Privacy Policy - Castelo Notaries
0203 441 5095

Data Privacy Policy

1. Overview

1.1 Castelo Notaries (“the Company”) takes the security and privacy of data seriously and is committed to complying with its legal obligations under the Data Protection Act 2018 (the ́2018 ́ Act) and EU General Data Protection Regulation ( ́GDPR ́) in respect of data privacy and security. Our use of your personal data is subject to your instructions, the GDPR, other relevant UK and EU legislation, our professional duty of confidentiality and Solicitor ́s Code of Conduct.

1.2 Please read this privacy policy carefully as it contains important information on who we are and how and why we collect, store, use and share information about you. It also explains when and why we collect personal information about you, how this information is used, the conditions under which it may be disclosed to others and how it is kept secure.

1.3 This is our main privacy policy. We may provide additional, specific privacy information to you as you interact with us in different ways (e.g. that we will only use certain information for specific purposes) to the extent that any of that information differs from what we say below, those specific statements will apply in those circumstances.

1.4 This policy may change from time to time so please check this page occasionally to ensure that you’re happy with any changes.

2. Who we are

2.1 The Company is the “data controller” in relation to the processing activities described below. This means that we decide why and how your personal information is processed. Our registered address is 20 Victoria Street London, England SW1H 0NB. The company is authorised and regulated by the Solicitors regulation authority under number 573316.

3. Your queries and complaints

3.1 We have appointed a data protection manager who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact our data protection manager using the details set out below:

3.2 We hope that our data protection manager can resolve any query or concern you raise about our use of your information. However, if you feel that we have failed to address your concerns appropriately, you can contact the Information Commissioner at ico.org.uk/concerns/ or telephone: 0303 123 1113 for further information about your rights and how to make a formal complaint.

4. Scope

4.1 This privacy notice came into effect on the 25 May 2018.

4.2 This privacy notice aims to give you information on how the Company collects and processes your personal data when we act for you.

4.3 This policy applies to all data, whether it is stored electronically, on paper or on other materials.

5. Data protection principles

5.1 When processing your data, the Company will comply with the following data protection principles when processing information:

5.1.1 we will process personal information lawfully, fairly and in a transparent manner;

5.1.2 we will collect personal information for specified, explicit and legitimate purposes only, and will not process it in a way that is incompatible with those legitimate purposes;

5.1.3 we will only process the personal information that is adequate, relevant and necessary for the relevant purposes;

5.1.4 we will keep accurate and up to date personal information, and take reasonable steps to ensure that inaccurate personal information is deleted or corrected without delay;

5.1.5 we will keep personal information in a form which permits identification of data subjects (you) for no longer than is necessary for the purposes for which the information is processed; and

5.1.6 we will take appropriate technical and organisational measures to ensure that personal information is kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

6. How we define processing

6.1 The Company will process your personal data (including special categories of personal data and your criminal offence data) in accordance with our obligations under the 2018 Act.

6.2 ́Processing ́ means any operation which is performed on personal data such as:

6.2.1 collection, recording, organization, structuring or storage;

6.2.2 adaption or alteration;

6.2.3 retrieval, consultation or use;

6.2.4 disclosure by transmission, dissemination or otherwise making available;

6.2.5 alignment or combination; and

6.2.6 restriction, destruction or erasure.

6.2.7 this includes processing personal data which forms part of a filing system and any automated processing.

7. What data (information) we collect

7.1 The Company processes information about you (“data subjects”) for a number of specific lawful purposes and we seek to ensure that our data collection and processing is always proportionate. Given the nature of our business we may collect personal data as defined below:

7.1.1 “Personal data” is information which relates to a living person who can be identified from that data (data subject) on its own, or when taken together with other information which is likely to come into our possession. It includes any expression of opinion about the person and an indication of the intentions of us or others, in respect of that person. It does not include anonymized data.

7.1.2 “Sensitive personal data” is sometimes referred to as “special categories of personal data” or “sensitive personal information” and it includes information about your: race, ethnic origin; politics; religion; trade union membership; genetics; biometrics (where used for ID purposes); health; sex life; or sexual information.

7.1.3 “Criminal offence data” is data relating to criminal convictions and offences, or related security measures.

7.2 The groups of data we will collect are:

7.2.1 “Identity data” includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.

7.2.2 “Contact data” includes addresses, email addresses and telephone numbers.

7.2.3 “Proof of identity” includes your driver license, birth certificate, proof of address, passport or ID card.

7.2.4 “Background data” includes details of your background information that you provide to us so that we can act for you. This could be the nature of your dispute, the parties involved, what you wish to achieve and what type of our assistance you need. It may include sensitive data and criminal offence data and data about others. The nature of data collected will depend on the type of matter that we are instructed on. It may also include the information that is provided during litigation about you by other parties, e.g. other side or their solicitors, their witnesses or experts instructed by them. For example:

7.2.4.1 “Employment matters”: your employment status and details including salary and benefits, your employment records including, where relevant, records relating to sickness and attendance, performance, disciplinary, conduct and grievances (including relevant special category personal data), e.g. if you instruct us on matter related to your employment or in which your employment records are relevant. We may collect sensitive data if you have instructed us to act for you in a discrimination matter;

7.2.4.2 “Family matter”: we may collect details of your spouse/partner and dependents or other family members, your income information, which may include relevant information in respect to your employment or your pension arrangements, your property both in the UK and abroad, shares and investment information;

7.2.4.3 “Child care matter”: we may collect details of your spouse/partner and dependents, guardians and other family members, your medical information, income information, criminal offence data and other sensitive data;

7.2.4.4 “Private client matter”: we may collect details of your spouse/partner and dependents or other family members, your national insurance, personal financial information such as your tax details, pension arrangements, your property both in the UK and abroad, shares and investment information;

7.2.4.5 “Property/Property litigation matter”: we may collect details of your mortgage provider, housing arrangements, your spouse/partner and dependent information;

7.2.4.6 “Commercial matter”: personal identifiable information such as your eye colour, parents name, etc., if you instruct us to incorporate a company for you;

Background data is any data that you would reasonably expect us to collect so that we can advise you or act for you as per your instructions.

7.2.5 “Transaction data” includes details about payments to and from you and other details of services you have purchased from us and your bank details that you provide to us.

8. Basis for processing data

8.1 We have set out below a description of what data we collect, where and how we obtain the data from, the purpose of collecting it, how we will use it and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate, what happens if you do not provide the information and who we may share it with and why.

8.2 We have to have a valid lawful basis in order to process your personal data. We will generally process your personal data in the following circumstances:

8.2.1 We need this information in order to take steps at your request prior to entering into a contact with you or for the performance of a contract to which you are a party.

8.2.2 Where it is necessary for our legitimate purposes (or those of a third party) and your interests and fundamental rights do not override those interests. Legitimate interest means the interest of our business in conducting and managing our business to enable us to give you the best service. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). Where we process your information under this lawful basis, we will specify legitimate interests accordingly.

8.2.3 Where we need to comply with a legal or regulatory obligation that we are subject to.

8.2.4 Where you have provided us consent. Generally, we do not rely on consent as a legal basis for processing your personal data but may in certain circumstances request for your explicit consent to process your data. If we do so, we will advise you on the purpose of that data collection, how we will process it and will request your explicit and clear consent for us to process that data for that purpose. Where we rely on your consent to process your data, you will be able to withdraw your consent at any time.

8.3 Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out below.

8.4 The Company may from time to time need to process sensitive personal information. We will only process sensitive personal information if:

8.4.1 we have a lawful basis for doing so as set out in paragraph 8.2; and

8.4.2 one of the special conditions for processing sensitive personal information applies, e.g.:

8.4.2.1 you have given us explicit consent;

8.4.2.2 processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by law;

8.4.2.3 processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

8.4.2.4 processing relates to personal data which are manifestly made public by

you;

8.4.2.5 processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care systems and services on the basis of law;

8.4.2.6 the processing is necessary for the establishment, exercise or defence of legal claims; or

8.4.2.7 the processing is necessary for reasons of substantial public interest.

9. How we collect your data

9.1 We collect most of the information from you, by telephone, during our meetings, by email, by post or if you drop the information off at our offices. However, we may also collect information:

9.1.1 from publicly accessible sources, e.g Companies House or HM Land Registry; 9.1.2 directly from a third party (depending on the nature of your matter), e.g.:

9.1.2.1 local authority;
9.1.2.2 crown prosecution office and police;
9.1.2.3 credit referencing agencies;
9.1.2.4 your mortgage provider;
9.1.2.5 opponents in litigation;
9.1.2.6 referrers;
9.1.2.7 your bank or building society, another financial institution or advisor;
9.1.2.8 consultants and other professionals we may engage in relation to your matter;
9.1.2.9 your employer and/or trade union, professional body or pension administrators;

10. How we use your data

10.1 We will use your “Identity data”, “Contact data”, “Background data” and “Identity proof data” to verify your identity so that we can comply with our legal obligations and for legitimate business interests (to maintain appropriate records). We take it for the purpose of conducting checks to identify our clients and verify their identity, gathering and providing information required by or relating to audits, enquiries or investigation by regulatory bodies.

10.2 We will use the Transaction information to invoice you, to reply to your queries, to make payments that you instruct us to make on your behalf, or to enforce our contractual rights.

11. Data Retention

11.1 We generally keep your personal data so that we can:
11.2.1 respond to any questions, complaints or claims made by you or on your behalf;
11.2.2 show that we treated you fairly;
11.2.3 keep records required by law;
11.2.4 prevent fraud;
11.2.5 comply with our regulatory requirements.
11.2 We will not retain data for longer than necessary for the purposes set out in this policy.

12. Data Security

12.1 Information may be held at our offices. service providers. We have security measures in place to ensure that there is appropriate security for information we hold about.

12.2 We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an authorized way, altered or disclosed. In addition, we limit access to your personal information to those employees who have a business need-to-know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

12.3 We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach were we are legally required to do so.

13. Your Rights

13.1 Under the legislation you may be entitled to the listed rights in certain circumstances as listed below.

13.2 The right to be informed about the collection and use of your personal data.

13.3 The right to access (Subject Access Request) to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. If you wish to exercise this right:

13.3.1 you will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

13.3.2 we may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

13.3.3 we try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

13.4 Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected. In certain circumstances we may refuse a request for correction.

13.5 Request erasure of your personal information. In certain circumstances you have the right to ask for some but not all of the information we hold and process to be erased (the right to be forgotten). This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).

13.6 Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation, which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.

13.7 Request restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want to establish its accuracy or the reason for processing it.

13.8 Request for transfer of your personal information to another party.

13.9 Rights in relation to automated decision making and profiling

13.9.1 You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

13.10 If you want to exercise any of the above-mentioned rights please contact Data Protection Manager by telephone or in writing. We will respond to your request within one calendar month.