2. Data Protection Officer
2.1. The firm’s Data Protection Officer (DPO) is Omar Sadique.
3. Links with other websites
4. Information collected and how we use it
4.1. When you access or sign up to any of the Firm’s services, including newsletters, bulletins, competitions, webinars, etc., we may collect and process personal information such as your name, address, telephone number, email address and other information relating to you.
4.2. We will ensure any use of personal data is justified using at least one of the conditions for processing and this will be specifically documented. All staff who are responsible for processing personal data will be aware of the conditions for processing. The conditions for processing will be available to data subjects in the form of a privacy notice.
4.3. We will process personal data in compliance with all six data protection principles.
4.4. We will document the additional justification for the processing of sensitive data, and will ensure any biometric and genetic data is considered sensitive.
4.5. The data that we collect is subject to Legitimate Interest or active consent by the data subject. This consent can be revoked at any time.
4.6. Any criminal record checks are justified by law. Criminal record checks cannot be undertaken based solely on the consent of the subject.
5. Data Portability (Subject Access Requests)
5.1. Upon request, a data subject will have the right to receive a copy of their data in a structured format. These requests will be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. A data subject may also request that their data be transferred directly to another system. This must be done free of charge.
5.2. Any Subject Access Request must be referred to the Data Protection Officer. He will then review where the data is held and comply with the request in a timely fashion.
6. Right to be Forgotten
6.1. A data subject may request a copy of any information that we hold on them and may also request that the data be deleted or removed; any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.
6.2. Any request to be forgotten must be referred to the Data Protection Officer. He will then review where the data is held and comply with the request in a timely fashion.
7. Privacy By Design and Default
7.1. Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. The DPO will be responsible for conducting Privacy Impact Assessments and ensuring that all IT projects commence with a privacy plan.
7.2. When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.
8. International Data Transfers
8.1. No data may be transferred outside of the EEA without first discussing it with the Data Protection Officer. Specific consent from the data subject must be obtained prior to transferring their data outside the EEA.
9. Data Audit and Register
9.1. Regular data audits to manage and mitigate risks will inform the data register. This contains information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.
10. Reporting Breaches
10.1. All members of staff have an obligation to report actual or potential data protection compliance failures to the Data Protection Officer.
10.2. He will then:
• Investigate the failure and take remedial steps if necessary
• Maintain a register of compliance failures
• Notify the Information Commissioner’s Office (ICO) of any compliance failures that are material either in their own right or as part of a pattern of failures
10.3. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the ICO, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the ICO is not made within 72 hours, it shall be accompanied by reasons for the delay.
11. Consequences of Failing to Comply
11.1. We take compliance with this policy very seriously. Failure to comply puts both you and the firm at risk.
11.2. The importance of this policy means that failure to comply with any requirement may lead to disciplinary action under our procedures which may result in dismissal. A solicitor in breach of Data Protection responsibility under the law or the Code of Conduct may be struck off.
11.3. If you have any questions or concerns about anything in this policy, do not hesitate to contact the DPO.
© Copyright 2019 Sadique & Uddin Solicitors Ltd. All rights reserved.