Who we are
Shulmans LLP (Shulmans/the firm) is a full service law firm based in Leeds. We are registered at Companies House with Company No. OC348166. We are regulated by the Solicitors Regulation Authority (SRA) with Registration No. 533273. Our address is 10 Wellington Place, Leeds LS1 4AP.
We have chosen to appoint a Data Protection Officer – this is Mel Bulmer, who is our Head of Operational Excellence. For any data protection queries Mel can be contacted by email (email@example.com), by phone (+44 (0)113 245 2833), or by writing to the above address.
Working with us
Shulmans will collect information about you as our client when we are providing legal services. We will treat any information given to us in line with our obligations under data protection regulation, including the provisions of Regulation (EU) 2016/679 (the General Data Protection Regulation or GDPR) and the Data Protection Act 2018, and will work on the basis that any information you have provided to us has been provided to us lawfully. We will collect different types of information about you for different reasons, as described below.
Information collected by us
Shulmans may collect the following personal information that you provide to us:
- Your name, date of birth and contact details (including your address, email and phone numbers);
- Information about you such as your personal circumstances, lifestyle and employment;
- Identification documents such as driving licence, passport, photo ID, utility statements and bank statements;
- Details of goods and services relevant to your matter that may include personal information;
- Any personal details included in the matter you are instructing us on;
- Personal information relating to any companies or ventures involved in a matter, such as staff and directors' details;
- Financial information about you such as your employment status, position and remuneration packages and bank details, especially in the case of engagements involving a transfer of assets, employment-related matters and investment-related matters;
- Information about your family or next of kin that you give to us in relation to your matter or to our engagement with you at Shulmans;
- Information about your personal circumstances and financial statuses relating to any debt-related matters;
- Details of your bank and mortgage arrangements that may be provided to us by your mortgage provider;
- Information about any legal agreements you have entered into that may involve you and other individuals also included in the agreement;
- Details of any care arrangements in place for you;
- Personal information held in any wills, deeds or trust arrangements, and details of nominated officers including trustee details and beneficiary details;
- Information recorded on phone calls to specific business units (we will tell you when calls are being recorded);
- Information relating to events, such as any dietary requirements;
- CCTV images and signatures.
You may also give us information that is classified under special categories of data as detailed in GDPR:
- Health information, including accessibility information;
- Racial or ethnic origin;
- Political opinions;
- Religious, philosophical or other beliefs;
- Trade union membership;
- Sex life or sexual orientation.
More information on special categories of data can be found on the ICO's website here.
Information collected from other sources
We may also collect the same categories of information from third parties. The third parties that may provide us with personal information and the other sources we may gather your information from are:
- Witnesses and information contained in witness statements and other court documents;
- Other professional advisors you have a relationship with such as financial advisers, mortgage advisers, accountants, debt advisers and debt advisory services;
- The Court of Protection and Office of the Public Guardian;
- Your family, friends, colleagues and other members of the public;
- Suppliers of goods and services;
- Government bodies, including the courts;
- Information you make public on professional networking sites;
- Public records and official documents;
- Information provided by your bank, mortgage adviser or property agent.
In some areas of the work we do we will routinely be given information as a data processor that relates to you as an individual. In QCAS (our conveyancing division), we may be given information about your property sale, purchase or remortgage by your lender. In debt recovery we will be given information about a debt you may owe to our client that we have been instructed to investigate and recover.
Even if we have not had direct contact with you and are processing data given to us by a third party, the contents of this privacy notice will still be in effect. Shulmans looks after all personal data in the same way, regardless of where it has come from.
How we use your personal information
We use your personal information for the following purposes:
- To provide you with legal services;
- To comply with our legal responsibilities to the SRA, HMRC, the Court of Protection and any other relevant official bodies;
- To manage any queries or complaints you have about the services you receive;
- To recruit partners and other colleagues at Shulmans;
- To engage with service and goods providers;
- To train and develop our colleagues and partners;
- To monitor the quality of service we deliver to you, and ensure it meets your expectations;
- To comply with legal obligations to act in the public interest and uphold the rule of law;
- To host seminars and events that you are attending;
- To promote the services we offer and the people at Shulmans;
- To introduce you to other professional service providers that can meet your needs;
- To invite you to networking events and hospitality events that we think are relevant to you;
- To protect our colleagues, visitors and offices, and to detect and report crime at our offices.
Working at Shulmans
- We may collect personal information that relates to applications for a role at Shulmans. Personal information may be given to us by you or third parties relating to an application for a role or opportunity at Shulmans, such as your C.V., answers to any tests or assessments, education, training, employment history and personal information given in interviews and meetings we may have with you. We may collect this information from you directly, from recruiters, individuals that have introduced you to us and from public professional networking and job advertising websites. We may share this information with recruiters you are working with.
- We will process your application with your consent. If you choose to withdraw your consent then please be aware that we will not be able to process your application and in this case will only keep information that we are required to keep by law or to defend a legal claim. If you are successful in your application to Shulmans, we will keep some of this information on your personnel file using a different legal basis.
- To withdraw consent please contact our HR team at firstname.lastname@example.org.
- We will keep any information relating to an application process for a period of 12 months after the relevant position opening has been closed.
Whether information has to be provided by you, and why
Sometimes you may need to give us personal information, such as your personal details and financial information, so that we can carry out our statutory obligations under anti-money laundering and prevention of terrorist financing regulations, SRA regulations, HMRC requirements, Land Registry requirements and requirements of other official and government bodies. In cases where you do not provide this information if needed, we may not be able to complete or undertake an engagement.
Legal reasons we collect and use your personal information
GDPR requires us to have a legal basis (a reason that is acceptable in law) to process your data. We rely on a different legal basis depending on the data we are processing and the reason we are processing it. We rely on the following legal bases in these circumstances:
Consent is where you give us permission to use your data for a certain purpose. If you have given us consent to use your data in a certain way, and we have no other legal basis for doing so, we will rely on your consent. There is more information below on your rights regarding consent. The activities where we rely on your consent are:
- We may send newsletters, sector-briefing emails, articles and invitations to events using consent. We will gather your consent by you signing up to our newsletters online, or by verbally giving consent to one of our colleagues, most commonly given during or at the end of a matter, or at networking and hospitality events. We will always give you an option to opt-out of future communications.
- If you are giving us any special categories of data, we may need your explicit consent to process it when performing our services. We will let you know if this happens and explain it to you.
- If we are relying on your explicit consent for other types of processing (such as transfer of data outside of the EEA in certain circumstances), then you can contact us using any of the details below (Get in touch) to withdraw consent.
- You always have the right to withdraw your consent at any time. If consent relates to electronic communications (such as a newsletter or invitations to events) then we will always give you an option to opt-out of future communications. You can also email the Business Development team at Shulmans at email@example.com to opt-out of future communications.
- If you have given us your information by post or email and we are processing it with your consent, then you can contact us using any of the details below ('Get in touch') to withdraw consent.
Shulmans is a professional regulated firm and is bound by regulations specific to a solicitors practice and by general regulations applicable to all UK businesses. Parts of these regulations require us to process your data. The activities where we have a legal obligation to process data are:
- Processing information about you for Anti-money Laundering purposes and to stop terrorist financing;
- Running conflict of interest checks when starting to work with clients;
- Complying with our obligations to the SRA, which include the commitment to maintain a high level of service quality, including activities such as file audits, safeguarding the interests of our clients, and compliance with the SRA's handbook;
- Complying with obligations to HMRC regarding record keeping of our financial activities, including information relating to transactions, billing and payments;
- Adhering to instructions from courts and other government bodies;
- Adhering to instructions from data controllers given to us when we are contracted as a data processor in relation to processing personal data;
- Investigating, managing and resolving any expression of dissatisfaction that relates to any of the regulated activity we carry out, or relevant to any regulations we are bound by;
- Keeping adequate records of our work with you to satisfy the insurance cover we need to have in place by law, and to defend Shulmans in the unlikely event of a legal claim being brought against us;
- Acting as a trustee to act in the interests of beneficiaries.
Performance of a Legal Contract
We will process information that relates to the services we are providing you with, or receiving from you, that we are bound to process by our engagement with you (legal contract). The areas where we are processing data to enter into, or fulfil a legal contract are:
- Providing legal services to you, or discussing our services with you to enter into an engagement. We will process any information relating to your matter under this legal basis. We may also be processing personal data given to us by a client of ours to fulfil a contract with them, even though the personal data is not the clients personal data but that of related parties such as family, next of kin or staff details at a related company;
- When working with you in partnership to deliver services we may process personal information, such as information in agreements and on invoices, required to fulfil our obligations under those contracts.
Tasks carried out in the Public Interest
There may be some cases when we have a legal obligation to act in the public interest in relation to the detection and reporting of suspected crime. We can't rely on your consent and may not be able to tell you when we are processing your information in this way so as not to prejudice those purposes.
We rely on legitimate interest to:
- invite you to certain events, such as networking events or hospitality events. Our legitimate interest is to share our expertise and industry awareness for the benefit of our clients and professional contacts, and to develop the Shulmans' professional network. We will use this legal basis when inviting members of our professional network (individuals at organisations that we regularly work or collaborate with) and corporate clients (individuals at organisations we work with) that we have an ongoing instruction with;
- keep you informed of developments in relevant legal sectors and at the firm. Our legitimate interest is to promote the growth and success of the firm, keep clients and contacts up to date with the firm's developments and to support our clients in their relevant sector. We will use this legal basis when inviting members of our professional network (individuals at organisations that we regularly work or collaborate with) and corporate clients (individuals at businesses we work with) that we have an ongoing instruction with;
- carry out debt recovery services. Our legitimate interest is the provision of services to our clients;
- evaluate matters relating to Court of Protection work before an appointment is made by a court. When appointed by the Court of Protection to become a deputy we will be processing data relying on our legal obligations to the court and the client. Our legitimate interest in these cases is to enter into Court of Protection work;
- collect information and use CCTV at our premises. Our legitimate interest is the safeguarding of our offices, protection of our colleagues and the detection and reporting of crime.
Who will we share your personal information with?
We have relationships with a number of third parties that we routinely share information with in order to:
- perform the services you have instructed us on by sharing data with expert consultants, counsel and advisors as required to undertake your matter;
- manage the day-to-day operations of the firm and gain advice from legal, financial and other professional advisers;
- carry out audit and quality control of work in line with the SRA requirements for good firm management, and the requirements of Lexcel, by engaging with 3rd party auditors and consultants;
- operate the infrastructure of the firm by engaging with software and service providers used to undertake your matter including: case management providers; time recording providers; document storage providers; file sharing providers and conferencing providers;
- host events which may require us to share data with venues;
- engage with storage and archiving providers to ensure your information is protected securely and backed up.
Any partners, suppliers or third parties we share data with will be bound by strict agreements that meet the requirements of GDPR, and will be monitored for performance with those agreements.
We will share personal information with official bodies if required by law including the SRA, ICO, the police, law enforcement and intelligence agencies.
Transfer of your information outside the European Economic Area (EEA)
It may be necessary to transfer your personal information outside the EEA or to an international organisation in order to undertake your matter. We do not routinely transfer data outside of the EEA, and when we do we will notify you of the reasons, the legal basis for doing so, any relevant risk assessments that we want to make you aware of, and the appropriate safeguards in place to protect your rights and freedoms.
If you would like any further information on transfers outside of the EEA, or if you think that, as part of your matter, you will want us to transfer your data outside of the EEA, then please contact the person at Shulmans that you are working with (see 'Get in touch').
How long will we store your personal data for?
We will only keep your information for as long as necessary to complete the purposes we have described above. We use the following retention periods and review these periodically to make sure we are only keeping what we need (If information can be kept for two different periods, we will keep it for the longer of those two periods):
- Matter information – we will keep information about you and any information relating to your matter for a period of seven years after the matter has ended or one year after any relevant limitation period, whichever is longer. This is to comply with our requirements to our insurance provider to have records available in case we need to defend a legal claim, and to comply with SRA obligations regarding record keeping;
- Identification and Due Diligence – we will keep information that we need to complete anti-money laundering and due diligence checks for a period of five years from the end of the last matter we worked on for you; this is in order to comply with our anti-money laundering obligations. If you continue to work with us, we will update this information at least every three years;
- Financial Transactions – we will keep information about you and any financial transactions, including fees paid and payments for services, for a period of seven years, in order to comply with HMRC requirements to keep accurate records that can be audited;
- Contact information used for marketing purposes - with your consent and/or to pursue a legitimate interest will be retained for 30 days once you have withdrawn your consent.
Information that we delete may be kept in an encrypted, secure and 'beyond reach' backup for a period of six years after deletion. We need to maintain backups of our systems to comply with Article 32 of GDPR.
Under GDPR, you have a number of important rights that you can exercise free of charge. In summary, these rights are:
- The right to transparency over how we use your personal data, and the right to the fair processing of your information (which includes the right to be given the information in this notice);
- The right to access to your personal information and other supplementary information;
- The right to require us to correct any mistakes or complete missing information we hold on you;
- The right to require us to erase your personal information in certain circumstances;
- The right to receive a copy of the personal information you have provided to us or have this information be sent to a third party, such information to be provided to you or the third party in a structured, commonly used and machine-readable format;
- The right to object at any time to processing of your personal information for direct marketing;
- The right to object in certain other situations to the continued processing of your personal information;
- The right to restrict our processing of your personal information in certain circumstances;
- The right to request not to be subjected to automated decision making which produces legal effects that concern you or affect you in a significant way.
If you want more information about your rights under GDPR, please see the guidance from the Information Commissioners Office on Individual's rights under the GDPR.
If you want to exercise any of these rights, please:
- Email, call or write to our data protection officer (see 'Get in touch' below);
- When doing so please provide us with the information we need to identify you such as your name, address, email address and matter reference. We may need to contact you to request:
- further information to verify your identity;
- proof of your identity and address;
- details of the right or rights that you wish to exercise;
We will respond to you no later than one month from when we receive your request. If we are processing significant amounts of data for you, or numerous categories of data, we may ask you to define the categories of data to which you are exercising your rights.
What to do if you are not happy
Shulmans strives to provide clients with the very best service in all areas, including data governance. However, if something goes wrong or you are dissatisfied with anything relating to the data Shulmans is processing you should tell us immediately.
To make a complaint, please write to our data protection officer who can be contacted by email (firstname.lastname@example.org), by phone (+44 (0)113 245 2833), or by writing to her at Shulmans LLP, 10 Wellington Place, Leeds LS1 4AP.
GDPR also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where the alleged infringement of data protection laws occurred. The UK supervisory authority is the Information Commissioner's Office who can be contacted at https://ico.org.uk/concerns/.
Shulmans is a modern law firm and has invested significantly in processes, systems and controls to safeguard your data. We keep your information secure through:
- training all our colleagues and partners on the importance of information security and the processes we have in place;
- review by external advisers who help us to understand and manage emerging threats to information;
- policies and procedures that are enforced across all of Shulmans;
- security functions in systems;
- audits and checks on the performance of controls;
- risk management processes that identify and mitigate risks and threats to your information;
- encrypted backups taken periodically to make sure data is always available;
- encryption on devices that hold data;
- password policies for any systems that hold data;
- administrative control and oversight of any systems or networks that hold data.
We do not intend to process your personal information for any reason other than stated within this privacy notice. If this changes, we will update this privacy notice on our website and in any documentation we send you, or we will tell you by email when we start processing your data in a new way.
Changes to this privacy notice
This privacy notice was published in May 2018. It is due for review no later than May 2019. We constantly review our internal privacy practices and may change this policy from time to time. When we do we will inform you by updating our website and telling you in any documentation or messages we send you.
Get in touch
If you have any questions about this privacy notice or the information we hold about you, please contact us:
By post: Data Protection Officer, Shulmans LLP, 10 Wellington Place, Leeds LS1 4AP.
By email: email@example.com
By phone: +44 (0)113 245 2833
If it would be helpful to have this notice provided in another format (for example: in another language, audio, braille) please contact us (see 'Get in touch' above).
24 May 2018
We also have a Complaints Policy in place.