Curry Popeck

Data Protection Notice

1. Introduction

This document sets out the obligations of Curry Popeck LLP (our ‘Firm’) regarding data protection and your rights as our client (data subjects) in respect of your personal data under the UK General Data Protection Regulation (UK GDPR) which sits alongside the Data Protection Act 2018 (DPA 2018).

We take your privacy very seriously. Please read this privacy notice carefully as it contains important information on who we are and how and why we collect, store, use and share your personal data. It also explains your rights in relation to your personal data and how to contact us or supervisory authorities in the event you have a complaint.

The UK GDPR defines “personal data” as any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

This document sets out our Firm’s obligations regarding the collection, processing, transfer, storage, and disposal of your personal data. Our Firm has implemented procedures and policies for our employees, agents, contractors, or other parties working on behalf of our Firm to follow at all times.

Our Firm is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.

 

2. Lawful, Fair, and Transparent Data Processing

The UK GDPR seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting your rights as the data subject.

As you are a client of our Firm and have contracted with us to provide you with the necessary legal assistance, under the UK GDPR we are allowed to process your personal data as a necessity for the performance of the contract. 

We collect and use your personal data to provide legal services. If you do not provide personal data we ask for, it may delay or prevent us from providing those services.

3. The Data Protection Principles

The UK GDPR sets out the following principles with which any party handling personal data must comply. All personal data must be:

Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

4. Keeping You Informed

The UK GDPR sets out the following principles with which any party handling personal data must comply. All personal data must be:

Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

5. How Your Personal Data Is Collected

We collect most of this information from you direct. However, we may also collect information:

6. How and Why We Use Personal Data

Under data protection law, we can only use your personal data if we have a proper reason, e.g.:

A legitimate interest is when we have a business or commercial reason to use your personal data, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own.

The table below explains what we use your personal data for and why.

| What we use your personal data for | Our reasons |
| --- | --- |
| Providing services to you | To perform our contract with you or to take steps at your request before entering into a contract |
| Preventing and detecting fraud against you or us | For our legitimate interest, ie to minimise fraud that could be damaging for you and/or us |
| Conducting checks to identify our clients and verify their identity; screening for financial and other sanctions or embargoes; other activities necessary to comply with professional, legal and regulatory obligations that apply to our business, eg under health and safety law or rules issued by our professional regulator | To comply with our legal and regulatory obligations |
| To enforce legal rights or defend or undertake legal proceedings | Depending on the circumstances: to comply with our legal and regulatory obligations; in other cases, for our legitimate interests, ie to protect our business, interests and rights |
| Gathering and providing information required by or relating to audits, enquiries or investigations by regulatory bodies | To comply with our legal and regulatory obligations |
| Ensuring policies are adhered to, eg policies covering security and internet use | For our legitimate interests, ie to make sure we are following our own internal procedures so we can deliver the best service to you |
| Operational reasons, such as improving efficiency, training and quality control | For our legitimate interests, ie to be as efficient as we can so we can deliver the best service to you at the best price |
| Ensuring the confidentiality of commercially sensitive information | Depending on the circumstances: for our legitimate interests, ie to protect trade secrets and other commercially valuable information; to comply with our legal and regulatory obligations |
| Statistical analysis to help us manage our business. | For our legitimate interests, ie to be as efficient as we can so we can deliver the best service to you at the best price |
| Preventing unauthorised access and modifications to systems | Depending on the circumstances: for our legitimate interests, ie to prevent and detect criminal activity that could be damaging for you and/or us; to comply with our legal and regulatory obligations |
| Protecting the security of systems and data used to provide services | To comply with our legal and regulatory obligations. We may also use your personal data to ensure the security of systems and data to a standard that goes beyond our legal obligations, and in those cases our reasons are for our legitimate interests, ie to protect systems and data and to prevent and detect criminal activity that could be damaging for you and/or us |
| Updating client records | Depending on the circumstances: to perform our contract with you or to take steps at your request before entering into a contract; to comply with our legal and regulatory obligations; for our legitimate interests, eg making sure we can keep in touch with our clients about existing and new services |
| Statutory returns | To comply with our legal and regulatory obligations |
| Ensuring safe working practices, staff administration and assessments | Depending on the circumstances: to comply with our legal and regulatory obligations; for our legitimate interests, eg to make sure we are following our own internal procedures and working efficiently so we can deliver the best service to you |
| Marketing our services to: existing and former clients; third parties who have previously expressed an interest in our services; third parties with whom we have had no previous dealings | For our legitimate interests, ie to promote our business to existing and former clients |
| Credit reference checks via external credit reference agencies where applicable | For our legitimate interests, ie to ensure our clients are likely to be able to pay for our services |
| External audits and quality checks. | Depending on the circumstances: for our legitimate interests, ie to maintain our accreditations so we can demonstrate we operate at the highest standards; to comply with our legal and regulatory obligations |
| To share your personal data with members of our group and third parties that will or may take control or ownership of some or all of our business (and professional advisors acting on our or their behalf) in connection with a significant corporate transaction or restructuring, including a merger, acquisition, asset sale or in the event of our insolvency. In such cases information will be anonymised where possible and only shared where necessary | Depending on the circumstances: to comply with our legal and regulatory obligations; in other cases, for our legitimate interests, ie to protect, realise or grow the value in our business and assets |

7. How and Why We Use Your Personal Data - Special

Certain personal data we collect is treated as a special category to which additional protections apply under data protection law:

 

Where we process special category personal data, we will also ensure we are permitted to do so under data protection laws, e.g.:

8. Sharing of Personal Data

During our retainer with you we may share your information with the following entities: -

 

Where we outsource to third party providers, we only allow those organisations to handle your personal data if we are satisfied they take appropriate measures to protect your personal data. We also impose contractual obligations on them to ensure they can only use your personal data to provide services to us and to you.

 

9. Marketing

We will use your personal data to send you updates (by email, text message, telephone or post) about our services, including exclusive offers, promotions or new services.

We have a legitimate interest in using your personal data for marketing purposes. This means we do not usually need your consent to send you marketing information. If we change our marketing approach in the future so that consent is needed, we will ask for this separately and clearly.

You have the right to opt out of receiving marketing communications at any time by.

We may ask you to confirm or update your marketing preferences if you ask us to provide further services in the future, or if there are changes in the law, regulation, or the structure of our business.

We will always treat your personal data with the utmost respect and never sell or share it with other organisations for marketing purposes.

 

10. Personal Data Collected, Held, and Processed

The following personal data is collected, held, and processed by our Firm:

| Data Ref. | Type of Data | Purpose of Data |
| --- | --- | --- |
| Client Name | Your Name | To identify you |
| Address | Your Address | To send letters to you |
| Email address | Your email address | To send communication via email |
| Mobile telephone | Your mobile telephone number. | To communicate with you by phone and/or by text. |
| Date of Birth | Your date of birth | To identify you |
| Passport Number | Your passport details | To identify you and comply with Anti-Money Laundering Regulations – where applicable |
| Driving licence number | Your driving licence details | To identify you and comply with Anti-Money Laundering Regulations – where applicable |
| Utility Bill | Your utility bill(s) | To identify you and comply with Anti-Money Laundering Regulations – where applicable |
| Matter Information | Matter history and associated information. | Information relating to the matter in which you are seeking our advice or representation |
| Credit Check | Your finance/credit information. | Information to enable us to undertake credit or other financial checks on you |
| Financial Data | Your financial information. | Your financial details so far as relevant to your instructions, eg the source of your funds if you are instructing on a purchase transaction. |
| Client Service Data | Your access to our communication systems. | Information about your use of our IT, communication and other systems, and other monitoring information. |

 

11. Personal Data Collected for Compliance with the Firm's Regulatory Responsibilities

Pursuant to Regulation 41 of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and The Money Laundering and Terrorist Financing (Amendment) Regulations 2019, the Firm will not use any personal data provided for the purpose of complying with the regulation for any purpose other than for the prevention of money laundering or terrorist financing. 

 

12. Where Your Personal Data Is Held

Personal data may be held at our offices and those of our third party agencies, service providers, representatives and agents as described above (see ‘Sharing of Personal Data’).

 

13. How Long Your Personal Data Will Be Kept For

We will not keep your personal data for longer than we need it for the purpose for which it is used or as agreed with you.

As a general rule, if we are no longer providing services to you, we will delete or anonymise your account data after seven years. However, different retention periods apply for different types of personal data and for different services as set out in our Client Care letter and Terms and Conditions.

Following the end of the relevant retention period, we will delete or anonymise your personal data.

 

14. Your Rights (As a Data Subject)

The UK GDPR sets out the following rights applicable to data subjects (please refer to the parts of this notice indicated for further details):

 

15. Data Subject Access Requests

You may make Subject Access Requests (“SARs”) at any time to find out more about the personal data that our Firm holds about you, what it is doing with that personal data, and why.

If you wish to make a SAR you may do so in writing.  SARs should be addressed to the Firm's Data Compliance Manager, who is Lionel Curry. You should send your request by: email to lionelcurry@currypopeck.com or post to Devonshire House, 582 Honeypot Lane, Stanmore, Middlesex HA7 1JS.

Responses to SARs shall normally be made within one month of receipt; however, we may extend this period by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, you shall be informed.

All SARs received shall be handled by the Firm’s Data Compliance Manager.

Our Firm does not charge a fee for the handling of normal SARs. However, we reserve the right to charge reasonable fees for additional copies of information that has already been supplied to you, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.

 

16. Rectification of Personal Data

You have the right to require us to rectify any of your personal data that is inaccurate or incomplete.

Our Firm shall rectify the personal data in question, and inform you of that rectification, within one month of you informing our Firm of the issue. The period can be extended by up to two months in the case of complex requests. If such additional time is required, you shall be informed.

In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification that must be made to that personal data.

 

17. Erasure of Personal Data

You have the right to request that our Firm erases the personal data it holds about you in the following circumstances:

Unless our Firm has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and you will be informed of the erasure, within one month of receipt of your request. The period can be extended by up to two months in the case of complex requests. If such additional time is required, you shall be informed.

In the event that any personal data that is to be erased in response to your request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).

 

18. Restriction of Personal Data Processing

You may request that our Firm ceases processing the personal data it holds about you. If you make such a request, our Firm shall retain only the amount of personal data concerning you (if any) that is necessary to ensure that the personal data in question is not processed further.

In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).

 

19. Objections to Personal Data Processing

You have the right to object to our Firm processing your personal data based on legitimate interests and direct marketing (including profiling). 

Where you object to our Firm processing your personal data based on its legitimate interests, our Firm shall cease such processing immediately, unless it can be demonstrated that the Firm’s legitimate grounds for such processing override your interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims.

Where you object to our Firm processing your personal data for direct marketing purposes, our Firm shall cease such processing immediately.

 

20. Withdrawing Consent

If you have provided us with a consent to use your personal data you have a right to withdraw that consent easily at any time.

You may withdraw consents by contacting our Data Compliance Manager by email at lionelcurry@currypopeck.com or by post at Devonshire House, 582 Honeypot Lane, Stanmore, Middlesex HA7 1JS.

Withdrawing a consent will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn.

 

21. More Information on How to Exercise Your Rights

To find more information on how you may exercise your rights as a Data Subject, please see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.

 

22. Keep Your Personal Data Secure

We have appropriate security measures to prevent personal data from being accidentally lost, or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

 

23. How to Complain

Please contact us if you have any queries or concerns about our use of your personal data (see below ‘How to Contact Us’). We hope we will be able to resolve any issues you may have.

You also have the right to lodge a complaint with the Information Commissioner in the UK.

The UK’s Information Commissioner may be contacted using the details at https://ico.org.uk/make-a-complaint or by telephone: 0303 123 1113.

 

24. Changes to this Notice

We may change this notice from time to time; if we do, we will inform you.

 

25. How to Contact Us

You can contact us and/or our Data Compliance Manager by post, email or telephone if you have any questions about this notice or the information we hold about you, to exercise a right under data protection law or to make a complaint. Details of how to contact us can be found on our website - https://www.currypopeck.com/