Privacy Notice

1. Why are we providing this notice?

By law, businesses like ours must provide certain information to clients, website users, staff, suppliers and third parties in relation to their personal data.

2. Purpose of this notice

The purpose of this notice is to explain what personal data we collect, how, why and on what basis we process it, and your rights in relation to such data and processing.

3. Accountability

Urquharts is the trading name of A & W M Urquhart, a Scottish partnership having its place of business at 16 Heriot Row, Edinburgh, EH3 6HR.

We are the data controller in relation to the personal data we process and are responsible for ensuring, and demonstrating, compliance with relevant data protection laws.

Our Data Protection Officer is Stephen Webster: stephenwebster@urquharts.co.uk

4. What is “personal data”?

“Personal data” is any information relating to an identified or identifiable natural person. An “identifiable natural person” is a living person who can be identified, directly or indirectly, in particular by reference to an identifier (such as a name or address) or to factors specific to that person (such as physical characteristics or cultural identity).

Personal data includes “special categories” (or “sensitive”) data. This is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a person’s sex life or sexual orientation.

5. Examples of “personal data”

5.1 Clients
Personal data will include the personal identity information we obtain when opening our client files, and all information (such as personal, family, financial, professional and business details) held in our client files from which the identity of a living person can be established. This may include sensitive personal data.

5.2 Users of our website
Personal data will include the personal identity information we collect or receive through our website (such as IP addresses collected automatically, and contact information contained in enquiries submitted online) from which the identity of a living person can be established. This may include sensitive personal data provided by such users through our website.

5.3 Staff
Personal data will include personal identity information, education and employment history, references, family information (such as next of kin and dependants), background checks, financial information (such as bank and taxation, student loan and pension details), holiday, absence, grievance and disciplinary records, performance reviews, expenses claims, time sheets, records of use of IT and information services held from time to time in our personnel and other business records from which personal identity can be established. This may include sensitive personal data.

5.4 Third parties
Personal data will include the personal identity information we obtain through our dealings with third parties. This may include sensitive personal data.

In this notice “third parties” means persons other than us and our clients, website users, and staff, and includes (as appropriate but without limitation) accountants, advocates, agents, auditors, banks, consultants, contractors, experts, financial advisors, governmental bodies (such as the DWP, HMRC, Registers of Scotland and Revenue Scotland), insolvency practitioners, IT consultants, lenders, marketing consultants, money-laundering check resources, pension administrators and providers, property marketing platforms (such as the ESPC) regulatory bodies, search companies, Sheriff Officers, other solicitors, stockbrokers, surveyors and tax and pension advisors).

5.5 Suppliers
Personal data will include the personal identity information we obtain through our business relationships with our suppliers. This may include sensitive personal data.

In this notice “suppliers” means third parties who supply goods and/or services to us.

6. What is “processing”?

“Processing” is any operation (or set of operations) performed on personal data (or sets of personal data); it includes collecting (or obtaining), recording, storing (or holding), disclosing and using it.

7. Do I have to provide personal data?

7.1 Clients
If you are (or wish to become) a client the provision of following personal data is a requirement necessary to enter into and maintain a contract with us and (to that extent) you are obliged to provide it:-

Personal data required for the purposes set out below under the headings “Providing our legal services” and “Complying with our legal obligations”.

Failure to provide this data may affect our ability to provide our legal services to you.

7.2 Users of our website
If you are a user of our website you are not obliged to provide us with any personal data but, by using our website, we will collect automatically your device’s unique identifier (such as an IP address).

7.3 Staff
If you are (or wish to become) a member of our staff the provision of following personal data is a requirement necessary to enter into and maintain a contract with us and (to that extent) you are obliged to provide it:-

1) Personal data required for the purposes set out below under the heading “Staff administration” and “Complying with our legal obligations”.

Failure to provide this data may affect (1) our ability to (a) process your application for employment, and (b) perform our obligations under your contract of employment and comply with our legal obligations (such as by making salary, PAYE, national insurance and pension payments to you or on your behalf), and (2) your ability to perform your obligations under your contract of employment.

2) Personal data required for the purposes set out below under the heading “Providing our legal services”.

Failure to provide this data may affect your ability to perform your obligations under your contract of employment.

3) Personal data required for the purposes set out below under the heading “Marketing and promoting our business”, but only insofar as such purposes relate to existing and prospective clients and contacts.

Failure to provide this data may affect your ability to perform your obligations under your contract of employment, but your objection to the use of any photograph of you will not carry any consequence.

7.4 Third parties
If you are a third party (other than a third party who is also a supplier) you are not obliged to provide us with any personal information, but failure to do so may affect our ability to do business with you.

7.5 Suppliers
If you are a supplier the provision of following personal data is a requirement necessary to enter into and maintain a contract with us, and (to that extent) you are obliged to provide it:-

Personal data required for the purposes set out below under the headings “Complying with our legal obligations” and “General running of our business”.

Failure to provide this data may affect our ability to buy your goods and/or use your services.

8. What kinds of personal data will we process?

We obtain and process more personal data than you provide to us. Such additional personal data will be contained in information obtained in the course of the activities for which we have a lawful basis for processing.

1) Clients
In relation to our clients such additional personal data will be obtained by us either directly (e.g. companies house records, conveyancing searches and money-laundering checks), or from third parties (e.g. accounts, financial statements, mandated files, medical reports, mortgage instructions, survey reports and valuations).

2) Users of our website
In relation to users of our website such additional personal data is what is collected by us automatically through our website (i.e. your device’s unique identifier (such as an IP address)) or by cookies used by our website.

Please see our Cookie Notice (published on our website: www.urquharts.co.uk) for details of personal data which may be collected by cookies if you use our website.

3) Staff
In relation to our staff such additional personal data will be obtained by us either directly (e.g. background checks and records of use of IT and information services) or from third parties (e.g. personal references and doctors’ absence notes).

4) Third parties
In relation to third parties such additional personal data will be obtained by us either directly (e.g. contact details checks) or from other persons (e.g. by provision of contact details) in the course of business.

5) Suppliers
In relation to our suppliers such additional personal data will be obtained by us either directly (e.g. background checks) or from other persons (e.g. personal references) in the course of business.

9. Lawful bases for processing

This paragraph sets out our lawful bases for processing personal data under the headings of each of our main business activities.

9.1 Providing our legal services
We process personal data for the purposes of providing our legal services. This will include sharing personal data with third parties for these purposes.

1) Clients
In the case of our clients, our lawful basis for such processing (other than in the case of sensitive personal data) is that it is necessary for the performance of a contract under or in respect of which we provide legal services to you (or in order to take steps at your request prior to entering into such a contract).

In the case of any sensitive personal data, our lawful basis for such processing is that it is (1) necessary for the purposes of carrying out your obligations and exercising your specific rights in the field of employment and social security and social protection law, or (2) necessary to protect your vital interests or those of another person where you are physically or legally incapable of giving consent, or (3) necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in a judicial capacity.

2) Website users
If you are a user of our website (other than when we are acting for you as one of our clients), our lawful basis for such processing (other than in the case of sensitive personal data) is that it is necessary for the purposes of our legitimate interests. We will not process your sensitive personal data under this heading except with your explicit consent.

3) Staff
If you are a member of our staff (other than when we are acting for you as one of our clients), our lawful basis for such processing (other than in the case of sensitive personal data) is that it is necessary for the performance of your contract of employment. We will not process your sensitive personal data under this heading except with your explicit consent.

4) Third parties
If you are a third party (other than a third party who is also a supplier) our lawful basis for such processing (other than in the case of sensitive personal data) is that it is necessary for the purposes of our legitimate interests. We will not process your sensitive personal data under this heading except with your explicit consent.

5) Suppliers
If you are one of our suppliers, our lawful basis for such processing (other than in the case of sensitive personal data) is that it is necessary for the purposes of our legitimate interests. We will not process your sensitive personal data under this heading except with your explicit consent.

9.2 Complying with our legal obligations
We process personal data for the purposes of complying with legal obligations to which we are subject (such as data protection law, employment law, money laundering legislation, Law Society of Scotland rules and regulations, pensions law and tax law). This will include sharing personal data with third parties for these purposes.

Our lawful basis for such processing (other than in the case of sensitive personal data) is that it is necessary for compliance with such legal obligations.

In the case of any sensitive personal data our lawful basis for such processing is that it is necessary for the purposes of carrying out our obligations, and exercising our specific rights, in the field of employment and social security and social protection law.

9.3 Staff administration
We process personal data for the purposes of our staff administration (such as employing, managing and monitoring our staff, paying salaries, PAYE, National Insurance and pension contributions, maintaining our staff records, operating our pension scheme, and ensuring the security of our data). This will include sharing personal data with third parties for these purposes.

If you are (or wish to become) a member of our staff, our lawful basis for such processing (other than in the case of sensitive personal data) is that it is necessary for the performance of your contract of employment (or in order to take steps at your request prior to entering into such a contract).

In the case of any sensitive personal data, our lawful basis for such processing is that it is necessary for the purposes of carrying out our or your obligations, and exercising our or your specific rights, in the field of employment.

9.4 Marketing and promoting our business
We process personal data for the purposes of marketing and promoting our business interests. This will include sharing personal data with third parties for these purposes.

Our lawful basis for such processing (other than in the case of sensitive personal data) is that it is necessary for the purposes of these legitimate interests.

We will not process your sensitive personal data under this heading except with your explicit consent

9.5 General running of our business
We process personal data for the general purposes of running our business. This includes sharing personal data with third parties for these purposes.

To the extent that this is not included within a purpose for which we have already said we have a lawful basis for processing, our lawful basis for such processing (other than in the case of sensitive personal data) is that it is necessary for the purposes of our legitimate interests in these matters.

We will not process your sensitive personal data under this heading except with your explicit consent.

10. How we will process personal data

In processing personal data for all purposes we will:-

1) Collect and use it only for the purposes we have said we will.
2) Collect and use only what is relevant and necessary for such purposes.
3) Ensure that it is accurate and (where necessary) kept up-to-date.
4) Take every reasonable step to correct any inaccuracies without delay.
5) Keep it for no longer than is necessary for such purposes.
6) Ensure that it is kept appropriately secure.

We will require any sub-contractors or service providers who process personal data on our behalf to do the same. We will also require them to process such data only in accordance with our instructions.

We do not intend to transfer personal data to any country outside the EU, except where the EU Commission has decided that there is an adequate level of protection. Where that exception does not apply we will not make such transfers unless (1) the transfer is necessary for (a) the performance of a contract between us (or the implementation of pre-contractual measures taken at your request), or (b) the conclusion or performance of a contract concluded in your interest between us and another person, or (c) for the establishment, exercise or defence of legal claims, or (d) in order to protect the vital interests of you or of other persons, where you are physically or legally incapable of giving consent, or (2) you have explicitly consented to such transfer.

11. How long will we retain personal data?

We will normally retain personal data for up to 10 years. The relevant period will be determined with reference to Law Society of Scotland rules, regulations and guidance, employment law, tax law and any other relevant legal requirements.

12. Automated decision-making

We do not use personal data for the purposes of any automated decision-making process which produces legal effects concerning you or similarly significantly affects you.

13. Your Rights to Object

You have the following rights to object to the processing of your personal data by us:-

1) The right to object to processing for direct marketing purposes.
2) The right to object to processing based on our legitimate interests.

If you wish to exercise either of these rights please contact our Data Protection Officer.

14. Your Other Rights

You have the following rights in respect of your personal data processed by us:-

1) The right to access to it.
2) The right to request a copy of it.
3) The right to request that it be corrected if it is inaccurate.
4) The right to request its erasure.
5) The right to request a restriction on its processing.
6) The right to request not to be subject to automated decision-making based on it.
7) The right to withdraw any consent to processing it you have given.
8) The right to have it provided to you in a form you can take elsewhere.

If you wish to exercise any of these rights please contact our Data Protection Officer.

15. How to complain

If you have any complaint about how we have processed your personal data, please contact our Data Protection Officer in the first instance.

You have the right at any time to make any such complaint directly to the Information Commissioner:-

The Information Commissioner’s Office – Scotland
45 Melville Street
Edinburgh
EH3 7HL

Telephone: 0303 123 1115
Email: Scotland@ico.org.uk


Do NOT follow this link or you will be banned from the site!