It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal data about you, so that you are aware of how and why we are using such information.
By agreeing and proceeding with your application through the Magrath Sheldrick Global Reach portal you are confirming that you and any family member dependants have read and understood this Privacy Notice and that you expressly consent to the processing of personal data and sensitive personal data as detailed in this Privacy Notice.
Personal data is information or data from which you can be identified and is about you. Magrath Sheldrick LLP (“Magrath”) is a “data controller” (someone that decides how to hold and use personal data) in relation to the personal data that we receive in connection with your application, case, submission, claim or instructions (“Matter”). We are required under data protection legislation, including the General Data Protection Regulation (“GDPR”), to notify you of the information contained in this privacy notice and it is important that you understand it. If there is anything in this notice that you do not understand please contact our Data Protection Officer by email to email@example.com.
THE INFORMATION THAT WE HOLD ABOUT YOU
In order that we can provide our services to you, we will collect, store, and process some or all of the following categories of personal data, depending on your instructions in connection with the Matters that we are acting on for you:
Personal Contact Details
Name, title, addresses, telephone numbers, personal email addresses, next of kin, emergency contact information
Date of birth, gender, marital status, dependants
Bank account details, payroll records, National Insurance number, tax status information
References, CV or cover letter, application form, interview notes, right to work documents, visa documentation
Dates of employment, job titles, work history, working hours, training records, professional memberships, location of workplace
Salary, benefits, bonuses, pension information, other information about your remuneration
Performance information, disciplinary and grievance information, annual leave records, family leave information, sickness absence records
Driving licence, passport, photographs
We may also collect, store and process more Sensitive Personal Data, known as ‘Special Categories of Data’ under the GDPR, which require a higher level of protection, including:
Sensitive Personal Data
· Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions.
· Information about your health, including any medical conditions, and health and sickness records.
· Information about criminal convictions and offences.
· Trade union membership details.
· Biometric data.
The personal data that we will collect and process about you will depend on the Matter that we are dealing with for you. For example if you are an individual to whom we are providing immigration law services (Applicant) we will collect and process significantly more personal data than if you work within a corporate client managing immigration services on behalf of that client (“HR User / Manager”). If you are a HR User / Manager the personal data that we will collect will normally be limited to name, contact details and job role.
HOW DO WE COLLECT AND USE YOUR PERSONAL DATA?
We collect personal data about Applicants (including applicable family members where we are acting for more than one family member) either directly from Applicants or sometimes from an employer, prospective employer or background check provider. We may sometimes collect additional data from third parties including former employers, other parties involved in a matter (such as other lawyers), supporting witnesses, agents and experts. We collect personal data about HR User / Managers either directly from the HR User / Manager themselves or sometimes from their employer.
Most commonly, we will process your personal data in order to perform the contract we have entered into with you (providing our services), where we need to comply with a legal obligation or where it is necessary for our legitimate business interests (or those of a third party) and your personal rights and interests do not override those business interests. Rarely we may process your personal data where we need to protect your interests (or someone else’s interests) or where it is needed in the public interest or for official purposes. See below additional provisions applicable to Sensitive Personal Data.
Sensitive Personal Data
The law requires that we need to have further justification for collecting, storing and using Sensitive Personal Data as described above. Most commonly we will process Sensitive Personal Data with your explicit written consent or where it is necessary for the purposes of establishing or exercising a legal claim or defence. Less commonly, we may process this type of data where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
We have in place appropriate policies and safeguards which we are required by law to maintain when processing such data.
Why do we Process your Personal Data?
We primarily need all the categories of personal data in the lists above to enable us to perform our contract with you and provide you with services and to enable us to comply with legal obligations. The situations in which we anticipate we will process your personal data are listed below:
If you are happy for us to do so we may also use it to provide you with information and updates about or services.
If you fail to provide certain personal data when requested, we may not be able to perform the contract we have entered into with you, it may delay performance of that contract, or we may be prevented from complying with our legal obligations.
We will only process your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you.
Please note that we may process your personal data without your knowledge or consent, in compliance with data protection legislation where this is required or permitted by law.
Information about criminal convictions
We will only process data relating to criminal convictions where the law allows us to do so, which will usually be where such processing is necessary to progress your matter(s) or carry out our legal obligations and provided we do so in line with our Data Protection Policy. Less commonly, we may use information, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.
We will only collect data about criminal convictions if it is appropriate given the nature of your matter(s). Where appropriate, we will collect data about criminal convictions from you, or from the Disclosure and Barring Service or from agents and/or co-counsel.
We have in place appropriate policies and safeguards which we are required by law to maintain when processing such data.
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We do not envisage that any decisions will be taken about you using automated means.
We may transfer your personal data outside the EU. If we do, we will put in place appropriate measures so that you can expect a similar degree of protection in respect of your personal data, to the protection that you receive in the UK.
We may have to share your personal data with third parties, including co-counsel, contractors and agents and other third-party service providers, and also with other entities in the Magrath Sheldrick Group. We require third parties to respect the security of your personal data and to treat it in accordance with the law.
We will share your personal data with third parties where it is necessary to administer the working relationship with you, where we have another lawful legitimate interest in doing so. We may also need to share your personal data with a regulator or to otherwise comply with the law. Rarely we may share your personal data with other third parties, for example in the context of the possible sale or restructuring of the business.
We will share your personal data with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, for system maintenance support and hosting of data.
Transferring information outside the EU
We may transfer the personal data we collect about you outside the EEA in order to perform our contract with you. Only necessary information will be transferred to progress your matters. However, it is important that you understand that countries outside the EEA may not offer an adequate level of protection for personal data under EU Law.
To ensure that your personal data receives an adequate level of protection we endeavour to only work with parties who are on our Approved Supplier List or with whom have in place appropriate contractual measure(s) which require that your personal data is treated by those third-parties in a way that is consistent with and which respects the EU and UK laws on data protection. In some instances the necessity for speed may mean that it is not possible to work with a party from our Approved Supplier List. However, such situations should be rare and should they arise any risks to your personal data will be explained to you in advance. If you require further information about this you can request it from our Data Protection Officer by email to firstname.lastname@example.org.
We have in place a Data Protection Policy and appropriate technological and organisational security measures to protect the security of your personal data and prevent it from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. We currently retain data for a period of 7 years from the date on which we cease providing services to you.
In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Once you are no longer a client of the firm we will retain your personal information in accordance with our data retention policy and then securely destroy it. Please ensure you keep appropriate copies of all relevant documents.
YOUR DATA RIGHTS
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your working relationship with us.
Under certain circumstances, by law you have the right to:
If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact our Data Protection Officer in writing via email to email@example.com.
Depending on the circumstances, we may request information to confirm your identity before processing your request. We may also charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
RIGHT TO WITHDRAW CONSENT
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact our Data Protection Officer via email to firstname.lastname@example.org. Once we have received notification that you have withdrawn your consent, we will no longer process your data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so.
DATA PROTECTION OFFICER
We have appointed a Data Protection Officer to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal data, please contact the Data Protection Officer by email to email@example.com. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
CHANGES TO THIS PRIVACY NOTICE
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.
If you have any questions about this privacy notice, please contact the Data Protection Officer by email to firstname.lastname@example.org or on 020 7495 3003.
By selecting that you have read and agree then you are confirming that you (and any dependant family members) have read and understood this Privacy Notice and you expressly consent to the processing of personal data and sensitive personal data as detailed in this Privacy Notice.
Revision 1.0, 24/05/2018