HSR Law firmly respects the privacy of and rights of all individuals and businesses we deal with. The Data Protection ACT 1998 (DPA) and General Data Protection regulate our use of your personal data.
For the purposes of the DPA and GDPR the Data Controller in respect of any personal data controlled by HSR Law is Fabian Braithwaite.
Our address and registered office is:
HSR LAW Solicitors
7 South Parade
Confidentiality, Data Protection and Documents
1. The following terms shall have the meaning set out below:
a) “ Data Protection Legislation” means applicable legislation protection the “Personal Data” of natural persons, including in particular the Data Protection Act 1998 and any replacement to it (and, from 25 May 2018, the GDPR) together with binding guidance and codes of practice issued from time to time by relevant supervisory authorities.
b) “GDPR” means Regulation (EU) 2016/679 of the European Parliament and Council of 27 April 2016 on the protection of natural persons with regard to the processing of “Personal Data” and on the free movement of such data including where applicable any local implement laws as updated from time to time.
c) The terms “Data Processor”, “Data Controller”, “Data Subject”, “Personal Data Breach” and “Supervisory Authority” shall have the meaning as described in the Data Protection Legislation.
2. Both You and the Company (“Parties”) shall comply with the applicable requirements of the Data Protection Legislation.
3. The Parties acknowledge that, for the purpose of the Data Protection Legislation, the Company is the Data Processor of any “Personal Data” provided by you under this retainer (“The Personal Data”).
4. The subject matter of the Personal Data being processed by the Company will be that of clients or potential clients, parties or individuals associated with clients or potential clients, recipients and beneficiaries of estates, and parties associated with any transactional work. Generally, the subject matter of personal data being processed will be from parties seeking legal advice, parties engaged in transactions, parties obtaining legal services, and any parties associated with them.
5. The duration for which the Company will process the Personal Data will be from the date that you provide us with the Personal Data for the instruction until a date determined in accordance with our file archiving process.
6. The nature and the purpose of the Personal Data being processed by the Company are such as to enable us to provide you with legal services or where applicable to communicate with the third parties in order to provide you with legal services, or to execute transactions pursuant to the provision of legal services. In order to do this the Personal Data will be uploaded on to our case management system, from where it shall be securely accessed by our employees in order to validate, review and further the service provided. We will where appropriate maintain both a hard copy and electronic copy of your data.
7. It is anticipated that the Personal Data contained within your instructions to provide legal services may include the following categories of Personal Data: names, addresses, dates of birth, financial records, details of medical conditions and medical records, personal identity documents and contact details such as telephone numbers and email addresses of you, your employees or persons engaged in litigation with you.
8. The company shall:-
a) Process the Personal Data only on your documented instructions, including with regard to transfers to Personal Data to a third country or an international organisation unless required to do so by Union or Member State law to which we are subject; in such a case, we shall inform you of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. As a matter of course the Company does not anticipate doing so;
b) Ensure that persons authorised to process The Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
c) Take all measures required by Article 32 of the GDPR. Not engage other processors outside of the general written authorisation in clause 10.8 without your specific written authorisation and shall notify you of any intended charges concerning the addition or replacement of these other processors.
d) Assist you, taking into account the nature of the processing, by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligations to respond to requests for exercising the Data Subject’s rights under the Data Protection Legislation;
e) Assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to us;
f) At your election and upon receipt of written notification from you, delete or return all “The Personal Data” to you after the end of provision of services.
9. You consent to the Company appointing those listed at Clause 10.8 to process “The Personal Data” on your behalf provided that:
a) The Company permits them access to “The Personal Data” only to the extent necessary for the performance of the contract to provide the services under this Retainer and not for any other purpose;
b) The conditions set out in Article 28(4) of the GDPR are met.
10. The rights and obligations contained in this Clause 10 shall continue not withstanding the expiry or termination of the Retainer.
11. The Company will only hold and use information about you, your clients, your employees and representatives to allow us to provide the legal services as set out in this Retainer. The Company may disclose this information to our employees or Agents who reasonably require it to allow us to provide the legal services set out in this Retainer.
12. The Company shall maintain a record of processing activities, in compliance with Article 30 of the GDPR.
13. In the event a breach of the Data Protection Legislation in respect of the Personal Data you have supplied the Company shall: –
a) Immediately notify you and provide such further information and assistance to you as may be reasonably requested by you in connection with the breach;
b) As soon as practicable after becoming aware of the breach, take all reasonable steps to investigate, correct the cause and remedy the breach;
c) promptly notify you of any communication received by the Company from the Information Commissioner’s Office, associated government body and Data Subject in respect of the Personal Data supplied by you or in connection with the Company’s obligations under the Data Protection Legislation pursuant to this Agreement; and
d) provide full co-operation and assistance to you with regard to any communication received by the Company pursuant to (c) above.
14. The Company will communicate with you by such method as you may request. The following methods of disseminating information shall be deemed to have an appropriate level of security for the purposes of compliance with the obligations contained herein:
a) Special or Recorded Delivery of First Class Post through Royal Mail;
b) Email or an email address provided by You;
e) Hand delivery or collection from the Company’s office with identification documentation; or
f) Courier service through a reputable courier company.
15. After the completion of the legal service, the Company will retain your file of papers or any copies of any documents or materials in relation to the work carried out for approximately six months where this is necessary for the purpose of prudent record keeping or regulatory and statutory requirements. Thereafter, the Company reserves the right to close the file, placing it in storage for 6 years or longer before destroying. In the alternative the file will be stored by us in digital form. Regulations require firms of solicitors to maintain an archive of files. In some instances files may be archived indefinitely.
16. Not withstanding clause 10.16 the Company will retain an electronic copy of any instruction letter for as long as necessary to meet our statutory and regulatory obligations.
17. The above provisions are subject to any obligations imposed on the Company or you by virtue of the rules on Disclosure, as contained in Civil Procedure Rules Part 31, or any similar provision or any relevant law or any order of any Court of competent jurisdiction.