Carbon Law Partners and Carbon are trading names of CLP Group Limited. Carbon cares deeply about delivering an exceptional service to our clients. This includes looking after your data. We want you to know what personal data we process and why.
This privacy notice contains information about what personal data we collect and store about you, how we use it, the legal basis for using it and how long we keep it. It also tells you who we share this information with, what we do to protect your data and how to get in touch with us. This privacy notice is relevant to our dealings with our clients and prospective clients, our staff, our solicitors and candidates considering a career with Carbon.
WHO WE ARE.
Carbon collects and is responsible for personal information about you. When we do this we are the ‘controller’ of this personal information for the purposes of the General Data Protection Regulation (GDPR) and other applicable data protection laws.
Rob Heaton is our Data Protection Manager and is responsible for overseeing all aspects of our data governance.
WORKING WITH US.
Carbon is a commercial law firm. As a client, we are at your service and have all the knowledge and experience you need to succeed. As a staff member, solicitor or supplier, we work with you to deliver services to our clients. When working with you, we will have access to and process data. We want to tell you what we have, why we have it and how long we will keep it for.
Carbon may collect the following personal information that you provide to us:
Your name, date of birth and contact details (including your address, email and phone numbers);
Information about you such as your personal circumstances, lifestyle and employment;
Identification documents such as driving license, passport, photo ID, utility statements and bank statements;
Details of goods and services relevant to your matter that may include personal information;
Personal information given to us in our relationship to working at Carbon such as your CV, answers to any tests or assessments, education, training, employment history and personal information given in interview and meetings we may have with you;
Any personal details included in the matter you are instructing us on;
Personal information relating to any companies or ventures involved in a matter, such as staff and directors’ details;
Financial information about you such as your employment status, position and remuneration packages and bank details, especially in the case of engagements involving a transfer of assets;
Information about your family or next of kin that you give to us in relation to your matter or to the work you do with Carbon;
Personal information held in wills, deeds and trust arrangements.
You may also give us personal information that is classifies as ‘special categories’ under GDPR:
Racial or ethnic origin;
Religious, philosophical or other beliefs;
Trade union membership;
Sex life or sexual orientation;
Information about any criminal convictions.
More information on special categories of data can be found on the ICO’s website here.
INFORMATION COLLECTED FROM OTHER SOURCES.
We may also collect the same categories of information from third parties such as expert witnesses, other professional advisors you have instructed, members of the public, your family and friends, witnesses, courts, suppliers of goods and services, investigators, government departments, regulators, recruiters, information on professional networking sites and public records. Often, but not always, we receive information in this way when we are working with another party that you are involved with, such as other professional advisers, accountants, recruiter, other solicitors, your employer and property agents.
Even if we have not had direct contact with you and are processing data given to us by a third party for a purpose and with a legal basis outlined below, the contents of this privacy notice will still be in effect. We look after all personal data in the same way, regardless of where it has come from.
HOW WE USE YOUR PERSONAL INFORMATION.
We use your personal information for the following purposes:
To provide you with legal services;
To comply with our legal responsibilities to the SRA and under relevant regulation;
To promote and market the services of Carbon;
To engage with and recruit talented individuals to work at Carbon;
To engage with partners that supply us with good and services;
To manage any queries or complaints you have about the services you receive;
To train and develop Carbon members in order to provide you with a better service;
To monitor the quality of service we deliver to you, and ensure it meets your expectations;
To comply with legal obligations to act in the public interest and uphold the rule of law.
WHETHER INFORMATION HAS TO BE PROVIDED BY YOU, AND WHY?
Some of the personal information you may need to give us, such as your personal details and financial information, is so that we can carry out requirements that are statutory obligations for Anti-money Laundering purposes, Solicitors Regulatory Authority (SRA) regulations, HMRC requirements, Land Registry requirements and requirements of the Courts of England and Wales. If you do not give us this information we may not be able to provide you with legal services or complete your matter.
LEGAL REASONS WE COLLECT AND USE YOUR PERSONAL INFORMATION.
We have a legal basis for all the data we process. We rely on a different legal basis depending on the personal information we are processing and the reason we are processing it. We rely on the following legal basis in these circumstances:
In some cases you will give us consent to use your personal information in a certain way. If you have given us consent to use your data in a certain way, and we have no other legal basis for doing so, we will rely on your consent. There is more information below on your rights regarding consent. The activities where we rely on your consent are:
Keeping in touch with you and sending you information about how our services can help. We will also let you know about what is going on at Caron and developments in the industry. We will always give you an option to opt-out of future communications.
If you are thinking about working with us and have applied for a role either directly or through a recruiter, we will rely on your consent to process your application. If you chose to withdraw your consent in these circumstances, then please be aware we may not be able to process your application and will only keep personal information that we are required to by law or to defend a legal claim.
If you are giving us any special categories of data, we may need your explicit consent to do so. We will let you know if this happens and explain it all to you.
You always have the right to withdraw your consent at any time. If consent relates to electronic communications (such as a newsletter or invitations to events) then we will always give you an ‘Opt-Out’ option in every communication. You can also email us at email@example.com or contact us using any of the details below (‘Get in touch’) to withdraw consent.
As an SRA regulated firm, Carbon is bound by regulations that we adhere to which will require us to process your personal information. The activities where we have a legal obligation to process data are:
Processing information about you for Anti-money Laundering purposes and to stop terrorist financing.
Running conflict of interest checks when acting for you and for our other clients.
Complying with our obligation to the SRA, which includes the commitment to maintain a high level of service quality, including activities such as file audits, safeguarding the interests of our clients, and compliance with the SRA’s handbook.
Complying with obligations to HMRC regarding records keeping of our financial activity, including information relating to transactions, billing and payments.
Investigating, managing and resolving any expression of dissatisfaction that relates to any of the regulated activity we carry out, or relevant to any regulations we are bound by.
Keeping adequate records of our work with you to satisfy the insurance cover we need to have in place by law, and to defend Carbon in the unlikely event of a legal claim being brought against us.
Performance of a Legal Contract
We will process personal information that relates to the services we are providing you with, or receiving from you, that are bound by our engagement with you (legal contract). The areas where we are processing personal information to enter into, or fulfil a legal contract are:
Providing legal services to you or discussing our services with you to arrange an engagement. We will process any personal information relating to your matter under this legal basis. We may also be processing personal information given to us by a client to fulfil a contract, even through the personal information is not the client’s but of related parties such as family, next of kin or staff details at a related company.
When working with you in partnership to deliver services we may process personal information, such as information in agreements and on invoices, required to fulfil our obligations under those contracts.
Tasks carried out in the Public Interest
There may be some cases when we have a legal obligation to act in the public interest in relation to the detection and reporting of suspected crime. We can’t rely on your consent and may not be able to tell you when we are processing your personal information in this way so as not to prejudice those purposes.
We rely on legitimate interests to engage with talented individuals that may be great fit for Carbon. We may use personal information that you have made public and shown an interest to discuss opportunities with you (for instance on CV sites and professional networking sites).
We rely on legitimate interests in some cases to invite you to certain events such as networking events or hospitality events. Our legitimate interest is to thank our clients and bring likeminded people together. We will use your contact information when we do this and can provide more information on the assessments we have gone through to make sure the use of your information in this way is fair on request (see ‘get in touch’ below).
WHO WILL WE SHARE YOUR PERSONAL INFORMATION WITH?
We work closely with selected partners and consultants that we share personal information with to deliver you the service you expect from us. We share personal information to:
Perform the services you have instructed us on that may require us to share data with expert consultants, counsel and advisors as required to complete your matter;
Operate our back and middle office services which are managed by Carbon Managed Services Ltd;
Professional services business that help us to manage Carbon, maintain business quality and manage compliance with regulations;
Search providers used to perform due diligence searches, anti-money laundering searches and any other searches required by law or to undertake your matter;
Credit reference agencies used to perform searches required by law or to undertake your matter;
Certain processors and providers of services and software that make up the platforms and systems we use at Carbon to deliver services;
Storage and archiving providers to ensure your personal information is protected securely and backed up.
Any partners, suppliers or third parties we share data with will be bound by strict agreements that meet the requirements of GDPR and will be monitored for performance with those agreements.
We will share personal information with official bodies if required by law including the SRA, ICO, the police, law enforcement and intelligence agencies.
TRANSFER OF YOUR INFORMATION OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA).
It may be necessary to transfer your personal information outside the EEA or to an international organisation in order to perform your instructions. We do not routinely transfer data outside of the EEA, and when we do we will notify you of the reasons, the legal basis for doing so, any relevant risk assessments that we want to make you aware of, and the appropriate safeguards in place to protect your rights and freedoms.
If you would like any further information on transfers outside of the EEA, or would think as part of your matter you will want us to transfer your data outside of the EEA, then please contact our Data Protection Manager, Robert Heaton (see ‘Get in touch’).
HOW LONG WILL WE STORE YOUR PERSONAL DATA?
We will only keep your personal information for as long as necessary to complete the purposes we have described above. We use the following retention periods and review these periodically to make sure we are only keeping what we need (If information can be kept for two different periods, we will keep it for the longer of those two periods):
Matter information – Information about you and any personal information relating to your matter we will keep for a period of 7 years after the matter has ended, or 1 year after any relevant limitation period, whichever is longer. This is to comply with our requirements to our insurance provider to have records available in the case we need to defend a legal claim, and to comply with the SRA obligations regarding record keeping.
Identification and Due Diligence – Information relating to Anti-money Laundering checks and due-diligence we will keep for a period of 5 years from the end of the last matter undertaken for you to comply with our Anti-money Laundering obligations. If you continue to work with us we will update this information at least every 3 years.
Financial Transactions – Information about you and any financial transactions, including fees paid and payments for services, we will keep for a period of 7 years to comply with HMRC requirements to keep accurate records that can be audited.
Contact information used in marketing with your consent and to pursue a legitimate interest will be kept for 30 days once you have withdrawn your consent.
Information that we delete may be kept in an encrypted, secure and ‘beyond reach’ backup for a period of 6 years after deletion. We need to maintain backups of our systems to comply with article 32 of the GDPR (security and resilience).
Under the General Data Protection Regulation, you have a number of important rights that you can exercise free of charge. In summary, these rights are:
Transparency over how we use your personal data and fair processing of your information (which includes the right to be given the information in this notice);
Access to your personal information and other supplementary information;
Require us to correct any mistakes or complete missing information we hold on you;
Require us to erase your personal information in certain circumstances;
Receive a copy of the personal information you have provided to us or have this information be sent to a third party, this will be provided to you or the third party in a structured, commonly used and machine readable format;
Object at any time to processing of your personal information for direct marketing;
Object in certain other situations to the continued processing of your personal information;
Restrict our processing of your personal information in certain circumstances;
Request not to be subject to automated decision making which produce legal effects that concern you or affect you in a significantly similar way
If you want more information about your rights under the GDPR please see the Guidance from the Information Commissioners Office on Individual's rights under the GDPR.
If you want to exercise any of these rights, please contact us (see ‘get in touch’ for contact details) and let us know who you are and what right you want to exercise. We may need to ask for additional information regarding your identity, and we may also need some information from you on specific categories of data, types of processing activities or periods of processing activities that you wish to focus your request around.
We will respond to you no later than one month from when we receive your request. Please note if you wish to unsubscribe from any email you can do so by emailing firstname.lastname@example.org.It may take 10 working days for this to become effective.
HOW TO MAKE A COMPLAINT.
If something does go wrong or you are in anyway unhappy with how we have treated your data then please do not hesitate to contact our Chief Executive, Michael Burne.
The General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where the alleged infringement of data protection laws occurred. The UK supervisory authority if the Information Commissioner’s Office who can be contacted at https://ico.org.uk/concerns/.
Carbon is a modern law firm and has invested significantly in our process, systems and controls to safeguard your data. We keep your personal information secure through:
Training all of our staff and Partners on the importance of information security and the processes we have in place to do so;
Review by external advisers who will help us to understand and manage emerging threats to information;
Policies and procedures that are enforced across all of Carbon and Carbon Partners;
Security functions in systems;
Audits and checks on the performance of controls;
Risk management processes that identify and mitigate risks and threats to your information;
Encrypted backups taken periodically to make sure data is always available;
Encryption on devices that hold data;
Password policies for any systems that hold data;
Administrative control and oversight to any systems or networks that hold data.
We do not intend to process your personal information for any reason other than stated within this privacy notice. If this changes, we will update this privacy notice on our website and in any documentation we send you, or tell you by email when we start processing your data in a new way.
CHANGES TO THIS PRIVACY NOTICE.
This privacy was published in May 2018. It is due for review no later than May 2019. We regularly review our internal privacy practices and may change this policy from time to time. When we do we will inform you by updating our website and telling you in any documentation or messages we send you.
GET IN TOUCH.
If you have any questions about this privacy notice or the personal information we hold about you, please contact us.
By Post: Carbon Law Partners, Creative Quarter, Morgan Arcade, Cardiff, CF10 1AF
By Email: email@example.com
By Phone: 0292 167 1990
If it would be helpful to have this notice provided in another format please contact us (see ‘Get in touch’ above).