A A A

Privacy Policy

Data Protection Privacy Notice Clients of Fonseca Law

This notice explains what personal data (information) we will hold about you, how we collect it, and how we will use and may share information about you during the period of acting on your behalf in providing legal services and subsequently. We are required to notify you of this information under data protection legislation. Please ensure that you read this notice (generally referred to as a ‘privacy notice’) and any other similar notice we may provide to you from time to time when we collect or process personal information about you.

1. Our Details

Fonsecalaw Limited is a firm regulated by the Solicitors Regulation Authority and we are a data controller for the purposes of data protection legislation. We gather and use your personal information on the terms below. We can be contacted at our head office in the following ways:-

By telephone on 01495 303124, by email to enquiries@fonsecalaw.co.uk

Or in writing to New County Buildings, 59 Bethcar Street, Ebbw Vale, NP23 6HW

We have a designated Data Protection Manager who oversees the handling of your information and can be contacted using the above details.

2. Data protection principles

We have a Data Protection Policy which is available on request and we will comply with the general data protection principles from time to time in force.

3. About the information we collect

The table set out in the Schedule at Part A below summarises the information we may collect and hold on your behalf. Some of the information we request will only be collected in certain types of cases as detailed within the schedule. If you are uncertain as to the type of case you have with us then please ask. We seek to ensure that our information collection and processing is always proportionate. We will notify you of any changes to information we collect or to the purposes for which we collect and process it.

4. What information you must provide

You are not obliged by law to provide your personal information to us, however you will need to provide us with most, if not all, of the personal information we request from you at the outset of your case for us to be able to advise you fully and act on your behalf. The majority of information we require is a contractual requirement, you are entering into a contract with us upon instructing us and we require that information in order to perform the contract. Certain other information we request is required on a statutory basis, for example we are required to verify your identity in relation to property transactions to comply with money laundering regulations and for the purposes of avoiding fraud. If you do not provide us with the information we request we are unlikely to be able to continue acting for you.

5. Where information may be held

Information may be held at our offices in physical files, by our case management provider (which is cloud based), with service providers, with third party agencies, with representatives and agents as described in the Schedule. We will not transfer your data to third countries outside of the European Economic Area.

6. How long we keep your information

We keep the personal information that we obtain about you during your case for no longer than is necessary for the purposes for which it is processed. How long we keep your information will depend on the type of your case and is set out in part B of the Schedule below.

7. Your rights in relation to your information

You have the right to request the following in relation to the information we hold about you:-

Access to it – Should you wish to make a subject access request for the personal data we hold about you please contact the Data Protection Manager using the details above. It will be necessary for you to attend at our office in person before we will provide you with the information we hold about you, with evidence of your identity so that we can verify that the personal data belongs to you before we disclose it. We will provide you with the information requested within one month of receiving your request unless the request is complex in which case we may extend this period for a further two months.
Rectification of it if it is incorrect – if this is the case please let us know by using our contact details at point 1 above or advise the fee earner dealing with your case.
Erasure – to be forgotten – if you do not instruct us in any meaningful way we may be able to delete your information immediately – for example if your file is opened in error or if you do not formally provide us with instructions – if this is not the case then we may need to retain your information to comply with our legal obligations and for the purposes of defending any legal claims. Please contact us using our contact details at point 1 if you wish to exercise this right.
Restriction – You can restrict our processing of your data requiring your consent to enable us to process it or to use it only for establishing or defending legal claims in certain circumstances.
Data portability – this only really applies to automated means and we are unlikely to be able to electronically port your data to another solicitor but should you wish us to transfer we will seek to do so by alternative means as long as we are not holding files under a costs lien.
Object – You can object to our processing your data but in this case we would be unable to fulfil our contract to provide legal services and therefore would be unable to act for you.

8. Keeping your personal information secure

We have appropriate technical and organisational security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it and we will only pass your information to third parties where it is lawful to do so and in accordance with our terms of business or your instructions. The parties we will pass information to in a usual case will be our case management system providers (often referred to as ‘data processers’) for the purposes of keeping an electronic record of your case (always), our IT providers may also be provided with information if necessary (occasionally), and should we instruct a barrister or other legal representative to provide you with further advice (occasionally) then they will need your details. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. There will be no automated decision making in relation to your data. We will not process your data further than for the purposes of your existing case, and we will retain your data at the end of your case in accordance with Part B of the Schedule for those purposes detailed.

We also have procedures in place to deal with any suspected data security breach. We will notify you and the UK data protection regulator of a suspected data security breach where we are legally required to do so.

9. How to complain

If you wish to complain about the use of your information please raise this initially with our Data Protection Manager. If we cannot resolve your query or concern then you can contact the Information Commissioner at https://ico.org.uk/concerns/ or telephone: 0303 123 1113 for further information or advice.

10. Legal Statement

Your continuing instructions to us shall constitute acceptance by you of this Privacy Notice. If you have any queries in relation to this notice then please contact our Data Protection Manager using the details above.

SCHEDULE

PART A

Case Type (see part B)	The information we collect	How we collect the information	Why we collect the information	How we use and may share the information
PROP, PI, CRI, FAM, LIT, WIL, DCD, LPA, DO, EMP, CON	Your name and contact details (ie address, home and mobile phone numbers, email address)	From You or from an Estate Agent or intermediary who passes your details to us for the purposes of providing you with a quotation or legal services	To perform our contract with you.	To perform our contract with you. We will share it in accordance with your instructions and our legal obligations – for example to HMRC or the WRA when accounting for tax in property transactions and when dealing with estates, to our AML search provider to verify your identity. If you are using HTB funding we will be obliged to provide your personal details to Help to Buy. If you are purchasing a new build property with an NHBC guarantee we will pass these details on to NHBC to issue your warranty. In crime we often use agents to represent you and it is necessary for us to share your data with them. In family and Personal Injury cases we will need to pass your details on to mediators and experts (for example in assessing your injuries). If we instruct a barrister for any reason to advise you we will share your information with them.
PROP, PI, CRI, FAM, LIT, WIL, DCD, LPA, DO, EMP, CON	Your date of birth	From You	To verify your identity.	To verify your identity. We may share it with HMRC for accounting for any tax due, and with Help to Buy if you are using any Help To Buy Funding. We will also share it with agents if applicable.
PROP, PI, FAM.	Your bank details	From You	To verify the source of funds to comply with anti-money laundering legislation, and to make payments to you (to perform our contract with you).	To perform our contract with you. We will not share your bank details.
PROP, WIL, DCD, LPA, DO, CON	A copy of your identification documents (passport or driving licence and utility bill)	From You	To comply with our legal obligation to verify your identity and to prevent fraud.	To verify your identity. Information may be shared with our search providers to carry out an electronic AML search
PROP	The result of an AML search which reveals whether you are a company director and if so details of the company, if you are on the electoral role, details of any CCJs and insolvency, whether you may be a politically exposed person, your previous addresses.	From our search provider carrying out an online search with various agencies	To verify your identity and comply with Anti-Money Laundering Legislation	To verify your identity. We may share an adverse result with your mortgage lender with your consent.
PROP, WIL, DCD	Financial details of your case – for example in conveyancing that would be relevant property addresses, mortgage details, financial information, and your National Insurance Number, details of your assets.	From You	To Carry out the transaction and Accounting for tax	To advise you accordingly and deal with your transaction. We will share this with HMRC as required, Help to Buy, and in some instances your mortgage lender.
PI, CRI	Medical Records	From your GP upon instruction from you	To perform our contract with you and advise you and to establish your legal claim.	To advise you on your claim / defence. We shall share your medical records with the expert appointed to value your PI claim, and if relevant in a criminal matter we shall share them with any agents we instruct to appoint you.
CRI	Criminal Records	From the CPS	To perform our contract with you and advise you and to defend a legal claim against you.	We will share them with any agents or barristers we instruct to advise or represent you.

Please note that for audit purposes – for example accounting and regulatory purposes your data may be shared with the following bodies or their agents as being incidental to our audit and not specific to your case:-

Accountants, The Solicitors Regulation Authority, The Law Society, The Legal Aid Agency.

PART B

Case Types Retention Periods

Case Type Code

Case Type

Period of Physical File Retention

Period of Electronic File Retention

Reason

PROP

Residential or Commercial Conveyancing Purchase or Re-Mortgage

End of Matter plus 6 years

End of Matter plus 20 years

To comply with our legal obligations. To comply with any lender’s obligations. To defend any legal claims which may arise after 6 years.

PROP

Residential or Commercial Conveyancing Sale

End of Matter plus 6 years

To comply with our legal obligations. To defend any legal claims.

PROP

Property Matter – You will still own the property at the end of the transaction

End of Matter

plus 6 years

End of Matter plus 20 years

To comply with our legal obligations. To comply with any lender’s obligations. To defend any legal claims which may arise after 6 years.

Personal Injury

End of Matter plus 6 years

To comply with our legal obligations. To defend any legal claims

CRI

Crime

End of Matter plus 6 years

To comply with our legal obligations. To defend any legal claims.

FAM

Family / Divorce / Contact

End of Matter plus 6 years

To comply with our legal obligations. To defend any legal claims.

LIT

Litigation / Disputes

End of Matter plus 6 years

To comply with our legal obligations. To defend any legal claims.

WIL

Wills

End of Matter plus 30 years

60 years

To comply with our legal obligations. To ensure your wishes are carried out and to defend any legal claims which might only arise after your death.

DCD

Probate

End of Matter plus 6 years

To comply with our legal obligations. To defend any legal claims.

LPA

Powers of Attorney

End of Matter plus 6 years

60 years

To comply with our legal obligations. To defend any legal claims (in particular in the event of a dispute about your mental capacity).

Deputyship Applications

End of Matter plus 6 years

To comply with our legal obligations. To defend any legal claims.

EMP

Employment

End of Matter plus 6 years

To comply with our legal obligations. To defend any legal claims.

CON

Contracts

End of Matter plus 6 years

Duration of Contract, or 10 years if shorter

To comply with our legal obligations. To defend any legal claims and deal with any contractual disputes if arising after 6 years.

Fonseca Law Data Protection Policy

The firm takes the protection of data extremely seriously and shall comply in all respects with the provisions of the EU General Data Protection Regulation 2016/679 (“GDPR”) or any subsequent enactment of legislation in relation to data protection. The general principles which shall apply to all of the personal data held by the firm in accordance with Article 6 of the GDPR are that:-

It shall be processed fairly and lawfully;
It shall be collected for specified, explicit and legitimate purposes;
It shall be adequate relevant and not excessive in relation to the purposes for which we hold it;
It shall be accurate and kept up to date and erased or rectified as appropriate;
And it shall be kept for no longer than necessary for the processes for which it is collected.

The firm is continuously aware of the risks to individuals when data is breached which can include the following:-

Physical, material and non-material damage;
The individual’s loss of control over his or her personal data;
Limitation of the individual’s rights;
Discrimination;
Identity Theft;
Fraud;
Financial Loss;
Unauthorised reversal of pseudonymised data;
Damage to reputation;
Loss of confidentiality of personal data protected by professional secrecy (for example medical records).

The firm has appointed a Data Protection Manager who is responsible for this policy and dealing with data protection within the firm.

The Grounds for Processing Data

The firm shall only process personal data on one of the following grounds in accordance with Article 6 of the GDPR as follows:-

With consent;
For the performance of a contract;
For compliance with a legal obligation; or
When in the legitimate interests of the firm.

It is not expected the firm will have reason to rely on either the grounds of it being in the vital interests of the data subject, or in the public interest.

Given the business of the firm is to provide legal advice and services it is anticipated that in the most part the firm shall be processing data for the performance of a contract, for the reason of providing legal services to clients or in relation to contracts of employment with staff members. Where the contract for legal services is with a child or elderly or vulnerable person the firm will consider the client’s competence to understand what they are agreeing to in relation to their personal data. It is also anticipated that data will be processed in accordance with legal obligations to which the firm is subject, and also in the legitimate interests of the firm. Such examples are when the firm is required to identify clients in accordance with Money Laundering Regulations from time to time in force, and to keep data and files for fixed periods of time in order to comply with mortgage lender’s requirements, and given the nature of the firm’s business data may need to be retained for the purposes of defending legal claims.

On the rare occasion when data is not initially obtained for the performance of a contract then specific informed consent to process the data will be obtained from the data subject making clear the purposes of the processing. The firm acknowledges that consent cannot be valid where there is a clear imbalance between the firm and the data subject, and that this imbalance is likely to apply to employees of the firm. The firm further acknowledges that where it is necessary to prove consent has been obtained to process data the burden of proof lies with the firm. In circumstances where consent is relied on the firm will refresh consent every two years in accordance with the ICO Consent Guidance. Where consent might be required from children (for example acting on their behalf in criminal cases) then the minimum age for the child to provide consent will be 13 or such older age as is passed in the UK Data Protection Bill if different.

Purpose Limitation

The firm shall only collect personal data for specified, explicit and legitimate purposes in accordance with Article 5(1)(b) of the GDPR and it shall not be further processed in a manner incompatible with those purposes. If the firm wishes to process personal data for a further purpose that further processing shall be compatible with the first. It is expected in the main that any further purpose for processing personal data shall be compatible with the original purpose and the firm shall consider the following factors when deciding this:-

Any link between the original purpose and the purposes of the intended further processing;
The context in which the personal data has been collected, and in particular the reasonable expectations of data subjects based on their relationship with the firm as to their further use.
The nature of the personal data;
The consequences of the intended further processing for the data subject; and
The existence of appropriate safeguards.

The circumstances the firm considers are likely to amount to further processing shall be marketing (instigated by the firm), defending potential negligence claims (instigated by the client or a lender) and providing information to parties such as the Official Receiver or lenders – where the firm shall often by under a legal duty to provide required information.

Where the firm intends to use data for marketing purposes it will require informed consent from clients every 6 months, and will also require consent of former clients before sending any marketing material.

Data Minimisation

The personal data collected by the firm shall be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed in accordance with Article 5(1)(c) of the GDPR. The firm shall ensure that it reviews its procedures annually to ensure excessive data is not being collected, which shall include for example checking the content of information to be obtained on client instruction forms (referred to as questionnaires in the conveyancing department). Any erasure or rectification of inaccurate personal data shall be made without delay.

Accuracy

The firm shall ensure that personal data is kept accurate and up to date (where possible in relation to previous clients who may change address etc without updating us). In the context of conveyancing clients this shall include updating a client’s address records on the day of completion should they be moving into or out of a property.

Storage Limitation

The firm shall not keep personal data in a form which permits the identification of data subjects for longer than is necessary. The periods of retention for the various types of personal data we hold are set out in our Register of Data Processing Activities. The firm notes that it will rarely be justifiable to hold personal data in a form that permits the identification of individual data subjects for an unlimited period, however there are some circumstances where the firm will need to store documents (for example Wills and files) for the lifetime of the data subject.

Integrity and Confidentiality

In accordance with Article 5(1)(f) of the GDPR the firm shall ensure that all personal data is processed in a manner that ensures appropriate security of it, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Accountability

The firm shall demonstrate compliance with the GDPR and data protection generally through the following measures:-

The existence of this data protection policy which shall be reviewed annually;
Maintaining records of processing activities;
Data protection training for staff;
Data protection audits; and
The incorporation of the principles of this policy in the firm’s data protection procedures are set out below in part 2.

Accountability - Data Protection Impact Assessments

The firm has considered the requirement for Data Protection Impact Assessments (DPIA) in accordance with Article 35(1) of the GDPR in order to identify and evaluate the likely data protection risks arising from a new activity that involves processing personal data, and in particular in relation to the processing of special categories of personal data. Whilst the firm will process sensitive data such as medical records and criminal records, it considers that the exemption under Recital 91 which states that a DPIA is not required for the processing of clients’ personal data by an individual lawyer applies and therefore no DPIA will be required at the present time. If the firm deploys new technology in the future which is likely to result in high risk to individuals then it will carry out a DPIA as required by the GDPR.

Processing Special Categories of Personal Data

The firm notes that there is a general prohibition on processing special categories of data in Article 9(1) of the GDPR which comprises of personal data which reveals the following types of information about individuals:-

Racial or ethnic origin;
Political opinions;
Religious or philosophical beliefs;
Trade union membership;
Genetic data;
Biometric data for the purpose of uniquely identifying a natural person;
Data concerning health; and
Data concerning sex life or sexual orientation

The firm does process several types of the above data for both clients and employees. Article 9(2) provides a list of circumstances in which the general prohibition may be lifted and the grounds covered on which the firm intends to rely are as follows:-

Employment – where the processing is necessary for carrying out the firm’s obligations and exercising specific rights in the field of employment, social security and social protection law – for example collecting the data of current or prospective employees for the purpose of ensuring and demonstrating equality and diversity in accordance with the Equality Act 2010.
Legal Claims – the processing is necessary for establishing, exercising, or defending legal claims – this ground will apply in the majority of instances.
Explicit consent – as a last resort if not covered under one of the grounds above.

Data Subjects’ Rights

The firm acknowledges that the rights of data subjects as set out in Chapter III of the GDPR are as follows:-

The right to transparency;
The right to information and access to personal data;
The right to rectification;
The right to erasure;
The right to restriction of processing;
The right to data portability;
The right to object to processing; and
Rights in relation to automated decision taking

In relation to the right to transparency the firm’s procedure is as set out below, although it is noted that transparency information need not be provided where the data subject is already aware of the processing activity or the recording or disclosure of personal data is expressly permitted by law (in accordance with Recital 62 of the GDPR).

In relation to the right to information and access to personal data the firm acknowledges the right of the data subject in accordance with Article 15 of the GDPR to be provided with the following information:-

The purpose of the processing;
The categories of personal data concerned;
The recipients of personal data or categories of recipient;
That there will be no recipients of the data in third countries (outside the EEA);
The period of period for which data will be stored or the criteria used to determine the retention period;
The existence of the data subject’s right to rectification, erasure, and restriction of processing and the right to object to processing;
Their right to complain to the supervisory authority, the ICO;
Where data are not collected from the them, information as to their source; and
The existence of any automated decision taking (none).

The data subject is entitled to make a request for details of their personal data held by the firm and this shall be referred to as a “subject access request”. The firm has considered whether to offer remote access to a secure system to provide data subjects with direct access to their personal data and has considered its current systems are not sufficient to allow this without a significant investment in time and money, so direct access to data will not yet be offered.

Article 17 of the GDPR introduces a new right to erasure. The firm notes this right, and will forget data subjects when their data is no longer necessary for the purposes for which it was collected. The firm will also erase data in the following circumstances:-

If the data subject withdraws consent and there is no longer a legal basis for processing;
If the data subject objects to the processing pursuant to the right expressed in Article 21;
If the personal data has been unlawfully processed;
If the firm is under a legal obligation to erase the data.

Where the firm removes data it will notify any other data controllers it has provided information to, to remove the data too.

Article 17(3) provides exceptions to the right to erasure where the processing is necessary as follows (the list below does not contain all of the exceptions in the GDPR, only those relevant to the firm):-

For compliance with a legal obligation to which the firm is subject or for the performance of a task in the public interest;
For the establishment, exercise or defence of legal claims.

The right to restriction of processing as per Article 18 of the GDPR may apply to the firm in the following circumstances:-

Where the data subject contests the accuracy of the data processing can be restricted for a period to enable the firm to verify whether the data is accurate;
If the processing was unlawful and the data subject opposes erasure of the data they may instead require restriction of processing;
If the firm no longer needs the data but the data subject requires the data for establishing, exercising, or defending legal claims; or
Where the data subject has exercised the right to object to processing pursuant to Article 21(1) referred to below, processing may be restricted for the period necessary to ascertain whether the firm’s legitimate grounds override those of the data subject.

Where a data subject exercises the right (other than for storage), the data may only be processed on the following terms:-

With the data subject’s consent;
For establishing, exercising, or defending legal claims;
For the protection of another natural or legal person’s rights; or
For reasons of important public interest of the UK.

The right to data portability is expected to apply to the firm when a client decides to appoint an alternative solicitor and asks the firm to transfer their file (data) to another solicitor. The firm shall comply with this request with regard to personal data, although complete files may still be subject to a lien in respect of costs. It is noted that the right applies only to automated means and it is unlikely the firm will have the technical ability to port its electronic data due to the specification of the case management system used, however the firm will hand over physical files.

The right to object to processing is set out in Article 21 of the GDPR. The firm acknowledges data subjects’ right to object on the following relevant grounds:-

Where the processing is based on the firm’s legitimate interests or performance of a task carried out in the public interest;
Where the processing is for the purpose of direct marketing.

Upon receiving an objection where the processing is based on the firm’s legitimate interests, the firm must cease processing unless able to prove that the legitimate interests override those of the data subject, or that the processing is necessary for establishing, exercising, or defending legal claims (Article 21(1))

Upon receiving an objection where the processing is for the purpose of direct marketing the firm must cease processing. The firm shall bring these rights to the data subject’s notice at the time of first communication.

Processing of Personal Data

Only personal data necessary for the specific purpose for which it was collected shall be processed. The quantity of data collected shall be proportionate to its purpose, the extent of the processing shall be kept to the minimum level as is necessary in accordance with the GDPR, the data shall be stored for as short a time as necessary in all the circumstances, and accessibility to such data shall only be made accessible to those requiring access to it for a legitimate purpose. The firm shall not provide any personal data to any parties outside of the firm for marketing purposes.

Processing of Personal Data by a third party

The firm shall use a case management system the use of which shall mean that a third party shall routinely be processing personal data on the firm’s behalf. The firm also uses agents to act on clients’ behalf in relation to court hearings / police station call outs and the provisions below shall also apply to them. The firm shall only use the services of data processors able to offer sufficient guarantees to implement technical and organisational security measures to ensure that the processing meets the requirements of the GDPR and ensures the protection of the rights of the data subjects.

The firm shall enter into a written agreement with all data processors and such contract will include the following provisions:-

The subject matter, duration, nature and purpose of the processing; and
The type of personal data, categories of data subjects, and obligations and rights of the data controller.
Obligations on the processer to:-

Process personal data only on documented instructions from the firm unless the processing is required by UK law in which case the processer must notify the firm;
Ensure persons authorised to process the personal data are bound by appropriate confidentiality agreements;
Implement appropriate security measures as required by Article 32 of the GDPR;
Observe these provisions relating to the appointment of sub-processers;
Assist the firm in dealing with the exercise of affected data subject’s rights;
Assist the firm in complying with its security and breach notification obligations;
At the end of the provision of services, either delete or return (at the firm’s option) all the personal data processed under the arrangement to the firm; and
Provide all such information to the firm as may be necessary to demonstrate compliance with its obligations (as set out in Article 28), and allow audits and inspections by the firm or its nominated auditor (Article 28(3)).

An obligation upon the data processor to notify the firm of any breach of personal data.

Records of Processing Activities

The firm shall maintain a register of data processing activities in accordance with Articles 30(2) of the GDPR. The register shall be in writing and available to the ICO upon request in order for the ICO to monitor the processing operations.

The register shall include the following information in accordance with Article 30(1) of the GDPR:-

The name and contact details of the firm;
The purposes of the processing;
A description of:-

The categories of data subjects; and
The categories of personal data;

The categories of recipients to which data have or will be disclosed;
(The firm will not transfer any data to third countries or international organisations so this requirement will not be applicable in the firm’s register whilst being a requirement of the GDPR);
The duration for which categories of personal data will be held prior to erasure; and
A general description of the applicable technical and organisational security measures.

Security of Personal Data

The firm shall keep data secure by implementing security measures as required by Article 32 and Recital 83 of the GDPR. The security measures technical and organisational are set out in Part 2 below. The firm shall train all staff to ensure that they act in accordance with the terms of this policy and procedure and any further data protection measures implemented from time to time. The firm shall also obtain confirmation from all data processers appointed that their processes comply with the GDPR.

Appointment of a Data Protection Officer

The firm has considered whether to appoint a Data Protection Officer in accordance with Article 37 of the GDPR. Whilst the firm’s core activities in providing legal services do necessitate processing a volume of personal data which includes criminal convictions (only in relation to clients engaging us in relation to criminal matters), the firm does not consider it processes this data on a large scale. Recital 91 states that processing should not be considered to be on a large scale if the processing concerns data from clients by an individual lawyer. The firm has few individual lawyers, not all of whom deal with personal data relating to criminal convictions. Therefore the firm will not at this time appoint a data protection officer. The firm has however appointed a Data Protection Manager who has overall responsibility for data protection in the firm and the implementation and review of this policy.

Data Breaches

A personal data breach is defined in Article 4(12) of the GDPR as:-

“a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.” The firm has identified the following risks of potential data breaches (and the list is not exhaustive):

Potential Breaches of Personal Data

Loss or theft of mobile telephone or laptop
Loss of physical file if removed from office
Burglary / Fire
Hacking Attack
Sensitive letter sent to the wrong address
Email sent to recipient in error

Part 2 below details the security measures in place to minimise the risk of them occurring.

If the firm suffers a personal data breach then the breach will be reported to the supervisory authority the ICO, and the affected data subjects (if the breach is high risk) in accordance with Articles 32 and 33 of the GDPR.

The firm has a data breach response procedure as set out in part 2 below and has trained staff in this procedure. The firm notes that data breach policies and processes should respond to the nature of the breach and risks arising from it, taking into account law enforcement authorities’ interests where early disclosure could hamper an investigation.

When becoming aware of a breach the firm shall promptly inform the ICO within 72 hours. If it is not possible to inform the ICO within 72 hours the firm shall account to the ICO for the delay. If the breach is unlikely to result in a risk to the rights and freedoms of natural persons then the obligation to report does not apply. (Article 33(1) GDPR).

In accordance with Article 33(3) of the GDPR the notification of any breach to the ICO shall include the following information:-

The nature of the personal data breach, including where possible the categories and approximate number of data subjects concerned, and the categories and approximate number of data records concerned;
The name and contact details of the Data Protection Manager;
The likely consequences of the personal data breach;
The measures taken, or to be taken by the firm to address the breach including any mitigation measures.

Where a personal data breach is likely to result in a high risk to the data subject the firm must notify the data subject without delay in accordance with Article 34(1) of the GDPR. The firm will notify the data subject in clear and plain language and include the following information:-

The name and contact details of the Data Protection Manager in the event that further information is required;
The likely consequences of the personal data breach; and
The measures taken, or to be taken by the firm to address the breach, including any mitigation measures.

However the firm does not need to inform the data subject of a breach in the following circumstances:

The personal data was subject to security measures that rendered it unintelligible to anyone not authorised to access it, such as encryption;
The firm has taken measures to ensure the high risk to data subjects is no longer likely to materialise; or
It would involve a disproportionate effort, in which case there must be a public communication.

If the firm has not already communicated the breach to the affected data subjects the ICO may direct the firm to do so and in which case the firm will comply with the direction.

The firm has commenced the installation of breach detection software on its electronic devices.

Data Transfers

The firm shall not transfer any personal data to third countries outside the European Economic Area. Articles 44 to 50 of the GDPR relate to transfers of data to third countries or international organisations; therefore these provisions shall not be relevant to the firm.