General Data Protection Regulation (GDPR)
This notice explains when and why we (Data Controller) collect personal information about you, how we use it, the conditions under which we may disclose it to others, and how we keep it secure.
For clients of this firm, you should read this notice alongside our general terms and conditions which provide further information on confidentiality, data privacy etc.
Harjit Sarang is the Data Protection Officer and can be contacted at email@example.com / 07980 917882 / 01727 884688.
Who we are
Surrogacy Lawyers provides advice, assistance and representation to adults in relation to all matters concerning fertility, donor conception and surrogacy in the UK and abroad. We do not advise children because they are represented by guardians or their parents.
What we need
Before we represent you, we will need to identify you, so we will need identification information such as your passport and a utility bill. The rest of the information that we need will depend on what we are instructed to do for you. In most cases that we work on, very sensitive information will be required from you and processed, including correspondence between us during your case.
If we have your personal data as a result of you being involved in a case with our client(s), we need to process your data to provide a service to our client(s).
If you phone or email us we will process your name, contact details and a very general description of your case.
Sources of information
Information about you may be gathered from a number of sources, including from you and third parties that you authorise. You may provide us with information from organisations such as financial organisations, schools, healthcare providers, police, social services, fertility clinics and surrogacy agencies, hospitals and other relevant agencies. You may also instruct agents and lawyers outside of England and Wales to send us your data. You should check the data protection laws and procedures of the countries concerned.
Why we need it
The primary reason for asking you to provide us with your personal data is to allow us to represent you, which also includes business management and administration.
The following are some examples, although not exhaustive, of what we may use your information for:
Who has access to it
We request and strongly advise that you create a Google Drive or Dropbox folder to allow us access to your data rather than e-mailing documents to us. You may then delete the folder at the end of your case and have complete control of who has access to it.
We have a data protection regime in place to oversee the effective and secure processing of your personal data. We will not sell or rent your information to third parties. We will not share your information with third parties for marketing purposes. We make use of portable devices that remain with us including when we are abroad. This is to improve your ability to communicate with us. Our devices are all password protected.
However, there may be circumstances, in carrying out your legal work, where we may need to disclose some information to third parties; for example:
In the event any of your information is shared with the aforementioned third parties, we ensure that they comply, strictly and confidentially, with our instructions and they do not use your personal information for their own purposes unless you have explicitly consented to them doing so.
There may be some uses of personal data that may require your specific consent. If this is the case, we will contact you separately to ask for your consent which you are free to withdraw at any time.
How do we protect your personal data?
Occasionally we will require original documents from you to file with the court. We recognise that your information is valuable, and we take all reasonable measures to protect it whilst it is in our care. Your file with us will only be electronic (e-mails / Dropbox / Google Drive). Pleadings are filed with the court after which hard copies are not retained by us.
At the end of your case, our e-mail files are deleted and transferred to an external hard drive where they will be retained for 6 years.
We use computer safeguards such as firewalls.
How long will we keep it for?
Your personal information will be retained, usually in electronic files, only for as long as necessary to fulfil the purposes for which the information was collected; or as required by law; or as long as is set out in any relevant contract you may hold with us. For example:
What are your rights?
Under GDPR, you are entitled to access your personal data (otherwise known as a ‘right to access’). If you wish to make a request, please do so in writing.
A request for access to your personal data means you are entitled to a copy of the data we hold on you – such as your name, address, contact details, date of birth, information regarding your health etc. – but it does not mean you are entitled to the documents that contain this data.
Under certain circumstances, in addition to the entitlement to ‘access your data’, you have the following rights:
Complaints about the use of personal data
If you wish to raise a complaint on how we have handled your personal data, you can contact our Data Protection Officer who will investigate further.
If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you can complain to the Information Commissioner’s Office (ICO).
We will never contact you for the purpose of direct marketing.
We will never send marketing communications via SMS or call you without your specific consent; nor do we ever pass on or sell your details to a third party.
How we collect personal data
The following are examples, although not exhaustive, of how we collect your personal information:
How we protect your personal information
Sensitive information or specific details will never be used to target marketing communications.
Any questions or requests regarding this notice and our privacy practices should be sent by email to the Data Controller; you may do so at any time.
Legal professional privilege
The listed GDPR provisions do not apply to personal data that consists of—
(a) information in respect of which a claim to legal professional privilege or, in Scotland, confidentiality of communications, could be maintained in legal proceedings, or
(b) information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser.
Information required to be disclosed by law etc or in connection with legal proceedings
The listed GDPR provisions do not apply to personal data consisting of information that the controller is obliged by an enactment to make available to the public, to the extent that the application of those provisions would prevent the controller from complying with that obligation.
to the extent that the application of those provisions would prevent the controller from making the disclosure.