SRA Authorised law firm. DALIR LTD is also regulated and authorised by the UK Solicitors Regulation Authority under number 638609, and as such is subject to an additional level of confidentially and security obligations with respect to information, including personal data of its clients specifically.
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
The personal data which we collect of you will very much depend on the reasons why we need your personal data and who you are (i.e. a visitor of our Website only; a Job Applicant; a prospective client who has not contacted us previously; a prospective client who wishes to instructs us; an existing client; a former client; a business partner or supplier), as is set out in the Table below.
|Visitor to our website||Job Applicant||Prospective Client who did not contact us||Prospective Client who wishes to instruct us||Existing Client||Former Client||Business Partner and/or Supplier|
|Technical Data automatically collected by our Website. See our Cookies Policy.||Basic Job Applicant Information.
Job Applicant Due Diligence Information.
|Basic Contact Details
(i.e. name, email and phone number)
|Basic Contact Details
Client Due Diligence Information
Case Related Information
|Basic Contact Details
Client Due Diligence Information
Case Related Information
|We do not specifically collect information from former clients other than what is necessary to comply with our legal and regulatory obligations of records keeping and keeping data up to date.||Basic Contact Details
Supplier/Partner Due Diligence Information
Basic Contact Details include the following personal data: name, email and/or phone number.
Basic Job Applicant Information may include the following personal data:
If you send us your CV and/or motivation letter in application for an advertised position or as spontaneous application:
- Your Basic Contact Details (i.e. name, email and phone number) or that of your referees
- Your Residential Address
- Identification Documents Information (e.g. place and date of birth, visa and immigration status, your picture, your genre)
- Your education and employment details
- Any other personal data that you volunteered in your communication with us, and which was not requested from you.
Job Applicant Due Diligence Information. If we decide to progress your job application with us, we may collect in addition to Basic Job Application Information additional personal data to establish and verify your identity, qualifications and fitness for the position. In such a case we will send you a specific privacy notice. If you sign a contract with us, and become an employee, contractor or worker, we will request additional personal data and will provide you in such case also with a specific privacy notice.
Client Due Diligence Information. If you decide to instruct us for our legal services Client Due Diligence Information may be collected (i) in relation to you if you are a private client, i.e. you are a private individual, or (ii) where the prospective or existing client is/will be a legal entity the information shall be collected in relation to its board of directors (or if there is no board, the members of the equivalent management body and the senior persons responsible for the operations of the legal entity), trustees in case of a trust, partners in case of a partnership, and where applicable in relation to the ultimate beneficial owners of the legal entity. The information may include the following personal data:
- Identification Documents Information (e.g. place and date of birth, visa and immigration status, your picture, your genre, passport or identity card numbers). As we are required not only to collect but also to verify the information provided we will require a related proof;
- Residential Address. As we are required not only to collect but also to verify the information provided we will require a related proof;
- We may also collect any other personal data which, as a regulated law firm, we are required to collect in order to comply with the applicable anti-money laundering and terrorism financing obligations as interpreted by the competent regulators.
Case Related Information may include different kinds of personal data, including the special category of personal data (i.e. personal data which is more sensitive and needs more protection), depending on your instruction to us and the scope of your legal matter.
Special category data will be processed only under certain conditions: you have given us your explicit consent; and/or the processing is necessary for establishment, exercise or defence of legal claims; and/or the processing is necessary in the context of employment law; and/or for reasons of substantial public interest; and/or the processing is necessary to protect your vital interests; and/or where you have manifestly made it public and we collect it as part of our work for you or our above-mentioned due diligence process. If you do not allow us to process your special category data, and such processing was based solely on your consent, this may mean that we are unable to enter and/or continue our contractual relationship with you. You must inform us in writing if you remove consent for us to process such personal data.
Supplier and/or Partner Due Diligence Information may include limited personal data on financial details, family details, life style and social circumstances, and/or political affiliations of the owners, leaders or employees of our suppliers and/or partners which might be collected to establish that they are running a sound and reliable business, and in order to prevent any reputational and other risk for our company in dealing with such suppliers and/or partners such as an unintentional affiliation with suppliers/partners which might be involved in bribery and corruption.
A special note about children. Our Website is not intended for children and we do not knowingly collect data relating to children. However, if your instruction to us as your lawyers relates to a matter which requires us to collect personal data of children, we will do so in compliance with the relevant legal requirements.
Refusal to provide personal data by you. Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract (e.g. to provide you with our professional legal advice) we have or are about to enter into with you. If we already have a contract in place, we may have to cancel a service or product you have with us.
Your personal data is collected using different methods as follows:
Information we may collect from you
Through your direct interactions with us. You may give us your personal data in person, by filling in forms or by corresponding with us by post, phone, email or using any other channels of communication such as social media (e.g. LinkedIn or Facebook).
This includes personal data you provide when you:
- request our services (e.g. professional legal advice) or products (e.g. training);
- subscribe to our services or publications;
- request marketing to be sent to you;
- request to be employed by us;
- request to provide service to us or otherwise do business with us;
- give us feedback;
- file a complaint.
Automatically through your visit to our Website. As you interact with our Website on your computer or other device, we may automatically collect technical data about your equipment and browsing actions.
Information collected from third parties or publicly available sources
We may receive personal data about you from various third parties and public sources, as set out below.
- Affiliates and affiliated individuals of our clients and/or prospective clients, where relevant;
- Third party introducers (referees) should you choose to interact with them;
- Social media platforms including but not limited when you interact with us on those platforms or access our social media content;
- Search information providers;
- Subscription services;
- Private and public providers of anti-money laundering and terrorism financing (AML/CTF) related information;
- Publicly available sources such as Companies House, the Electoral Register and other publicly available websites;
- Employment recruiters should you, as an applicant for a position with us, choose to interact with them;
- Credit reference agencies, where relevant.
We will only use your personal data when the law allows us to, namely on legal grounds (sometimes also referred to as lawful grounds or legal basis). Most commonly, we will use your personal data for the purposes set out in further detail below:
Based on the legal ground which is the performance of the contract or to take steps at your request prior to entering into a contract, we shall use your personal data for the following purposes:
- To respond to your request for a quotation for our services and/or products if you are a prospective or existing client, or acting on their behalf;
- To respond to your offer of services/products if you are a supplier and/or a partner, or acting on their behalf;
- To respond to your application if you are a job applicant;
- To manage and perform the contract we have with you or your organisation, as relevant;
- To update your records;
- To manage and collect payments, fees and charges, where relevant;
- To manage our relationship with you, including notifying you about changes to our terms of engagement if you are an existing client;
- To establish, exercise or defend legal claims.
Based on the legal ground which is to comply with a legal obligation, we shall use your personal data for the following purposes:
- To comply with our legal and regulatory obligations such as those imposed by the AML/CTF and anti-bribery laws and regulations and the requirements of our regulator, the Solicitors Regulation Authority (e.g. client due diligence and conflict checks, supplier due diligence);
- To comply with our data protection legal obligations to verify your identity before we respond to your data subject requests;
- To comply with our employment law obligations if you are a job applicant;
- For prevention of crime and fraud, where relevant;
- To respond to requests for information from the police and government bodies in case of a criminal investigation, subject to our obligations of non-disclosure resulting from lawyer/client legal privilege;
- To resolve any dispute in relation to our services, or your services to us as a supplier/partner.
Based on the legal ground which is the legitimate interest. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override our legitimate interests, we shall use your personal data for the following purposes:
- To respond to queries and complaints of our clients, prospective clients, suppliers and partners (which are not categorised as a dispute or a legal claim);
- For management information purposes to assist us improve our offering to our clients;
- To collect and recover money owed to us;
- To administer and protect our business and our Website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data);
- Subject to your marketing preferences, to make recommendations to you about the services and products that may be of interest to you.
Based on the legal ground which is your consent, we shall use your personal data for the following purposes:
- To send you marketing information via email, in line with your marketing preferences, about the services and products which might interest you; or
- To process special a category of data where our processing does not, or is likely not to, benefit from one of the legal exemptions; or
- For any other purpose which we will communicate to you when we request your consent.
When processing of your personal data is based on your consent only, you have the right to withdraw consent at any time by contacting us at email@example.com.
Please contact us if you need details about the specific legal ground we are relying on to process your personal data, or the specific purpose for which that data is used.
We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We may use your personal data to form a view on what we think you may want or need, or what may be of interest to you. While doing so we shall also comply with our marketing obligations and restrictions as solicitors which are set out in the Handbook published by the Solicitors Regulation Authority.
Marketing communication. You may receive marketing communications from us if you have requested information from us or purchased services or products from us, or if you provided us with your details when you registered for a promotion and, in each case, you have not opted out of receiving that marketing.
Third party services. We will never sell, rent or provide your personal data to third parties for marketing purposes. Apart from privacy laws, this would be a breach of our regulatory obligations requiring us as a law firm to keep the affairs of our clients confidential unless disclosure is required or permitted by law or the client consents.
Updating marketing preferences. You can ask us to stop sending you marketing messages at any time by updating your marketing preference following the opt-out links on any marketing message sent to you or by contacting us at any time.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We do not envisage that any decisions will be taken about you using solely automated means. However, we will notify you in writing if this position changes and will inform you of your rights as required by the applicable law.
In line with our professional and ethical obligations, and in particular that of the legal professional privilege, we will not disclose your personal data unless we are permitted, required or authorised under applicable law, or where we need to do so in order to conduct our business (for example where we outsource services or other people process data for us) or when disclosure of your information is in your interest.
Only in the above-mentioned cases of disclosure, will we share with and/or allow access to information to the following categories of third-parties as relevant:
- suppliers and service providers (such as information technology providers, system administration services, web-hosting companies, mailing vendors, analytics providers, event hosting services, but also professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services);
- Government bodies and agencies in the UK and overseas (e.g. with regulators such as the Solicitors Regulation Authority, the National Crime Agency, Her Majesty’s Revenue and Customs, the Information Commissioner’s Office, the Financial Conduct Authority, and the Competition Market Authority, or with an ombudsman such as the Legal Ombudsman or the Financial Services Ombudsman);
- courts and tribunals, to comply with legal requirements and the administration of justice;
- complainants, enquirers;
- financial organisations;
- fraud prevention agencies, debt collection and tracing agencies, and credit reference agencies;
- private investigators;
- family, associates or representatives of the person whose personal data we are processing, where relevant;
- current, past or prospective employers, employment and recruitment agencies, educators and examining bodies;
- healthcare professionals, social and welfare organisations;
- trade associations and professional bodies;
- anyone else where we have your consent, or we are required by law.
We require all third parties with whom we share your personal data to respect your personal data and to treat it in accordance with the privacy and security obligations consistent with this policy and the applicable law. Where we share your personal data for the purpose of conducting our business, we take all reasonable steps to ensure that such third party enjoys a sound business reputation and provides at least the same level of privacy protection that we offer to our clients. We do not permit our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes identified by us and in accordance with our instructions.
DALIR Ltd. is based in the European Economic Area (EEA). However, we may have to share your personal data with third parties located outside of the EEA, or process your data ourselves, directly or through our affiliates, outside of the EEA in countries including but not limited to the United States of America. Any transfers made will be in compliance with all aspects of the Data Protection Act and the General Data Protection Regulation (GDPR).
When we do transfer your personal data out of the EEA, we will ensure that your personal data is transferred in accordance with the legal requirements, and in particular the GDPR. This means that, where your personal data is sent outside the EEA, we shall be:
- Transferring your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the EU. For further details, see the List of countries which provide an adequate level of protection; or
- Entering into specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see EU Commission: Model Contracts for the transfer of personal data to third countries, or
- Where we use providers based in the Unites States of America, we shall check if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the United States of America. For further details, see European Commission: EU-US Privacy Shield and the US-EU Privacy Shield List.
As permitted under the GDPR, please note however that there might also be cases where neither of the above applies, but the international transfer to a particular country of personal data can benefit from a legal derogation/exception such as one of the following.
The international transfer:
- is necessary to establish, exercise or defend legal claims;
- is necessary for the performance of the contract concluded between us and a third party in your interest;
- is necessary for the performance of the contract between you and us, or pre-contractual steps taken at your request;
- is necessary for important reasons of public interest, or is in your vital interest; or
- you have given us your explicit and informed consent for such an international transfer.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
Unfortunately, no data transfer over the Internet or any other network can be guaranteed as entirely secured, but we take appropriate steps to try to protect your personal data. We have put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a need to know. They will only process your personal data on our instructions and they are subject to a strict duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breaches and will notify you and competent regulators of a breach where we are legally required to do so.
How long do we keep your personal data for (referred as ‘data retention’)?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for as set out in this policy, or for as long as we reasonably consider necessary to establish, exercise or defend our legal rights. In any event, we shall retain your personal data in accordance with the applicable statutory and regulatory requirements.
The specific statutory and regulatory criteria used to determine these retention periods include but are not limited to:
- our obligation of compliance with the regulatory retention requirements set out by the UK Solicitors Regulations Authority;
- our obligation of compliance with the statutory retention requirements set out by the UK Money Laundering Regulations;
- our obligation of compliance with the statutory retention periods for accounting records, as set out by the Companies Act and the HM Revenues and Customs.
Other commercially justifiable criteria may include, among others, our need to comply with the requirements of our professional indemnity insurer, our need to keep your personal data as long as necessary to resolve any query, complaint or dispute, our need to keep your personal data for as long as you might legally bring claims against us, and our need to enable us to provide you with the service. If you are an unsuccessful job applicant, we will keep your personal data for 6 months unless you ask us in writing to delete it sooner than that.
Please contact us if you want further information on the specific retention mechanism used in relation to a specific type of your personal data.
Warning regarding third-party links
Our Website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our Website, we encourage you to read the privacy notice of the website which you visit.
Your duties to inform us of changes
It is important that the personal data that we hold is accurate and current. If you have a business relationship with us and you have provided us with personal data, or you have provided us with personal data on behalf of someone else, you are required to inform us as soon as possible if that personal data changes.
You already have certain rights under the UK Data Protection Act, and you shall be entitled to additional rights following the entry into force of the GDPR as of 25 May 2018. Under certain circumstances, by law, your rights are among others:
a) Your existing rights, by law, which further enhanced will continue after 25 May 2018
- Right of access to your personal data (commonly known as a “data subject access request”). This enables you, among others, to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Right to rectification of inaccurate and completion of incomplete personal data. This enables you to have any inaccurate or incomplete information we hold about you rectified or completed respectively.
- Right to object to processing of your personal data under specific conditions.
- Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects you.
b) Your new and additional rights, by law, which will start as of 25 May 2018
- Right to erasure of your personal data (the “right to be forgotten”). This enables you to ask us to erase your personal data without undue delay under specific conditions. Please note that certain rights of erasure exist prior to 25 May 2018.
- Right to the restriction of processing of your personal data under specific conditions. Please note that certain rights of blocking personal data processing exist prior to 25 May 2018.
- Right to the transfer of your personal data to another party who is a data controller (“data portability”). Please note however that given a specific nature of client/lawyer relationship exceptions might apply.
If you wish to exercise any of the rights set out above, please contact our DPO at firstname.lastname@example.org
No fee usually required. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What we may need from you. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Response Time. We will respond to all legitimate requests without undue delays and within one month of receipt of your request.
Furthermore, you also have the right to make a complaint at any time. If you would like to make a complaint, please contact our DPO at email@example.com. You also have a right to file a complaint to the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection issues (www.ico.org.uk).