Privacy Notice
Privacy Notice - General Data Protection Regulation – Kevin Holder
Please read the following information carefully.
This privacy notice contains information about the information collected, stored and otherwise processed about you and the reasons for the processing. It also tells you who I share this information with, the security mechanisms I have put in place to protect your data and how to contact me in the event you need further information.
Who Am I?
Kevin Holder is a barrister practising at 33 Bedford Row Chambers, 33 Bedford Row, London, WC1R 4JH. I collect, use and am responsible for personal information about you (personal information being any information about an individual from which that person can be identified). When I do this I am the ‘controller’ of this information for the purposes of the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018. If you need to contact me about your data or the processing carried out you can use the contact details at the end of this document.
What do I do with your information?
Information collected
When carrying out the provision of legal services or otherwise providing services to you I collect personal information that you provide that includes, but is not limited to, the following:
a. personal details (including copies of documents such as passports and driving licences)
b. family details
c. lifestyle and social circumstances
d. goods and services
e. financial details
f. education, training and employment details
g. other personal data relevant to, or included in, instructions to provide legal services, including data specific to the instructions in question and data included in documents provided to me as part of instructions or otherwise.
In relation to (g) such information may include personal information relating to family members, associates, agents, employees, shareholders or beneficial owners. Where you provide such personal information to me, you confirm that you are authorised to do so. It is not reasonably practicable for me to provide to these individuals the information set out in this Privacy Notice. Accordingly, where appropriate, you are responsible for providing this information to any such individuals.
Similarly, where you are a professional client and provide me with personal data relating to your client (including any information referenced in (f) above) you confirm that you are authorised to do so.
Information collected from other sources
The personal information I obtain may include information which has been obtained from:
- other legal professionals
- other professional services providers (including accountants)
- experts and other witnesses
- prosecution authorities
- courts and tribunals
- trainee barristers
- lay clients
- family and associates of the person whose personal information I am processing
- in the event of complaints, the Head of Chambers, other members of Chambers who deal with complaints, the Bar Standards Board, and the Legal Ombudsman
- other regulatory authorities
- current, past or prospective employers
- education and examining bodies
- business associates, professional advisers and trade bodies, e.g. the Bar Council
- the general public in relation to the publication of legal judgments and decisions of courts and tribunals data processors, such as my Chambers staff, IT support staff, email providers, data storage providers
- public sources, such as the press, public registers and law reports.
In particular, I may collect information from a solicitor or accountant or other professional adviser that instructs me on your behalf to provide legal services.
How I use your personal information:
Purposes I may use your personal information for the following purposes:
- to provide legal services to my clients, including the provision of legal advice and representation in courts, tribunals, arbitrations, and mediations
- to keep accounting records and carry out office administration
- to take or defend legal or regulatory proceedings or to exercise a lien
- to respond to potential complaints or make complaints
- to check for potential conflicts of interest in relation to future potential cases
- to promote and market my services
- to carry out anti-money laundering and terrorist financing checks
- to train other barristers and pupils, and when providing work-shadowing opportunities ix. when procuring goods and services
- to publish legal judgments and decisions of courts and tribunals
- as required or permitted by law.
Whether information has to be provided by you, and why
If I have been instructed by you or on your behalf on a case, your personal information has to be provided to enable me to provide legal services to you, and to enable me to comply with my professional obligations, and to keep accounting records. If you do not provide the personal information requested, it may delay or prevent me providing services to you.
The legal basis for processing your personal information
I rely on the following as the lawful bases on which I collect and use your personal information:
If you have consented to the processing of your personal information, then I may process your information for the Purposes set out above to the extent to which you have consented to me doing so.
If you are a client, processing is necessary for the performance of a contract for legal services or in order to take steps at your request prior to entering into a contract.
In relation to information which is regarded as “special category data” for GDPR purposes which includes personal information revealing a person’s racial or ethnic origin, religious or philosophical beliefs or data concerning age) I rely on your consent for any processing for the purposes set out in purposes (ii), (iv), (vi) and (viii) above. I need your consent to carry out processing of this data for these purposes. However, if you do not consent to processing for purposes (iv) (responding to potential complaints) I will be unable to take your case. This is because I need to be able to retain all the material about your case until there is no prospect of a complaint.
In relation to information regarded as “special category data” for GDPR purposes I am entitled by law to process the information where the processing is necessary for legal proceedings, legal advice, or otherwise for establishing, exercising or defending legal rights.
In relation to information which is not regarded as “special category data” for GDPR purposes, I rely on my legitimate interest and/or the legitimate interests of a third party in carrying out the processing for the purposes set out above.
In certain circumstances processing may be necessary in order that I can comply with a legal obligation to which I am subject (including carrying out anti-money laundering or terrorist financing checks).
The processing is necessary to publish judgments or other decisions of courts or tribunals.
Where I rely on legitimate interests as a lawful basis for processing your personal information, I will carry out a balancing test by reference to your interests and fundamental rights and freedoms. I will only use your personal information for the purposes for which I collected it, unless I reasonably consider I need to use if for another reason and that reason is compatible with the original purpose.
Who will I share your personal information with?
Other people If you are a client, some of the information you provide will be protected by legal professional privilege unless and until the information becomes public in the course of any proceedings or otherwise. As a barrister I have an obligation to keep your information confidential, except where it otherwise becomes public or is disclosed as part of the case or proceedings.
It may be necessary to share your information with the following:
- other professional advisers such as other legal professionals and accountants
- experts and other witnesses
- prosecution authorities
- courts and tribunals
- the staff in my Chambers
- pupils
- lay clients
- family and associates of the person whose personal information I am processing
- in the event of complaints, the Head of Chambers, other members of Chambers who deal with complaints, the Bar Standards Board, and the Legal Ombudsman
- other regulatory authorities
- current, past or prospective employers
- education and examining bodies
- business associates, professional advisers and trade bodies, e.g. the Bar Council
- professional indemnity insurers or brokers
- the general public in relation to the publication of legal judgments and decisions of courts and tribunals If you have engaged other professional advisers to instruct me on your behalf on the matters on which I am providing legal services to you, I shall assume that I may disclose your personal information to them unless you tell me otherwise.
During my first three years of practice, the Bar Standards Board requires there to be a “relevant qualified person” in Chambers to provide me with guidance in relation to the provision of legal services and I may therefore need to share personal information with that qualified person in order to obtain such guidance. In all such cases, the other member of Chambers will be required to respect the terms of this policy and to treat your information as confidential. I may be required to provide your information to regulators, such as the Bar Standards Board, the Financial Conduct Authority or the Information Commissioner’s Office. In the case of the Information Commissioner’s Office, there is a risk that your information may lawfully be disclosed by them for the purpose of any other civil or criminal proceedings, without my consent or yours, which includes privileged information.
I may also be required to disclose your information to the police or intelligence services, where, acting in good faith, I consider it required or permitted by law.
Data Processing
I use a number of different service providers (acting as ‘data processors’) who provide administration and IT-related services to enable me to operate my business and provide services to clients. Your personal information is transferred to (and stored by) these data processors, who generally fall under the following categories:
- my Chambers
- Document and data storage service providers
- Practice Management Service providers
- IT service providers (which may include cloud-based storage providers)
- Accounting service providers
- Email providers
Please contact me using the details at the end of this document if you want further information on specific data processors or the types of personal data they process for me.
If you would like more information about the systems operated by Chambers in acting as a data processor for me, please contact the Senior Clerk.
Transfer of your information outside the European Economic Area (EEA)
This privacy notice is of general application and as such it is not possible to state whether it will be necessary to transfer your information out of the EEA in any particular case or for a reference. However, if you reside outside the EEA or your case or the role for which you require a reference involves persons or organisations or courts and tribunals outside the EEA then it may be necessary to transfer some of your data to that country outside of the EEA for that purpose.
If you are in a country outside the EEA or if the instructions you provide come from outside the EEA then it is inevitable that information will be transferred to those countries. If this applies to you and you wish additional precautions to be taken in respect of your information please indicate this when providing initial instructions.
Some countries and organisations outside the EEA have been assessed by the European Commission and their data protection laws and procedures found to show adequate protection. The list can be found here. Most do not.
If your information has to be transferred outside the EEA, then it may not have the same protections and you may not have the same rights as you would within the EEA.
I may transfer your personal information to the following which are located outside the European Economic Area (EEA):
- cloud data storage services based in the USA who have agreed to comply with the EU-U.S. Privacy Shield, in order to enable me to store your data and/or backup copies of your data so that I may access your data when they need to. The USA does not have the same data protection laws as the EU but the EU-U.S. Privacy Shield has been recognised by the European Commission as providing adequate protection. To obtain further details of that protection see https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacyshield_en, or
- cloud data storage services based in Switzerland, in order to enable me to store your data and/or backup copies of your data so that I may access your data when I need to. Switzerland does not have the same data protection laws as the EU but has been recognised by the European Commission as providing adequate protection; see https://ec.europa.eu/info/law/law-topic/dataprotection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en.
If I decide to publish a judgment or other decision of a Court or Tribunal containing your information then this will be published to the world.
I will not otherwise transfer personal information outside the EEA except as necessary for providing legal services or for any legal proceedings.
If you would like any further information please use the contact details at the end of this document.
How long will I store your personal data?
I will normally store all your information:
- until at least 1 year after the expiry of any relevant limitation period (which will usually be 6 years, but may be 12 years, or longer where the case includes information relating to a minor), from the date of completion of instructions (being the later of when the last item of work has been carried out and when the final payment for my services is received). This is because it may be needed for potential legal proceedings At this point any further retention will be reviewed and the data will be marked for deletion or marked for retention for a further period. The latter retention period is likely to occur only where the information is needed for legal proceedings, regulatory matters or active complaints. Deletion will be carried out (without further notice to you) as soon as reasonably practicable after the data is marked for deletion.
- I will store some of your information which I need to carry out conflict checks for the rest of my career. However, this is likely to be limited to your name and contact details and the name of the case. This will not include any information that is “sensitive information” for GDPR purposes.
- Information related to anti-money laundering checks will be retained until five years after the completion of the transaction or the end of the business relationship, whichever is the later;
- Names and contact details held for marketing purposes will be stored indefinitely or until I or my clerks become aware or /are informed that the individual has ceased to be a potential client.
If, when reviewing the personal information I hold, I determine that it is no longer necessary for me to retain such personal information, I will take appropriate steps to either anonymise it or delete it.
(Please note that personal information does not include data where the relevant person’s identity has been removed (ie anonymous data).)
Consent
As explained above, I am relying on your explicit consent to process any of your personal information e that is “sensitive information” for GDPR purposes. You provided this consent when you agreed that I would provide legal services. In addition, there may be other circumstances in which I rely on your explicit consent to process other personal information. . Where the lawful basis on which I can process your personal information is consent, you have the right to withdraw this consent at any time. If you withdraw you consent this will not affect the lawfulness of any processing activity I have carried out prior to you notifying me of the withdrawal of your consent. Further, withdrawal of your consent will not affect the lawfulness of processing on any other applicable lawful basis, (for example, if you have asked me to work for you and I have spent time on your case, you may owe me money which I will be entitled to claim). To withdraw consent, you should notify me by contacting me as set out at the end of this document.
Your Rights
Under the GDPR, you have a number of rights that you can exercise in certain circumstances. These are free of charge. In summary, you may have the right to:
- Ask for access to your personal information and other supplementary information;
- Ask for correction of mistakes in your data or to complete missing information I hold on you;
- Ask for your personal information to be erased, in certain circumstances (though please note that I may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request).
- Receive a copy of the personal information you have provided to me or have this information sent to a third party (note this applies to certain data only). This will be provided to you or the third party in a structured, commonly used and machine readable format,
- Object at any time to processing of your personal information for direct marketing; ! Object in certain other situations to the continued processing of your personal information;
- Restrict my processing of your personal information in certain circumstances;
- Request not to be the subject to automated decision-making which produces legal effects that concern you or affects you in a significant way. If you want more information about your rights under the GDPR please see the Guidance from the Information Commissioners Office on Individual's rights under the GDPR.
If you want to exercise any of these rights, please contact me using the contact details at the end of this document. Please provide a contact address so that you can be contacted to request further information to verify your identity and in addition:
- Provide proof of your identity and address;
- State the right or rights that you wish to exercise. I may also need to ask you to provide other information to help me confirm your identity. This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. I will try to respond to all legitimate requests quickly, but in any event within one month. If your request is particularly complex or you have made a number of requests, it may take me longer than one month. In this case, I will notify you and keep you updated.
Keeping your data secure
I use reasonable technical and organisational security measures to prevent personal information from being accidentally lost or destroyed, or used or accessed in an unauthorised way. In this connection, Chambers, as data processor, acting on my behalf, will only process your personal data on my instructions and are subject to a duty of confidentiality.
Marketing Emails
As above, I may share your personal data with Chambers who may in turn use that data to notify you by email, telephone or post about invitation to seminars and similar events. You may opt out of receiving any such marketing communications at any time by using the “unsubscribe” link in any emails. In relation to how Chambers uses such data, please see Chambers’ privacy policy. Other than sharing personal data with Chambers as described above, I will not share your information with any other third party for marketing purposes.
How to make a complaint?
The GDPR also gives you the right to lodge a complaint with the Information Commissioners’ Office if you are in the UK, or with the supervisory authority of the Member State where you work, normally live or where the alleged infringement of data protection laws occurred. The Information Commissioner’s Office can be contacted at http://ico.org.uk/concerns/.
Future Processing
I do not intend to process your personal information except for the reasons and purposes stated within this privacy notice. If this changes, this privacy notice will be amended and placed on Chambers website.
Changes to this privacy notice
This privacy notice was last updated on 7 October 2019. I may change this policy from time to time. When I do it will be placed on Chambers website.
Contact Details
If you have any questions about this privacy notice or the information I hold about you, please contact me or my clerks. The best way to contact me is to write to me at my Chambers address (33 Bedford Row, London, WC1R 4JH) or contact my clerks by email at clerks@33bedfordrow.co.uk or by telephone at +44 (0) 20 7242 6476.