BTO Solicitors LLP (“BTO”) is a Scottish law firm. We provide legal advice and services to individual and corporate clients and this privacy notice sets out how we process personal data in order to provide those services.
As a law firm, much of the personal data that we process is subject to an obligation we have to our clients to maintain confidentiality in relation to that information. This means that we will often be exempt from the obligation to provide fair processing information to the data subjects whose personal data is contained in the information.
This does not apply to the personal data of our individual clients, and other third parties who we use to assist us to provide legal services. This notice is to provide fair processing information when the processing we carry out is not subject to an obligation of confidentiality.
This privacy notice will also provide details about the rights that individuals have in relation to the personal data that BTO holds about them.
Who are we?
BTO is a data controller where we determine how we collect the data and why. We can be contacted in relation to the data that we process about you using the following details:
Address: Data Protection Manager, 48 St Vincent Street, Glasgow G2 5HS
Email: gdpr@bto.co.uk
Tel: 0141 221 8012
BTO’s data protection officer is RGDP LLP.
Address: One Edinburgh Quay, 133 Fountainbridge, Edinburgh EH3 9QG
Email: info@rgdp.co.uk
Tel: 0131 222 3239
We may need to amend this Privacy Notice and we will notify you of any significant changes that we make.
What personal data do we process?
As a full service law firm, BTO will have to collect, store, use and transfer information including personal data and, sometimes, special category data.
We have divided this up into different departments so that you can check the section that is relevant to you.
Legal Services
Anti-money laundering obligations
We store copies of identification documents in order to comply with our legal obligations as part of a regulated profession. We will store these in a secure part of our IT system. We use a third party, CallML, to check the identity of the individuals we require to carry out checks on. The documentation will be stored for five years once the transaction has been completed and then they will be disposed of securely.
The provision of legal services
In general we will rely on the following legal bases to process the personal data where that is necessary to provide legal services:
- For individual clients, to provide you with legal service under the contract we have with you or in order to take steps to ensure into such a contract (contract);
- To comply with the legal obligations we have as a regulated body to carry out anti-money laundering checks on clients, including those in control of our corporate clients (legal obligation); and
- As it is in our legitimate interest to process personal data to provide our legal services, where the individual is not a BTO client (legitimate interests).
In relation to special category data (data revealing racial or ethnic origin; political opinions, religious or philosophical beliefs, trade union membership, the processing of genetic or biometric information used to uniquely identify an individual, data concerning health or a person’s sex life or sexual orientation) we will process that as is necessary for the establishment, exercise or defence of legal claims.
In relation to criminal conviction or offence data, including information about the alleged commission of offences or proceedings for an offence including disposal and sentencing, we will process that as is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), or is necessary for the purpose of obtaining legal advice, or is necessary for the purposes of establishing, exercising or defending legal rights.
We will obtain your contact details prior to you becoming a client and thereafter, they will be stored in our system to allow us to contact you about your case, or the case we are dealing with on behalf of a third party.
We will also process the personal data that is required to provide you with advice and this will depend on the type of case we are dealing with. This could be financial information; special category personal data or any other personal data as is required.
Individual clients will be provided with information about how their data is being processed and, in particular, who the data will be shared with as the case progresses.
Once the case is complete and our legal services have ended, we will hold onto the personal data in your file for at least twenty years in line with the long prescriptive period. We will also comply with the Law Society of Scotland’s Guidance on the Destruction of Files. BTO has a data retention policy which reflects this approach.
Credit Card Payments
On occasion we may take payments via credit card or debit card either online or over the phone. Our processes are compliant with the Payment Card Industry Data Security Standard (PCI DSS) and no card details are stored by us. We do store bank details if required for the matter we are dealing with.
Keeping in touch
When you become a client of BTO we will use your email address to keep in touch and to send you information about our services, legal updates and information about our events. We will also use the contact details of employees of our corporate clients to do this. You will always be given the option to unsubscribe from receiving these emails and if you do not want to receive this information from BTO then please email marketing@bto.co.uk
You may also have given us permission to keep you informed about BTO’s services, legal updates and information about our events. You can withdraw your consent at any time by emailing marketing@bto.co.uk
If you are not a client of BTO but are a business contact and you have asked us to keep you up to date with information about our services, legal updates and events then we will hold your contact information to do that until we are asked not to. Again you can do this by emailing marketing@bto.co.uk at any time.
Suppliers
We will hold contact details of third parties and employees of third parties who provide service to assist us to provide legal services. This will be held and used as it is in our legitimate interests to process this data to provide services. This will generally be corporate contact details.
Third Parties
BTO uses a number of third parties to provide the following services: IT support; case and document management services; provision of “cloud” computing services; email marketing assistance and document storage and shredding services. We have appropriate contractual arrangements in place to ensure that these third parties do not use our data for their own purposes, will treat it with confidence and that they keep the data secure.
These third parties generally provide us with software services and we have appropriate contracts and confidentiality agreements in place. Our paper documents are stored by third parties with whom we have appropriate contracts in place.
If personal data is transferred outwith the EU we will ensure that adequate safeguards are in place, relying on an adequacy agreement or other contractual terms as appropriate.
Security
BTO uses appropriate standards of technology and operational security to protect personal data from being accidentally lost, used or accessed in an unauthorised way, or altered or disclosed.
We maintain confidentiality in relation to our clients. Operationally, access to personal information is restricted to authorised personnel who are under a duty to maintain the confidentiality and security of such information.
Your rights
As a data subject, you have a number of rights in relation to your personal data. These are listed in brief below and are set out in more detail in BTO’s Data Protection Policy/Data Subject Rights Policies. A fee will not generally be charged for exercising any of these rights unless your requests are manifestly excessive.
- The right to access information about the personal data BTO is processing and to obtain a copy of it;
- The right to require BTO to change incorrect or incomplete data;
- The right to request that BTO erases or stops processing your data in certain circumstances; and
- The right to object to the processing of your data where BTO is relying on its legitimate interests as the legal ground for processing.
If you would like to exercise any of these rights, or if you have any concerns about how your personal data is being processed, please contact us using the Data Protection Manager contact details above.
If you are still unhappy with the way that BTO has dealt with your personal data then you can contact the Information Commissioner. Contact details are available at www.ico.org.uk/concerns.
Policy last updated 24 May 2018.