Privacy Notice

Wallace LLP (hereinafter referred to as “Wallace”, we”, “us”, “our”) is committed to protecting and respecting your privacy and complying with the applicable data protection legislation, including the Data Protection Act 2018 and the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (“UK GDPR”) (together “Data Protection Legislation”).

For the purposes of the UK GDPR:

  1. Wallace is a data controller. Wallace is a limited liability partnership incorporated and registered in England and Wales under company number OC305907 with its registered office at 27 Mortimer Street, London, England, W1T 3JF.  We are authorised and regulated by the Solicitors Regulation Authority (SRA) under SRA number 401300 and registered with the Information Commissioner’s Office under registration number Z8936233;

  2. a data subject is a person who can be identified directly or indirectly from personal data;

  3. personal data means any information that relates to and identifies a data subject.

This Privacy Notice sets out how and why Wallace collects, stores and uses personal data and confirms the principal lawful bases for our processing of personal data pertaining to data subjects.

Should you have any questions in relation this Privacy Notice or our processing of personal data, please contact our data privacy manager, Alexander Egerton, Partner and Head of Commercial, IP and Technology, at alexander.egerton@wallace.co.uk.

WALLACE’S PROCESSING OF PERSONAL DATA

As a commercial law firm, the majority of our clients are corporations or commercial entities (Corporations) rather than individuals. The personal data we collect when acting for Corporations is limited and relates to the officers, shareholders, members, or other employees acting on behalf of the Corporation (together “Officers”). Corporations might also provide us with personal data related to certain individuals involved in the matter (e.g. personal information about an individual leaseholder when acting for the freeholder of a block of flats) (together “Counterparties”). When we are acting for private individuals (“Individuals”), the collection and processing of the personal data, depending on the matter, might be more extensive.

In this privacy policy, a reference to:

  1. you” or “your” is either a reference to Individuals, Officers and/or Counterparties, as applicable.

  2. Client” is a reference to a Corporation or Individual, as applicable.

PERSONAL DATA WE WILL COLLECT ABOUT YOU

The personal data we collect about you depends on the matter in which you or the Corporation with which you are involved are seeking our advice or representation on. It may include:

  • first and last names, date of birth (if you instruct us to incorporate a company or LLP then this may extend to other identifying information such as your parents’ (maiden) name, town of birth etc) (“Identity Data”);

  • contact details such; as postal and email addresses and mobile phone number (“Contact Data”);

  • information to enable us to check and verify your identity and address such as; a copy passport or driving licence, a copy bank statement or utility bill, and financial details so far as relevant to your instructions (e.g. the source of your funds and source of wealth if you (whether personally or via a Corporation) are instructing us on a transactional matter) and to enable us to undertake a credit or other financial checks (“Compliance Data”);

  • financial details in relation to payments made from and to you or the Corporation (“Transaction Data”);

  • personal information relating to the matter in which you are seeking our advice or representation, such as; employment status, employment records and further details including salary and benefits if you instruct us on a matter related to your employment or data regarding racial or ethnic origin, gender and sexual orientation, religious or similar beliefs etc. if you instruct us on a discrimination claim (“Case Data”).

HOW PERSONAL DATA IS COLLECTED

We collect the majority of personal data directly from the Client. This is typically collected via email, written correspondence, video call or a call. We may also collect or receive personal data from:

  • publicly accessible sources (e.g. Companies House or HM Land Registry);

  • third party service providers (e.g. sanctions or anti-money-laundering screening providers, credit rating agencies or client due diligence service providers);

  • a particular third party with your prior consent (e.g. your employer or your bank); and

  • as part of a disclosure exercise in the course of litigation.

ANTI-MONEY LAUNDERING INFORMATION

In the United Kingdom there are laws and regulations designed to combat money laundering. Broadly, money laundering can arise if a person acquires, retains, transfers, uses or controls the proceeds of crime. It is closely associated with the crime of terrorist financing and references to money laundering include terrorist financing.

In order to fulfil our obligations, we are required to verify the identity of new Clients and, in certain circumstances, existing Clients. In addition, our internal requirements may, from time to time, require that we conduct background checks on new or existing Clients. These may necessitate procedures to verify the identity and good standing of our Clients, Officers or a Corporation’s current or proposed shareholders, beneficial owners or management. This may include evidence of source of funds or source of wealth, at the outset of and possibly, from time to time, throughout our relationship with the Client. The sources for such verification may comprise documentation which we request from the Client or prospective Client, third party sources or through the use of online sources.

In some circumstances we may decline to, or may not be permitted to, proceed to act until such procedures have been completed. In other circumstances we may agree to commence acting whilst these procedures are carried out. We reserve the right to decline to act or, if appropriate, cease to act should these procedures not be completed to our satisfaction. We may also be required to make detailed enquiries about any unusual transactions such as the transfer of large amounts of cash.

Where we instruct counsel or other professionals on behalf of the Client they may request us to that we provide them with copies of evidence of identity of the Client in question or their representatives which we have obtained from you or from other sources. We will be entitled to send such copies to them if we so decide, unless you specifically advise us not to do so.

IF YOU CHOOSE NOT TO PROVIDE US WITH PERSONAL DATA

If you refuse or fail to provide us with personal data we have requested., we will not be able to provide our services to the Client. To illustrate:

  • Compliance Data and Identity Data are necessary for us to conduct the mandatory Anti-Money-Laundering and Know-Your-Customer checks;

  • Transaction Data and Case Data are necessary for us to represent the Client.

COOKIES

Our website does use cookies but the information collected through these cookies is not personal data.

HOW WE USE YOUR PERSONAL DATA

Under Data Protection Legislation, we can only use your personal data if we have a proper reason for doing so, such as:

  1. to comply with our legal and regulatory obligations;

  2. for the performance of our contract with you or to take steps at your request before entering into a contract;

  3. for our legitimate interests or those of a third party. A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests; or

  4. where you have given consent.

The table below explains how we use personal data, what data subjects and categories are concerned and the reason/lawful basis for doing so.

PURPOSE

DATA SUBJECTS

DATA CATEGORY

LAWFUL BASIS

Conducting identity and address checks

  • Officers
  • Individuals
  • Identity Data
  • Contact Data
  • Compliance Data

Compliance with legal and regulatory obligations

Preventing money laundering or terrorist financing (e.g. screening for financial and other sanctions embargos)

  • Officers
  • Individuals
  • Identity Data
  • Contact Data
  • Compliance Data

Compliance with legal and regulatory obligations

Providing legal services to our clients, including case management, document management, time recording systems

  • Individuals
  • Counterparties
  • Officers

Depending on the instructions/matter:

  • Identity Data
  • Contact Data
  • Case Data
  • Transaction Data

Performance of a contract – if our client is an Individual

Legitimate interest – if our client is a Corporation

Providing you with updates on legal developments that might be of interest to you, event invites etc (“Marketing”)

  • Officers
  • Individuals
  • Identity Data
  • Contact Data

Legitimate interest (promoting our business to existing clients)


OPTING OUT OF MARKETING

You can ask us to stop sending you Marketing at any time by contacting our data privacy manager Alexander Egerton by email (see above). If you opt out of receiving Marketing, you will still receive service-related communications that are essential for the provision of our legal services.

DISCLOSURE OF YOUR PERSONAL DATA

Wallace may share personal data with:

  • professional advisers who we instruct on your behalf or refer you to, such as barristers, accountants, tax advisors, expert witnesses or other experts;

  • third parties where necessary to carry out your instructions, such as Companies House or HM Land Registry;

  • third party service providers like sanctions or anti-money-laundering screening providers, credit rating agencies or client due diligence service providers where necessary to comply with our legal and regulatory obligations;

  • our insurers and brokers;

  • our auditors;

  • our banks;

  • counterparties, their professional advisors and courts/tribunals in contentious matters (including litigation and alternative dispute resolution).

Please Note:

  • If we sell all or part of our business (i.e. we are acquired by or merge with a third party) then the personal data we hold about you may be one of the transferred assets. Your file may also be reviewed in a due diligence exercise relating to the sale or transfer of all or part of our business, the acquisition of another business by us or the acquisition of new businesses. You may let us know if you do not wish your file to be used in this way.

  • We may also disclose your personal data if we are under a duty to disclose your personal data in order to comply with any legal obligation, to enforce our engagement letter and other agreements or to protect the rights, property or safety of our partners, staff or others.

INTERNATIONAL TRANSFERS

To deliver services to you, it is sometimes necessary for us to share your personal data with your and our service providers located outside the EEA.

Other than the above, we do not transfer personal data to a country outside the UK unless we are explicitly instructed by the Client to do so, such as when instructing foreign counsel on their behalf.  Where the recipient country is deemed inadequate (article 45), the provisions of article 49 (1) (a) will govern this transfer of personal data.

DATA SECURITY

We have put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, accessed, altered or disclosed in an unauthorised way. In addition, we ensure that all personnel who have access to and/or process your personal data are obliged to keep the personal data confidential.

DATA RETENTION

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected and have received it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

YOUR LEGAL RIGHTS

You have a number of rights under Data Protection Legislation in relation to your personal data. These are to:

  1. Request access to your personal data (commonly known as a "subject access request"). This enables you to receive a copy of the personal data we hold about you.

  2. Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

  3. Request erasure of your personal data in certain circumstances (“right to be forgotten”). This enables you to ask us to delete or remove personal data in certain situations, such as when there is no good reason for us continuing to process it. However, please note that we may not always be able to comply with your erasure request for specific legal reasons which will be notified to you at the time of your request (if applicable).

  4. Object to processing of your personal data where we are relying on a legitimate interest as the lawful basis for a particular use of your personal data. In some cases, we may demonstrate that we have lawful grounds to process your information which override your right to object. However, you do have the absolute right to object any time to the processing of your personal data for direct marketing purposes (see OPTING OUT OF MARKETING above).

  5. Request the transfer of your personal data to you or to a third party (“data portability”). We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used and machine-readable format. However, please note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

  6. Withdraw consent at any time where we are relying on consent to process your personal data (see the table above for details of when we rely on your consent as the legal basis for using your data). However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

  7. Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in certain scenarios (e.g. If you contest the accuracy of the personal data we hold).

If you wish to exercise any of the rights set out above, please:

  • contact our data privacy manager Alexander Egerton by email (see above);

  • inform us of what personal data you require and why (this allows us to more quickly action your request and does not compromise your statutory rights); and

  • provide us with proof of identity and address.

Please note that we may refuse to:

  1. provide all or some of the requested information and, depending on the circumstances,

  2. comply at all if the request is manifestly unfounded or manifestly excessive.

You will not have to pay a fee to exercise any of these rights. However, we may charge a reasonable fee if your request is manifestly unfounded or excessive or you request further copies.

We try to respond to all legitimate requests within one month. If your request is particularly complex or you have made a number of requests, it could take us longer than a month. In such cases, we will notify you and keep you updated.

COMPLAINTS

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). However, we would appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

CHANGES TO THIS PRIVACY NOTICE

We may revise this Privacy Notice from time to time and publish the latest version on our website. The Privacy Notice does not form a contract between an individual and Wallace.