This is an important document and we ask that you read it carefully and raise any questions or concerns you may have on the content with the SH&P contact referred to below.
In the course of our business we collect personal data relating to clients and employees of the Firm, professional contacts and service providers. We take our responsibilities in relation to such data very seriously and understand the importance of this issue to the individual.
The General Data Protection Regulations (“the GDPR”) comes into force on 25 May 2018. The regulations cover all aspects of personal data and places on us obligations to clearly identify what personal data we have, where we obtain it, why we have it, how we use it, how we store it and who we share it with. The GDPR also sets out your rights in relation to the personal data we have and obligates us to provide a contact within the Firm should you have any queries or complaints in relation to the way in which your data is kept, controlled or processed.
In essence, “personal data” is any information relating to an identifiable individual or from which an individual can be identified. The following sets out what personal data we may hold in relation to clients of the Firm (or passed to us by clients of the Firm in relation to their clients) and how it is handled.
What Personal Data Do We Have?
In all cases, the information above is supplied by the client.
Additionally, we may collect personal data via the use of Cookies on our website or in software programs offered through our website. For details of this please see our separate Cookies Policy.
Why Do We Have The Personal Data?
Under the GDPR, we can only hold and use your personal data if there is a legitimate reason for doing so. The legitimate reasons recognised under the Regulations include:
• To fulfil a contract with you or to act at your request prior to entering into a contract
• To comply with a legal or regulatory obligation
• Our legitimate interests or the legitimate interests of a third party
• With your consent
Set out below is the personal data we may hold on you and the legal basis for having and using it:
The Data we may have | The Legal basis |
Name & address, telephone & fax Nos., email address, position | To fulfil the Contract for Services we have with you or to act on a request from you prior to entering into a contract |
Photo identification | To comply with our legal obligations under the money laundering regulations |
Proof of residential address | To comply with our legal obligations under the money laundering regulations |
The subject matter on which you instruct us or request advice or assistance | To fulfil the Contract for Services we have with you or to act on a request from you prior to entering into a contract |
For users of our online software we hold the following additional personal data: | |
Users of MySH&P: The password to your account | To fulfil the contract we have with you to provide access to your records |
Users of Online Renewals: The password to your account. | To fulfil the contract we have with you to renew your rights online |
Payment card – cardholder’s name & address, billing address and delivery address | To fulfil the contract we have with you to renew your rights online |
As part of the contract for services we have with you we will endeavour to notify you of changes in the law affecting your intellectual property or related to advice we have given you in relation to intellectual property which might require action by you or be of interest in terms of strategy or future decisions on such matters. Similarly, we may notify you of any offers we may make in relation to service charges or any new intellectual property service we may introduce which may be of interest to you. To do this, we may use your personal data as described above.
Regarding communications which are exclusively for the purpose of marketing or promotion you have the right to opt out of receiving them at any time by:
• Emailing us at jwelfoot@shandp.com, or,
• Using the “unsubscribe” option in the relevant communication
Who Do We Share Your Personal Data With?
(i) In certain circumstances, we may have to share your personal data to fulfil our contractual obligations to you in relation to your intellectual property, because a dispute has arisen between us or because we are obliged to do so in law. In all cases, the data supplied is only that necessary to fulfil the purpose. The external bodies/persons with whom we might share your personal data under the circumstances described are:
• National and International bodies set up to register, administer or enforce intellectual property rights.
• Overseas Attorneys whom we appoint to act in relation to your intellectual property
• Other members of the legal profession appointed by us (with your consent) to act on your behalf
• Other individuals or organisations to solicit evidence or assistance in relation to a particular case
• Our communications services providers
• The Firm’s solicitors (in case of dispute)
• Our insurers
• Government law enforcement bodies
• Professional regulatory bodies
In selecting third parties to act on your behalf we only use individuals or organisations known to or recommended to us and so long as we are satisfied that they take appropriate measures to protect data. Those domiciled within the EEA will be bound by the GDPR. For others please see “Sharing Your Personal Data Outside the EEA” below.
(ii) There are others who may have access to the personal data we hold electronically, incidental to maintaining our systems and software or facilitating payment for services on our behalf. These will be:
• Our IT service providers
• Our software developers
• Our payment facilitator (for use of Online Renewals)
These service providers have access to our systems only to the extent necessary to perform their contractual obligations to us and so long as we are satisfied that they take appropriate measures to protect data. We have satisfied ourselves that all of these service providers are fully compliant with the GDPR.
Sharing Your Personal Data Outside The EEA
The GDPR has effect throughout the EEA. However, in order to fulfil our contractual obligations to you, we may have to transfer data outside of the EEA, e.g. where the service we provide to you relates to matters in a non-EEA country. You should be aware that the data protection provisions in such countries may not be as stringent as in the EEA. However, we can confirm that we only deal with professionally recognised, reputable bodies in these territories and we will do everything we can to ensure that if personal data is transferred, it is handled in a way consistent with this policy.
Where Is The Personal Data Stored And How Is It Secured?
The personal data referred to above is held at our offices and the offices of the third parties referred to under “Who Do We Share Your Data With?” above.
The data held by SH&P is kept on hard copy files and in password protected electronic files and record systems. Access at SH&P is limited to those who need it in order to fulfil our service obligations to you. Our staff have been made aware of the importance of personal data and the Firm’s obligations under the GDPR and other relevant data protection legislation.
SH&P’s IT systems are protected by a firewall at the perimeter and anti-virus, anti-malware and content filtering software. Our systems are backed up to The Cloud via a leading cloud service provider at a certified managed hosting location.
Sensitive personal data, e.g. photo identification and proof of residential address is kept separately by a Partner of the Firm in hard copy only in a secure location.
For information on the security of personal data that we share with third parties please see “Who Do We Share Your Personal Data With?” and “Sharing Your Personal Data Outside The EEA” above.
How Long Do We Keep It?
Subject to the points below we will retain your personal data for so long as you are a client of the Firm or the contact for a client of the Firm. This will include the lifetime of any intellectual property you own where we remain responsible for maintenance and record keeping.
We may keep your personal data for a period after that described above in order to respond to any questions or complaints from you or your representatives regarding the nature and quality of the services provided by us for you or to comply with any legal obligations regarding the retention of records. During this period the personal data will be retained only for these purposes.
When it is no longer necessary to keep your personal data for any of the reasons described above we will delete it.
Please also see the section “Your Rights” below.
Your Rights
Under the GDPR you, as an individual, have certain rights in relation to your personal data. In addition to the right to be informed about the personal data we hold and the use we make of it (as described in this Privacy Notice) you are also entitled to:
• Access the personal data we hold
• Rectify inaccurate or incomplete personal data we hold
• Request deletion of the personal data we hold (in certain circumstances)
• Restrict processing of personal data (in certain circumstances)
• Obtain and reuse the personal data that we hold (in certain circumstances)
• Object to the processing of your personal data (in certain circumstances)
• Prevent automated individual decision making and profiling (in certain circumstances)
For further information on these rights please contact us (see “Your SH&P Contact” below) or the UK Information Commissioner’s Office (ICO) website where you will find guidance on the GDPR both generally and on “Your Rights” under the regulations in particular.
Should you wish to exercise any of the rights referred to above please contact us (see “Your SH&P Contact” below)
Your SH&P Contact For Privacy
If you have any questions or concerns regarding this Policy please contact the Partner responsible for data protection within the Firm as follows:
Jon Welfoot Stevens Hewlett & Perkins 1 St Augustine’s Place Bristol BS1 4UD United Kingdom |
Tel No. 0117 922 6007 Fax No. 0117 922 6009 Email: jwelfoot@shandp.com |
Complaints
The GDPR gives you the right to file a complaint about the handling of your personal data with the regulatory body in the EEA State in which you are domiciled. The UK regulatory body is The Information Commissioner’s Office (https://ico.org.uk/).
SH&P
22 May 2018