Our Privacy Notice describes the categories of personal data we process and for what purposes. We are committed to collecting and using such data fairly and in accordance with the requirements of applicable data protection legislation.
This Privacy Notice became effective on 02 November 2018 and was last updated on 13 February 2023.
1. Introduction
1.1 This Privacy Notice explains your privacy rights and how we gather, use and share your personal information. That includes the personal information we already hold about you now and the further personal information we might collect about you, either from you or from a third party. How we use your personal information will depend on the services we provide to you.
1.2 This Privacy Notice provides information about how we use your personal information and will update any previous information we have given you about using your personal information (also referred to as personal data).
1.3 We are the controller of your personal information under applicable data protection legislation, unless otherwise stated in this Privacy Notice or otherwise provided for in applicable data protection legislation.
1.4 If you have any queries regarding our use of your personal information, please contact us at [email protected] or by post at Data Protection Officer, Harper Macleod LLP, The Ca'd'oro, 45 Gordon Street, Glasgow, G1 3PE.
1.5 If your personal details change or if you change your mind about any of your marketing preferences, please contact us at [email protected], by post to Marketing Department, Harper Macleod LLP, The Ca'd'oro, 45 Gordon Street, Glasgow, G1 3PE, or through our client portal.
1.6 In this Privacy Notice, the terms "we", "us" and "our" refer to Harper Macleod LLP.
2. Your Privacy Rights
2.1 You can exercise any of your rights by contacting us at [email protected] or by post to Data Protection Officer, Harper Macleod LLP, The Ca'd'oro, 45 Gordon Street, Glasgow, G1 3PE.
2.2 Any requests received by Harper Macleod LLP will be considered under applicable data protection legislation. If you remain dissatisfied, you have a right to raise a complaint with the Information Commissioner's Office at ico.org.uk.
Right to be informed | This Privacy Notice informs you about the collection and use of your personal information. |
Right to access | You have a right to request access to the personal information that we hold about you by making a "subject access request". |
Right of rectification | If you believe that any of the personal information that we hold about you is inaccurate or incomplete, you have a right to request that we correct or complete that personal information. |
Right of erasure | If you wish us to delete the personal information that we hold about you, you may request that we do so in certain circumstances. |
Right to restrict processing | You have a right to request that we restrict the processing of the personal information that we hold about you for specific purposes. |
Right to object | You have a right to object to us processing your personal information in certain circumstances. |
Right to portability | You have a right to obtain and reuse the personal information that we hold about you for your own purposes in certain circumstances. |
Rights related to automated decision-making | Where we undertake any automated decision-making and profiling, you have certain rights in relation to such processing. |
3. The categories of personal information we use
3.1 Harper Macleod LLP is a full service law firm, and therefore we use a variety of personal information depending on the services we deliver.
3.2 In all cases, we need to use your name, address, date of birth, contact details and information to allow us to check your identity.
Contact and socio-demographic information | In all cases, we need to use your name and contact details, including your postal address, email address and phone number. We will use this data and your date of birth to allow us to check your identity to meet our legal obligations. We may also use your date of birth to allow us to determine how long we will retain historic wills. |
Race, ethnic origin, politics, religion, trade union membership, sex life, sexual orientation | These special categories of personal information may be required in employment cases, for example if you are raising a claim for discrimination or unfair dismissal. They may also be used in matrimonial cases (for example, divorce) and other forms of dispute resolution and litigation. |
Health and medical information | This personal information will be used in various cases, including personal injury cases, employment cases, matrimonial cases, cases where we are supporting individuals who have a vulnerability (for example arranging powers of attorney), other forms of dispute resolution. |
Criminal offence data | This personal information may be processed in relation to litigation cases, employment cases, matrimonial cases and other cases. This information may also be used in all cases in relation to due diligence required for fraud prevention, and/or anti-money laundering to meet our legal obligations. |
Information relating to financial status or position | Including salaries, pensions, dividends and other earnings, data used to make assessments of an individual’s ability to meet existing or potential financial obligations, information received from credit reference agencies, information about money an individual owes or could owe, information about an individual's assets. This personal information will be used in a wide range of legal matters including debt recovery, litigation, other forms of dispute resolution, matrimonial, employment, personal tax, trusts, wills, business creation/acquisition/disposal, property matters, lending, borrowing, other financing. |
Information relating to payment, credit and debits. | Funds received from or for an individual or made in relation to a client's matter (e.g. to pay for the legal service, to pay for outlays incurred by us on your behalf, to pay in settlement of a claim, property purchase/sale, other asset purchase/sale). We do not store credit or debit card details, but will use them to process payments in line with PCI-DSS standards. |
Personal information contained in communications with individuals across different channels. | Copies of letters received by or sent to us, information relating to emails received by or sent by us, file notes, other information or logs about when communication has taken place (rather than the content of that communication), and/or information you supply when contacting us through one of our websites. Audio recordings are made in relation to cases within our Personal Injury & Reparations department for training and to ensure and improve the quality of service delivery, and to resolve queries and issues. |
Social relationships | Personal information relating to an individual's family and social relationships including status of spouse/partnerships, wider family including parental and caring status may be used in range of types of cases. |
Open data and public records | Personal information relating to individuals that are, or can be, collected from public or open sources. These do not necessarily have to be collected from open data/public records, and may come from other sources (e.g. from you directly, or from your other advisors or solicitors on the other side of the transaction). This may include information about an individual's bankruptcy, information about a public office held by an individual, information about inhibitions, information about ownership of land held by the Land Register, Register of Inhibitions, Companies House, information from courts or tribunals, information from credit agencies to verify an individual's identity, information from Royal Mail and/or other data sources which we use to verify the accuracy of our client postal addresses. |
Consents | Personal information relating to permissions, consents or preferences given to us by individuals, including marketing permissions, contact permission, marketing preferences, mandates to contact employers, other solicitors, and/or GPs and other medical specialists. |
National Identifiers | Unique identifiers attributed to an individual from a government department, such as Tax ID, National Insurance Number, and/or passport number. This information may be used as part of our customer due diligence measures for identifying individuals to meet our legal obligations. The information may also be used in different types of cases including trusts, personal tax, and employment. |
Technical | When you visit our websites and use other systems, we may collect personal information to monitor usage. This could include your IP address, operating system and browser type. This will be used to improve our websites, systems, and for research into service delivery. If you use our e-signature system, our system provider will collect and provide us with your IP address and digital signature. We use CCTV on our premises to ensure the safety and security of our staff and customers. |
4. How we gather personal information
4.1 We are a full service law firm, engaged with a large number of stakeholders. We obtain personal information from a wide range of sources:
4.1.1 Directly from you or your representative, for example when you register for our client portal, submit details through our websites, sign up for estate agency mailing lists, sign up to an event or to receive marketing communications, complete a survey which we provide for research purposes, contact us in writing, by email, in person, by telephone, or by any other method. Click here to see our Recruitment Privacy Notice.
4.1.2 From information you or your representative have made publicly available.
4.1.3 From other people you know, including family members, and people you are financially linked to, and their representatives. This also includes organisations and individuals who are our clients in circumstances where you are party to, or otherwise involved in, a matter on which we are instructed, for example as a witness, beneficiary, guarantor, buyer, seller, debtor, defender, pursuer, employee, or employer.
4.1.4 From other organisations which have referred you to us, for example estate agents, accountants, financial advisers, other solicitors, insurance companies, banks.
4.1.5 From open data and public records, for example from various registers (Land Register, Register of Inhibitions, Companies House, OSCR, etc.), credit agencies and from Dow Jones to verify the identity of our clients and beneficial owners to assist us in complying with our legal obligations.
5. How we use your personal information
5.1 To respond and communicate
5.1.1 We use personal information to allow us to respond to you and communicate with you regarding your instructions, questions, comments, support needs, complaints or concerns.
5.2 Using client information
5.2.1 When you become our client, we will collect, store and use the personal information that you provide to us in your instructions and during the course of our solicitor/client relationship.
5.2.2 We need to collect personal information so that we can perform our obligations under our service agreement with clients. We will use such personal information to:
5.2.2.1 provide clients with legal advice, including communicating with them by email, letter and/or telephone, etc. in connection with the services that we provide;
5.2.2.2 represent clients as their solicitors in connection with such services;
5.2.2.3 provide clients with legal advice in respect of the matter(s) upon which we are instructed to provide advice; and/or
5.2.2.4 process and make payments in connection with such matter(s).
5.2.3 If clients do not provide us with all of the personal information that we need to collect in order to perform our obligations under our service agreement, then this may affect our ability to provide them with legal advice and/or represent them as their solicitors.
5.2.4 We may also process personal information for purposes relating to the provision of services we provide including updating, reviewing and enhancing client records and undertaking analysis for management purposes.
5.3 Business clients and other stakeholders
5.3.1 For business clients (including bodies corporate, public bodies and/or charities) and other stakeholders including suppliers, we will use personal information about key individuals in the business, so that we can operate and administer the services which we provide.
5.3.2 To comply with our legal obligations to prevent financial crime (see 5.4 below) we will complete due diligence steps by using personal information about key individuals who are either a sole trader of the business or are a proprietor, director, company secretary, shareholder, partner, member, committee/board member, trustee, charity trustee, controller, beneficial owner or authorised signatory to the account of the business.
5.4 To comply with our legal obligations to prevent financial crime
5.4.1 To comply with our legal obligations to prevent financial crime including money laundering under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, we will use personal data including name, address, date of birth, country of residence/citizenship, personal identification (which may include details of your passport, driving licence, or national identity card), information about your source of funds and / or source of wealth, information about any criminal convictions, information about roles held in public office, and information about your status as or your relationship and association with a politically exposed person.
5.4.2 We will give personal information to and receive personal information from third parties where that is necessary to meet our legal obligations, including credit reference agencies, fraud prevention agencies, the police and other law enforcement and government agencies, and regulators.
5.4.3 We will use the personal information described in 5.4.1 above in either or both of the following:
5.4.3.1 A system supplied by SmartSearch UK to verify the identity of individuals (against Experian and Equifax data sources) and to check if they are on a Financial Sanctions watch list or if they are a politically exposed person or a relative or close associate of a politically exposed person (from Dow Jones data sources). This does not affect individual's credit history or rating.
5.4.3.2 A system supplied by Amiqus Resolution Ltd (“Amiqus”) to verify the identity of individuals (against data sources accessed by Amiqus) and to check credit ratings and / or if they are on a Financial Sanctions watch list and / or if they are a politically exposed person or a relative or close associate of a politically exposed person. This does not affect an individual's credit history or rating but such details may be used by Amiqus and / or the operators of such data sources to assist other companies for verification purposes.
5.5 To comply with regulatory obligations
5.5.1 We may provide our regulators and statutory organisations, including the Law Society of Scotland and Scottish Legal Complaints Commission with your personal information where required to do so.
5.6 Other parties
5.6.1 We will process personal information of individuals who are not our client, but have a relationship with our client as described in 4.1.3 above.
5.6.2 We will obtain such personal information from the sources described in 4 above, which will include the same categories of information described in 3 above.
5.6.3 We will use this information to comply with our duty as a legal adviser to our client, which is a regulatory requirement on us as a firm of solicitors regulated by the Law Society of Scotland. We may have a duty to disclose information to our client where relevant to their case (for example information about earnings in a divorce matter).
5.7 Financial management and debt recovery
5.7.1 We may give personal information to and receive personal information from third parties where that is necessary to recover debts due by you to us, for example, credit reference agencies and sheriff officer or bailiff services.
5.8 To market services to you
5.8.1 Where we have collected your personal information from you directly, an event or the website of your business, we collect, store and process your name; business address; email address and your image if contained in photographs from our events and seminars. If you attend one of our events, we may share your name and organisation details to other attendees either prior to or following the event, unless you ask us not to.
5.8.2 Where we wish to publish a photograph of you with other personal information online, including on social media, this may be accessed outside of the EU and we may seek to obtain your consent if we consider it to be necessary.
5.8.3 We process your personal information for marketing purposes to update you from time to time on topical Scots Law developments, which we believe will be of interest to you; invite you to relevant events and seminars; and grow our business through the publication of promotional material for our events, seminars and services in hard copy, online and on social media.
5.8.4 We may send you communications and/or invitations; ask you for your feedback on our events so that we can seek to improve; and grow our business by using your image and/or name in any promotional material that we publish.
5.9 Automated decision making and profiling
5.9.1 We do not use personal information to make decisions solely by automated means without any human involvement.
5.9.2 As described in 5.4.3 above, we use systems to evaluate individuals to assist us in complying with our legal obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.
5.10 Online Activity
5.10.1 Our websites may, from time to time, contain links to and from other websites operated by third parties. These are provided for your information and convenience only. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal information to these websites.
5.10.2 We may collect information about your computer, including where available your IP address, operating system and browser type, for system and business administration and for usage monitoring.
5.10.3 Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. Most browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit the official cookies website (allaboutcookies.org).
5.10.4 Click here to see details of cookies we use from third parties.
5.11 Other uses of your personal information
5.11.1 We may ask you if we can process your personal information for additional purposes. For example, when you connect your phone or other device to our guest Wi Fi.
5.11.2 Where we do so, we will provide you with an additional privacy notice with information on how we will use your personal information for these additional purposes.
5.12 COVID-19 UPDATE
5.12.1 As a result of the worldwide Coronavirus pandemic, we may need to record information regarding whether you have Covid-19, have any symptoms of Covid-19, have been in recent contact with anyone who has tested positive or is displaying symptoms of Covid-19 or have been advised to shield. This is to ensure safety of our colleagues in relation to meetings or sharing facilities.
5.12.2 If we do need to process additional health information, this will be for reasons of public interest in the area of public health, including protecting against serious cross-border threats to health, where we have a legal duty of confidentiality to our clients, or where you are not a client, with your explicit consent (if required).
6. Our legal basis for using your personal information
6.1 We only use your personal information where that is permitted by the applicable data protection legislation. We only use personal information where:
6.1.1 we have your consent (if consent is needed);
6.1.2 we need to use the information to comply with our legal obligations, including our regulatory obligations as solicitors;
6.1.3 we need to use the information to perform a contract with you, including taking steps to enter into a contract with you;
6.1.4 we need to use the information to exercise official authority or perform a specific task in the public interest that is set out in law; and/or
6.1.5 it is fair to use the personal information either in our interests or someone else's interests, where there is no disadvantage to you – this can include the provision of legal services; protection of the confidentiality, availability and integrity of our systems; managing and developing our business relationships; where it is in our interests to promote our services by sending clients communications with information for upcoming events and legal updates; inviting clients as guests to our events.
6.2 Where we use personal information under 6.1.5 above, you may contact us at [email protected] to opt out of receiving communications or select the types of communications that you would like to receive or update your preferences through our client portal or otherwise exercise your right to object by contacting us at [email protected].
6.3 Where we have your consent, you have the right to withdraw it at any time.
6.4 We may also process special categories of personal data, such as health data or data about criminal convictions and will only process such data where we have a legal basis under 6.1 above and a special condition applies under applicable data protection legislation.
7. Sharing personal information
7.1 Where necessary for the purposes of managing our working relationship with our clients or to represent our clients as their legal agents, we may share personal data with our clients where you are providing information in respect of client matters.
7.2 We may be required to share personal information with statutory or regulatory authorities and organisations to comply with statutory obligations imposed both upon us and upon you in respect of the matter(s) upon which we advise. Such organisations include the Law Society of Scotland, Department of Work & Pensions, HMRC, Scottish and UK courts, Registers of Scotland and / or local authorities.
7.3 We may also share personal data with our or your other professional advisors for the purposes of taking advice and the event of any legal claims.
7.4 Where we employ third party suppliers to provide services on our behalf, including mailroom, archiving, event organisation and reception services, these suppliers may process personal data on our behalf as "processors" and are subject to written contractual conditions to only process that personal data under our instructions and protect it.
7.5 We may be required to share personal information with other organisations, which during the course of our providing services on a matter may be contracted to supply a service related to such matter, which we are not in a position to provide. Depending on the nature of your instruction to us, this may include sheriff officers, property search companies, Companies House, expert witnesses, translators, local agents, accountants and / or auditors.
7.6 In the event that we do share personal information with external third parties, we will only share such personal data strictly required for the specific purposes and take reasonable steps to ensure that recipients shall only process the disclosed personal data in accordance with those purposes.
8. Storing personal information
8.1 We will protect your personal information in order to prevent unauthorised access to, or use or disclosure of, your personal information through a number of organisational and technical security measures. Your personal information is stored on our systems to which access is both physically and electronically controlled. We have been assessed and certified as meeting the requirements of ISO/IEC 27001:2013.
8.2 For the purposes of IT hosting and maintenance, the personal information we hold is located on servers within the European Economic Area, unless specified below. Where the personal data is not located in the European Economic Area, Harper Macleod LLP will have a contract in place with its processor which incorporates the European Commission's standard contractual clauses, which help to protect personal data when it leaves the European Economic Area:
8.2.1 We use MailChimp, a US-hosted third party provider, to send out some of our marketing email communications. For further information, please read MailChimp's privacy policy and MailChimp's standard terms of use.
8.2.2 We use Hubspot, a US-hosted third party provider, to collect and manage enquiries made through our website. For further information, please see Hubspot's privacy policy.
8.2.3 We use Bevy, as US-hosted third party provider, to allow clients, guests and staff to sign up to and participate in virtual conference and community events. For further information, please see Bevy’s privacy policy.
8.3 Our staff receive data protection training and we have detailed data protection and information security procedures in place.
9. How long do we keep your personal information for
9.1 We will retain your personal information for as long as is required to comply with our obligations set out above, unless you ask us to return any copies of it to you or send it to a third party.
9.2 We have a data retention policy that sets out the periods and rules for retaining and reviewing all information that we hold. This sets out different retention periods, which depend upon the nature of the information, and you can request details by contacting us at [email protected].
9.3 When Wills are returned to a client or transferred to another solicitor under mandate, a scanned copy of the Will is retained for one year after return or transfer. The copy will be used only to reconstitute the Will if required and will be deleted from HM systems after one year.