Privacy policy

We have developed this privacy notice in order to demonstrate our firm commitment to the privacy of your information. We are committed to safeguarding the privacy of your data while providing a personalised and valuable service.

This policy doesn’t apply to how we use the information of our employees, former employees, and people to whom we make job offers. If any of those apply to you, please contact [email protected] for a copy of our employee privacy notice.

If anything in this notice isn’t clear, or you think this notice doesn’t deal with how we use your information, or you have any other queries, please contact us.

1.1 You can contact us:
1.1.1 By email at [email protected]
1.1.2 By phone on +44 (0)1892 515 121
1.1.3 By post at Data Compliance Officer, Cripps LLP, Number 22, Mount Ephraim, Tunbridge Wells, Kent TN4 8AS
1.2 We are Cripps LLP, our registered office is at Number 22, Mount Ephraim, Tunbridge Wells, Kent, TN4 8AS and we are a limited liability partnership registered in England and Wales under registered number OC311169.
 
2.1 We may collect your name and contact details (such as your email address, phone number or address) in order to send you information about our legal services, as well as more general updates on areas of law which we think are relevant to you. We might collect this at an event which you attend or as part of our initial engagement with you (or your organisation) as a client, or you may have given us this information to subscribe to our blog updates or make other contact with us.
2.2 If you are an individual (or otherwise are not a “corporate entity”), we will only send direct marketing emails to you as an individual if (a) we have your consent, or (b) you are an existing client, the emails concern our similar services, and we gave you an opportunity to opt out of marketing (usually in our client agreement with you). In some circumstances, we may also send you marketing information (including invitations to events) by post, or contact you by phone (if you are an existing client). We send out marketing communications as necessary for our legitimate interests in marketing our services to you (where we believe they are relevant to your requirements), and maintaining a list of clients, potential clients and other contacts. We may also contact you by post, email or phone as part of our services to you.
2.3 If you work for a “corporate entity” (such as a company or limited liability partnership), we may use your contact details as necessary for our legitimate interests in marketing our services to your organisation and maintaining a list of clients, potential clients and other contacts. If we do send marketing to you, it will be to your work email address (or address) and will be addressed to you only in your capacity as a representative of your organisation. We may also receive your contact details from a third-party marketing agency. If that’s the case we will require them to only provide us with your contact details if they are entitled to under data protection law. We may also have been provided with your contact details by one of your colleagues.
2.4 You can always stop receiving our marketing. You can do this at any time by contacting us or by emailing [email protected]. If we send you any marketing emails, we will always provide an unsubscribe option to allow you to opt out of any further marketing emails. If you “opt-out” of our marketing materials you will be added to our suppression list to ensure we do not accidentally send you further marketing. We may still need to contact you for administrative or operational purposes, but we will make sure that those communications don’t include any marketing materials.
2.5 We never share your name or contact details with third parties for marketing purposes. We do use third-party service providers to send out some of our marketing, but we only allow them to do this on our instructions, and they must have agreed to treat the information confidentially and to keep it secure.
2.6 If we are sending you marketing, we retain your details on our marketing list until you “opt-out” or we decide that our marketing will no longer be relevant to you, at which point we remove you from that marketing list and (if you have “opted-out”) add you to our suppression list and delete any other information we hold on you in relation to that marketing. We keep that suppression list indefinitely to comply with our legal obligations to ensure we don’t accidentally send you any more marketing.
2.7 When we send marketing emails to you, those emails may include “web beacons” which tell us when you open the email, your IP address and browser or email client type, and other similar information. We do this to produce aggregate statistical information as necessary for our legitimate interests in reviewing and considering our direct marketing activities. We keep your information for six months following collection, after which any personal information is deleted and only aggregate statistics are kept.
 
3.1 When we talk about acting for “you” in this privacy notice, this includes situations in which we are acting for your organisation, or someone who represents you.
3.2 “Client Due Diligence” / “Know your client”. As part of these processes, we will usually need to collect certain information as a legal requirement to ensure we can act for you. We will tell you about this when we collect the information, but we will generally need your name, date of birth, residential address, and identification documents (such as passports, driving licences, identity cards, bank statements or utility bills) to confirm your identity. Without this information, we won’t be able to act for you as a client. We use third-party referencing services (Acuris and GBG) and public sources (Companies House, professional registers such as the FCA, and standard web searches) to verify this information, and we will receive information about you from them. Usually this will be a simple confirmation that they have verified your identity, although in some circumstances we may decide we are not able to act for you.
3.3 “Source of funds”. If we are holding or transferring money for you as part of our services (for instance, if we are helping you buy a house), then we may need to collect more information from you, including “source of funds” details about where the money is coming from, and documents (such as bank statements, pay slips, mortgage statements or wills) to verify that. We will let you know if this information is required.
3.4 Why we do this. If we do request this information, it will be because we are legally required to conduct “anti-money laundering” checks, and we will not be able to act for you as a client in relation to that matter without it.
3.5 Third-party source of funds. If you are providing a gift, investment or funding on a transaction to one of our clients, we may need to collect similar “Know your client” and “source of funds” information about you to comply with our obligations.
3.6 We keep this information for seven years from the end of our business relationship with you (or, if you are a third-party source of funds, from the end of our business relationship with the relevant client).
Other information:
3.7 More generally, you will provide us with information when we act for you, such as your name, contact details and details of the matter we are helping you with. We also may receive information about you from third parties, such as:
3.7.1 other professional advisors you have put us in contact with or who have referred you to us;
3.7.2 other firms of solicitors or professionals involved in your matter; and
3.7.3 other individuals or organisations we contact as part of your matter (for instance: claimants, defendants, witnesses or other interested parties in disputes; buyers, landlords, sellers, tenants, banks and other interested parties if we are helping you with a transaction; beneficiaries or executors if we are helping you with a will; and your family or colleagues).
3.8 We will let you know what types of information we receive from third parties as part of updating you on your matter, unless it is already clear from our interactions with you. That information may include:
3.8.1 Wills and probate matters. Information about your relationship with beneficiaries, executors, or other interested parties, details of your activities or responsibilities, and other information about you which relates to the matter we are dealing with.
3.8.2 Disputes. Information about your relationship with a defendant, claimant, witness or other interested parties in a dispute, details of your activities in relation to the dispute, details of your opinions and opinions about you from other interested parties, descriptions and images of you, and other details about you which relate to the dispute. This may include “special categories” of information (as described in the Special Categories of Information section below). We use those special categories of information only as necessary to establish, exercise or defend legal claims.
3.8.3 Transactions. Information about your relationship with a buyer, landlord, seller, tenant or other interested party, details of your activities in relation to the transaction, and other details about you which relate to the transaction.
3.9 If you have provided your bank details in order for us to make a payment to you, we will only use these as necessary to make that payment, and will not share those details with any third parties other than as necessary to make the payment or comply with regulatory or legal requirements.
3.10 We also sometimes use consultants to gather data or insight from our clients or contacts (for example by carrying out client satisfaction interviews or sending our client surveys). This may include your opinions about our services, and details of how we have acted for you. This will always be done based on your consent. Any information you provide the consultants will be shared with us, unless you ask for it not to be.
3.11 We will keep and use the information described above to carry out our contract with you, to comply with any legal requirements for us to maintain certain records and/or for our legitimate interests in managing our relationship with you and improving our services and as set out in the Our Legal Claims section below.
3.12 Please see Retention Of Your Information below for information about how long we keep the information set out above.
4.1 When we say “your organisation” in this section, we mean the organisation you work for or are otherwise involved with, whether as a member, volunteer, owner or otherwise.
4.2 When we act for your organisation, you (or your colleagues) may provide us with information about you, such as your name, contact details, job title, and other details relevant to the matter we are helping your organisation with. We also may receive information about you from third parties, such as:
4.2.1 other professional advisors you or your organisation have put us in contact with or who have referred your organisation to us;
4.2.2 other firms of solicitors involved in the relevant matter; and
4.2.3 other individuals or organisations we contact as part of the relevant matter (for instance: claimants, defendants, witnesses or other interested parties in disputes; and buyers, landlords, sellers, tenants, banks and other interested parties if we are helping your organisation with a transaction).
4.3 We will let you know what types of information we receive from third parties as part of updating you on the relevant matter, unless it is already clear from our interactions with you or your organisation.
4.4 We may also obtain information about your ownership of your organisation (or your position at that organisation) from Companies House or your organisation’s website.
4.5 We will keep and use the information described above to comply with any legal requirements for us to maintain certain records and/or as necessary for our legitimate interests in carrying out our contract with your organisation, managing our relationship with your organisation, and as set out in the Our Legal Claims section below.
4.6 Corporate Transactions. If we represent your organisation in relation to a corporate transaction, your organisation may provide us with information about you which is relevant to that transaction. In particular, details of your salary, role (and your activities within that role), employment or service contract, length of service, loans from or to the organisation, disputes or disciplinary matters you have been involved in, and any special category data which will be required for the interested parties to comply with their employment law obligations. That information will be used by us and shared with other parties to the transaction (and their professional advisors) as necessary for our client’s legitimate interests in providing information about the organisation and complying with any disclosure requirements agreed within the transaction, and for our legitimate interests in advising and representing our client. We or our client take steps to redact or pseudonymise information before it is shared as required by data protection law. Where information is not redacted or pseudonymised we take other steps to ensure the security of that information. We generally share information through an online data room, which is hosted in Canada. Canada has its own data protection legislation relating to commercial organisations which the EU has decided provides an adequate data protection regime. Your information may otherwise be shared outside of the EU if any of the other parties to the transaction (or their professional advisors) are based outside of the EU (for more information, please see the Where We Store Your Information section below).
4.7 Please see Retention Of Your Information below for information about how long we keep the information set out above.
5.1 We may act for an interested party regarding a matter which you are involved in. In particular:
5.1.1 Wills and probate matters. You may be a beneficiary, executor, or other interested party in relation to an estate we are dealing with. In those circumstances, we may hold your name, address and other contact details, information about your relationship with our client or other interested parties, details of your activities or responsibilities as an executor, information about what is being gifted to you as part of an estate, and other information about you which relates to the matter we are dealing with.
5.1.2 Disputes. You may be a claimant, defendant, witness or other interested party in relation to a dispute which we are dealing with. If that is the case, we may hold your name, address and other contact details, information about your relationship with our client or other interested parties, details of your activities in relation to the dispute, details of your opinions and opinions about you from other interested parties, descriptions and images of you, and other details about you which relate to the dispute. This may include “special categories” of information (as described in the Special Categories of Information section below). We use those special categories of information only as necessary for us to establish, exercise or defend legal claims.
5.1.3 Transactions. You may be a buyer, landlord, seller, tenant or other interested party in relation to a transaction which we are dealing with. If so, we may hold your name, address and other contact details, information about your relationship with our client or other interested parties, details of your activities in relation to the transaction, and other details about you which relate to the transaction.
5.1.4 Corporate transactions. If we represent a party in a corporate transaction which concerns the organisation you work for or an organisation which holds your information, we may be provided with information about you which is relevant to that transaction. In particular, details of your salary, role (and your activities within that role), employment or service contract, length of service, loans from or to the organisation, disputes or disciplinary matters you have been involved in, and any special category data which will be required for the interested parties to comply with their employment law obligations. That information will be used by us and shared with our client as necessary for our client’s legitimate interests in learning about that organisation and for our legitimate interests representing and advising our client. That organisation or its solicitors should take steps to redact or pseudonymise information before it is shared with us as required by data protection law.
5.2 We may receive this information directly from you, or from third parties, such as:
5.2.1 our client;
5.2.2 your solicitors, or other professional advisors involved in the relevant matter; and
5.2.3 other individuals or organisations we contact as part of the relevant matter (for instance, claimants, defendants or other interested parties in disputes and buyers, landlords, sellers and tenants in relation to transactions).
5.3 Enquiry agents. We may also engage enquiry agents or process servers to find out your latest address or other information which is relevant to a dispute you are involved in. We only do this where it is necessary for our own or our client’s legitimate interests in establishing, exercising or defending legal claims, or our legitimate interests in representing our client. We always require enquiry agents, process servers, or other suppliers we engage for these purposes to ensure that they comply with data protection law when providing their services.
5.4 If you or your solicitor have provided your bank details in order for us to make a payment to you, we will only use these as necessary to make that payment, and will not share those details with any third parties other than as necessary to make the payment.
5.5 We will keep and use that information as necessary for our legitimate interests in advising and representing our client, and as set out in the Our Legal Claims section below.
5.6 Please see Retention Of Your Information below for information about how long we keep the information set out above.
6.1 If you work for (or are) one of our suppliers, business partners or another body which we have a relationship with, the information we hold about you may include your contact information, your professional information, our relationship with you and your opinions or opinions about you. This information may be collected directly from you, or provided by your organisation or an organisation which has referred you to us. We use this information as necessary for our legitimate interests in managing our relationship with you and your organisation.
6.2 We may keep your information on our contact management systems for up to three years after the end of our relationship with your organisation.
7.1 Visitor information. We collect information about visitors to our premises (including when you attend an event we are hosting). We may record information on your visit, including the date and time, your name, employer and who you are visiting. If you have an accident at our premises, this may include a description of your accident. This information is kept for a period of up to seven years. If you are involved in an accident on our premises, our accident records are retained for a period of up to seven years (or, if the accident involves a child, until we believe they have turned 21).
7.2 Events at other premises. If you’re looking to attend an event that we’re operating or are involved in but that’s not at our premises, we will need to share your name (and, if relevant, the organisation you work for and your job title) with the relevant venue for our and their legitimate interests in ensuring security at the event, administering the event, and recording accurately the different attendees. The venue will have its own responsibilities for how it deals with that information.
7.3 Events at our premises. If you attend an event at our premises but expressed your interest through a third party (for instance a trade body or events organiser) then they will pass us your name (and, if relevant, the organisation you work for and your job title). We use those details (and any details you give us) as set out at “Visitor information” above.
7.4 CCTV and ANPR. We use CCTV and ANPR (automatic number plate recognition) at our Tunbridge Wells offices, which may record you and your activities, as well as the registration number of your vehicle. We use a third-party service provider (Security Engineering Ltd) to service and maintain these systems. We display notices to make it clear what areas are subject to surveillance. We only share footage or records following a warrant or formal request from law enforcement, or as necessary in relation to disputes. Recordings or number plate information may be kept for a period of up to 21 days (unless an incident occurs and it is necessary for us to keep recordings for longer, in which case the “Our Legal Claims” section below will apply). If you visit our other offices, you may still be captured on CCTV operated by the relevant property managers, but they will be responsible for how they deal with that information.
7.5 We collect and use this information as necessary for our legitimate interests in administering your visit, ensuring site security and visitor safety, and administering parking.
7.6 Wi-fi. If you use the wi-fi which we provide at one of our offices, we will record the unique identifier (MAC address) of the device you use and usage information (such as when and how long you were connected to our wi-fi for, and the volume of your data usage). This does not include information which is capable of directly identifying you. We do not actively monitor your activity, and this information will only be accessed if we become aware of any illegal activity on our wi-fi system, or any abuse of it. We only disclose this information if we receive a request from law enforcement, or as necessary in relation to a dispute. We collect and use this information as necessary for our legitimate interests in maintaining our network security, and complying with our legal obligations when providing wi-fi access. The information is kept for 30 days after collection, unless we become aware of an incident which makes it necessary to keep certain information for longer.
7.7 Training and promotional images and videos. If you attend one of our training sessions or other events, we may record images or videos at that event to use for training or promotional purposes. We do so as necessary for our legitimate interests in promoting our firm, and recording training for future use. Those images or videos will be kept indefinitely for those purposes. If you would prefer not to appear in any images or videos, please let us know at the time, or otherwise contact us.
8.1 If you contact us (or someone does on your behalf or in relation to you) that correspondence may include personal information about you, including details of the query or complaint, your opinions, contact details (including phone numbers and the date, time and duration of any calls), information about your interactions with us, and copies of any voicemails which you leave us. If we hold other information about you already (as otherwise set out in this privacy notice) then we may use that information to help address your issue.
8.2 We use that information as necessary for our legitimate interests in addressing a complaint or enquiry and recording how we dealt with it.
8.3 How long we keep this information will depend on what the complaint or query relates to. Please see Retention Of Your Information below for more information.
9.1 When you interact with our social media accounts (including our Facebook, Twitter or LinkedIn channels), you may provide information about yourself such as your views, photographs, videos and other content which you share on these platforms.
9.2 Where you share this information through a platform, we may use this information on that platform as necessary for our legitimate interests in responding to you and engaging with you. We reserve the right to remove or respond to the content you share from our feed or page.
9.3 This information may be retained and displayed indefinitely for as long as our social media channels are live.
10.1 In some circumstances you may provide us (whether through our website or otherwise) with information about you, or allow us (or someone on our behalf) to record you for publication or display. For instance, you may provide a review or testimonial, or act as a model.
10.2 Where we offer or judge awards or otherwise recognise individuals or businesses (for instance, compiling and publishing a “Change Makers” list) we may receive information from you (such as a nomination you submit) or information about you from a third party who is submitting a nomination or testimonial about you. We review and consider this information (and may seek out additional information from publicly available sources such as your LinkedIn profile, company website, or news articles or other search engine results) as part of that process and determining who should win an award or receive recognition. We do this as necessary for our legitimate interests in operating and judging awards or other recognition programmes.
10.3 We may display and publish this information (and, if relevant, attribute it to you) on our platforms as necessary for our legitimate interests in providing content and publicising the results of awards or other recognition programmes, and for promotional purposes (or, in some circumstances, because you have specifically consented to us doing this).
10.4 This information is kept and published or displayed by us for as long as we consider it relevant for those purposes. In the case of an award or recognition programme, submissions and forms will be kept until after any announcements or publications are made, but the announcements and publications themselves may be retained (and displayed on our website or other platforms) for as long as we consider relevant for the purposes of that award or recognition programme. You can ask us to remove or delete your content or information about you in connection with these purposes at any time (subject to any agreement you have with us about our right to use it) by contacting us. If we are displaying or publishing the information based on your consent, you have the right to withdraw that consent at any time.
11.1 We may collect information about you and your use of our website via technical means such as cookies, webpage counters and other analytics tools. We use this as necessary for our legitimate interests in administering our website and to ensure it operates effectively and securely, as well as to recognise if you have visited our website previously.
11.2 For non-essential cookies (ones which aren’t necessary to provide the functionality of our site), we will also ask for your consent before they are used, through our cookie consent banner.
11.3 For detailed information on the cookies we use and the purposes for which we use them see our cookie notice.
11.4 Any personal information relating to the relevant cookie will be deleted when it expires.
11.5 We may also ask for your email address when downloading documents or content from our website. We use this as necessary for our legitimate interests in protecting our content from automated copying and to manage our content strategy. If your email address is collected in this way, it will only be used for marketing if you consent to this (in which case please see the “Marketing” section above). Unless you consent to marketing, your email address will be kept for up to 60 days after it is provided.
11.6 Our website may, from time to time, contain links to third-party websites. Clicking on those links may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
12.1 If you take part in a competition which we run, we’ll use the information you provide (such as your name, contact details, and information about your entry) as necessary for our legitimate interests in administering and managing the competition. We’ll keep that information on our systems for up to six months after the competition ends.
12.2 If you win the competition, we will publish or make available your name and (if applicable) county of residence or other details as set out in the competition terms. We do this as necessary for our legitimate interests in complying with advertising codes of practice and promoting the results of the competition, and will make it clear when we promote the competition. If you do not want us to publish this information or make it available to the public, please contact us and let us know (although we will still need to provide the information to advertising regulators if they ask us to). If we publish that information, it is available indefinitely. If we don’t publish that information, we keep it for up to six months to respond to requests in relation to advertising codes of practice. We won’t otherwise use your information unless we have your consent.
13.1 Applications. We will collect and hold information on applicants (including for vacation schemes and other placements), including information you provide to us in your application, or provided to us by recruitment agencies (your CV, application, details of your professional history and other information which you have provided or made available to that recruitment agency).
13.2 Other sources of information. We may also collect information about your professional history which you make available on LinkedIn, or which is on your employer’s website. If you are a professional, we may also check your professional body’s register (for instance, the Law Society for solicitors) to confirm your registration.
13.3 External assessments. For some application processes we may also use external assessment providers. We will pass your email address to them and they will contact you and invite you to take part in the assessment. They will share the results of that assessment with us (as well as analysis based on those results). Where we use an external assessment provider, our contract with them will require them to keep your information secure and only use it for the purposes of those assessments.
13.4 If we decide to offer you a role, we will contact your references (and they will provide us with details of their relationship with you and opinion about you). We will provide your references with information about your application as necessary to obtain a reference from them.
13.5 We use the information described above as necessary to enter into an employment contract with you (or engage with you in any other capacity), and for our legitimate interests in evaluating applications and recording our recruitment activities, and as necessary to exercise and perform our employment law obligations and rights.
13.6 Retention. If you are successful in your application and join our firm, your information will be used and kept in accordance with our internal privacy notice. If you currently work for us, or used to work for us, you can request a copy of this from us. If you are not successful in your application, your information will be held for up to 24 months after the relevant round of applications has finished.
13.7 Required information. You must provide certain information (such as your name, contact details, professional and educational history) for us to consider your application fully, and this will be made clear in the application process. If you have not provided all of this information, we may contact you to ask for it. If you do not wish to provide this information, we may not be able to properly consider your application.
13.8 Equal opportunities monitoring. We operate an equal opportunities monitoring process as part of some of our application rounds, in which you can provide details of your gender, age, marital status, health, ethnicity, and other relevant details as set out on our monitoring form. This is entirely voluntary, and if you do not wish to answer any or all of the questions on the form, this will not affect the handling of your application in any way. We use these forms and the information you provide as necessary for our legitimate interests in monitoring aggregate recruitment statistics and complying with our legal obligations regarding equal opportunities. The forms do not contain any information which allows us to directly identify you, and are detached from your application, stored separately, and only used to create aggregate statistics. The information you provide in those forms will not affect the handling of your application in any way. The individual forms are stored for three months and the aggregate statistical data (which you cannot be identified from) is stored indefinitely.
13.9 Referees. If you are listed as a reference by an applicant, we will hold your name, contact details, professional information about you (such as your employer and job title) and details of your relationship with the applicant. We will use this information (and any information you provide us) as necessary for our legitimate interests in evaluating candidates and as necessary to exercise and perform our employment law obligations and rights. Your information will be kept alongside the applicant’s information.
13.10 Emergency contacts. If you are listed as an emergency contact by someone who works for us, we will hold your name, contact details and details of your relationship with that staff member. We will use this to contact you as necessary to carry out our obligations under employment law, to protect the vital interests of that staff member, and as necessary for our legitimate interests in administering our relationship with that staff member. Your information will be kept until it is updated by that worker, or we no longer need to contact that staff member after they have stopped working for us.
14.1 We have set out in this privacy notice indications of how long we generally keep your information. In some circumstances, it may be necessary to keep your information for longer than that in order to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
14.2 Where we hold personal information in relation to legal services we have provided, we keep our files after the matter has been closed for up to 16 years following closure (although we may have to keep it for longer for legal, regulatory or technical reasons, or as set out in the Our Legal Claims section below).
14.3 Where we act in relation to a will or deed, the document itself is kept for as long as required in relation to that matter. Once the purpose for retaining the document has been fulfilled, we shall send the will to the executor, and a deed shall be returned to its owner.
14.4 In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
16.1 We do not generally collect any “special categories” of more sensitive personal information about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data, as well as information about criminal convictions and offences) except if this is relevant in relation to a dispute you are involved in. If we do use these types of data in relation to a dispute we do so as necessary for our legitimate interests in establishing, exercising or defending legal claims.
16.2 We may also use these types of information in limited circumstances, with your explicit written consent (in which case when we obtain your consent we will make it clear what the information is to be used for).
16.3 We may also receive these types of information about you when you have clearly made that information public (for example, you may send us an email from an email address which makes clear what your political opinions are). If that is the case, we may store and otherwise use that information on that basis, but only as set out in this privacy notice.
17.1 We will only use your personal information when the law allows us to do so. Although in limited circumstances we may use your information because you have specifically consented to it, we generally use your information in the ways set out in this notice because:
17.1.1 we need to perform a contract we have entered into with you.
17.1.2 we need to comply with a legal obligation.
17.1.3 it is necessary for our legitimate interests (or those of a third party) which are not overridden by your rights or interests. Our “legitimate interests” are lawful business or commercial reasons to use your information, but they should not involve being unfair to you. Where we are relying on a legitimate interest to use your information, we will tell you what it is as part of this privacy notice, or when we otherwise contact you. The ways in which we use your information will generally be obvious or within what you would reasonably expect us to do.
17.1.4 we need to protect your vital interests (or someone else’s vital interests) or where it is needed in the public interest (although these circumstances are likely to be rare).
17.2 Change of purpose. We will only use your personal information for the purposes for which we collected it as set out in this notice, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
18.1 As well as any sharing listed above, we may also share your information with third parties, including third-party service providers where necessary for the purposes set out in this privacy notice. Third parties are required to respect the security of your personal information and to treat it in accordance with the law. We never sell your data to third parties.
18.2 We may be under a duty to share your personal information (such as with the police or a regulatory authority) in order to comply with a legal obligation.
18.3 We engage auditors (in relation to quality accreditations and legal requirements) and insurers who may have access to information that we hold, to comply with our legal requirements and as necessary for our legitimate interests in demonstrating compliance with quality standards and obtaining insurance cover. They will only use this data as part of their services, and they are subject to strict contractual and professional requirements.  
18.4 If your information relates to a legal matter, we may need to share your information as necessary for our legitimate interests in establishing, exercising or defending legal claims or otherwise providing legal services. We may need to share your information with other legal or professional advisors, insurers, and other parties involved in that matter.
18.5 We may also need to share your information to protect the rights, property, or safety of us, our clients, or others or where we have another legitimate interest in doing so.
18.6 If we sell, transfer, or merge parts of our business, we may share your information with other parties as necessary to do that (but only if they guarantee they will keep your data safe and private). If another law firm buys or merges with us, they may use your information in the same way as set out in this privacy notice.  
18.7 If we are reviewing whether to acquire a business, or the assets of a business, which holds your personal data (whether you are a customer or employee of that business or otherwise) we may receive limited personal data about you from that business or professional advisors involved in the transaction, as necessary for our legitimate interests in making decisions about that acquisition. If we do not acquire that business, any information we receive about you will be deleted as soon as practicable following the decision not to acquire. If we do acquire that business, your information will be kept and used as set out in the privacy policy for that business and (if we notify you) as set out in this privacy policy.
18.8 We may also share your information with data processors (service providers who process data on our behalf). We have contracts in place with our data processors which require them (among other things) to only use your information (including sharing it with other organisations) according to our instructions and treat it securely. We use data processors to provide some of our IT systems and to send out marketing emails (as described in the “Marketing” section above).
19.1 We are a UK business and our information is stored in the UK. However, if necessary for the establishment, exercise or defence of legal claims or as part of a contract with you (or made in your interests), the information that we hold about you may be transferred to, and stored at, a destination outside the UK and the EU.
19.2 If we otherwise need to transfer your information outside of the UK and the EU, we will take all steps reasonably necessary to ensure that your personal information is treated securely and in accordance with this privacy notice.
19.3 Some countries or organisations outside of the UK and the EU which we may transfer your information to will have an “adequacy decision” in place, meaning the EU considers them to have an adequate data protection regime in place. These are set out on the European Commission website.
19.4 If we transfer data to countries or organisations outside of the UK and the EU which the EU does not consider to have an adequate data protection regime in place, we will ensure that appropriate safeguards (for example, model clauses approved by the EU or a data protection authority) are put in place where required. To obtain more details of these safeguards, please contact us.
20.1 As well as the measures set out above in relation to sharing of your information, we have put in place appropriate internal security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those members of staff who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality. We maintain cyber insurance and regularly:
20.1.1 review, identify and update our ICT risk analysis, mitigation measures and policies;
20.1.2 review and upgrade our ICT systems and best practice ICT security measures;
20.1.3 review and practise our containment procedures, corrective actions and regulatory commitments.
20.2 We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where necessary.
21.1 We may act for an interested party regarding a matter which you are involved in. In particular:
21.1.1 Be informed in a clear, transparent and easily understandable way about how we use your personal information and about your rights. This is why we are providing you with the information in this privacy notice. If you need any more information about how we use your personal information, please contact us.
21.1.2 Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. Please note that some information will be exempt from this right, and we will have to respect other people’s privacy if their information is linked with yours.
21.1.3 Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected. In some circumstances however we will need to keep the existing information for audit purposes, but will record your correction as well.
21.1.4 Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it (for instance, we may need to continue using your personal data to comply with our legal obligations or for the establishment, exercise or defence of legal claims). You also have the right to ask us to delete or remove your personal information where you object to our use of it (see below).
21.1.5 Object to processing of your personal information where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to us using your information on this basis and we do not have a compelling legitimate basis for doing so which overrides your rights, interests and freedoms (for instance, we may need it to defend a legal claim). You also have the right to object where we are processing your personal information for direct marketing purposes.
21.1.6 Request the restriction of processing of your personal information. This enables you to ask us to stop using your information in a certain way, for example if you want us to establish its accuracy or the reason for processing it. We may however still need to use your information for the establishment, exercise or defence of legal claims.
21.1.7 Request the transfer of your personal information to another party where you provided it to us and we are using it based on your consent, or to carry out a contract with you, and we process it using automated means. This is unlikely to apply to the majority of our services.
21.1.8 Withdraw consent. Where we are relying on your consent (as opposed to the other bases set out above) to use your information, you have the right to withdraw your consent for that use at any time.
21.1.9 Lodge a complaint. If you think that we are using your information in a way which breaches data protection law, you have the right to lodge a complaint with your national data protection supervisory authority (if you are in the UK, this will be the ICO).
21.2 If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal information, withdraw your consent to the processing of your personal information or request that we transfer a copy of your personal information to another party, please contact us.
21.3 More information about your rights can be obtained from the Information Commissioner’s Office (ICO).
21.4 No fee usually required. You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee (or refuse to comply) if your request for access is clearly unfounded or excessive.
21.5 What we may need from you. We may need to request specific information from you to help us understand the nature of your request, to confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is to ensure that your information is kept secure.
21.6 Timescale. Please consider your request responsibly before submitting it. We will respond to your request as soon as we can. Generally, this will be within one month from when we receive your request but, if the request is going to take longer to deal with, we will let you know.
Any changes we make to our privacy notice in the future will be posted on our website and, where appropriate, notified to you by e-mail or otherwise.
This document is specific to Cripps LLP and is unlikely to be suitable for use by other organisations. It is also protected by copyright which prohibits you from copying it (or substantial parts of it) for your own business purposes without our permission.