes with you. | Legitimate interest. |
Legal compliance | We use your personal data to comply with our legal obligations, including anti-money laundering, conflicts and our regulatory and statutory obligations. | It is our legal obligation to use your personal data to comply with any legal obligations imposed upon us. |
Marketing communications | For clients and prospects, we use your personal data to send you information about our services which may be of interest to you. We may also conduct surveys to improve our services. | It is in our legitimate interest to use your personal data for marketing purposes and you can unsubscribe at any time. |
Our business requirements – legitimate interests
Action | Reason for processing – legitimate interest |
Managing our global business and marketing strategies (including recording and reporting on our business development activities). | We need to have business development and marketing strategies. |
Purchasing, maintaining and claiming against our insurance policies. | We need to protect our business. |
Continuously reviewing and improving our services and developing new ones. | We use your feedback to improve our services. |
Obtaining legal advice, establishing, defending and enforcing our legal rights and obligations in connection with any legal proceedings or prospective proceedings. | We need to understand our obligations and establish and defend our legal rights. |
Monitoring and producing statistical information regarding the use of our platforms and analysing and improving their functionality. | We need to ensure that our website and other platforms are working properly. |
Maintaining the security of our systems, platforms, premises and communications, including detecting and preventing threats. | We need to ensure that our premises and our platforms are secure. |
Managing the proposed sale, restructuring, transfer or merging of any or all part(s) of our business, including responding to queries from the prospective buyer or merging organisation. | We need to be able to manage or sell parts of our business, if we choose to do so. |
We have a legitimate interest in using your personal data for the above purposes. We have balanced your rights and freedoms against our business needs. Please inform us if you object to our processing.
8. Special category data
The UK GDPR defines special category data as:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;
- personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning health;
- data concerning a person’s sex life; and
- data concerning a person’s sexual orientation.
Special category data needs more protection because it is more sensitive than regular personal data, such as name and email.
In order lawfully to process special category data, the controller must identify both a lawful basis under Article 6 of the UK GDPR and a separate condition for processing under Article 9. These do not have to be linked.
Our reasons for processing your special category data
Action | Reasons for processing |
Accidents or emergencies while you are at our office. | It is necessary for us to protect your vital interests or when you are incapable of giving consent. |
Providing you with legal advice. | It is necessary for the establishment, exercise or defence of legal claims. |
Investigating, evaluating, demonstrating, monitoring, improving and reporting on our compliance with our legal and regulatory requirements (such as AML and client verification checks). | Substantial public interest |
Complying with regulatory requirements involving steps being taken to establish the existence of any unlawful act, dishonesty, malpractice or other serious improper conduct. | Substantial public interest |
Responding to binding requests or search warrants or orders from courts, governmental, regulatory and/or enforcement bodies and authorities or sharing information (on a voluntary basis) with the same. | Substantial public interest |
Obtaining legal advice, establishing, defending and enforcing our legal rights and obligations in connection with any legal proceedings, including prospective proceedings. | Substantial public interest |
9. Who we share your personal data with
We may share personal data with a variety of the following categories of third parties as necessary:
Entity | Legal basis for sharing |
Our professional advisers such as lawyers and accountants. | Legitimate interest. |
Government or regulatory authorities or law enforcement. | Legal obligation. |
Professional indemnity or other relevant insurers. | Legitimate interest. |
Regulators/tax authorities/corporate registries. | Legal obligation. |
Third parties to whom we outsource certain services such as, without limitation, document processing and translation services, confidential waste disposal, IT systems or software providers, IT support service providers, document and information storage providers. | Legitimate interest. |
Third parties engaged in the course of the services we provide to clients such as counsel, arbitrators, mediators, clerks, witnesses, cost draftsmen, court, opposing party and their lawyers, document review platforms and experts such as tax advisers or valuers. | Legitimate interest or a contractual requirement to provide our services. |
Third party service providers to assist us with client insight analytics, such as Google Analytics. | Consent. |
Please note this list is non-exhaustive and there may be other examples where we need to share personal data with other parties in order to provide our services as effectively as we can.
We conduct an appropriate level of due diligence and put in place contractual documentation in relation to any sub-contractor to ensure that they process personal data appropriately and according to our legal and regulatory obligations.
Further, we may appoint external data controllers where necessary to deliver the services (for example, accountants, barristers or other third party experts). When doing so we will comply with our legal and regulatory obligations in relation to the personal data and put appropriate safeguards in place.
10. International transfers
Oracle has law firms operating around the world. As such, we will sometimes need to transfer your personal data to recipients in jurisdictions other than your own. Some of these jurisdictions may not provide the same level of protection to your personal data as provided in your jurisdiction. If we transfer your personal data outside the United Kingdom or the European Union, we will only make that transfer if:
- that country ensures an adequate level of protection for your personal data;
- we have put in place appropriate safeguards to protect your personal data, such as a contract with the person or entity receiving your personal data which incorporates specific provisions as directed by the European Commission and the UK government;
- the transfer is permitted by applicable laws; or
- you explicitly consent to the transfer.
If you would like to see a copy of any relevant safeguards used by us to protect the transfer of your personal data, please contact our Data Protection Officer at: DPO@oraclesolicitors.co.uk
11. Data security
We are committed to keeping the personal data provided to us secure and we have implemented appropriate information security policies, rules and technical measures to protect the personal data that we have under our control from unauthorised access, improper use or disclosure, unauthorised modification and unlawful destruction or accidental loss.
All of our partners, employees, consultants, workers and data processors (i.e. those who process your personal data on our behalf, for the purposes listed above), who have access to, and are associated with the processing of personal data, are obliged to respect the confidentiality of such personal data.
12. Retention of personal data
We retain data for the following periods:
- information in a matter file or related to a matter or instructions to us such as information on our case management system will usually be kept for a period of six years after the case or matter ends unless it is required to be kept for longer (for instance, the information is required for another or related case or matter or where the person is currently under the age of eighteen, in which case data will need to be held for six years after they reach the age of eighteen), or we have another legal basis to process that information. This is because we are required to keep client files for that period by our Regulator and/or by the SRA. This also protects you should you be unhappy with our services and want to complain or even sue us after your case ends
- data obtained for compliance with crime or fraud prevention has to be retained by us to meet our legal or regulatory obligations for five years from the close of the individual matter or the end of our business relationship with a relevant person, whichever is later
- enquiries where we do not take on your case are kept for only 18 months
- any complaints files for six years after the complaint is concluded (with the associated matter file(s))
- financial information and any financial transactions will be kept for a period of 7 years to comply with HMRC requirements except for cardholder data which will generally be destroyed immediately after the transaction is processed.
13. How to access your information and your other rights
You have the following rights in relation to the personal data that we hold about you:
- Your right of access: if you ask us, we will confirm whether we are processing your personal data and, if necessary, provide you with a copy of that personal data (along with certain other details). If you require additional copies, we may need to charge a reasonable fee.
- Your right to rectification: if the personal data that we hold about you is inaccurate or incomplete, you are entitled to request to have it rectified. If you are entitled to rectification and if we have shared your personal data with others, we will let them know about the rectification where possible. If you ask us, where possible and lawful to do so, we will also tell you who we have shared your personal data with so that you can contact them directly.
- Your right to erasure: you can ask us to delete or remove your personal data in some circumstances, such as where we no longer need it or if you withdraw your consent (where applicable). If you are entitled to erasure and if we have shared your personal data with others, we will let them know about the erasure where possible. If you ask us, where it is possible and lawful for us to do so, we will also tell you who we have shared your personal data with so that you can contact them directly.
- Your right to restrict processing: you can ask us to ‘block’ or suppress the processing of your personal data in certain circumstances, such as where you contest the accuracy of that personal data or you raise an objection with us. If you are entitled to restriction and if we have shared your personal data with others, we will let them know about the restriction where it is possible for us to do so. If you ask us, where it is possible and lawful for us to do so, we will also inform you who we have shared your personal data with so that you can contact them directly.
- Your right to data portability: you have the right, in certain circumstances, to obtain personal data that you have provided us with (in a structured, commonly used and machine readable format) and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.
- Your right to object: you can ask us to stop processing your personal data, and we will do so, if we are:
- relying on our own or someone else’s legitimate interests to process your personal data, except if we can demonstrate compelling legal grounds for the processing; or
- processing your personal data for direct marketing purposes.
- Your right to withdraw consent: if we rely on your consent (or explicit consent) as our legal basis for processing your personal data, you have the right to withdraw that consent at any time.
- Your right to lodge a complaint with the Supervisory Authority: if you have a concern about any aspect of our privacy practices, including the way we have handled your personal data, you can report it to the Supervisory Authority in your country. We would, however, appreciate the chance to deal with your concerns before you approach the Supervisory Authority, so please contact us in the first instance.
Please note that some of these rights may be limited where we have an overriding interest or legal obligation to continue to process the data, or where data may be exempt from disclosure due to reasons of legal professional privilege or professional secrecy obligations.
