LexLeyton is committed to safeguarding the privacy and security of the personal information provided to us. In this Notice we
explain how we, including how we collect, use and process your personal data, and how, in doing so, we comply with our legal
The term “Personal Data” means any information relating to an identified or identifiable person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.
WHO WE ARE
LexLeyton is the trading name of both Leyton UK Partners LLP and Leyton Legal (Scotland) LLP and is associated to Leyton UK Limited.
In relation to the applicable data protection legislation (including but not limited to the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”)), the entities responsible for your personal data as data controllers are:
- Leyton UK Partners LLP is a limited liability partnership registered in England and Wales (OC388386). Registered office Harmsworth House, 13-15 Bouverie Street, London, England, EC4Y 8DP. Authorised and regulated by the Solicitors Regulation Authority under SRA number 619453; and
- Leyton Legal (Scotland) LLP is a limited liability partnership registered in Scotland (SO305978). Registered office 8th Floor, Lomond House, 9 George Square, Glasgow, G2 1DY. Authorised and regulated by the Law Society of Scotland under practice number 53122. A list of members of each LLP may be inspected at their respective registered offices.
In this Notice, “LexLeyton” and “us”, “we” or “our” shall refer to both Leyton UK Partners LLP and Leyton Legal (Scotland) LLP. The expressions ‘you’ and ‘your’ refer to you, our client.
WHERE DO WE COLLECT PERSONAL DATA FROM?
We collect personal data in three main ways:
- Personal data that we receive directly from you (for example where we meet, where you contact us proactively, usually by phone or email; and/or where we contact you, whether by phone or email or any other form of communication).
- Personal data that we receive from other sources; and
- Personal data that we collect automatically.
We collect and process information:
- obtained or created in relation to the legal services we provide;
- relating to individuals who apply for a job or work placement with us;
- relating to our employees, suppliers, partners and contractors;
- relating to online service users, subscribers to our newsletters and other promotional materials;
- relating to other third parties.
- Information about collection, use and disclosure of personal information relating to our employees and partners can be found in our Data Protection Policy
WHY DO WE PROCESS YOUR PERSONAL INFORMATION?
We process your personal information where:
- it is necessary for the performance of a contract with you (e.g. to provide legal services);
- you have provided us with your consent to use your personal information (e.g.. in the course of subscribing to our newsletters);
- we are required by law to do so; or
- it is necessary to pursue our legitimate interests in a way which is reasonably expected as part of running our business, which is not detrimental to you and would have minimal impact on your privacy
HOW DO WE COLLECT USE AND DISCLOSE YOUR PERSONAL INFORMATION?
The personal information we collect will include the types of data shown below. We also collect incidental personal data about third parties when providing our Services.
|Internal-clientdata||Personal data belonging to individuals whose personal information may be processed by us as aresult of providing the Services to you. This may include personal information relating to:
|Business Administration Data||
Personal data to include Client Data necessary in order to:
|CCTV Surveillance Data||An external CCTV entry system may be installed at some of our offices. All external CCTV cameras areclearly visible to all staff and visitors. The camera will usually be positioned outside the entrance to theoffice building and/or the reception area but may be repositioned from time to time to ensure theireffective use.|
|Applicants for Employment or work placement||Personal data such as name, address, contact details, education and employment history; backgroundchecks (financial and criminal), ID and right to work status; information relating to next ofkind/dependants.
Financial information including bank details and identifies (e.g. National Insurance numbers). In particularwe expect to share this information with Leyton UK Ltd which provides inter alia HR and support servicesto LexLeyton.
WHY DO WE BELIEVE THAT WE ARE ENTITLED TO USE THIS DATA?
|Type of data||What do we use this for?||Legal justification|
|Client Data||Below are the various ways in which we useyour data in order to ensure the smoothrunning of our agreements and dealings withyou:• Processing your data in order to carry outanti-money laundering and “Know YourClient” checks in accordance with our legaland regulatory obligations;
It is necessary for us to use this personal information toperform our obligations in accordance with any contractthat we may have with you.
Depending on the circumstances, it can otherwise be inour legitimate interest or a third party’s legitimateinterest to use the personal information to ensure weprovide the Services in the best way that we can.
|Marketing Data||We use this to promote our business.||It is in our legitimate interest or a third party’slegitimate interest to use the personal information toensure we provide the right Services in the best waythat we can and otherwise build our business.|
|Website Data||We may process your data for the purpose oftargeting you with appropriate marketing andPR campaigns. Subject to any applicable locallaws and requirements, we will only send youmarketing and PR information.
By using this information, we are able tomeasure the effectiveness of our content andhow visitors use our websites and our Services.This allows us to learn what pages of ourwebsites are most attractive to our visitors,which parts of our websites are the mostinteresting.
|It is our legitimate interest to use the personalinformation to ensure we provide the right services andinformation as well as the Services themselves in thebest way that we can, improve our services andproducts and promote our services and contact youwith communications about legal updates, breakingnews, newsletters and event invitations.|
|Internal ClientData andIncidentalData||In order to provide employment-law related Services to you.||It is necessary for us to use this personal information toperform our obligations in accordance with any contractthat we may have with you.
Depending on the circumstances, it can otherwise be inour legitimate interest or a third party’s legitimateinterest to use the personal information to ensure weprovide the Services in the best way that we can.
|BusinessAdministrationData||Personal data is used:
||It is necessary for us to use this personal information to:
|CCTV Surveillance Data||This is primarily to assist with security and safety of our staff and visitors to our offices.||This is primarily to assist with security and safety of our staff and visitors to our offices.|
|Applicants for Employment or work placement||Human resources administration. Assessing suitability, eligibility and / or fitness to work.
Health and safety and the application, audit and enforcement of our policies.
|It is necessary for us to use this personal information toprocess any application appropriately and in the courseof managing our business.|
WHO DO WE SHARE PERSONAL INFORMATION WITH FOR THE PURPOSE OF PROVIDING OUR SERVICES?
We may share personal information with the following potentially associated parties (Potentially Associated Parties) when carrying out our Services.
|Type of data||Who is it passed to?||Legal justification|
|Client Data + Internal Client Data and Incidental Data||
|It is necessary for us to use this personal information to perform our obligations in accordance with any contract that we may have with you.
Depending on the circumstances, it can otherwise be in our legitimate interest or a third paty’s legitimate interest to use the personal information to ensure we provide the Servicesin the best way that we can.
Please note that Leyton UK Partners LLP and Leyton Legal (Scotland) LLP both trade as “LexLeyton’ and, subject to applicable regulatory law, each of those entities may share legally privileged and client confidential information (including personal data) in respect of the cases they each are working on as permitted by and pursuant to our contracts withour clients in order for each of these entities to use common resources to provide legal services to our legal clients.
||Where your personal information is not in ananonymous form, it is in our legitimate interestto use your personal information in such a wayto ensure that we provide the very bestproducts and services to you and our other clients.|
|Business Administration Data||Professional advisers such as lawyers and accountantsand experts and suppliers and/or governmental orregulatory authorities and third party outsourcedbusiness administration services providers includingLeyton UK Ltd (which provides business administration,marketing and other support services)||It is necessary for us to use this personalinformation to:
|Applicants for Employmentor work placement||Your personal information may be transferred toservice providers to include Leyton UK Ltd anassociated company which provides inter alia, HR andbusiness support services ; and stored within ourinformation systems and within third party informationand software applications and services and systemswhich have been procured to support the operation ofthe HR services function. When information is sharedwith service providers it is limited to that which isrequired for providing the service and will beadequately protected.||It is necessary for us to use this personalinformation:
This above list is illustrative and not exhaustive.
If we merge with or are acquired by another business or company in the future, we may share your personal data with the new owners of the business or company (and provide you with notice of this disclosure). We do not sell any personally identifiable information provided to us to any unrelated third party, but, as set out above, we may share it with related entities or with unrelated third parties in connection with our own marketing activities, or as may be legally required.
We use your name and email address to send you marketing communications by email, where either:
1. you have consented to receive such marketing communications; or where
2. we have another lawful basis to do so.
Our email marketing may include both personalised/tailored and non-personalised email marketing.
Where we are sending you personalised email marketing, we may use information that we have noted you from your interactions with our website to decide what sort of personalised marketing communications to send you, whilst also assessing your needs whilst we provided Services to you.
We will only send you marketing communications via email where you have consented to receive such marketing communications, or where we have a lawful right to do so on the basis of a soft-opt in legal justification.
COMMUNICATIONS TO REFERRERS
In your Engagement Letter we set out that we may communicate with any company that may have referred you to us for the purpose of communicating the fact of your instruction and the nature and extent of our agreement to provide services to you.
It is our legitimate interest to use the personal information to ensure we provide the right services and information as well as the Services themselves in the best way that we can and otherwise promote our business by these means.
You expressly waive any duty we may have relating to client-confidentiality to this degree, where we set out that this information will be used to investigate the success of any joint-pitch work undertaken with that company and so that company can measure it’s performance under the terms of any related marketing and prospecting agreement. In particular we anticipate having to communicate this information to Leyton UK Limited which provides marketing and prospecting services.
HOW DO WE SAFEGUARD YOUR PERSONAL DATA?
We are committed to taking all reasonable and appropriate steps to protect the personal information that we hold from misuse, loss, or unauthorised access. We do this by having in place a range of appropriate technical and organisational measures. These include measures to deal with any suspected data breach.
HOW LONG DO WE KEEP YOUR PERSONAL DATA FOR?
We will ordinarily process your data throughout the course of our interactions and will then generally retain it for an appropriate amount of time after we have parted ways, depending on local law requirements and our legitimate business and risk-management needs. The periods of time for which we retain your data will vary depending on the type of data in question and any overarching legal, regulatory or risk-management requirements to retain it for certain minimum periods. We may, for example, be required to retain certain data for the purposes of tax reporting or responding to tax queries. In other instances, there may be some other legal, regulatory or risk-management requirements to retain data, including where certain data might be relevant to any potential litigation (bearing in mind relevant limitation periods).
In determining the appropriate retention period for various types of personal data, in addition to ensuring that we comply with our legal, regulatory and risk-management obligations, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we need to process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
A copy our retention policy may be obtained by sending an email request to our Data Protection Manager at dpm@LexLeyton.co.uk
HOW CAN YOU ACCESS, AMEND OR TAKE BACK THE PERSONAL DATA THAT YOU HAVE GIVEN TO US?
One of the GDPR’s main objectives is to protect and clarify the rights of citizens and individuals with regards to data privacy. This means that you retain various rights in respect of your data, even once you have given it to us. These are described in more detail below.
To get in touch about these rights, please contact our Data Protection Manager at dpm@LexLeyton.co.uk We will seek to deal with your request without undue delay, and in any event within one month (subject to any extensions to which we are lawfully entitled). Please note that we may keep a record of your communications to help us resolve any issues which you raise.
Right to object
This right enables you to object to us processing your personal data where we do so for one of the following four reasons: (i) our legitimate interests; (ii) to enable us to perform a task in the public interest or exercise official authority; (iii) to send you direct marketing materials; and (iv) for scientific, historical, research, or statistical purposes.
The “legitimate interests” and “direct marketing” categories above are the ones most likely to apply. If your objection relates to us processing your personal data because we deem it necessary for our legitimate interests, we must act on your objection by ceasing the activity in question unless:
- we can show that we have compelling legitimate grounds for processing which overrides your interests; or
- we are processing your data for the establishment, exercise or defence of a legal claim.
If your objection relates to direct marketing, we must act on your objection by ceasing this activity.
Right to withdraw consent
Where we have obtained your consent to process your personal data for certain activities, you may withdraw this consent at any time and we will cease to carry out the particular activity that you previously consented to unless we consider that there is an alternative reason to justify our continued processing of your data for this purpose in which case we will inform you of this condition. To withdraw your consent please contact our Data Protection Manager at dpm@LexLeyton.co.uk
Data subject access requests (DSAR)
You may ask us to confirm what information we hold about you at any time, and request us to modify, update or delete such information. We may ask you to verify your identity and for more information about your request. If we provide you with access to the information we hold about you, we will not charge you for this unless your request is “manifestly unfounded or excessive”. If you request further copies of this information from us, we may charge you a reasonable administrative cost where legally permissible. Where we are legally permitted to do so, we may refuse your request. If we refuse your request we will always tell you the reasons for doing so. Should you wish to make a request in line with your rights as an individual please send it in writing to dpm@LexLeyton.co.uk
Right to erasure
You have the right to request that we erase your personal data in certain circumstances. Normally, the information must meet one of the following criteria:
- the data are no longer necessary for the purpose for which we originally collected and/or processed them;
- where previously given, you have withdrawn your consent to us processing your data, and there is no other valid reason for us to continue processing;
- the data has been processed unlawfully (i.e. in a manner which does not comply with the GDPR);
- it is necessary for the data to be erased in order for us to comply with our legal obligations as a data controller; or
- if we process the data because we believe it necessary to do so for our legitimate interests, you object to the processing and we are unable to demonstrate overriding legitimate grounds for our continued processing.
We would only be entitled to refuse to comply with your request for erasure for one of the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with legal obligations or for the performance of a public interest task or exercise of official authority;
- for public health reasons in the public interest;
- for archival, research or statistical purposes; or
- to exercise or defend a legal claim.
When complying with a valid request for the erasure of data we will take all reasonably practicable steps to delete the relevant data. Please however note that it is virtually impossible to guarantee the permanent and irretrievable deletion of electronic data. In addition, sometimes we may be obliged by law or regulation, or need for risk-management reasons, to retain the ability to access certain elements of personal data.
Right to restrict processing
You have the right to request that we restrict our processing of your personal data in certain circumstances. This means that we can only continue to store your data and will not be able to carry out any further processing activities with it until either: (i) one of the circumstances listed below is resolved; (ii) you consent; or (iii) further processing is necessary for either the establishment, exercise or defence of legal claims, the protection of the rights of another individual, or reasons of important EU or Member State public interest.
The circumstances in which you are entitled to request that we restrict the processing of your personal data are:
- where you dispute the accuracy of the personal data that we are processing about you. In this case, our processing of your personal data will be restricted for the period during which the accuracy of the data is verified;
- where you object to our processing of your personal data for our legitimate interests. Here, you can request that the data be restricted while we verify our grounds for processing your personal data;
- where our processing of your data is unlawful, but you would prefer us to restrict our processing of it rather than erasing it; and
- where we have no further need to process your personal data but you require the data to establish, exercise, or defend legal claims.
If we have shared your personal data with third parties, we will notify them about the restricted processing unless this is impossible or involves disproportionate effort. We will, of course, notify you before lifting any restriction on processing your personal data.
Right to rectification
You also have the right to request that we rectify any inaccurate or incomplete personal data that we hold about you. If we have shared this personal data with third parties, we will notify them about the rectification unless this is impossible or involves disproportionate effort. Where appropriate, we will also tell you which third parties we have disclosed the inaccurate or incomplete personal data to. Where we think that it is reasonable for us not to comply with your request, we will explain our reasons for this decision.
Right of data portability
If you wish, you have the right to transfer your personal data between data controllers. In effect, this means that you are able to transfer your Leyton Legal account details to another online platform. To allow you to do so, we will provide you with your data in a commonly used machine-readable format that is password-protected so that you can transfer the data to another online platform.
Alternatively, we may directly transfer the data for you. This right of data portability applies to: (i) personal data that we process automatically (i.e. without any human intervention); (ii) personal data provided by you; and (iii) personal data that we process based on your consent or in order to fulfil a contract.
Right to lodge a complaint with a supervisory authority
You also have the right to lodge a complaint with the Information Commissioner. The relevant contact details are:
Phone: 0303 123 1113
Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
You may ask to unsubscribe from direct marketing at any time.
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during the period for which we hold your data.
If you have any comments or suggestions or you would like to exercise any of the rights referred to above then please contact our Data Protection Manager at dpm@LexLeyton.co.uk We take privacy seriously and will get back to you as soon as possible.
TRANSFERRING YOUR DATA INTERNATIONALLY
In order to provide you with the best service and to carry out the purposes described, your data may be transferred:
- to third parties such as regulatory authorities, advisers or other suppliers to LexLeyton to include inter alia Leyton UK Limited a company registered in England and Wales (06977112) and Thesee Maroc a company registered in Morocco (RCS 245533) which provides IT support services;
- to a cloud-based IT storage and IT systems providers; and
- to other third parties.
For example an IT supplier may see your personal information when providing software support or a company used for marketing services may process contacts’ personal information for us.
We want to make sure that your data is stored and transferred in a way, which is secure. We will therefore only transfer data outside of the European Economic Area or EEA (i.e. the Member States of the European Union, together with Norway, Iceland and Liechtenstein) where it is compliant with data protection legislation and the means of transfer provides adequate safeguards in relation to your data, for example:
- by way of data transfer agreement, incorporating the current standard contractual clauses adopted by the European Commission for the transfer of personal data by data controllers in the EEA to data controllers and processors in jurisdictions without adequate data protection laws; or
- by signing up to the EU-U.S. Privacy Shield Framework for the transfer of personal data from entities in the EU to entities in the United States of America or any equivalent agreement in respect of other jurisdictions; or
- transferring your data to a country where there has been a finding of adequacy by the European Commission in respect of that country’s levels of data protection via its legislation; or
- where it is necessary for the conclusion or performance of a contract between ourselves and a third party and the transfer is in your interests for the purposes of that contract (for example, if we need to transfer data outside the EEA in order to meet our obligations under that contract if you are a client of ours); or
- where you have consented to the data transfer.
To ensure that your personal information receives an adequate level of protection, we have put in place appropriate procedures with the third parties we share your personal data with to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects the law on data protection.
CHANGES TO THIS PRIVACY NOTICE
We may make changes to this Privacy Notice from time to time to reflect any changes to our use of your personal information.
We may also make changes as required to comply with changes in applicable law or regulatory requirements.
We encourage you to review this Privacy Notice from time to time so that you receive up to date information about how we use your personal information.