Registration number: ZA264336
Data controller: Colaw Limited
Address: Unit 19, The Office Village, North Road, Loughborough, LE11 1QJ
1.1 This policy is intended to meet the requirements of the Data Protection Act 2018 (the 2018 Act) and the EU General Data Protection Regulation (GDPR) and comply with our legal obligations in respect of data privacy and security under the 2018 Act and the GDPR.
1.2 This policy is divided into three parts: Part 1 containing the Principal Policy, Part 2 containing the Data Retention Policy and Part 3 containing the Data Security Policy.
1.3 CoLaw Limited is a ‘Data Controller’ for the purposes of your personal data. This means that we determine the purpose and means of the processing of your personal data. CoLaw Limited also trades as CoLaw.
1.4 CoLaw Limited has appointed Andrew Robinson (Director) as the person with responsibility for data protection compliance within the Company. Andrew Robinson should be contacted at [email protected] with any questions or requests for further information about this policy.
1.5 This policy explains how CoLaw Limited will hold and process your information. It explains your rights as a data subject. It also explains our obligations when obtaining, handling, processing or storing personal data in the course of your instructions to CoLaw Limited.
1.6 This policy does not form part of your contract with CoLaw Limited (or contract for services if relevant) and can be amended by CoLaw Limited at any time. It is intended that this policy is fully compliant with the 2018 Act and the GDPR. If any conflict arises between those laws and this policy, the Company intends to comply with the 2018 Act and the GDPR.
PART 1 – PRINCIPAL DATA PROTECTION POLICY
2. PURPOSE AND SCOPE
2.1 CoLaw Limited takes the security and privacy of your data seriously. We need to gather and use information or ‘data’ about you as part of our business and to manage our relationship with you. We have a duty to notify you of the information contained in this policy.
2.2 This policy applies to current, potential and former clients. You are a ‘data subject’ for the purposes of this policy. You should read this policy alongside any other notice we issue to you from time to time in relation to your data.
2.4 We hold data for specified periods of time appropriate to the type of data. These periods of time are contained in Part 2 of this policy in the Data Retention Policy. We will only hold data for as long as necessary for the purposes for which we collected it.
2.5 We have measures in place to protect the security of your data in accordance with our Data Security Policy. These security measures are contained in Part 3 of this policy.
3. DATA PROTECTION PRINCIPLES
3.1 Personal data must be processed in accordance with six ‘Data Protection Principles’. It must:
• Be processed fairly, lawfully and transparently.
• Be collected and processed only for specified, explicit and legitimate purposes.
• Be adequate, relevant and limited to what is necessary for the purposes for which it is processed.
• Be accurate and kept up to date. Any inaccurate data must be deleted or rectified without delay.
• Not be kept for longer than is necessary for the purposes for which it is processed.
• Be processed securely.
We are accountable for these principles and must be able to show that we are compliant.
4. DEFINING PERSONAL DATA
4.1 ‘Personal data’ means information which relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information which is likely to come into our possession. It includes any expression of opinion about the person and an indication of the intentions of us or others, in respect of that person. It does not include anonymised data.
4.2 This policy applies to all personal data whether it is stored electronically, on paper or on other materials.
4.3 This personal data might be provided to us by you, or someone else (such as a credit reference agency), or it could be created by us. It could be provided or created during the course of your instructions or after its conclusion.
4.4 We will collect and use the following types of personal data about you:
• Your contact details and date of birth.
• Your correspondence address and email addresses (if different).
• Your gender.
• Any other category of personal data which we may notify you of from time to time.
• Your employees' personal data, including Names, Dates of Birth, Employment Status, Health Records, Race, Ethnic Origin, Religion, trade union membership, sex life and sexual orientation for the purposes of Marital status to fulfil our contract with you and to defend any potential legal claims.
• Contact data includes billing address, delivery address, email address and telephone numbers.
• Financial data includes bank account and payment card details.
• Marketing and communications data includes your preferences in receiving marketing from us and our third parties.
5. DEFINING SPECIAL CATEGORIES OF PERSONAL DATA
5.1 ‘Special categories of personal data’ are types of personal data consisting of information as to:
• Your racial or ethnic origin.
• Your political opinions.
• Your religious or philosophical beliefs.
• Your trade union membership.
• Your genetic or biometric data.
• Your health.
• Your sex life and sexual orientation.
• Any criminal convictions and offences.
We may hold and use any of these special categories of your personal data in accordance with the law.
6. DEFINING PROCESSING
6.1 ‘Processing’ means any operation which is performed on personal data such as:
• Collection, recording, organisation, structuring or storage.
• Adaption or alteration.
• Retrieval, consultation or use.
• Disclosure by transmission, dissemination or otherwise making available.
• Alignment or combination.
• Restriction, destruction or erasure.
This includes processing personal data which forms part of a filing system and any automated processing.
7. DATA SECURITY
We take the security of client-related personal data seriously. CoLaw Limited have internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed except by employees in the proper performance of their duties. A Data Security Policy is contained in Part 3 of this Data Protection Policy.
Where the Company engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
8. HOW PERSONAL DATA WILL BE PROCESSED
8.1 CoLaw Limited process your personal data (including special categories of personal data) in accordance with our obligations under the 2018 Act.
8.2 We will use your personal data on a lawful basis for:
• Contractual – performing the basis of your instructions and advising on Employment Law and HR related matters.
• Legal Obligation – complying with any legal obligation.
• Where necessary to assist in the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
• Legitimate Interest – if it is necessary for our legitimate interests (or for the legitimate interests of someone else), namely to fulfil our obligations to you as a client. However, we can only do this if your interests and rights do not override ours (or theirs). You have the right to challenge our legitimate interests and request that we stop this processing. See details of your rights in Clause 12 below.
8.3 The table below sets out in further detail how we will utilise personal data.
| Activity | Types of Data | Lawful Basis |
| --- | --- | --- |
| Carrying out business with you in accordance with our contractual retainer | Contact Details, Financial Data, Data relating to your employees including special categories of data as defined at Clause 5 | |
| To suggest goods or services that may benefit your business | Contact details, marketing data | Necessary for our legitimate interests to grow our business and offer further services |
| Advise you of changes to our services policies or procedures | Contact Details and technical data | Necessary for our legitimate interests to manage our contract with you and Performance of our contract with you |
| To provide you with updates on Employment Law & HR or other services you instruct us on | Contact Details and technical data | Performance of our contract with you |
We can process your personal data for these purposes without your knowledge or consent. We will not use your personal data for an unrelated purpose without telling you about it and the legal basis that we intend to rely on for processing it.
If you choose not to provide us with certain personal data you should be aware that we might not be able to carry out certain parts of the contract between us. It might also stop us from complying with certain legal obligations and duties which we have.
9. REASONS FOR PROCESSING PERSONAL DATA
9.1 We have to process your personal data in various situations during your instructions in order to fulfil our contract with you to provide HR and Employment Law advice.
9.2 We might process special categories of your personal data and your employees' personal data.
9.3 We do not need your consent to process special categories of your personal data when we are processing it for the following purposes, which we may do:
• Where it is necessary for carrying out rights and legal obligations.
• Where it is necessary to protect your vital interests or those of another person where you/they are physically or legally incapable of giving consent.
• Where you have made the data public.
• Where processing is necessary for the establishment, exercise or defence of legal claims.
9.7 Automated decision-making
We do not take automated decisions about you using your personal data or use profiling in relation to you or your instructions. However, you will be notified if this position changes.
10. SHARING PERSONAL DATA
10.1 Sometimes we might share your personal data with group Companies or our contractors and agents to carry out our obligations under our contract with you or for our legitimate interests. This includes CoLaw Limited, EHL Group (UK) Limited and Edward Hands and Lewis Limited.
10.2 We require those Companies to keep your personal data confidential and secure and to protect it in accordance with the law and our policies. They are only permitted to process your data for the lawful purpose for which it has been shared and in accordance with our instructions.
10.4 Transfer of Data outside the European Economic Area
We will not transfer your data to Countries outside the European Economic Area without your express consent. If this changes you will be notified of this and the protections which are in place to protect the security of your data will be explained.
11. PROCESSING PERSONAL DATA FOR THE COMPANY
11.1 CoLaw Limited has responsibility for ensuring data is collected, stored and handled appropriately, in line with this policy and the Company’s Data Security and Data Retention Policies.
11.2 The person named in sub-clause 1.4 of this policy is responsible for reviewing this policy and updating the Board of Directors on the Company’s data protection responsibilities and any risks in relation to the processing of data. You should direct any questions in relation to this policy or data protection to this person.
11.3 We will only access personal data covered by this policy if needed for the work carried out on behalf of the Company and only if we are authorised to do so. The Company should only use the data for the specified lawful purpose for which it was obtained.
11.4 We will not share personal data informally.
11.5 We will keep personal data secure and not share it with unauthorised people.
11.6 We regularly review and update personal data which we have to deal with for work.
11.7 We will not make unnecessary copies of personal data and will keep and dispose of any copies securely.
11.9 Personal data will never be transferred outside the European Economic Area except in compliance with the law and authorisation of the person responsible for data protection compliance or with your explicit consent.
12. DATA BREACHES
12.1 We have robust measures in place to minimise and prevent data breaches from taking place. Should a breach of personal data occur (whether in respect of you or someone else) then we must take notes and keep evidence of that breach. If the breach is likely to result in a risk to the rights and freedoms of individuals then we must also notify the Information Commissioner’s Office within 72 hours.
12.2 If you are aware of a data breach you must contact Andrew Robinson immediately and keep any evidence you have in relation to the breach.
13. SUBJECT ACCESS REQUESTS
13.1 Data subjects can make a ‘subject access request’ (SAR) to find out the information we hold about them. This request must be made in writing. If you wish to make a Subject Access Request you should forward it to the person responsible for data protection compliance at [email protected] who will coordinate a response.
13.2 We must respond within one month unless the request is complex or numerous in which case the period in which we must respond can be extended by a further two months.
13.3 There is no fee for making a SAR. However, if your request is manifestly unfounded or excessive we may charge a reasonable administrative fee or refuse to respond to your request.
14. DATA SUBJECT RIGHTS
14.1 You have the right to information about what personal data we process, how and on what basis as set out in this policy.
14.2 You have the right to access your own personal data by way of a subject access request (see above).
14.3 You can correct any inaccuracies in your personal data. To do this you should contact the Fee Earner responsible for your matter.
14.4 You have the right to request that we erase your personal data where we were not entitled under the law to process it or it is no longer necessary to process it for the purpose it was collected. To do so you should contact [email protected]
14.5 While you are requesting that your personal data is corrected or erased or are contesting the lawfulness of our processing, you can apply for its use to be restricted while the application is made. To do so you should contact [email protected]
14.6 You have the right to object to data processing where we are relying on a legitimate interest to do so and you think that your rights and interests outweigh our own and you wish us to stop.
14.7 You have the right to object if we process your personal data for the purposes of direct marketing.
14.8 You have the right to be notified of a data security breach concerning your personal data.
14.9 In most situations we will not rely on your consent as a lawful ground to process your data. If we do however request your consent to the processing of your personal data for a specific purpose, you have the right not to consent or to withdraw your consent later. To withdraw your consent, you should contact [email protected]
14.10 You have the right to complain to the Information Commissioner. You can do this by contacting the Information Commissioner’s Office directly. Full contact details including a helpline number can be found on the Information Commissioner’s Office website (www.ico.org.uk). This website has further information on your rights and our obligations.
PART 2 – DATA RETENTION POLICY
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
The Company will therefore:
• Review the length of time it keeps personal data.
• Consider the purpose or purposes it holds the information for in deciding whether (and for how long) to retain it.
• Securely delete information that is no longer needed for this purpose or these purposes.
• Update, archive or securely delete information if it goes out of date.
16. DELETING DATA
Discarding data too soon would be likely to disadvantage CoLaw Limited and quite possibly, inconvenience the people the information is about as well.
Personal data will be regularly reviewed and anything no longer needed will be deleted. Information that does not need to be accessed regularly, but which still needs to be retained, will be safely archived or put offline.
In retaining data, we will take account of any professional rules or regulatory requirements that apply. The retention periods will be regularly reviewed to consider whether data is being held too long or, conversely, whether it is being deleted prematurely. However, if any records are not being used, consideration will be given to whether they need be retained.
17. PERSONAL DATA AT THE END OF ITS RETENTION PERIOD
At the end of the retention period, or the life of a particular record, it will be reviewed and deleted, unless there is some special reason for keeping it.
Where appropriate a record may not be permanently deleted and it may be archived instead. If a record is archived, this will reduce its availability and the risk of misuse or mistake. However, a record will only be archived (rather than deleted) if it is considered essential to retain it. In order to comply with data protection principles subject access to it will still be permissible. If a record is deleted from a live system, it will also be deleted from any back-up of the information on that system.
18. DATA RETENTION PERIODS
We will only hold data for as long as necessary for the purposes for which we collected it and will hold data for specified periods of time appropriate to the type of data.
18.1 Statutory Retention Periods
The main UK legislation regulating statutory retention periods is summarised below. If the Company is in doubt, it will retain records for at least 6 years, to cover the time limit for bringing any civil legal action.
18.2 Recommended (Non-Statutory) Retention Periods
For many types of records, there is no definitive retention period, therefore it is up to the Company to decide how long to keep them. The Company has therefore considered the necessary retention period for them, depending on the type of record.
The UK Limitation Act 1980 contains a 6-year time limit for starting many legal proceedings. So, where documents may be relevant to a contractual claim, the Company will retain them for at least a corresponding 6-year period.
PART 3 – DATA SECURITY POLICY
This policy outlines behaviours expected of CoLaw Limited when dealing with data and provides a classification of the types of data with which they should be concerned.
We must protect personal, restricted, confidential and sensitive data and ensure it is processed in accordance with the data protection principles contained in the Principal Data Protection Policy.
We shall use reasonable endeavours to ensure Data Security by ensuring:
a) Only staff who are authorised to use the information can access it.
b) Information is accurate and suitable for the purpose for which it is processed.
c) Authorised persons can access information if they need it for authorised purposes.
d) Personal information is secured throughout the period that we hold or control it, from obtaining to destroying the information.
e) Confidential information is securely disposed of.
In general, cookies are used to retain user preferences, store information for things like shopping carts, and provide anonymised tracking data to third party applications like Google Analytics.
As a rule, cookies will make your browsing experience better. However, you may prefer to disable cookies on this site and on others.
The most effective way to do this is to disable cookies in your browser. We suggest consulting the Help section of your browser or taking a look at the About Cookies website, which offers guidance for all modern browsers.