What are you looking for?

Introduction

We treat privacy and confidentiality very seriously at Hugh James. We comply with all aspects of the UK’s data protection legislative framework, which includes the European General Data Protection Regulation (GDPR) and the UK’s own legislation, as well as other confidentiality obligations that apply to us because we are solicitors.

In the course of providing legal and financial advice services to our clients and running our businesses, we gather and use personal information about a number of different categories of people. We have developed this privacy notice in order to be as transparent as possible about the personal information we collect and use.

For the purpose of the Data Protection Act 2018 (the Act), the data controller is Hugh James of Two Central Square, Cardiff, CF10 1FS.

Does this privacy notice apply to you?

This privacy notice has been written for the benefit of the following categories of people (referred to in this notice as “you”):

  • our clients and people that represent them or who work for them
  • customers of our clients, that our clients have instructed us to act for
  • people who make enquiries about our services
  • people who receive our legal updates, newsletters or invitations to our seminars and events and those who attend such events
  • people who visit our websites or who follow us on our various social media channels
  • people whose personal information is required in order to enable our clients (or their customers) to obtain legal advice or otherwise establish, exercise or defend legal rights
  • people (and their representatives) who are involved in one of our client’s matters including witnesses and the other parties to litigation or on the other side of transactions
  • business contacts of Hugh James
  • suppliers that we use or that our clients use
  • our regulators, insurers, auditors, professional advisers and certification bodies

This privacy notice does not apply to:

  • people who currently work for us, have worked for us or who are interested in working for us. We have written a separate privacy notice for this group.
  • any services which we provide to a client as a data processor. In such circumstances, our collection and use of personal information is covered by our client’s privacy notice

If you believe that we are processing your personal information, but you are not included in the above list please contact us to discuss this.

What this notice covers

We ask that you read this privacy notice carefully as it contains important information about:

  • the personal information that we collect and use
  • the lawful bases we rely on to collect and use it
  • why we collect and use personal information
  • where we get the personal information from
  • with whom we share personal information
  • when we transfer personal information outside the EEA
  • how long we keep information and how we ensure it is secure
  • your privacy rights

You should ensure that you read this general privacy notice alongside any specific privacy notice we may issue to you, from time to time, in relation to your information.

Data Controller

Your information will be held by Hugh James. We have appointed a dedicated Data Protection Officer (DPO) to ensure appropriate oversight of our data processing activities. The DPO is Mari Rosser, who is Head of Divisional Operations at Hugh James. She can be contacted by email at mari.rosser@hughjames.com

Categories of personal information that we hold

The personal information that we collect includes:

  • basic information, such as your name (including name prefix or title), the company you work for, your title or position and your relationship to a person.
  • contact information, such as your postal address, email address and phone number(s).
  • identification and background information provided by you or collected as part of our client checking processes. This may include date of birth, nationality, birthplace, previous addresses and ID card numbers, such as driving licence and passport.
  • where you are our client, we will collect information about your circumstances that have led to you wishing to use our services. This may include special category data where this is relevant to the matter we are working on for you and information about your family members and beneficiaries. We also keep records of your contact with us.
  • if you are involved in one of our client’s matters, we will collect information about you that is relevant to the matter. This may include special category data.
  • financial information, such as payment-related information and information relevant to funding, such as bank account or policy numbers.
  • technical information collected when you visit our website or digital or in relation to materials and communications we send to you electronically, which includes information about the type of device you are using, your IP address and geographic location, your operating system and version, browser type, the content you view and the search terms you enter.
  • information you provide to us for the purposes of attending meetings and events we host, including access and dietary requirements.

If we collect or receive your personal information in the context of our provision of legal and financial services we might receive information from third parties such as your relatives, employer, other parties involved in the services we are providing (e.g. other parties in litigation or transactions) or others such as regulators and authorities. The information we collect will be relevant to the legal and financial services that we are providing to our client and may include special categories of data where lawful for us to process it.

 

The lawful bases for processing personal information

We rely on the following legal bases to process your personal information:

 

Performance of a contract This applies where we need to collect and use your personal information in order to takes steps to enter into a contract with you or to perform our obligations under a contract with you.
Legal obligation This applies where we need to collect and use your personal information to comply with applicable laws and regulatory requirements.
Legitimate interests We may collect and use your personal information to further our legitimate business interests. We only do this where we are satisfied that your privacy rights are protected satisfactorily. You have a right to object to any processing of your personal information based on this legal basis (see below).
Establishment, exercise or defence of a legal claim This applies where we need to collect or use personal information to enable us to establish, exercise or defend a legal claim of our own or when we are working on matters for our clients or their customers.
Consent We may (but usually do not) need your consent to use your personal information. You can withdraw your consent by contacting us (see below).
Public interest Although we are not a public body, we do collect and use some personal information where this is necessary to perform tasks that are in the public interests.

 

 

Why do we collect and use personal information?

We collect and use personal information for the following purposes, relying on the specific lawful bases set out in the table below:

 

Why The legal bases
To manage and administer our relationship with our clients and to provide legal and financial advice services to them Performance of a contract
Establishment, exercise or defence of a legal claim
To manage and administer our relationship with customers of our clients and to provide legal and financial advice services to them Legal obligation
Legitimate interests
Establishment, exercise or defence of a legal claim
To undertake background checks on potential clients including checking identity and checks undertaken for anti-money laundering, anti-terrorism reasons, to avoid conflicts of interest, financial and reputational checks. We do not undertake any automated decision making, but we use credit reference and fraud prevention agencies who may do so. Legal obligation
Legitimate interests
Public interest
To assist our clients with obtaining funding and insurance to help them pursue their matters and for sourcing and obtaining financial products Legitimate interests
Consent
To assist our clients (or their customers) to obtain support with their matters from experts counsel, professional advisers and funders Performance of a contract
Legitimate interests
Establishment, exercise or defence of a legal claim
To ensure that we provide excellent standards of client service through our own audit, review and quality assurance checks or by those undertaken by our clients, regulators, auditors, professional advisers and certification bodies Legitimate interests
To manage and administrate our relationships with suppliers of good and services to us Performance of a contract
Legal obligation
Legitimate interests
To make and manage client and supplier payments, including collecting payments due to us Performance of a contract
Legal obligation
Legitimate interests
To look into any complaints or queries Performance of a contract
Legitimate interests
To otherwise carry out the day-to-day operations of our businesses efficiently including managing our financial positions, business capability, planning, communications, corporate governance and audit Legal obligation
Legitimate interests
Public interest
To undertake activities designed to promote and market our services including sending out newsletters, legal updates, holding events and seminars, inviting you to enjoy our hospitality and hosting you, and keeping records of your interests in these activities Legitimate interests
Consent (where legally required)
To undertake on-line marketing activities including using a variety of digital and social media channels Legitimate interests
Consent (where legally required)
To provide “added value” services to our clients Legitimate interests
To train and develop our staff and people who work for us Performance of a Contact
Legal obligation
Legitimate interests
To run our corporate social responsibility programmes Legitimate interests
To prevent and respond to actual or potential fraud or illegal activities Legal obligation
Public interest
To establish, exercise or defend our legal rights or for the purpose of legal proceedings in which we may be involved Establish, exercise or defend legal rights

 

Also, we may collate, process and share statistical reports based on an aggregation of anonymised personal information held by us. This is useful for a variety of business reasons. If we need to use your personal data for any other purpose, we will notify you and we will explain the legal basis which allows us to do so.

Added value, client relationship and marketing activities

We undertake a range of activities designed to provide added value for our clients and business contacts and to build on our already excellent relationships with you.

While we want to keep you fully aware of all of the services we offer, we are keen to ensure that we are not responsible for sending you with unwanted marketing material. We therefore do our best to tailor the information and invites we send out. To do this we store information about your professional and personal interests and communication preferences. We also track your level of engagement with us including via our on-line and digital platforms.

The data protection legislative framework recognises that it is in our legitimate business interests to collect and use personal information for marketing reasons. We do not need your consent to do this lawfully, but we are obliged to inform you that you have a right to object to this. The law also allows us to send marketing communications by electronic means to our existing clients and business contacts without needing consent. Again, you have the right to object to this activity if you wish.

We take the view that we can keep information for marketing purposes indefinitely, and keep communicating with you from time to time, until and unless you ask us to stop. When we send you information about the services we offer or invitations to our events, we always include a simple “unsubscribe” option. If you have any difficulty using it or wish to find out more about this activity please contact us.

Sources of information

The personal information we have comes from a range of sources.

  • You give us your personal information directly, when you engage with us, including via our websites or digital media channels
  • We obtain additional information in the course of undertaking checks in order to comply with our statutory and regulatory obligations or where such checks are in our legitimate business interests
  • We obtain and generate personal information in the course of providing legal or financial services and assisting you with obtaining funding and insurance
  • We obtain contact details and other information from our business contacts
  • We collect information from publicly available sources such as telephone directories, social media, the internet and news articles, and occasionally buy marketing lists of business contacts
  • We collect personal information while monitoring our technology tools and services, including our websites, email and social media communications. For information about our use of tracking devices and cookies, please refer to our Cookies policy.

If you wish to give us personal information about another person, please speak to us to ensure that you are legally entitled to give us the information and for advice on whether you need to inform that person.

Sharing your personal data

A number of third parties may have access to your personal information or we may share or send it to them. In order for us to provide our services to you certain third parties may also collect personal data about you on our behalf. This includes:

  • Suppliers, bound by obligations of confidentiality, who provide goods, services and professional advice to us to help us run our businesses
  • Credit reference agencies to help us undertake identity and credit checks
  • Third parties engaged in the course of services we provide to clients such as experts, counsel, other professional advisers, funders and insurance providers
  • Third parties involved in our clients’ matters such as counterparties in litigation and transactions, their representatives and other advisers, courts and tribunals, government agencies and law enforcement agencies
  • Third parties who wish to offer our financial advice clients’ financial products
  • Third parties who capture and manage client advice outcomes on behalf of our financial services clients

We may also be required to share personal information with regulatory authorities, government agencies and law enforcement agencies. We will use reasonable endeavours to notify you before we do this, unless we are legally restricted from doing so.

We do not sell, rent or otherwise make personal information commercially available to any third party.

The firm uses a telephone answering service, to provide switchboard and telephone answering services. As part of this service the provider will take personal details, included but not limited to contact details, about you to allow them to notify us that you have called us and so that we may call you back.

Hugh James Trust Corporation Limited and PRD Trust Corporation Limited

A trust corporation is a company which can hold assets in England and Wales as well as abroad, as defined by s68(18) of the Trustee Act 1925. Trust corporations can act as, amongst other things, executors and trustees, attorneys and deputies.

Hugh James Trust Corporation Limited (HJTC) and PRD Trust Corporation Limited (PRDTC) are wholly owned by the partners of Hugh James. They are non-trading entities and do not have any employees.

HJTC and PRDTC do not undertake any work themselves but, rather, instruct Hugh James to undertake on its behalf any work which it is required to undertake in matters where it is appointed. Hugh James undertakes work for HJTC and PRDTC in exactly the same way and on exactly the same terms as it does for any other client. A limited number of senior members of Hugh James are empowered to take decisions on behalf and sign documents on behalf of Hugh James Trust Corporation Limited.

Any data processed for the purposes of HJTC and PRDTC’s appointments will be processed by Hugh James and in accordance with this privacy policy.

Transfers outside the European economic area (EEA)

We do not send personal data outside the EEA as a matter of course. None of the service providers we use to help us run our businesses are based outside of the EEA.

Transfers of personal data outside the EEA can arise where we are acting for individuals or business clients with interests outside the EEA, such as in the following circumstances:

Where we are acting for individual clients that:

  • live outside the EEA
  • have assets or relatives based outside the EEA
  • work or have worked for businesses that have operations based outside the EEA
  • have had accidents outside the EEA
  • have a reason to make a claim against a business, individual, trust, estate or organisation based outside the EEA

Where we are we acting for or in conjunction with businesses or organisations that:

  • have operations or employees / contractors that based outside the EEA
  • buy goods or services from businesses or organisations that are based outside the EEA
  • are entering into transactions with business, organisations or individuals based outside the EEA
  • have potential legal disputes with a business, individual, trust, estate or organisation based outside the EEA.

If we are required to transfer personal data outside of the EEA, we will ensure that we do so in a legally compliant manner and take steps to ensure the information is protected in the same way as if it was being used in the EEA. If you are affected, you should discuss this with the lawyer acting for you who will explain the particular safeguards that we will put in place.

Choosing not to give personal information

If you choose not to provide us with certain personal data you should be aware that we may not be able to offer you certain services. For example, we cannot act for you unless we are able to check your identity and run anti-money laundering checks.

Keeping personal information

Our policy is to not hold personal information for longer than is necessary. We have established data retention timelines for all of the personal information that we hold based on why we need the information. The timelines take into account any statutory or regulatory obligations we have to keep the information, our ability to defend legal claims, our legitimate business interests, best practice and our current technical capabilities. We have developed a Data Retention Policy that captures this information. We delete or destroy personal information securely in accordance with the Data Retention Policy.

Security

We are strongly committed to information security, and we take reasonable and appropriate steps to protect your personal information from unauthorised access, loss, misuse, alteration or corruption. We have put in place physical, electronic, and managerial procedures to safeguard and secure the information you provide to us including the use of encryption and pseudonymisation. We have Cyber Essentials Plus certification. If you wish to discuss the security of your information, please contact us.

Individual rights

You have a number of rights in relation to your personal data which we have. Not all of the rights apply in all circumstances. If you wish to exercise any of the rights, please contact us in the ways detailed below:

  • You have a right of access to the personal information we hold about you
  • You have the right to ask us to correct any information we hold about you that you think is wrong or incomplete
  • You have the right to object to any processing of your personal information where we are relying on a legitimate interest to do so, and you think that your rights and interests outweigh our own and you wish us to stop. There may, however, be legal or other legitimate reasons why we need to keep or use your information. If this is the case, we will consider your request and explain why we cannot comply with it. You can ask us to restrict the use of your personal information while we are considering your request.
  • You have the right to object if we process your personal data for the purposes of direct marketing. If you no longer want to receive communications from us, please contact us. We will stop sending you communications but will continue to keep a record of you and your request not to hear from us. If we deleted all of your information from our direct marketing databases, we would have no record of the fact that you have asked us not to communicate with you and it is possible that you may start receiving communications from us at some point in the future, if we obtain your details from a different source.
  • You have the right to ask us to delete your information. This is also known as the right to be forgotten or to erasure. We will not always agree to do this in every case as there may be legal or other legitimate reasons why we need to keep or use your information. If this is the case, we will consider your request and explain why we cannot comply with it. You can ask us to restrict the use of your personal information while we are considering your request.
  • Where our processing of your personal information is based on your consent, you have the right to withdraw it at any time. Please contact us if you want to do so.
  • You may have a right to obtain the personal information that you have given us in a format that be easily re-used and to ask us to pass this personal information on in the same format to other organisations. Please contact us to find out if this right applies to you.

Contact us

If you wish to exercise any of your rights under GDPR or if you are unhappy with the way in which we have used your personal data, please contact our Head of Compliance and Quality, Joanne Cromwell on 029 2267 5241 or by email at joanne.cromwell@hughjames.com or by post to Hugh James, Two Central Square, Cardiff, CF10 1FS.

You also have the right to complain to the Information Commissioner’s Office (ICO). Visit the ICO website to find out how to report a concern.

Changes to this privacy notice

This privacy notice was last updated on 24 July 2023. We keep this privacy notice under regular review and may change it from time to time by updating this page in order to reflect changes in the law and/or our privacy practices. We would encourage you to check this privacy notice for any changes on a regular basis.