Privacy Notice for Clients and Business Contacts
ReganWall, Business Law Firm
Adopted: August 2018 (updated March 2020, updated July 2020)
ReganWall, Business Law Firm takes the protection of your personal data very seriously. This Privacy Notice tells you how we collect and use your personal information and your rights in relation to that information. It tells you:
- WHO WE ARE AND WHAT WE DO
- WHAT PERSONAL DATA WE COLLECT ABOUT YOU AND WHY WE COLLECT IT
- HOW WE OBTAIN YOUR PERSONAL DATA
- WHY WE PROCESS YOUR PERSONAL DATA AND OUR LAWFUL BASIS
- YOUR RIGHTS
- WHO WE SHARE YOUR PERSONAL DATA WITH
- HOW LONG WE HOLD YOUR PERSONAL DATA
- HOW WE PROTECT YOUR PERSONAL DATA
- CHANGES TO THIS PRIVACY NOTICE
- HOW YOU MAY CONTACT US
- SUPERVISORY AUTHORITY
Who we are and what we do
ReganWall is a Cork-based business law firm. We specialise in providing corporate and commercial legal services to business clients.
This Privacy Notice provides further information about the personal data processed by us for the purposes of the General Data Protection Regulation (“GDPR”).
What personal data do we collect about you and why we collect it
We may collect and process different types of personal data in the course of operating our business. As a law firm our principal focus is on providing best in class legal services to our clients. We also undertake a number of related activities, including hosting client events, hosting and/or participating in seminars and conferences and circulating legal updates and marketing material.
As an employer, we also collect and process personal data as part of the recruitment process. A separate Privacy Notice is provided to our employees.
We also collect and process personal data about our suppliers.
In the context of the COVID-19 pandemic we may request certain health related data from you in advance of attendance at our offices. This includes whether you have been diagnosed with or are displaying symptoms of COVID-19 or whether you have been advised by a doctor to cocoon or self-isolate. You may also be asked to confirm if you have been in close contact with a person who has been confirmed or is a suspected case of COVID-19 and advise of any travel outside of Ireland within certain timeframes.
|Examples of Personal Data||Why we collect it|
|Your personal details such as your name and job title as well as contact data such as your telephone number, email address or postal address||Legal services and related activitiesAdministration purposesCompliance with our legal obligations, for example in relation to anti-money laundering MarketingRecruitmentReceipt of goods or services from our suppliersTo enable contact tracing of visitors to our offices in line with Government requirements arising out of the COVID-19 pandemic|
|Financial data such as payment related information or bank account details||Legal services and related activitiesAdministration purposesReceipt of goods or services from our suppliers|
|Identification and other background verification data such as a copy of a passport, driver’s licence or utility bill as well as other information we require to comply with our obligations under anti-money laundering legislation||Legal obligations connected with “know your customer” requirements under anti-money laundering laws|
|Personal data provided to us or generated by us in the course of providing our legal services, which may, where relevant, include special categories of personal data||Legal services and related activities|
|Recruitment related data such as your curriculum vitae, your education and employment history, details of professional memberships and other relevant information||Recruitment|
|Website usage and other technical data such as details of your visits to our website or information collected through cookies and other tracking technologies||Improving our websiteResponding to enquiries|
How we obtain your personal data
We may obtain personal data from you directly, from a third party, from our website or from publicly available sources. If it is not disproportionate or prejudicial, we will contact you to let you know we are processing your personal information.
You may provide your personal data to us when you:
- make an enquiry or seek information about our services;
- give us information necessary for a specific client service that we are performing for you; for example, in the context of our “know your customer” processes and other background checks;
- give us your business card at an event or a meeting;
- participate in our client seminars and similar events;
- participate in our marketing, recruitment or other promotional events;
- market or provide your services to us; or
- visit our offices.
A third party may provide your personal data to us, when we:
- provide our client services;
- conduct background checks, including “know your customer” checks; or
- are recruiting and you have provided your personal data to a recruitment agency for the purpose of sharing it with us.
You may give us your personal data when you use our website. This includes data about your profile and usage as well as technical data.
We may collect data on identity, contact details, financial data, and professional information from publicly available sources, including from:
- public registers of individuals (such as electoral registers);
- public registers of companies, charities, law firms, chartered accountants and other entities;
- public registers of sanctioned persons and entities; and
- other public sources including any services accessible on the Internet which you are using for professional networking purposes, such as LinkedIn.
Why we process your personal data and our lawful basis
We process all personal data lawfully and in accordance with legal requirements. The GDPR sets out the grounds upon which processing of personal data may be undertaken.
We will process your personal data where:
- this is necessary to perform our obligations relating to or in accordance with any contract that we may have with you;
- it is in our legitimate interest to use your personal data to ensure that we can carry out our activities as effectively as possible. We will only use this basis when we are of the view that our interest in collecting the personal data is not outweighed by your interests or fundamental rights and freedoms. You may object to any processing we undertake on this ground. Please see “Your Rights” for further information;
- we need to do so in order to comply with any legal or regulatory obligations, such as our obligations under anti-money laundering and counter terrorist financing law;
- the processing is necessary for the establishment, exercise or defence of legal claims or for the purposes of providing legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings;
- we need to do so to comply with public health requirements and protecting against serious cross-border threats to health; or
- you have consented to us processing your personal data for a particular purpose.
You have a number of rights to control the personal data we use and how we use it. The rights available to you depend on our reason for processing your information.
Your right of access
You have the right to ask us if we are using or storing your personal data. You may exercise this right by asking us for a copy of the data. This is usually called “making a data subject access request”. We will provide the first copy of your personal data free of charge but we may charge you a reasonable fee for any additional copies.
We will not give you access to a copy of your data if this would adversely affect the rights and freedoms of others. For security reasons we will not give you access to credit/debit card details but will delete these from our systems at your request.
You may ask to change information you think is inaccurate
You may ask for your personal data to be corrected or deleted. This is known as the “right of rectification”.
We may not always be able to change or remove that information but we will correct factual inaccuracies and may include your comments in the record to show that you disagree with it. We will usually take one month to respond to your request.
You may ask to delete information (right to be forgotten)
In some circumstances you may ask for your personal information to be deleted. This is known as the “right to be forgotten” or the “right to erasure”.
You do not always have a right to be forgotten and the right only applies in certain circumstances including the following:
- we no longer need your personal data;
- you have removed your consent for us to use your information (where there is no other legal reason for us to use it);
- there is no legal reason for the use of your information;
- deleting the information is a legal requirement; and
- you have objected to the use of your data and your interests outweigh our interests.
Where your personal information has been shared with others, we’ll do what we can to make sure those using your personal information comply with your request for erasure.
Please note that we are unable to delete your information where:
- we are required to have it by law;
- it is used for freedom of expression;
- it is used for public health purposes;
- it is for scientific or historical research or statistical purposes where deleting the data would make it difficult or impossible to achieve the objectives of the processing; or
- it is necessary for legal claims.
You may ask us to limit what we use your personal data for
You have the right to ask us to restrict the way we use your personal data if you are concerned about its accuracy or how it is being used. You may also stop us from deleting your data.
If you ask us to restrict your personal data we must store it securely and we will not use it unless:
- we have your consent to do so;
- the data is needed for legal claims;
- its use is to protect another person’s rights; or
- its use is for reasons of important public interest.
Where restriction of use has been granted, we’ll inform you before we carry on using your personal data.
Your right to object to processing
You may object to our processing of your personal data if we are using it for certain purposes, including:
- for our legitimate interests;
- for statistical purposes; or
- for direct marketing.
However, we may refuse to comply with your objection if we have a sufficiently strong reason for continuing to process your data that overrides your objection. We may also refuse to comply if the use of your data is for a legal claim. We will inform you if this is the case.
You may ask to have your personal data moved to another provider (data portability)
You have the right to ask for your personal information to be given back to you or another service provider of your choice in a commonly used format. This is called “the right to data portability”.
This right only applies if you have provided us with the personal data and we hold that data electronically. It does not apply where it would adversely affect the rights and freedoms of others.
You may make a complaint
You have the right to lodge a complaint with the local supervisory authority for data protection in the EU member state where you usually reside, where you work or where you think an infringement of data protection law took place. See the section below relating to the Supervisory Authority for further information.
Who we share your personal data with
We may need to share your personal data in the course of providing our legal services, including for the purposes of communicating and dealing with the various parties involved in a transaction or matter and with other professional advisers as well as with counterparties. We may also disclose your personal data:
- to any person or entity to whom we are required or requested to make such a disclosure by a regulatory authority or law enforcement authority or in order to enforce legal contracts;
- to any financial institution providing finance to us;
- to business partners and subcontractors for the performance of any contract relating to our services, including email, CRM, payment processors, data aggregators, hosting service providers, external consultants, service providers, auditors, accountants and IT consultants;
- to protect our rights, property, or safety, or that of our clients or others. This may include exchanging information with other companies and organisations for the purposes of fraud protection;
- to analytics and search engine providers that assist us in the improvement and optimisation of our website. This consists of information relating to the web pages visited on the website and tracking codes from service providers like LinkedIn and Google; and
- in the case of a merger or demerger of the firm or where substantially all of the assets of the firm are transferred to another party, in which case personal data held by us may be one of the transferred assets, or where one or more of the firm’s partners establishes a succeeding practice which takes over some or all of the business of the firm, in which case personal data held by us may be transferred to the succeeding firm; and
- to our affiliates and associated companies, including RW Services Limited (a company owned by our partners).
How long we hold your personal data
How long we keep your personal data depends on why we are processing it in the first place. A summary of our retention practices is set out below. We normally retain:
- general corporate/commercial files for 7 years and 6 months;
- property files for 13 years;
- copies of executed agreements, deeds and closing papers for 13 years;
- original versions of executed agreements, deeds and closing papers indefinitely;
- accounts documentation for 6 years;
- AML documentation for 5 years;
- the personal data of our business contacts as required for the business relationship;
- the personal data of our suppliers for 6 years and 3 months after the supplier relationship ends;
- personal data relating to website usage for 12 months;
- trust documents for the duration of the trust and 12 years thereafter;
- personal data collected for recruitment purposes for 12 months in the case of an unsuccessful candidate. We retain successful applications with our HR files; and
- personal data obtained for the purposes of contact tracing of visitors to our offices for 3 months.
How we protect your personal data
We have implemented appropriate information security policies, rules and technical measures to protect personal data under our control from unauthorised access, improper use or disclosure, unauthorised modification and unlawful disclosure or accidental loss. All those who process your personal data on our behalf are obliged to respect its confidentiality.
If you think that there has been any loss or unauthorised access to personal data of any individual, please let us know immediately.
Changes to this privacy NOTICE
We may change this Privacy Notice from time to time. You may check to see if this Privacy Notice has been changed by looking at the date at the top of this policy which tells you when it was last updated.
If the Privacy Notice has been changed since you last looked at it, you should read it again to make sure you are comfortable with the changes we have made.
How you may contact us
If you have any questions about this Privacy Notice or if you wish to exercise your rights under the GDPR or other relevant legislation, please contact us by either sending an email to email@example.com or calling us on +353 21 234 0428.
As well as contacting us, you may contact the Data Protection Supervisory Authority relevant to you if you have any concerns about this Privacy Notice, or about the way we are processing your personal data.
The Supervisory Authority in Ireland may be contacted at firstname.lastname@example.org if you have any concerns or questions about the way in which we are processing your personal data.