Privacy Notice to Client Firms and Individual Customers
Effective 31st December 2020 – V5 – 1st July 2024
Cpm21 (21st Century Professional Management) is a Trading Name of PXJ Consulting Ltd
Valley View
38 Lletty Dafydd,
Clyne
SA11 4BG
Telephone No: 01443 742895
E-Mail Address: paul.jones@cpm21.co.uk
UK Data Privacy/Data Protection Law changed significantly on 25th May 2018.
The General Data Protection Regulation (or GDPR for short) was a positive step towards individuals having more control over how their data is used and how they are contacted.
From 11pm on 31st December 2020, EU GDPR no longer applies to personal data held or processed within the UK. Instead, “UK GDPR” applies to such data. The provisions of UK GDPR are essentially the same as EU GDPR and therefore the following rights continue to apply.
We use Stripe for payment, analytics and other business services. Stripe collects and processes personal data, including identifying information about the devices that connect to its services. Stripe uses this information to operate and improve the services it provides to us, including for fraud detection and prevention. You can learn more about Stripe and its processing activities via its privacy policy at: https://stripe.com/privacy
Individuals have the right under the UK GDPR:
The changes will also help to better protect Personal Data. We have therefore updated our privacy notice to reflect these changes.
When providing consultancy support and guidance we usually enter into a contract with a “client firm” (e.g. solicitors or other professional services firms) and will provide services under the current version of cpm21 Terms and Conditions of Business in force at that time. Our updated Terms and Conditions of Business now address our obligations as “data processors” under GDPR in line with ICO guidance. We rely on the client firm to obtain any necessary consents from staff, clients etc when sharing their personal data with us or our Associates.
When we receive data from an “individual customer” we will hold and process it as a Data Controller e.g. where an individual books onto a training course. Please note that if a firm books a course on behalf of an individual then their name and details will be shared with the firm e.g. the delegate’s name will appear on our invoice.
We will only use personal data to help us provide an excellent service.
We will respect the privacy of individuals and client firms and work hard to ensure we meet strict regulatory requirements.
We will not sell personal data to third parties.
We will hold and process data on the lawful bases of contract (with an individual customer), legal obligation and legitimate interest.
Where the client firm or their staff or third parties provide us with sensitive or special category data we will rely on the client firm to obtain the necessary explicit consents e.g. in relation to medical data or diversity data.
We will provide individuals with easy ways to manage and review their marketing choices if they receive direct marketing communications from us. Please note that our CPD/CPC course sign-in sheets currently invite delegates to share personal data and ask whether you wish to OPT-IN to future marketing and updates. However, since 25th May 2018 we have generally no longer used sign-in sheets for either in-house or external courses. For in-house courses, it is for the hosting firm to arrange its own record of attendees. We also generally no longer issue training certificates. For Legal Aid Supervision Courses, however, we continue to invite delegates to sign in and issue training certificates to those who sign in and successfully complete the course. We have minimised the personal data we collect on these forms, but delegates should be aware that their personal data may be seen by other delegates.
Please note that when a delegate is booked on a course, we will record their details and the details of their firm on a current Course Booking Register.
As we work principally in the legal sector, and are Law Society Approved LEXCEL consultants, confidentiality is already part of the fabric and culture of our company to keep your information private and secure.
We would ask you to help us keep your data secure by carefully following any guidance and instructions we give e.g. by password protecting any documentation you send to us electronically such as an Excel or Word document.
Lawful Bases for Processing your Data
The law states that we may use personal information only if we have a proper and lawful reason to do so. This includes sharing it with others outside the company, e.g. an auditor of a relevant Quality Standard, the Law Society, and our Associate Consultants, Tutors and Administrators.
The GDPR says we must have one or more of these reasons:
A legitimate interest is when we have a business or commercial reason to use your information.
Here is a list of the ways that we may use your personal data, and which of the reasons we rely on to do so.
| Use of your Personal Data | Our reason/justification for processing | Legitimate Business Interest |
| --- | --- | --- |
| Opening, progressing, closing, archiving and storing a client firm folder; updating our Course Booking Registers | Contract; Legitimate Interest; Legal Obligation | Fulfilling a client firm’s instructions and providing services and training to individual customers; complying with regulations and the law |
| Direct marketing to you | Legitimate Interest | Keeping our records and database up-to-date, working out which of our products and services may interest you and telling you about them; providing news articles and information on changes in the law and regulation and inviting you to contact us for support |
| Making and managing payments; managing fees and charges; collecting and recovering money that is owed to us | Contract; Legitimate Interest; Legal Obligation | Keeping our accounts systems up-to-date; effective and efficient management of a sustainable business |
| Managing risk for us and our client firms; complying with laws and regulations that apply to us; responding to complaints and seeking to resolve them | Contract; Legitimate Interest; Legal Obligation | Complying with regulations that apply to us; being efficient about how we fulfil our legal and contractual duties |
| Running our business in an efficient and proper way, including managing our financial stability, business capability, planning, communications, corporate governance and audit | Legitimate Interest; Legal Obligation | Complying with regulations that apply to us; being effective and efficient about how we run our business; allowing Associate Consultants, Tutors, Administrators and Auditors to inspect a client firm’s client files and other personal data, e.g. staff records such as appraisals |
| Exercising our rights and complying with obligations set out in agreements or contracts | Legitimate Interest; Legal Obligation | Complying with contractual requirements, e.g. our obligations as Law Society Approved LEXCEL Consultants |
Types of Personal Data we process
Type of Personal Information | Description |
--- | --- |
Financial | Your Bank account details and your financial status and information |
Contact Information | How to contact you |
Socio-Demographic | This includes details about your work or profession, nationality etc. |
Transactional | Details about payments to and from your bank accounts |
Contractual | Details about the products or services we provide to you |
Behavioural | Details about how you use our services |
Communications | What we learn about you from letters, emails, and conversations between us |
Social Relationships | Family friends and other relationship e.g. via Facebook, Linked-in etc. |
Open Data and Public Records | Details about you that are in public records such as the Law Society and SRA records. |
Documentary Data | Details about you that are stored in documents in different formats, or copies of them. This could include things like Annual Accounts, Audit Reports, Management and Accounts Reports etc. |
Special types of data | The law and other regulations treat some types of personal information as a special category. We will only collect and use these types of data if the law allows or requires us to do so: racial or ethnic origin; religious or philosophical beliefs; trade union membership; genetic and biometric data; health data including gender; criminal convictions and offences |
Consents | Any permissions, consents or preferences that you give us. This includes things like how you want us to contact you. |
National Identifier | A number or code given to you by a government department to identify you, such as a National Insurance Number |
Legal Aid Application and Bill | Information required to submit an application for public funding and to claim fees under any legal aid certificate |
HR Records | Curricula Vitae, Staff Lists, Performance Appraisals, Induction and Recruitment Records |
File Review Records | Information on the performance of a fee earner/caseworker and details of the client’s case or matter |
Sources of Data
We collect personal data from various sources:
Data | Source | Purpose |
--- | --- | --- |
Data you give us when you instruct us to advise/support/train you | Client Firm/Individual Customer | To enable us to decide whether to accept your instructions and assist you |
Data you give us by letter/phone/email and other documents | Client Firm/Individual Customer | To enable us to decide whether to accept your instructions and assist you |
Data you give us when you visit our website, via a messaging service or social media | You | To enable us to deal with your query or request and to contact you if appropriate |
Data given to us during interviews/meetings etc. | Client Firm/Client Firm Staff Member/Individual Customer | To enable us to assist you or a member of your firm |
Data you give us in client surveys | Client Firm/Individual Customer | To enable us to improve our services and respond to any expressions of dissatisfaction |
Data provided to us by referrers and introducers | Referrers | To enable us to contact you |
Audit preparation and audit report documents | Audit Body or Auditor | To enable us to assist and support you |
Public Bodies | Law Society / SRA | To enable us to assist and support you |
The Legal Aid Agency Reports e.g. Peer Review | You/Your Firm | To enable us to assist and support you |
Who we share your Data with
We may share your personal data with (and sub-contract processing of that data to):
Automated Decision-Making
We do not use automated decision-making systems.
Personal Data we use
We will typically use the following types of personal data:
Sending Data outside the European Economic Area (EEA) and the UK
We store the bulk of your documents and information on Dropbox for Business, which holds that data outside the EEA and the UK, namely in the USA.
In July 2016 the European Commission issued its formal decision that the EU-US Privacy Shield provided adequate protection to allow personal data to be transferred to the United States. However, this no longer provides adequate protection following the Schrems II judgment of 16 July 2020, which ruled that the Privacy Shield was not a valid safeguard under EU GDPR and Data Protection rules. We anticipate that the same applies for the time being under UK GDPR.
We therefore have a Data Processing Agreement with Dropbox which incorporates the EU Standard Contractual Clauses required by EU GDPR. These will be reviewed and updated as UK GDPR develops, but for the time being should satisfy UK GDPR.
Likewise, we use several packages within Microsoft (Office) 365 (such as Word and Excel) to process data and, where possible, password protect individual documents. Microsoft has also incorporated the EU Standard Contractual Clauses within its privacy agreements.
Following a risk assessment, we are in direct contact with Intuit QuickBooks, which we use to process accounts data and which also stores data in the USA, to ensure that it has similar safeguards in place.
Refusal by you or a member of your firm to provide Personal Data requested
If you or they refuse to provide the information requested, this may cause delay and we may be unable to continue to assist and support you as requested.
Marketing Information
We may from time to time send you letters or emails about changes in the law/regulations and make suggestions about actions that you might consider taking in the light of that information e.g. updating your policies and procedures. We will send you this marketing information either because you have consented to receive it or because we have a “legitimate interest”.
You have the right to object and to ask us to stop sending you marketing information by contacting us at any time. You can of course change your mind and ask us to send the information again.
How long we keep your personal information
We are legally obliged to keep certain information, e.g. accounts data, for at least 6 years. We typically store your documents for 18 months from when we last assisted you.
We will keep your name and personal contact details on our database until you tell us that you would like them to be removed.
How to get a copy of your Personal Information
If you wish to access your personal data, then write to:
Mr Paul Jones
Data Protection Manager
Cpm21 (21st Century Professional Management)
Valley View
38 Lletty Park,
Clyne
SA11 4BG
Telling us if your Personal Information is incorrect (The right to rectification)
If you think any information we have about you is incomplete or wrong, then you have the right to ask us to correct it. Please contact us as above.
Other Rights
As mentioned above you also have other rights, namely
You have the right to ask us to delete (erase) your data, or to stop using it, if there is no longer any need for us to keep it (unless we are required to retain it, e.g. under a legal obligation).
In terms of data portability, if your file is in electronic format we will take reasonable steps to export the file to a “portable format” where possible.
Consent
GDPR in some cases requires us to obtain your explicit consent, i.e. where the data concerns:
(a) The racial or ethnic origin of the data subject,
(b) Their political opinions,
(c) Their religious beliefs or other beliefs of a similar nature,
(d) Their membership of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
(e) Their physical or mental health or condition,
(f) Their sexual life,
(g) The commission or alleged commission by them of any offence, or
(h) Any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.
Where assisting and supporting a client firm involves us processing such data we will seek confirmation from the firm that they have the explicit consent of the individual. If we are dealing with the personal data of an individual customer e.g. when we plan to obtain their medical records, we will ask for explicit consent.
The individual has the right to withdraw their consent by contacting us as stated above.
How to Complain
If you are unhappy about how we are using your Personal Data then you can complain to us using the contact information above.
You also have the right to complain to the Information Commissioner’s Office (ICO). Further details on how to raise a concern with the ICO can be found on the ICO’s website: https://ico.org.uk/concerns
Cookies
Our current Cookie Policy can be found here.
Updating this Notice
We will, from time to time, update this Privacy Notice to reflect emerging guidance from the ICO and the Article 29 Working Party (now the European Data Protection Board), the requirements of the Data Protection Act 2018 and any other relevant changes in the law or regulations. We will also seek to learn from any published cases of Data Protection breaches.