Privacy Notice
Welcome to our website. We take your privacy seriously and are committed to protecting your personal data. This Privacy Notice explains how we collect, use and protect your personal data when you visit our site. As a legal services provider, we adhere to strict data protection laws and ethical standards to ensure your privacy is respected at all times. This Privacy Notice was last updated on 7 October 2024. Please take a moment to read through this Privacy Notice to understand how Aria Grace Law handles your personal data and your rights regarding your personal data. If you have any questions, please feel free to contact us at privacy@aria-grace.com.
A. Legal entity information
“Aria Grace Law” refers to the following legal entities:
- Aria Grace Law CIC, which is a company registered in England & Wales with the registration number of 13927967 and the registered address of 20 North Audley Street, London, W1K 6WE.
- Aria Grace Limited, which is a company registered in England & Wales with the registration number of 11421845 and the registered address of 20 North Audley Street, London, W1K 6WE.
Each of the entities that form Aria Grace Law operates as a data controller. A data controller determines why, when and how personal data is processed. The word “processing” refers to any activity that involves the use of personal data, including obtaining, recording, holding, organising, amending, retrieving, using, disclosing, erasing or destroying it, as well as transmitting or transferring it to third parties.
B. Applicable law and standards
Aria Grace Law complies with data protection law and best practices. The data protection laws that apply to it include the UK GDPR, the Privacy and Electronic Communications (EC Directive) Regulations 2003, and any other applicable European Union legislation (such as the General Data Protection Regulation 2016/679) relating to personal data. The “UK GDPR” is the retained version of the General Data Protection Regulation 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419). It sits alongside the Data Protection Act 2018.
C. Personal data that Aria Grace Law collects
Personal data refers to any information that relates to an identified or identifiable individual. This can include a wide range of details that can be used to directly or indirectly identify a person. In the course of providing our services, we collect a variety of personal data from our clients and other individuals who engage with our law firm. Below is a more detailed explanation of the types of personal data we collect:
- Identity and Contact Data: This includes personal details that allow us to identify and communicate with you. We may collect your name, marital status, title, date of birth, gender and contact information such as your address, email address and phone number. This information is essential for verifying your identity, maintaining accurate records and facilitating communication.
- Financial and Transaction Data: If you engage in financial transactions with us, such as making payments for our services, we will collect your financial information. This includes your bank account details, payment card information and records of transactions made with us. We handle this data with the utmost security to ensure your financial information is protected.
- Contractual Data: When you enter into a formal agreement or contract with us, we collect and store information related to that agreement or contract. This includes details of any legal services we are providing, the terms and conditions agreed upon and any related correspondence. Contractual data helps us deliver our services and fulfil our obligations under the agreement or contract.
- Usage and Technical Data: We may collect technical information when you interact with our website or use any of our online services. This includes data such as your Internet Protocol (“IP”) address, browser type, time zone settings and device information. We collect this data to monitor the functionality of our website, improve user experience and ensure our services are accessible and secure.
- Sensitive Data: In some cases, we may collect sensitive data, also known as “special category data”, when it is relevant to the services we are providing. This may include information about your racial or ethnic background, health information or other sensitive personal details. We only collect this type of data where necessary and with your explicit consent or where it is required by law.
This information is collected to help us deliver our legal services efficiently and to comply with legal obligations, while always ensuring that your privacy and data are protected in accordance with the highest standards.
D. Aria Grace Law’s legal grounds for processing your personal data
We only process personal data where we have one or more legal grounds that allow us to process your personal data. Below is a summary of the legal grounds that we rely upon:
- Consent: This is where you have given clear and explicit consent, either through a statement or a clear positive action, for us to process your personal data for a specific purpose. You can withdraw your consent at any time.
- Performance of a contract: This is where we are processing your personal data because it is necessary for the performance of a contract to which you are a party (or to take steps at your request before entering into a contract).
- Legal obligation: This is where we process your personal data as it is necessary to comply with a legal or regulatory obligation, such as anti-money laundering or compliance with court orders.
- Legitimate interests: This is where we process personal data based on our legitimate interests, provided these interests are not overridden by your rights and freedoms. Our legitimate interests include running and improving our business, providing legal services and managing client relationships.
- Vital interests: This is where we may process personal data to protect your vital interests or those of another person, such as in an emergency situation.
E. Categories of individuals (data subjects) whose personal data we process
At Aria Grace Law, we interact with a wide range of individuals and groups. Here’s a quick summary of the types of people we collect data from, what we collect, how we collect it and why we process it:
- Website users: We collect personal data from individuals who visit our website. This data includes information that helps identify you, such as your name, contact details like your email address and technical information such as your IP address and browser type. We also collect any communication details, such as messages you send through the website. The data is gathered in two ways: automatically through cookies and tracking technologies as you browse the site or directly when you provide it via forms or other contact options. We process this data based on your consent when you engage with our site, our legitimate interest in improving the website and any legal obligations we must follow.
- Job applicants: We collect personal data from individuals who apply for roles at our firm. This includes your identity and contact information, details from your CV, qualifications and potentially diversity data if provided. The data is collected through application forms, emails and references provided during the recruitment process. We process this data based on your consent when you apply, our legitimate interest in assessing your application and to fulfil our contractual obligations related to hiring.
- Prospective and existing clients: We collect personal data from individuals or businesses that are seeking or currently receiving legal services from us. This data may include your identity, contact information, financial details, case-specific information and sensitive data relevant to your legal matter. We gather this data through various interactions, such as meetings, phone calls, emails or submissions made through our website. The legal basis for processing this data includes fulfilling our contract to provide legal services, our legitimate interest in improving those services and compliance with legal obligations.
- Third-party suppliers: We collect personal data from service providers who support our operations. This data includes contact names, email addresses, service-related details and communication records. We gather this data through regular communications and during the course of our service engagements. The legal basis for processing this data includes fulfilling contracts related to service agreements, our legitimate interest in managing supplier relationships effectively and compliance with legal obligations.
This simplified overview shows how we process personal data across different interactions to ensure smooth operations while complying with legal requirements.
F. Sharing your personal data with others
We take your privacy seriously and only share your personal data with third parties when it is necessary for specific purposes. Below are the circumstances under which we may share your personal data:
- Service providers: To ensure the smooth operation of our services, we work with a range of trusted third-party service providers who assist in the delivery of our legal services. This includes IT support, cloud storage providers, payment processors and other technical or administrative services. These providers are carefully selected and required to handle your personal data securely and in accordance with data protection laws. They only process your personal data in line with our instructions and for the specific purposes we have outlined.
- Legal and regulatory bodies: In certain situations, we may be legally required to share your personal data with regulatory authorities, courts or law enforcement agencies. This could include sharing information in response to legal processes such as court orders or to comply with regulatory obligations such as anti-money laundering requirements. In all such cases, we ensure that any disclosure is lawful and limited to what is necessary.
- Client services: If we have collected your personal data while providing legal services to a client, we may need to share this data with the client as part of our engagement. Additionally, where legally permitted and relevant to the legal matter, we may share your personal data with other parties involved in the case, such as barristers, expert witnesses or other legal professionals.
- Feedback and surveys: To continually improve the quality of our services, we may seek feedback from our clients. On a confidential basis, we may share your personal data with carefully selected third parties to conduct surveys or gather feedback about your experience with our firm. This information helps us assess our performance and identify areas where we can enhance our offerings, while always safeguarding your privacy.
Please note that when we share your personal data, this may entail transferring your personal data outside of the UK and European Economic Area (“EEA”). Where we do so, we ensure that robust safeguards including those outlined below are in place.
- Contractual protections: We require that any organisation receiving your personal data has contracts in place with us that explicitly outline their obligations to protect it. These contracts are designed to ensure that the receiving organisation upholds the same high standards of data protection that are mandated in the UK and the EEA. This includes obligations around the secure handling of your personal data, limitations on how it can be used and requirements for reporting any data breaches. By establishing these contractual protections, we create a legally binding framework that compels third parties to treat your personal data with the utmost care and respect.
- Adequate protection standards: When transferring your personal data to countries outside the UK and the EEA, we are committed to ensuring that such transfers are conducted in compliance with data protection laws. Specifically, we only transfer personal data to countries that are recognised by the Information Commissioner’s Office (“ICO”) or the European Commission as providing adequate protection for personal data. This means that these countries have established legal frameworks and safeguards that align with the data protection standards set forth by UK and EU laws. By adhering to these adequacy standards, we help ensure that your personal data remains protected from potential risks associated with cross-border transfers.
Through these measures, we aim to uphold your trust and confidence in how we handle your personal data, ensuring it is treated with the highest level of security and integrity throughout our operations and beyond.
G. Protecting your personal data
At Aria Grace Law, the protection of your personal data is a fundamental aspect of our operations. We understand that personal data security is vital for maintaining your trust, and as such, we employ a comprehensive range of technical and organisational measures designed to ensure the highest levels of security for your personal data:
- Security measures: We implement advanced security protocols to protect against accidental loss, unauthorised access and tampering of your personal data. This includes the use of encryption technologies, firewalls and intrusion detection systems, which work together to create a secure environment for data storage and transmission. Regular security assessments and updates are conducted to identify and mitigate potential vulnerabilities, ensuring our systems are always protected against emerging threats.
- Restricted access: Access to your personal data is strictly limited to trusted employees, selected contractors and relevant third parties who require this information to perform specific tasks related to our legal services. We enforce role-based access controls, ensuring that individuals can only access the data necessary for their work. This minimises the risk of unauthorised access and ensures that your personal data is handled only by those with a legitimate need to know.
- Data breach preparedness: We recognise that despite our best efforts, data breaches can occur. To address this, we have developed robust policies and action plans that enable us to respond swiftly and effectively in the event of a data breach. Our response protocols include immediate containment measures, comprehensive investigations to determine the cause and scope of the breach and timely notifications to affected individuals and relevant authorities as required by data protection laws. Our preparedness ensures that we can minimise the impact of any incident on your personal data.
- Third-party compliance: We maintain stringent standards for third-party compliance to ensure that any suppliers we work with uphold similar security practices. We conduct thorough due diligence on our suppliers to verify that they meet our strict security requirements. Additionally, all suppliers are required to adhere to contractual agreements that comply with applicable data protection laws, ensuring they maintain the security and confidentiality of your personal data at all times. This collaborative approach to data protection helps create a secure environment throughout our entire supply chain.
By implementing these comprehensive measures, we are dedicated to protecting your personal data and ensuring its integrity, confidentiality and availability throughout our operations. Your trust is paramount to us and we are committed to maintaining the highest standards of data protection.
H. Retaining your personal data
We retain your personal data only for as long as necessary to achieve the purposes for which it was collected, including compliance with any legal, regulatory, tax and accounting obligations.
When determining the appropriate retention period, we take into account several factors, including:
- Nature and sensitivity of the data: We assess the type of personal data we hold and its level of sensitivity to ensure that it is managed appropriately throughout its retention period.
- Potential risks of unauthorised access: We evaluate the risks associated with unauthorised access to your personal data, which helps us decide how long we should retain it while maintaining its security.
- Specific purposes of processing: We consider the particular reasons for processing your personal data, ensuring that we only keep it for as long as it is relevant and necessary for those purposes.
In certain cases, we may retain your personal data for a longer duration to address any complaints or potential legal issues that may arise from our relationship. However, we strive to minimise such circumstances whenever possible to ensure that your personal data is not kept longer than necessary.
I. Your legal rights in respect of your personal data
You have important rights concerning your personal data, which are designed to empower you and give you greater control over how your personal data is handled. Below is an overview of your rights and how you can exercise them:
- Access your personal data: You have the right to know what personal data we hold about you. If you're curious about the personal data we collect, you can request access to it. This helps you understand what data we process and how we use it.
- Correct errors in your personal data: If you notice any inaccuracies in your personal data, please let us know. You have the right to request that we update or correct any incorrect information. This ensures that the data we have is accurate and reflects your current situation.
- Request deletion of your personal data: Under certain circumstances, you can request the deletion of your personal data, particularly if it is no longer necessary for the purposes for which it was collected. However, please be aware that we may need to retain certain information to comply with legal obligations, even if you request its deletion.
- Limit the processing of your personal data: If you have concerns about the accuracy of your personal data or how we are using it, you can request that we limit its processing while we investigate your concerns. This right allows you to ensure that your data is being handled appropriately.
- Object to processing your personal data: You have the right to object to the processing of your personal data, especially if the processing is based on our legitimate interests or if it is being used for direct marketing purposes. If you choose to object, we will assess your request and respond accordingly.
- Transfer your personal data where data portability applies: If you wish to transfer your personal data to another organisation or receive it in a structured format, you can request data portability.
While we fully respect and support your rights concerning your personal data, it’s important to note that these rights are not always absolute. There may be circumstances in which we cannot fulfil a request to exercise your rights, depending on the specific context and legal obligations we are bound to uphold.
For instance, certain exemptions may apply when fulfilling requests related to access, correction or deletion of your personal data. One such exemption is legal privilege, which protects the confidentiality of communications between a client and their legal advisor. This means that if a request pertains to information that is subject to legal privilege, we may not be able to disclose that information without breaching our professional obligations.
In addition, we may need to retain some personal data to comply with legal, regulatory or ethical requirements, which could restrict your ability to exercise rights such as deletion or restriction of processing. We will always inform you of the specific reasons if we are unable to fulfil a request, ensuring transparency throughout the process. Our commitment is to protect your rights while also adhering to the legal frameworks that govern our practice as a law firm.
To exercise any of your rights, please reach out to us at privacy@aria-grace.com. Accessing your personal data and exercising these rights is free of charge. However, if we find your request to be manifestly unfounded or excessive, we may charge a reasonable fee or decline the request, providing an explanation for our decision.
For security reasons, we may need to verify your identity before processing your request. We aim to address all legitimate requests within one month. However, if your request is particularly complex, it may take a little longer. If that happens, we will keep you updated on the status of your request to ensure transparency throughout the process.
If you believe that your rights regarding your personal data are not being respected or have been compromised, you have the option to file a complaint with the ICO at www.ico.org.uk. The ICO is the regulatory body responsible for upholding information rights and ensuring that data protection laws are enforced.
However, we strongly encourage you to reach out to us first if you have any concerns. At Aria Grace Law, we are committed to addressing your issues and providing you with the support you need. We value your feedback and take any complaints seriously, as they help us improve our services and practices. By contacting us directly, we can often address your concerns more quickly and more effectively.
J. Aggregated data
At Aria Grace Law, we sometimes aggregate data for the purposes of analysis, which may include statistical or demographic information. This process involves compiling data from multiple individuals to create a broader dataset that reflects trends or patterns.
When we aggregate data, we ensure that all personally identifiable information is removed or anonymised. This means that any information that could potentially identify you, either directly or indirectly, is stripped away. As a result, the aggregated data becomes completely anonymous and cannot be traced back to any individual.
Because this anonymised data does not relate to any identifiable person, it falls outside the scope of data protection laws. This allows us to utilise the data for various analytical purposes without the constraints that govern personal data. For example, we might analyse aggregated data to understand user behaviour, improve our services or assess the effectiveness of our marketing strategies.
By employing this method, we can gain valuable insights while ensuring your privacy and protecting your personal data. Our commitment to responsible data management means that even when using aggregated data, we prioritise your privacy and adhere to the highest standards of data protection.
K. Linking to other websites
Our website may include links to third-party websites, applications and plug-ins. When you click on these links or enable connections to external sites, you may allow third parties to collect or share data about you. Please be aware that we do not have control over these external websites and cannot be held responsible for their privacy practices. We recommend that you review the privacy statements of any site you visit after leaving our website to understand how your data may be used.
L. Our marketing practices
We prioritise giving you choices regarding how your personal data is used for marketing purposes. We may utilise your personal data to better understand your interests and tailor our communications accordingly. You will receive marketing communications from us if you have requested information or purchased services and have not opted out. Before sharing your personal data with any third parties for marketing purposes, we will always obtain your explicit consent. If you wish to stop receiving marketing messages, you can easily opt out by contacting us or the relevant third parties involved. Please note that opting out of marketing communications will not affect messages that are necessary for fulfilling our contractual obligations, such as essential communications related to services you have engaged us for.
Date: 7 October 2024