1. About this Policy
During the course of our activities, Jurit LLP will process personal data (which may be held on paper, electronically, or otherwise) about our partners, consultants, clients and other relevant persons. We recognise the need to treat personal data in an appropriate and lawful manner, in accordance with relevant data protection legislation. The purpose of this Policy is to state how we will handle such personal data.
This Policy does not form part of any contract and we may amend it at any time.
2. Data Protection Principles
2.1 We will comply with the Data Protection Principles in the EU General Data Protection Regulation (“the GDPR”), which say that personal data must be:
(a) Processed fairly, lawfully and in a transparent manner.
(b) Processed for specified, explicit and legitimate purposes.
(c) Adequate, relevant and limited to what is necessary for the purpose.
(d) Accurate and, where necessary, kept up to date.
(e) Not kept longer than necessary for the purpose.
(f) Processed in a manner which ensures appropriate security.
2.2 “Personal data” means information relating to an identified or identifiable natural person. It may include contact details, other personal information, photographs, expressions of opinion or indications as to our intentions about a person.
“Processing” means doing anything with personal data, such as accessing, disclosing, storing, destroying or using the data in any way.
3. Fair and Lawful Processing
3.1 We will usually only process personal data for the purposes of our legitimate interests in conducting our business. In a few cases, such as some uses for direct marketing, our processing may be based on the consent of individuals. We may also need to process personal data where it is necessary to do so in order to comply with our legal obligations.
3.2 We will only process “sensitive personal data” (e.g. about racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, health, sex life, genetic information, biometric information, criminal proceedings or convictions), where permitted under data protection legislation. Usually this will mean that individuals have given their explicit consent, or that the processing is legally required or permitted in connection with the individual’s relationship with Jurit.
3.3 We will inform individuals about the processing of their data and about the rights they enjoy in that respect.
4. How we are likely to use Personal Data
4.1 We will process data about individuals for the purposes of conducting our legal practice, for legal, personnel, administrative and management purposes, and to enable us to meet our legal obligations, for example to pay charges, monitor performance and to confer benefits in connection with the individual’s relationship with Jurit.
4.2 We may process sensitive personal data relating to individuals including, as appropriate:
(a) information about an individual’s physical or mental health or condition in order to monitor sick leave and take decisions as to the individual’s fitness for work;
(b) the individual’s racial or ethnic origin or religious or similar information in order to monitor compliance with equal opportunities legislation;
(c) in order to comply with legal requirements and obligations to third parties.
5. Data Retention
We will not keep personal data for longer than is necessary for the purpose for which the data was collected. This means that data will be destroyed or erased from our systems when it is no longer required. For guidance on how long certain data is likely to be kept before being destroyed, please contact our Data Protection Compliance Officer, Robert Marcus.
6. Processing in line with the Rights of Individuals
An individual has the right to:
(a) Request access to any personal data we hold about them.
(b) Prevent the processing of personal data for direct-marketing purposes.
(c) Ask to have inaccurate data held about them amended or corrected.
(d) Ask for erasure of data on the grounds specified in Article 17 of the GDPR (“the right to be forgotten”), for example where processing is based on consent and the consent has been withdrawn, or where the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
(e) Object to any decision that significantly affects them being taken solely by a computer or other automated process.
(f) Complain to an appropriate supervisory authority, such as the UK Information Commissioner.
(g) Exercise other rights laid down in the GDPR, such as the right to restriction of processing, the right to object to processing, and the right to data portability.
7. Data Security
7.1 We will ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
7.2 We have in place procedures and technologies to maintain the security of personal data from the point of collection to the point of destruction. We will only transfer personal data to a third party if it agrees to comply with those procedures and policies, or if it puts in place adequate measures.
7.3 Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised purposes) of the personal data.
7.4 Any known or suspected breach of data security must be notified immediately to our Data Protection Compliance Officer, Robert Marcus, who will decide whether it is necessary in the circumstances to notify affected individuals and/or supervisory authorities.
8. Providing Information to Third Parties
We will not disclose personal data to a third party without the relevant individual’s consent unless we are satisfied that the third party is legally entitled to the data. Where we do disclose personal data to a third party, we will have regard to the provisions of the GDPR.
9. Subject Access Requests
If an individual wishes to exercise their rights under data protection legislation, they may do so by writing to us at 4 Lombard Street, London EC3V 9HD. All such written requests should be forwarded to our Data Protection Compliance Officer, Robert Marcus.
10. Privacy Impact Assessments
We will undertake privacy impact assessments in the event that we propose to undertake data processing of a more intrusive nature. At the date of this policy, no such processing is carried out.
11. Breaches of this Policy
If anyone considers that this Policy has not been followed in respect of personal data about themselves or others, the matter should be promptly raised with our Data Protection Compliance Officer, Robert Marcus. Any breach of this Policy will be taken very seriously.