If you want to know more about what personal data we hold and how we’ll handle it, you’ve come to the right place! But if we haven’t answered any of your questions, please contact us.
A client (or someone
who works for
Involved in a contract,
dispute, or transaction
A supplier (or
someone who works
for a supplier)
at one of our
A subscriber to our
newsletter or follower
on social media
Who we are
Stephenson Law is the name for the legal practice carried on by Stephenson Law Limited.
We’re a limited company registered in England and Wales under company number 9386665 and are registered as a ‘controller’ with the Information Commissioner’s Office under number ZA298239 in relation to the personal data we hold as a business.
We’re required to handle personal data in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018 (DPA) and certain other regulations.
We must ensure that the personal data we hold are:
- used lawfully, fairly and in a transparent way
- collected only for valid purposes that we’ve clearly told you about and not used for any purposes that aren’t compatible with those purposes
- relevant and limited to what’s necessary for the purposes we’ve told you about
- accurate and kept up to date
- kept only for as long as necessary for the purposes we’ve told you about
- kept confidential and secure
Where we store personal data
The core systems we use to provide our services are hosted on servers in the United Kingdom and the European Economic Area. In relation to client matters, we won’t transfer any personal data outside the United Kingdom or European Economic Area unless:
- you’re based outside the EEA
- you use an email provider or other communications service which is hosted (or co-located) on servers outside the EEA
- we need to communicate with someone outside the EEA
- the transfer is necessary to form or perform a contract with you or someone else where the contract is in your interests
- the transfer is necessary to establish, exercise or defend legal claims against us
- the transfer is occasional and necessary for the purposes of our compelling legitimate interests
- you give your consent to the transfer
In relation to marketing, we use Hubspot and Mailchimp which are hosted on servers in the USA. Both companies have self-certified under the EU-US Privacy Shield framework and our agreements with them include a set of clauses approved by the European Commission to ensure an adequate level of protection for personal data.
How we keep personal data secure
We take information security very seriously and have implemented several technical and organisational measures to protect the information and personal data we hold. These include:
- Computers and other devices: All computers use BitLocker full-disk encryption and all mobile devices are owned and managed by us. We use Sophos Endpoint Security to protect against malware and viruses
- Email: We can enable email encryption on request, however by default, all emails are sent using ‘opportunistic TLS’ which encrypts the connection to your email provider, but not the message itself. We use software to protect against malware and phishing attacks (and you should too!)
- Cloud services: All cloud services that we use, including Microsoft Office 365, our document management system, onboarding platform and data room tools, are hosted on secure infrastructure which uses encryption in transit and, in most cases, encryption at rest
- Communications tools: We tend to use whatever communications tools are preferred by our clients. Our preferred tool is Microsoft Teams which encrypts data at rest and in transit (but not end-to-end, which few commercial video conferencing tools do). Where we record any calls or videos using Microsoft Teams, recordings will be encrypted at rest. Phone calls made to or from our mobiles are not encrypted (and if you dial into any conference call which uses encryption, your connection won’t be encrypted)
- Training: All our staff are trained on data protection and good information security practices
Call recording and email monitoring
We don’t routinely record telephone or video calls. However sometimes it may be useful for us to do so, for example, to ensure that we’ve got a detailed record of your instructions or to help us make a detailed note of a discussion we’ve had with a barrister or expert witness. If you’re present on such calls, we’ll notify you in advance and give you an opportunity to object to a recording being made.
There may be circumstances where inboxes are shared between members of our team (for example, if someone is on holiday or long-term sick leave). We may also monitor inboxes for the purposes of ensuring compliance with our legal and regulatory obligations and internal policies on electronic communications.
You may subscribe to receive our newsletter or, if you’re using an email address provided by your employer and you’re a ‘corporate subscriber’, we may add your details to our mailing list. You can unsubscribe from our newsletter at any time by clicking the ‘Unsubscribe’ link at the bottom of each email or by emailing us at firstname.lastname@example.org.
We use Mailchimp to manage our email marketing campaigns. Mailchimp uses tiny invisible images called ‘pixels’ that are contained within emails to enable us to see:
- whether you opened an email
- where in the world the device used to open the email was located (based on your device’s IP address)
- whether you shared the email on any social media platforms
- whether you marked the email as spam
- your overall level of engagement with our email marketing campaigns
We don’t use this information any purposes except if it appears that you’re not opening our emails, we’ll automatically unsubscribe you from our mailing list.
Our website uses small text files, called cookies, which are stored on your device when you access certain features of our website. You can find out more about the cookies used on our website and how you can control them by visiting this section of our policy.
You’ve got several important rights in relation to the personal data we hold about you. The most relevant are:
- Access: You’ve the right to request access to and be provided with a copy of the personal data held about you together with certain information about the processing of such personal data to check that we’re holding it lawfully and processing it fairly
- Correction: You’ve the right to ask us to correct any inaccurate or incomplete personal data held about you
- Deletion: You’ve the right to ask us to delete or remove any personal data held about you where there’s no good reason for us to continue holding it or where you’ve exercised your right to object
- Restriction: You’ve the right to ask us to restrict how we hold your personal data, for example, to confirm its accuracy or our reasons for holding it
- Objection: You’ve the right to object to our holding of any personal data about you which is based on our legitimate interests or those of a third party based on your circumstances. You also have the right to object to our holding your personal data for direct marketing purposes
Some of the above rights only apply in certain circumstances and may be subject to certain exemptions. For example:
- If we obtain your personal data from someone else in the course of seeking legal advice from us, this will be subject to legal professional privilege and, as we have a professional obligation to maintain the confidentiality of such personal data, you’re not entitled to be informed about our processing of your personal data or request a copy of it
- You don’t have any of the above rights where the disclosure of your personal data is required by law or an order of a court of tribunal
- You don’t have any of the above rights where disclosure of your personal data is necessary for the purpose of, or relates to, any current or prospective legal proceedings, is necessary for someone to obtain legal advice from us or is necessary for the purposes of establishing, exercising or defending our legal rights or those of our clients
You’ll not have to pay any fee to exercise any of the above rights, though we may charge a reasonable fee or refuse to comply with your request where permitted to do so by law. Where this is the case, we’ll let you know. To protect the confidentiality of your personal data we may ask you to verify your identity before fulfilling any request in relation to your personal data.
You’ve the right to complain if you’re not happy with how we have collected or used your personal data. We would hope to resolve any issues informally but, if we can’t, you also have the right to raise a complaint with the Information Commissioner’s Office (ICO).
If you’ve got any questions, or want to exercise any of your rights, please email us at email@example.com or call us on 0117 244 0056.