This Privacy Notice sets out how we obtain and use personal data about you before and after your relationship with us, in accordance with the Data Protection (Bailiwick of Guernsey) Law, 2017 (“the Guernsey DP Law”) and in accordance with the European Union General Data Protection Regulation (2016/679) (“GDPR”).
Ashton & Co (“Ashton & Co” or “we”) is a law firm specializing in commercial law, trusts, tax and white collar crime. We are a “data controller”, which means that we are responsible for deciding how we hold and use your personal data. We are required under the data protection legislation detailed above to notify you of the information contained in this privacy notice.
This notice applies to clients, individuals connected to our clients, service providers, business referrers, intermediaries and other contacts of Ashton & Co (whether current, prospective, declined, exited or former) and users of our website. We may update this Notice at any time.
Any questions in relation to this Privacy Notice or requests in respect of personal data should be directed to email@example.com in the first instance.
The data we obtain, store and use
Ashton & Co processes data in order to provide its legal services. The type of data we may collect and process includes:
- Contact details (including names, postal and email addresses and telephone numbers)
- Information required for Ashton & Co to meet legal and regulatory requirements, including identification data (date and place of birth, nationality, identity number, copies of your passport or other identification document)
- Any information required for us to provide our services. This is highly variable and the information required will depend upon the details of your case
- Any other information you may provide to us
The nature of our work means we are also likely to collect, store and use Special Category Data which may include:
- Data relating to a person’s criminal record or alleged criminal activity
- Information about your health, including any medical condition, health and sickness records
- Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions
Special Category Data requires a higher level of protection and will only be processed where it is necessary for us to do so.
Purposes of processing
We use data, including personal data, for the following purposes. This table also confirms the lawful basis we are relying on in each case:
| Purpose | Lawful Basis for Processing |
|---|---|
| To provide our services | One or more of the following may apply: the processing is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings); the processing is necessary for the purposes of establishing, exercising or defending legal rights; the processing is necessary to protect the vital interests of the data subject or any other individual |
| To administer any contract we have entered into with you or where a party related to an entity for which we are contracted to provide services | To fulfil the contract we have entered into. |
| Making arrangements for the termination of our business relationship | The legitimate interests of Ashton & Co to seek to ensure that business relationships are terminated efficiently and effectively |
| To manage our client, intermediary and other business relationships | The legitimate interests of Ashton & Co to seek to ensure that its business is conducted efficiently and with a view to enhancing business services |
| To obtain legal and/or tax advice or representation (for example: expert witnesses) | The legitimate interests of Ashton & Co and its clients to ensure that it is able to engage relevant tax or legal advisers and/or representation |
| To ensure the security of Ashton & Co systems and staff and prevent fraud | The legitimate interest of Ashton & Co in protecting its systems and staff from being misused or the victim of criminal activity |
| To meet all legal obligations applicable to Ashton & Co including in respect of managing conflicts of interest | The processing is necessary for compliance with a legal obligation to which Ashton & Co is subject |
The data sought will vary and the purposes for processing will overlap depending on the type of services provided.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another purpose and that purpose is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note: we may process your personal data without your knowledge or consent where this is required or permitted by law.
Failure to provide personal data
If you fail to provide certain personal information and data when requested, we may not be able to fulfil the contract we have entered into for you, or on your behalf, or provide the services requested or we may be prevented from complying with our legal obligations.
Sources of personal data
The sources of data will vary on a case-by-case basis but may include banks, law enforcement agencies, government (e.g. Revenue Service), clients directly, third parties connected to the client (for example: relatives or employers) or open-source material.
Where we collect personal data directly, we do so via the completion of forms provided to you and completed by you, from identification documents provided and from correspondence including email, meetings and telephone conversations.
We will collect personal data throughout the course of our business relationship or while we provide services to clients connected to you.
Recipients of personal data
We share information with third parties including third party service providers where required by law, where it is necessary to administer our business relationship, where it is necessary for us to provide the services to you or where we have another legitimate interest in doing so.
The following are potential recipients of personal data (in each case including respective employees, directors and officers):
- Bailiwick courts and tribunals
- Guernsey Legal Aid Service (GLAS), where you are using their legal aid
- Sub-contractors, agents, consultants or service providers such as IT or archiving firms
- Bankers, auditors, accountants, legal and other professional advisers
- Guernsey and overseas regulators, or other government or supervisory body and tax authorities when required by law
- Law enforcement agencies where necessary for Ashton & Co to fulfil legal obligations applicable to it
When Ashton & Co engages a third party to process your personal data, we will require them to process your personal data in accordance with our instructions and protect the data against unauthorised or accidental use, access, disclosure, loss or destruction. We do not allow them to use your personal data for their own purposes. They will only be permitted to process your personal data for a specified purpose and in accordance with our instructions. Where they no longer need your personal data to fulfil the contract, they will need to transfer the data back to us and/or destroy or delete any data held by them.
Transferring data outside of Guernsey and the EU
In the event any of the third parties detailed above are outside of Guernsey or the EU, and where we are transferring personal data which would be protected under the Guernsey DP Law or GDPR, we will ensure that we meet the relevant requirements prior to carrying out such a transfer. This may include only transferring the data where we are satisfied that:
- The non-European Union country has Data Protection laws similar to the Laws in Guernsey and the European Union
- The recipient has agreed through contract to protect the information to the same Data Protection standards as Guernsey and the European Union; or
- We have obtained consent from the relevant data subjects to the transfer
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, altered, disclosed, used or accessed without authorisation. In addition, we restrict access to your personal data to those employees, agents, contractors, consultants and other third parties who have a business need to access the data. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally obliged to do so.
Ashton & Co only keeps data for as long as is necessary to fulfil the purposes (as set out above) for which we collected it. Details of retention periods for different aspects of your personal data are available in our retention policy, which is available on request from our Data Protection Representative. To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential for harm from unauthorised use or disclosure of the data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Once our business relationship ends, we will retain and securely destroy your personal data in accordance with our record retention and destruction policy, applicable legislation and/or regulatory requirements.
Data subject’s rights
As a data subject you have certain rights in respect of your personal data. You have the following rights:
- Right of access – you have the right to request a copy of the personal data that we hold about you and to check that we are lawfully processing that data. You will not have to pay a fee to access your personal data (or exercise any of the other rights) unless your request is clearly unfounded or excessive in which case, we may charge a reasonable fee or refuse to comply with the request.
- Right of rectification – you have the right to correct data that we hold about you which is inaccurate or incomplete.
- Right of erasure – this enables you to ask us to delete or remove your personal data where there is no good reason for us to continue to process it.
- Right to restrict processing – this enables you to ask us to suspend the processing of your personal data, for example if you want us to establish its accuracy or the reasons for processing it.
- Right of portability – you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing including direct marketing. You also have the right to ask us to delete or remove personal data where you have exercised your right to object.
- Right to object to automated processing including profiling – you have the right not to be subject to decisions based on automated processing or profiling. Ashton & Co does not currently undertake any automated processing or profiling.
If you wish to exercise these rights you should send the request in the first instance to firstname.lastname@example.org
This Privacy Notice sets out our current policy as regards the maintenance and processing of personal data. It does not form, and should in no way be construed as, a contract and no contractual rights or causes of action shall arise in relation to or in consequence of the content of this Notice.
Changes to this Privacy Notice
We keep this Privacy Notice under review and any updates will appear on our website at www.raymondashton.com. We last updated this Privacy Notice on 23 April 2021.
Ashton & Co has a Data Protection Representative and all enquiries in respect of this Privacy Notice, any complaints about the way in which your personal data is being processed, or any request to exercise any of the rights set out above should be directed to the Data Protection Representative via email at email@example.com, telephone +44 (0)1481 753300 or by post at:
Ashton & Co
Suite A5, Hirzel Court
St Peter Port
In the event you wish to make a complaint about how your personal data is being processed or how your complaint has been handled you have the right to lodge a complaint directly with the Guernsey Data Protection Commissioner either via email firstname.lastname@example.org or by post at:
Office of the Data Protection Authority
St Martin’s House
St. Peter Port
How to contact us
If you have any questions about this Privacy Notice or any data which we hold about you, please contact: email@example.com