This privacy notice (together with our Terms and Conditions and any other documents referred to therein) aims to give you information on how Davidson-Smith & Co. collects and processes your personal data through your use of this website.
Davidson-Smith & Co. is the controller and responsible for your personal data. The appointed Data Protection Manager is:-
Name: Michelle Davidson-Smith
Address: 1, Rush Court, Bedford, MK40 3JT
Tele: 01234 351971
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
The Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR) govern the use of personal information by businesses and other organisations. This legislation seeks to regulate how personal information is used and requires that use to comply with its principles or rules of good information handling. The UK GDPR applies to personal information. Appropriate security measures must be taken against unlawful or unauthorised processing of personal data and against accidental loss of, or damage to, personal data. These include both technical measures, e.g. data encryption and the regular backing-up of data files, and organisational measures, e.g. staff data protection training.
UK GDPR states that when the firm holds information about identifiable people (known as “data subjects”) this gives rise to obligations under the UK GDPR and applies whether such information is held in electronic form or in a paper filing system.
Data Subjects have rights if the firm holds information about them. These include the right to be informed what the firm holds, the right to have errors corrected and the right to have data deleted if the firm has no justification for holding it. The firm may be liable in various ways if it fails to hold data appropriately. This may include liability in damages for negligence and breach of confidentiality or even criminal liability. The firm may also be subject to professional sanctions for breach of the SRA Code of Conduct.
1.2 Data protection principles
In processing personal data we must be able to demonstrate that we comply with the “data protection principles”. These require that personal data must be:
- processed lawfully, fairly and in a transparent manner
- collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes
- adequate, relevant and limited to what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- kept with appropriate security
1.3 Grounds for Processing Personal Data
The firm will only process personal data if we have a legitimate justification for doing so. Often the justification will be the consent of the person concerned. But note that in the case of someone under the age of 16 they cannot give that consent themselves and instead consent is required from a parent, or other person holding ‘parental responsibility’.
Otherwise we may be entitled to proceed without consent on a number of grounds. Those which most often apply are the following:
- It is necessary for the performance of a contract to which the person concerned is a party.
- It is necessary for compliance with a legal obligation.
- It is necessary to protect someone’s vital interests.
- It is necessary for our legitimate interests or those of a third party, except where such interests are overridden by the interests or rights of the person concerned.
1.4 Sensitive Personal Data
Sensitive personal data (referred to in the UK GDPR as “special categories of personal data”) can only be processed under strict conditions. Sensitive personal data includes information about someone’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life and sexual orientation, genetic data and biometric data. The usual grounds which entitle the firm to process such sensitive data are the following.
- Explicit consent of the data subject.
- It is necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent.
- Data manifestly made public by the data subject.
- It is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity.