Privacy Policy

PRIVACY NOTICE

1 Introduction
1.1 This privacy notice gives you information on how WJM collects and processes personal data. It is important you read this privacy notice together with any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements other notices and privacy policies and is not intended to override them.
1.2 “We” and “WJM” refers to Wright Johnston & Mackenzie LLP, its subsidiaries and other partnerships, corporations undertakings and entities which are authorised to practice using the name WJM and/or Wright, Johnston & Mackenzie.
1.3 WJM is a data controller within the meaning of the GDPR and we process personal data. The firm’s contact details are as follows: 319 St Vincent Street, Glasgow G2 5RZ. Tel. 0141 248 3434 Fax. 0141 221 1226. Data Protection Officer (‘DPO’): Billy Kemmett (dpo@wjm.co.uk).
1.4 We may amend this privacy notice from time to time. If we do so, we will supply you with and/or otherwise make available to you a copy of the amended privacy notice.

2 What personal information do we collect about you?
2.1 We will collect personal information in the course of our business, including through your use of our website, when you engage our legal or other services, and when you request information from us or contact us.
2.2 The personal information we process includes:
2.2.1 Basic information: such as your name, prefix/ title, the entity you work for, your position and your relationship to a person.
2.2.2 Banking and financial information: such as payment information, or to establish the source of funds where a transaction is involved and ensure we have the correct details.
2.2.3 Business information: such as data identifying you in relation to matters on which you instruct us or in which you are involved, or otherwise generated or provided to us in the course of providing services to our clients – which may include special categories of data.
2.2.4 Contact details: such as postal address, email address and phone numbers.
2.2.5 Events data: such as information in relation to attendance for fire regulations/security purposes, access and dietary requirements, feedback forms etc.
2.2.6 Information from public and directory type sources: such as information from Companies House, Registers of Scotland, the Land Registry, LinkedIn and other similar professional networks directories or internet publications.
2.2.7 Information in connection with investigations or proceedings: where this is relevant to our services.
2.2.8 Logon IDs and passwords: for access to any WJM client services or other platforms online (such as the Hub or our dataroom).
2.2.9 Photographic identification and other background identification information: to allow us to carry out due diligence, comply with our matter opening procedures or comply with anti-money laundering regulations.
2.2.10 Social media: such as likes, posts, tweets and other interactions with us online.
2.2.11 Subscription information: such as when you subscribe to our legal briefings, updates or newsletters, and any consent preferences in relation to areas/services/sectors of interest.
2.2.12 Supplier information: such as contact and other information relating to services provided to WJM.
2.2.13 Technical and online information: such as information from your visits to our website (including IP address, browser type and version, time zone setting, browser plug-in types and versions, operating system, device type, hardware model), unique identifiers and mobile information, or applications or in relation to materials and communications sent to you electronically (such as whether you click on certain links or open our emails) and interaction information (e.g. scrolling, clicks) Please see our cookies policy for further details.

3 How is your personal data collected?
3.1 We collect personal information from and about you using different methods, for example:
3.1.1 Direct interactions: when you provide us with information or interact directly with us such as by engaging with our staff in any way (including during our business relationship with you, during the provision of legal services to you or where you are involved in a legal matter), when you attend meetings or events hosted by us, or when you sign up or register with us or our website for one of our services such as the Hub or dataroom)
3.1.2 Automated technologies or interactions: if you interact with our website or other electronic communications such as emails we may issue to you, we may automatically collect internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website about your equipment, browsing actions and patterns. We collect this data by using cookies, server logs and other similar technologies. Please see our cookie policy for further details. Where both we and you agree to use third party communications providers (such as conference call providers), they may automatically collect information such as call recordings.
3.1.3 Third parties or publicly available sources: we obtain information from public registries, directories and publications, in addition to information from third parties such as other parties involved in any legal proceedings (including other solicitors, other professional services firms (e.g. accountants and tax specialists), credit reference agencies, government agencies and analytics providers such as Google (based outwith the EU).

4 The purposes for which we intend to process personal data
4.1 We intend to process personal data for the following purposes:
4.1.1 To enable us to supply and improve our professional services to our clients (including handling the personal information of others on behalf of our clients).
4.1.2 To better understand you and your needs, and to determine how these may best be met.
4.1.3 To provide information requested by you.
4.1.4 To manage our relationship with you and any legal matter in which you may be involved.
4.1.5 To maintain and manage our client files, internal administrative records, business records about services, payments and business contacts and keep WJM’s records up to date (e.g. automated processing and profiling may be used to process any payments by you and to carry out credit checks whether by WJM or third parties such as credit reference agencies and payment service providers).
4.1.6 To fulfil our obligations under relevant laws in force from time to time (including but not limited to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (“MLR 2017”)).
4.1.7 To verify identity and establish the source of funding in any transaction.
4.1.8 To comply with professional, regulatory, ethical or risk management obligations to which we or our staff are subject as solicitors or other regulated professionals, including establishing, exercising or defending legal claims.
4.1.9 To seek advice from third parties in connection with your matter such as Counsel or solicitor advocates.
4.1.10 To use in the investigation, process and/or defence of potential or actual complaints, disciplinary proceedings and legal proceedings.
4.1.11 To enable us to invoice you for our services and investigate/address any attendant queries or disputes that may have arisen.
4.1.12 To market and promote our services, including sending legal updates, publications and details of events.
4.1.13 To contact you about other services we provide which may be of interest to you if you have consented to us doing so.
4.1.14 To provide you with legal updates which we believe are relevant to you and/or your business.
4.1.15 To provide and improve our website and other technology services, including auditing and monitoring its use (e.g. automated processing and profiling may be used in relation to the assessment of technical and online information).
4.1.16 For the purposes of recruitment.
4.1.17 For statistical and research purposes so we can analyse figures to help us manage our business, plan for the future and review or develop the service we offer (again automated processing and profiling may be used to fulfil these legitimate interests).

5 The legal bases for our intended processing of personal data
5.1 Our intended processing of personal data will have at least one of the following legal bases:
5.1.1 At the time you instructed us to act, you gave consent to our processing your personal data for the purposes listed above.
5.1.2 The processing is necessary for the performance of a contract with you (such as to provide legal or other services).
5.1.3 The processing is necessary for compliance with legal and regulatory obligations;
5.1.4 The processing is necessary for the purposes of our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests:
5.1.4.1 the proper delivery of professional services to our clients;
5.1.4.2 managing our business and relationship with you or your company or organisation;
5.1.4.3 understanding and responding to client demands, enquires, requests and feedback;
5.1.4.4 improving our service;
5.1.4.5 the discharge of legal, professional, regulatory or ethical obligations to which we or our staff are subject as solicitors or other regulated professionals;
5.1.4.6 the investigation, process and/or defence of potential or actual complaints, disciplinary proceedings and legal proceedings;
5.1.4.7 the proper processing of financial transactions for the purposes of our business including credit control and debt recovery;
5.1.4.8 to enforce our terms of business and contracts;
5.1.4.9 to manage our supply chain;
5.1.4.10 to ensure our systems and premises are secure;
5.1.4.11 sharing data in connection with any acquisition or transfer of part of our business or re-organisation; and
5.1.4.12 the marketing and promotion of our business services (including the use of suppression lists to exclude you from any direct marketing should you unsubscribe).
5.2 It is a requirement of our contract with you that you provide us with the personal data that we request. If you do not provide the information that we request, we may not be able to provide professional services to you or may inadvertently give you incorrect advice. In any such case, we may not be able to commence acting or may need to cease to act.

6 Marketing and withdrawing consent.
6.1 Where you have given consent. If you agree, Wright, Johnston and Mackenzie LLP may, but without being bound to, inform you (by post, telephone, e-mail, SMS text or otherwise) about such of our services as we believe may be of interest to you.
6.2 Where there is no consent in relation to marketing. Marketing will not happen if you have not given or give but later withdraw your consent (you can contact us at any time to withdraw your consent). Wright, Johnston & Mackenzie LLP do however, reserve the right to contact you by post, telephone, email, SMS text or by other means in connection with any services we are contracted to provide to you.

7 How we use sensitive personal data
7.1 “Special categories” of personal data (also known as sensitive personal data) include personal information in relation to religious/philosophical beliefs, political opinion, gender or sexual orientation, genetics, identifying biometrics, health, racial or ethnic origin. We may process special categories of personal data where:
7.1.1 we have your explicit consent;
7.1.2 processing is necessary to protect the vital interests of an individual or of another natural person, such as where the individual is physically or legally incapable of giving consent;
7.1.3 processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
7.1.4 processing is needed for reasons of public interest, such as for equal opportunities monitoring or in relation to any employee pension scheme;
7.1.5 processing relates to data which are manifestly made public by the individual data subject; or
7.1.6 such processing is otherwise permitted by applicable law.

8 Persons/organisations to whom we may give personal data
8.1 We may need to share your personal data with some third parties in order to comply with our legal obligations, including our legal obligations to you, and where we have a legitimate interest in doing so and in the course of providing our services.
8.2 The following list includes (but is not limited to) recipients that we may share your personal data with:
8.2.1 our subsidiaries, to provide you with certain of our legal or other services;
8.2.2 courts, tribunals, other dispute resolution bodies or other competent authorities in accordance with our services, legal or regulatory requirements or good practice;
8.2.3 Government bodies (such as HMRC, Registers of Scotland or the Land Registry);
8.2.4 any third parties with whom you require or permit us to correspond;
8.2.5 third parties in relation to legal services being provided to you (for example Companies House, Sheriff Officers, Messengers-at-Arms, or High Court Enforcement Officers)
8.2.6 third parties who help facilitate hosting or events to which you have been invited and indicated you wish to attend;
8.2.7 third parties in relation to any acquisition or transfer of any part of our business or any reorganisation of it;
8.2.8 IT subcontractors and suppliers who provide us with their services, screening service providers (so as to comply with anti-money laundering obligations and checks in relation to sanctions), any outsourced business support, marketing and advertising agencies;
8.2.9 an alternate appointed by you in the event of incapacity or death;
8.2.10 our insurers, professional indemnity insurers, auditors, banks and others who provide services to us;
8.2.11 other professional advisors or agents instructed on your behalf, or in relation to the legal matter in which you may be involved (such as solicitors, accountants, tax advisors, Counsel and solicitor advocates, foreign law firms and barristers);
8.2.12 solicitors and other professionals or agents acting for their clients on the other side of a transaction or dispute concerning you;
8.2.13 regulatory bodies (e.g. The Law Society of Scotland, The Solicitors Regulation Authority, Information Commissioner’s Office (“ICO”), the Office of Professional Body Anti-Money Laundering Supervisors (OPBAS) in relation to practice assurance and/or the requirements of MLR 2017 (or any similar legislation)’;
8.2.14 the police and law enforcement agencies.

8.3 Occasionally we are required to disclose your information to comply with legal or regulatory requirements,.
8.4 All third party service providers are required to take appropriate measures to protect your personal information.
8.5 If you ask us not to share your personal data with such third parties we may need to cease to act.

9 Transfers of personal data outside the EU
Where your data is processed outside of the EEA, we will ensure that your personal data is protected with appropriate safeguards and that we comply with the conditions for transfer as set out in applicable legislation.

10 Retention of personal data
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Details of retention periods for different types personal data are contained in our data retention policy which is available on request from our DPO. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data, whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer a client of WJM we may retain and/or securely destroy your personal data in accordance with our data retention policy and our retention and disposal schedule.

11 Your duty to inform us of changes
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

12 Your rights in connection with personal data
12.1 Under certain circumstances, by law you have the right to:

12.1.1 Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
12.1.2 Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
12.1.3 Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing.
12.1.4 Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
12.1.5 Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
12.1.6 Request the transfer of your personal data to another party.

12.2 If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact our DPO in writing.

13 No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

14 What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

15 Withdrawal of consent
15.1 Where you have consented to our processing of your personal data, you have the right to withdraw that consent at any time. Please inform us immediately if you wish to withdraw your consent.

15.2 Please note:
15.2.1 the withdrawal of consent does not affect the lawfulness of earlier processing;
15.2.2 if you withdraw your consent, we may not be able to continue to provide services to you;
15.2.3 even if you withdraw your consent, it may remain lawful for us to process your data on another legal basis (e.g. because we have a legal obligation to continue to process your data).

16 Data protection officer (DPO)
We have appointed a DPO to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal data, please contact the Data Protection Officer.

17 Changes to this privacy notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.

18 Complaints
18.1 If you have requested details of the information we hold about you and you are not happy with our response, or you think we have not complied with applicable data protection legislation in some other way, you can complain to us.

18.2 Please send any complaints to The DPO, 319 St Vincent Street, Glasgow G2 5RZ or alternatively email us at dpo@wjm.co.uk. If you are not happy with our response, you also have the right to lodge a complaint with the ICO (www.ico.org.uk).