How we use and protect your personal information

Carter Thomas Limited is a data controller. We respect your privacy and are committed to processing all personal information about you in accordance with the UK’s data protection laws.

In the sections below, this Privacy policy explains how we collect, store and use personal information.

1. Information we collect, hold and use
2. Lawful basis for using personal information
3. Special category and criminal offence data
4. Data sharing
5. Reviews
6. Transferring your information to another country
7. Retention of your information
8. Your choices and rights
9. Contact and complaints

We may update this Privacy Policy from time to time with immediate effect. We therefore recommend that you check this page regularly.

1. Information we collect, hold and use
Personal information is any information about an individual from which that person can be identified. In addition, there are special categories of more sensitive personal information requiring a higher level of protection and this is explained in more detail in section 3.

We may collect and process personal information through various means, including:

• when you contact us and send information to us by email or via other channels;
• when you call us;
• when you use our website;
• when, as a client or non-client, you sign up to our legal updates services* (such services are delivered by way of email updates, webinars, seminars, workshops and other events.);
• via social media platforms we use (i.e. LinkedIn, Twitter, Facebook, etc.);
• via publicly accessible sources (i.e. Companies House, HM Land Registry, etc.);
• at networking, seminars and other events we host/co-host or attend;
• when you (or a person representing you) applies for a job with us;
• in order to determine if we can provide legal services to you, your family or other relevant third parties or to an organisation that you are connected with;
• in the course of providing legal services to you, your family or other relevant third parties or to an organisation that you are connected with;
• in the course of providing legal services to a person you are sponsoring or otherwise supporting;
• where we enter into a contract to receive services from you; and
• otherwise through the provision of legal services or the operation of our business.

*our clients receive our legal updates services as part of our legal service to them.

Online client/prospective client meetings and online events (webinars, seminars, workshops, etc.) may be recorded by us (either voice only or visual and voice) in order to provide and improve our legal and other services. Recordings which include personal information of attendees and their image will not be shared or stored externally.

If you are a data controller or a data processor in your own right, and you provide personal data to us, you confirm to us that you have a lawful basis for doing so under data protection law and all necessary consents, where required.

The personal information that may be provided to us may include:

• your name, address and contact details;
• Anti-Money Laundering and Know Your Client information (e.g. evidence of your identity (including your professional online presence) and address, source of funds, bank details, lawful trading etc.);
• information relating to a legal matter and the provision of our services. For private clients, this may include information about you, your immigration background, your employment, your family and other relevant third parties. For corporate, education and charity clients, this may include information about your personnel, students and other relevant third parties;
• information relating to your location, preferences and interests;
• images/recordings of you (via online recordings, CCTV images and photos taken at marketing events);
• employment and job application details (i.e. date of birth, employment history, qualifications, evidence of your right to work in the UK, equality monitoring information, job role, salary, annual leave, pension and benefits);
• where required, your or others’ signature(s), National Insurance number(s), bank account information or other financial details and information about any relevant sanctions; and
• special category and criminal offence data in order to perform a contract or otherwise where you have provided consent.

Each time you visit our website, we may automatically collect the following information:

• Web usage information (e.g. IP address), your login information, browser type and version, time zone setting, operating system and platform.
• Information about your visit, including the full Uniform Resource Locators (URLs) clickstream to, through and from our website (including date and time); time on page, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs).
• Location, device and demographic information (Google Analytics provides age range and gender information).

Find out more about how Google collects demographic data.

You can opt-out of being tracked by Google Analytics.

For information on how we use Cookies and your choices, please review our Cookie policy.

The personal information we receive may relate to any of the following categories of person:

• our clients and our clients’ family members, personnel, students and other relevant third parties;
• prospective clients and their family members, personnel, students and other relevant third parties;
• those who use and/or submit enquiries through our website;
• those who receive our legal updates services;
• our employees, consultants and those who join us for work experience;
• anyone applying for a role with us or for work experience;
• emergency contacts whose details have been provided to us by our employees, consultants and those who join us for work experience;
• third parties with whom we have contact by virtue of providing legal services;
• those to whom we receive work from or refer work to, professional advisors, translators and other professionals with whom we work when providing legal services or otherwise running our business;
• our contractors and suppliers; and
• visitors to our offices.

2. Lawful basis for using personal information
We will only use your personal information for the following lawful reasons:

• To enter into and perform a contract (this applies to personal information provided by clients, prospective clients, former clients, those who are sponsoring or otherwise supporting a client, those who provide services to us, those who apply to us for positions, our employees and consultants and others with whom we have, or are seeking to have, a contractual relationship);
• Where we have a legitimate interest as a legal services provider and this is not overridden by your own interests or fundamental rights or freedoms (this applies to personal information provided by clients, prospective clients, former clients, those who are sponsoring or otherwise supporting a client, third parties relevant to a matter or prospective matter, those who receive our legal updates services, professional contacts, referrers, governmental departments, local authorities, charities and other third parties whom we work with regularly, who benefit from our relationship with them and who should reasonably expect us to hold and use their data);
• Where we need to comply with a legal obligation to which we are subject (this applies in all cases where we are required by law to process personal information); or
• Otherwise, with your consent.

We may also use your personal information in the following situations, which are likely to be rare:

• Where we need to protect your vital interests (or someone else’s interests); or
• Where it is needed in the public interest.

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

3. Special category and criminal offence data
In order to enter into and perform a contract, we may need to collect more sensitive personal information about you such as your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data for example; fingerprints. We may also need to collect information about criminal convictions and offences.

We may also on occasions seek to obtain your consent to providing such personal information to us for the purpose of, for example, responding to requests from our regulator for diversity data. Where we are requesting your consent to receive and use such personal information, you will have the right to withhold consent.

4. Data sharing
We may share your details with relevant third parties. These may include service providers, support services and organisations that help us to market our services and third parties instructed to enable us to fulfil our contractual obligations to you and/or our clients in the course of business.

If we share your information with third parties, they will process your information as either a data controller or as our data processor and this will depend on the purposes of our sharing your personal data. We will only share your personal data in compliance with relevant data protection legislation.

We may share personal information with:

• our regulator, the Solicitor’s Regulation Authority (SRA), HMRC or other government or law enforcement agencies;
• our insurance providers and our professional indemnity insurance broker;
• our lawyers, accountants and auditors, including external accreditation bodies;
• our bank;
• other professional advisors or third parties (including counsel, overseas lawyers, accountants, expert witnesses, translators or costs draftsmen) with whom we engage as part of our work for our clients or who our clients engage;
• our data processors providing email security, data governance, archiving and other IT, financial, cashiering, compliance and business support services.
• our email platform provider and our website platform provider;
• organisations we use for marketing purposes including, for example, webinar providers;
• selected partner digital agencies and online job application providers;
• analytics and search engine providers that assist us in the improvement and optimisation of our website; and
• any third party you ask us to share your data with;
• the Home Office if we are filing applications on your/your organisation’s behalf. Please note that the Home Office may share personal information with a range of organisations and please carefully review the Home Office’s Personal Information Charter for more information;
• any future buyer of our business or part of our business.

Many of the services we use are provided to us via secure and compliant cloud-based software.

We may share your information if we refer you to a third-party adviser for specialist advice or if we are prevented from acting for you due to a conflict.

Where we share information with other data controllers, they are responsible to you for their use of your information and compliance with the law.

All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal information for their own purposes. We only permit them to process your personal information for specified purposes and in accordance with our instructions.

If you are a delegate at a webinar, seminar, workshop or other events, we may share names and contact details with third party event organisers and on the delegate list which is shared with other attendees. If you attend one of our online webinars you may need to sign-up/log-in and your name may appear on screen and be seen by other attendees.

We may share your personal information with other third parties in the context of the negotiations for a sale or restructuring of the business or otherwise for the purpose of receiving professional including legal advice.

5. Reviews and feedback
If you or anyone associated with your organisation, where relevant, writes a review for us or otherwise provides feedback that may be published by us or a third party online or otherwise (for example, Google reviews, Trust Pilot, The Legal 500, Who’s Who, etc.) your name and organisation, where relevant, may appear. By providing a review you acknowledge and consent to this.

6. Transferring your information to another country
If the work we are doing for you means we need to transfer your personal information to another country, we will do this in accordance with relevant data protection legislation.

7. Retention of your information
We will retain your personal information for as long as is reasonably necessary for the purpose for which it was obtained and in accordance with our legal obligations.

Due to the nature of immigration and nationality law, in relation to the services we provide to our clients we will generally store information for up to fifteen years after the end of our relationship with our client. In relation to other matters, the retention period will depend on the specific reason(s) for which it was collected.

We may keep your data for longer if we cannot delete it for legal, regulatory or technical reasons. Where we are asked to delete data, we will delete it from the online systems we use on a daily basis. Please note that data may still remain in backup systems which are ‘beyond use’, in line with ICO guidance, until the backup deletion cycle passes through.

We may also keep it for research, preventing conflicts of interests or statistical purposes. If we do, we will ensure that appropriate safeguards are in place to protect your privacy and only used for those purposes.

Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. Unfortunately, the transmission of information via the internet is not completely secure and although we do our best to protect your personal data, we cannot absolutely guarantee the security of your data.

The third parties we engage to provide services on our behalf will keep your data stored on their systems for as long as is necessary to provide the services to you.

8. Your choices and rights
You have a number of rights in relation to the personal information we hold. You can find detailed information here.

You can, in certain circumstances:

1. Seek access your personal information (commonly known as a ‘subject access request’).
2. Request that the personal information we hold about you is updated or amended.
3. Request the erasure of your personal information.
4. Object to the processing of your personal information.
5. Request that the processing of your personal information is restricted.
6. Request the transfer of your personal information to another party.

If we are processing personal information on the basis of your consent, you may withdraw your consent to us processing it for the purpose you consented to. You can do this either via the opt-out mechanism accessed via our electronic marketing communications or by sending a request to us at privacy@carterthomas.co.uk. Please note that we may continue to process your personal information if other grounds apply.

To exercise any of the above rights, please contact us or email privacy@carterthomas.co.uk.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

9. Contact and complaints
If you have any questions about our use of your personal information or wish to raise a complaint, please contact us or email privacy@carterthomas.co.uk.

We are committed to resolving any concerns or complaints with you directly and hope that you will contact us in the first instance so we can do so.

You have the right to file a complaint with the Information Commissioner’s Office (“ICO”), the UK supervisory authority for data protection issues. Further information on your rights and the complaints process can be found on the ICO website.

Last updated: 07 June 2022