Grigor & Young LLP Privacy Notice
Grigor & Young LLP (“we”, “us”, “our”) respects your privacy and is committed to protecting your personal data. This Privacy Notice sets out the ways in which we collect, use and store your personal data. It also explains the legal rights you have in relation to your personal data.
Grigor & Young LLP is a limited liability partnership of Solicitors, registered in Scotland (No. SO306314), having its registered office at 1 North Street, Elgin, Moray IV30 1UA and places of business at that address and at 100 High Street, Forres, Moray IV36 1PD.
You can contact us at the above address, addressing any request to the Data Protection Officer. You can also contact us by email at firstname.lastname@example.org
Our commitment to you
We process your personal data in accordance with the overarching principles and requirements set out in the UK General Data Protection Regulation and the Data Protection Act 2018 (‘Data Protection Law’). What this means is that Grigor & Young processes your data in a way that is:
- Lawful, fair and transparent;
- Compatible with the purposes that we have told you about;
- Adequate and necessary, i.e. we only use the data we need to use for the reason we told you;
- Accurate and up to date;
- Not excessive, i.e. we only keep your data for as long as we need it; and
- Secure and protected.
Why we process your personal data
We are a full service law firm and we need to process personal data for a number of reasons to deliver legal services. This privacy notice explains how we process your personal data if you are a client or prospective client of the firm, a professional contact, a website or office visitor, or if you receive marketing materials from us. This privacy notice also applies if you are a non-client, whose personal data we capture in the course of our work, including but not limited to a client’s relative, the other side of the transaction, beneficiaries in executries, trustees, etc.
Ways we collect your personal data
There are a number of ways in which we may collect personal data about our clients, prospective clients, professional contacts, visitors and non-clients. These include:
- From you or your representatives directly where you contact us in writing, by e-mail, when you meet with our team in person or by video call, by telephone, or via our online portal, website or social media platforms. You may contact us to seek legal advice, to register to attend our events or subscribe to publications issued by us or to express an interest in working with us.
- For clients and non-clients, we may receive information about you from relatives, agents or third parties where you may be involved in a matter we are instructed in, for example as a beneficiary, trustee, buyer, seller, debtor, defender, pursuer, witness, employee or employer.
- Organisations with whom we have a professional relationship may share your information with us when they refer you to us. These organisations may be other professional advisers such as solicitors, accountants, financial advisers, insurance companies, or financial institutions.
- Your doctor or other health service providers.
- Online public sources or registers such as Companies House.
- Where you apply for a position with us, we may receive information about you from a recruitment agent, your current and/or former employers and/or referees.
- Providers of identity verification services and compliance services.
- CCTV operating in any of our office sites or buildings.
- The devices you use when you access our website and use our online chat service.
What personal data do we process?
|Client/Prospective Client Contact Personal Data
Email address (personal and/or business)
Your relationship to other persons
|Identity Verification Data
|Date of birth
Other identity evidence as required to meet our regulatory obligations.
|Special Category Data (race, ethnic origin, politics, religion, trade union membership, genetic, sex life, sexual orientation)
|This information is not routinely collected but may be needed for certain types of legal work (immigration, employment, family, litigation). We use this information in relation to our own employees to ensure meaningful equal opportunity monitoring and reporting.
|Health and Medical Data (also special category data)
|This information may be needed for certain types of legal work (personal injury claims, employment, immigration, matrimonial, eldercare, vulnerable clients (for those arranging powers of attorney) and other forms of dispute resolution). If you visit our offices, we may collect information about your health in order to make adjustments to support your visit.
|Biometric Data (also special category data)
|Facial similarity checks are run when completing your ID verification with our Due Diligence Supplier. The biometric technology compares an image of your face to the image on your ID document.
|Political Data (also special category data)
|Checks for political information about you are run when completing our due diligence.
|Criminal Convictions Data
|This type of personal information may be processed in relation to litigation cases, employment, matrimonial, and other cases. We also undertake criminal record checking as part of our recruitment processes. Checks for adverse information about you are run when completing our due diligence.
|Information about your financial affairs, assets and liabilities may be required if it is relevant to matters upon which you wish us to advise you or to enable us to comply with our regulatory obligations relating to anti-money laundering. Information about third parties’ financial affairs, assets and liabilities may be required if it is relevant to matters upon which you wish us to represent you.
|Our office locations may operate CCTV and, where they do, this is clearly signposted. If you visit our offices, your images may be captured on CCTV for security purposes.
|Video telecommunication and collaborative platform Data
|When invited to and participating in a virtual meeting, a webinar, a presentation or a collaboration on a channel, the following types of information may be recorded: your registration and participant information such as name, email address, company name and other contact/profile details; direct interactions generated in meetings such as audio, video, Q&A, chat messaging content, comments; indirect interactions such as your attendance status, download of our presentation material.
By default, virtual meetings between client and solicitor are not recorded but webinars are. When recording, not all virtual meetings enable participants to be viewed and heard. You will be told when invited, or at the very latest at the beginning of the video call, whether it is recorded and whether you’ll be heard and seen. You can ask us for more details about what information will be or has been captured, as it will vary from platform to platform.
|Call Recording Data
|If calling the following teams, your call may be recorded: Our Personal Injury team may record calls for training and quality monitoring purposes. Information about your contact details, identification details and health/medical data may be discussed. Our Estate Agency may record calls for training and quality monitoring purposes, including in case of complaints. Information about your contact details, identification details, financial data and property data may be discussed. Credit/debit card details will not be recorded.
|Personal Data within correspondence
|Copies of letters, e-mails received or sent by us, and information you have provided us in letters, e-mails, texts and audio recordings taken in relation to personal injury matters. We may also keep notes and records of matters we discuss or advise upon.
|In order to pay and transmit funds in the course of client transactions or collection of our own fees. We adhere to PCI-DSS standards and do not store credit or debit card details.
|Includes your communication preferences for receiving marketing from us.
|Personal data you provide when you make an enquiry to us via our website or via social media.
|Professional Adviser Personal Data
|Name Business Postal address Business Email address Business Phone Numbers Occupation Professional Credentials Information to verify identity
If you fail to provide personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may not be able to perform our obligations but we will notify you if this is the case at the time.
Why we use your personal data
We will use your personal data where it is necessary for us to:
- enter into and perform a contract with you;
- comply with our legal obligations; or
- fulfil our legitimate interests.
We may ask for your consent to process your personal data under certain circumstances and where we do we ensure that it is freely given, specific, informed and unambiguous. You may withdraw your consent at any time by emailing email@example.com.
Purposes of Processing
|Lawful Basis of Processing
|To communicate with our clients or their representatives regarding instructions, questions, concerns or complaints and to provide legal advice and other information.
|Performance of a Contract. Legitimate Interests – to contact you to respond to communications from you.
|Sharing information with other professionals (advocates, expert witnesses, accountants, medical professionals, other solicitors acting as local agents, insurers etc.)
|Performance of Contract – where necessary to ensure appropriate representation or information-gathering. Legitimate Interests – where appropriate to provide clients with the best service.
|To collect third-party information directly/indirectly from the third-party (i.e. non-clients) to assist with a client’s legal claim or proceedings
|Legitimate Interests – where the information is essential to provide clients with the best service; or Your consent – where the information is desirable to assist clients with a legal claim; or Your consent – where you disagree with our use of Legitimate Interests at the point we collect your information; or Legal obligation – to ensure our business is carried out in compliance with Anti Money Laundering and Terrorist Financing Regulations.
|To prevent financial crime – to comply with our legal obligations to prevent financial crime including the prevention of fraud and money laundering under the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017.
|Legal Obligation – to ensure our business is carried out in compliance with the law. Substantial Public Interest – processing that is necessary for preventing fraud and suspicion of terrorist financing or money laundering.
|Legal obligation – we are required to retain certain information about you to comply with legal requirements.
|If you are not a client of the firm but you complete the “make an enquiry” form or speak to us via “live chat” or contact us via social media, then we capture personal data that you supply, such as your name, address, business name, e-mail address, home telephone number and work telephone number. We will use this personal data to respond to your enquiry.
|Legitimate interests – it is necessary for us to process your personal data to respond to your request for information or assistance.
|To record calls with our clients in specific teams for the purpose of training and quality monitoring.
|Legitimate interests – it is necessary for us to ascertain or demonstrate the standards which ought to be achieved by our people when you call us, including where there is a complaint. Legal obligation
|Video telecommunication platforms: To liaise with registrants and enable them to join the video call. To evidence or accurately capture what was discussed in meetings or as a record keeping of legal work. To make available a record of the event to our attendees for interactive or informative purposes. To capture analytics and data insight from webinars in relation to registrants and attendees for business development opportunities.
|Legitimate interests – it is necessary for us to process your personal data in order for you to attend our video calls. Legitimate interests – it is necessary for some legal cases with complex elements to record a meeting. Legitimate interests – it is necessary to make some events available to our employees and attendees for informative or interactive reasons. Legitimate interests – it is necessary for the development of our service to measure our clients’ engagement in the context of our marketing activity. Consent – for non-clients signing up to webinars. You may withdraw your consent at any time by clicking here.
|Client Marketing – if you have engaged us to provide a legal service to you, we may use your personal data to send you information about our legal services that we feel may be of interest or benefit to you. In doing so we will add you to our marketing database and will send you marketing materials from time to time. We will also seek your feedback upon completion of the legal work we carry out for you to help us improve our services.
|Legitimate Interests. You have the right to object to use of your data for marketing at any time by clicking here.
|Non-Client Marketing – if you have consented to receiving marketing communications via our website or other communications, we may use your personal data for this purpose. In doing so we will add you to our marketing database and will send you marketing materials from time to time. Non-Client Business Marketing – to promote our business with business representatives unconnected with the Firm, by showing targeted ads online.
|Consent. You may withdraw your consent at any time by clicking here. Legitimate Interest. You have the right to object to use of your data for marketing at any time by clicking here.
|Events – if you sign up to attend one of our events at our offices or online, we will process personal data about you to register you for the event and we may contact you after the event to gather feedback from you.
|Legitimate Interest – it is necessary for us to process your personal data in order for you to attend our events as a guest and for us to evaluate our events.
|Online payments – we do not currently offer an online payment system though we have plans to introduce this. If you choose to use this system, once operational, to make debit or credit card payments to us, your card details will be handled exclusively by our payment provider. We already comply with the payment card industry data security standard (PCI-DSS) published by the PCI Security Standards Council, and will not store card details.
|Performance of Contract
|Debt Recovery – we may give your personal data to and receive personal information from third parties where necessary to recover debts due by you to us, for example sheriff officers.
|Legitimate Interests – we have a legitimate interest to pursue unpaid fees and charges.
|Legitimate Interests – functional cookies which are necessary for the operation of our website. Consent – cookies which track how you interact with our website.
|IT and Security – we may use personal data to administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) and to carry out system upgrade or system replacement.
|Legitimate Interests – to ensure our website is secure and functioning. Legitimate Interests – to ensure we use the most appropriate systems.
|Professional Services – if you provide professional services to the Firm, or to our clients on our behalf, we will process personal information about you in order to receive professional services from you.
|Performance of a Contract. Legitimate Interest – to develop our professional relationship with you.
Where we store your personal data and information security
We take appropriate technical and organisational measures to secure your personal information and protect it against unauthorised or unlawful processing as well as against its accidental loss or destruction or damage. Some of these measures include:
- Using secure cloud-based servers to store your personal data, based in the UK.
- Verifying the identity of individuals that access your personal data.
- Regular review of our Information Security Management System.
- Utilising a number of anti-virus and anti-malware systems at the gateway, on email and on endpoints to protect against cyber threats and encryption technologies to protect personal data where appropriate.
- We have deployed data loss prevention software from Egress to help detect and mitigate the risk of data loss.
- Restricting access only to those employees who need to know the information in order to deliver the service to you.
- Providing regular data protection and information security training to all our employees.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted.
Once we have received your personal data, we will use strict procedures and security features as outlined above to try to prevent unauthorised access to your personal data. As above, we cannot be held responsible for the security of your personal data collected by websites that our site may link to. Such third parties shall have their own privacy notices and you should read these carefully.
Sharing personal data
If we share personal information with external third parties, we shall keep this to a minimum and take reasonable steps to ensure that recipients shall only process the disclosed personal data for those purposes and in accordance with our instructions.
In the course of certain types of work, we may be required to share your personal data with advocates, other solicitors, expert witnesses and other professional persons who may be controllers of that data. We may also be required to instruct local agents to handle certain court-based activities from time to time for reasons of cost-effectiveness and efficiency.
We will not transfer your personal data to anyone else without your permission, except:
- Where we are obliged by law or regulatory obligations.
- Where we share your information with third party service providers.
- Where we share your information with third parties who provide essential services.
- Where some or all of our assets are purchased by a third party.
- Where we share your information with data controllers, when we are instructed as a data processor.
We will never sell your information or disclose it for direct marketing purposes.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes.
The types of organisations/groups that we may share personal data with are set out below:
- suppliers and service providers, such as call, video telecommunication and messaging platforms; cloud-based servers and systems for data storage, call recording, case management, secure file sharing, payment solutions, digital identity verification solutions; marketing services providers (i.e. Grigor & Young’s websites and consumer review services)
- financial organisations
- government departments
- the courts
- other professional advisers and consultants
- regulatory authorities
We do not transfer your personal data outside the United Kingdom unless we have appropriate safeguards in place to afford your personal data with an adequate level of protection.
When we use Zoom Video Conferencing, some personal data is transferred to the EEA and also to the US. When transferring personal data to the EEA countries, the appropriate safeguards we rely upon are covered by the UK Adequacy Regulations, which provide a similar protection to the UK data protection regime. When transferring personal data to Zoom in the US, the appropriate safeguards we rely upon when transferring personal data to them are Standard Contractual Clauses (‘SCCs’), which incorporate standard data protection clauses recognised by the UK data protection regime. For further details, see the global Zoom Data Processing Addendum at https://explore.zoom.us/docs/doc/Zoom_GLOBAL_DPA.pdf
Mergers and Acquisitions
If our firm enters into a joint venture with, acquires or merges with, another business entity, your information may be disclosed to us as the joint or new data controller. If this is the case, we will notify you within one month of receiving your personal data and explain who we are and what your rights are – such as your right to object to Grigor & Young processing your personal data. If we are using your personal data for a different or extended purpose from your previous firm, we will seek separate consent from you to do so.
Any retained personal data from your previous firm is administered by Grigor & Young until the end of the retention period, when it will be securely destroyed or deleted. We will also keep safe custody of the Wills or Title Deeds from those firms. Grigor & Young will assist with any Data Subject Rights requests for any legacy personal data, which you can direct to firstname.lastname@example.org.
How long we will keep your personal data for
We do not hold information for longer than is necessary. We have a Records Management and Retention Policy which sets out the periods and rules for retaining and reviewing all data that we hold. This sets out different retention periods depending upon the nature of the information. In some cases, the Law Society of Scotland, which regulates us, recommends minimum periods of record retention and we comply with those. This can be made available on request by contacting email@example.com
Changes in personal information
It is important that the personal data we hold about you is accurate and up-to-date. Please keep us informed if your personal information changes during your working relationship with us.
Questions and concerns
If you have any questions or concerns on how we collect, handle, store or secure your personal data, please contact our Data Protection Officer by email at firstname.lastname@example.org or by post to the Data Protection Officer, Grigor & Young LLP, 1 North Street, Elgin IV30 1UA.
You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you think we have infringed your rights. The ICO’s contact details are as follows:
Information Commissioner’s Office
Cheshire SK9 5AF
Telephone: 0303 123 1113
You have various rights under data protection law. As an individual you have the following rights:
| Right | Description |
| --- | --- |
| Right to be informed | This Privacy Notice provides you with details as to how we collect and use your personal data. |
| Right to access | You have a right to request access to the personal data we hold about you by making a “subject access request”. You will be provided with a copy of all personal information that we hold about you. There will be no charge for providing you with this information. |
| Right of rectification | You have a right to request that we correct or complete any inaccurate or incomplete personal data we hold about you. |
| Right of erasure | You have the right to ask us to delete your personal data where it is no longer necessary for us to use it, you have withdrawn consent, or where we have no lawful basis for retaining it. If we are required to keep your personal data to comply with our legal or regulatory obligations or legitimate interests in legal proceedings or claims, then we may have to decline your request. |
| Right to restrict processing | You have the right to request that we restrict the processing of your personal data that we hold about you for specific reasons. If we are required to keep your personal data to comply with our legitimate interests in legal proceedings or claims, or the protection of the rights of another person, or for an important public interest, then we may have to decline your request. |
| Right to data portability | You have a right to obtain and reuse the personal data that we hold about you for your own purposes in certain circumstances. |
| Right to object | You have a right to object to us processing your personal data. If we are required to keep your personal data to comply with our legitimate interests in legal proceedings or claims, or can demonstrate our compelling legitimate interests or our appropriate safeguards in place for the specific purpose of scientific, historic research or statistics necessary for the performance of a task carried out in the public interest, then we may have to decline your request. |
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time Limit to respond
We try to respond to all legitimate requests within one month from the date we receive them. Occasionally we may extend the time for response by up to two months if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Changes to our privacy notice
We may be required to update this Privacy Notice from time to time. The up-to-date version will always be on our website and we will communicate material updates to our clients from time to time. We will not process your personal data for purposes other than those set out in this document or which may be prejudicial to your interests without letting you know and giving you the opportunity to review and object to any such amended processing.
If you have any questions regarding this Privacy Notice, please contact our Data Protection Officer, Grigor & Young LLP, 1 North Street, Elgin IV30 1UA or by e-mail – email@example.com
If you apply for a position at Grigor & Young LLP advertised on this website, your curriculum vitae or other information you provide to us will be used solely for considering your application and for recruitment purposes.
In acknowledging an application, Grigor & Young LLP is not verifying the content, accepting the application or making any offer of employment or engagement. Grigor & Young LLP is not obliged to accept any applications.
Grigor & Young LLP is an equal opportunity employer (in accordance with applicable legislation) and does not discriminate on the grounds of gender, race, ethnic origin, age, religion, sexual orientation, disability or any other basis covered by local legislation. All employment-related decisions are made entirely on merit.
It is our policy to conduct pre-employment checks. Any offer of employment extended will be subject to completion of satisfactory checks in respect of previous employment, education, membership of relevant professional bodies, identity, right to work, criminal record and financial background. We reserve the right to make changes to the list of checks at any time without notice. It may be necessary to conduct repeat or follow-up pre-employment checks should employment commence 12 months or more after any original check.