Client Data Protection Policy

Please read this Client Data Protection Policy carefully as it contains important information on who we are and how and why we collect, store, use and share your personal data. It also explains your rights in relation to your personal data and how to contact us.

TOPICS

Introduction
Who Are We And What Do We Do
Contacting Us
The Data Protection Principles
Information We Collect
How We Use Your Information
What Is Our Legal Basis To Use Or Process Your Personal Information
Marketing
Who Do We Share Your Personal Information With?
Third Party Contractors And Other Controllers
International Transfers
Security Of Your Personal Data
How Long We Keep Your Personal Data
How To Access Your Information And Your Other Rights
Links
Email Monitoring
Complaints
Changes To This Policy

1. INTRODUCTION

This Client Data Protection Policy (“the Policy”) applies in relation to clients of Laurence Keenan Advocates Limited trading as Laurence Keenan Advocates & Solicitors. It is in addition to the Website Privacy Policy which applies when you visit Our Website (www.laurencekeenan.com) full details of which are accessible on Our Website.

In the course of our acting for you, we may receive information relating to you, your directors, shareholders, beneficial owners, employees, agents, associates and family members. In this Policy, we refer to this information as “personal data”.
This Policy sets out the basis on which we will process this personal data. Please read the Policy carefully to understand our practices regarding personal data and how we will use it.

This Policy only applies to the use of your personal information obtained by us and explains our approach to any personal information that we collect from you or which we have obtained about you from a third party and the purposes for which we process your personal information. It also sets out your rights in respect of our processing of your personal information.

The Policy will inform you of the nature of your personal information that is processed by us and how you can respect that we delete, update, transfer and/or provide you with access to it.

2. WHO ARE WE AND WHAT DO WE DO

We are Laurence Keenan Advocates Limited trading as Laurence Keenan Advocates & Solicitors, a company incorporated in the Isle of Man (company number 126958C) with registered office at Victoria Chambers, 47 Victoria Street, Douglas, Isle of Man, IM1 2LD (“LKAS”, “we”, “our”, and “us”).

We are a firm of Manx Advocates and are regulated by the Isle of Man Law Society.

We are a “data controller” for the purpose of data protection legislation.

3. CONTACTING US

If you have any questions about our Policy or your information, or wish to exercise any of your rights as described in this Policy or under data protection laws, you can contact us:

By post:	Laurence Keenan Advocates & Solicitors Victoria Chambers 47 Victoria Street Douglas Isle of Man IM1 2LD
Data Protection Officer:	Craige Sansbury
By telephone:	+44 (0)1624 611933
By email:	privacy@lklaw.co.im

4. THE DATA PROTECTION PRINCIPLES

“Personal data’ means “any information relating to an identified or identifiable natural person (known as a ‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

Anyone processing personal data must comply with the principles of processing personal data which applies by virtue of the General Data Protection Regulation (“GDPR”).

Lawfulness, fairness and transparency – data must be processed lawfully, fairly and in a transparent manner.
Purpose limitation – data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data minimisation – data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy – data must be accurate and, where necessary, kept up to date.
Storage limitation – data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and confidentiality – data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical or organisational measures.

This Policy describes the personal data that we collect, and explains how we comply with these principles.

5. INFORMATION WE COLLECT

Information you provide us

We collect the personal data as necessary to enable us to carry out your instructions, to manage and operate our business and the comply with our legal and regulatory obligations.

The personal data that we collect includes, but is not limited to, the following:-

your name;
home and business address;
contact details (such as telephone numbers and email address);
date of birth;
gender;
marital status;
copies of passport, national identity card, driving licence, utility bills, bank statements and similar documents;
business and professional qualifications and experience;
immigration status and work permits;
other personal data contained in correspondence and documents which you may provide to us; and information we obtain from our IT and communications monitoring.

If you do not provide any personal data that we ask for and that we need to enable us to carry out your instructions, it may delay or prevent us from providing our services to you.

Where the personal data relates to your directors, shareholders, beneficial owners, employees, agents, associates or family members you confirm that you are authorised to provide this personal data to us. It is not reasonably practicable for us to provide to these individuals the information set out in this Policy. Accordingly, where appropriate, you are responsible for providing this information to any such individuals.

Information we collect from third parties

We collect most personal data from you directly. However, we may also collect information about you:

from publicly accessible sources, e.g. Companies Registry or Electoral Roll;
from third party sources of information, e.g. client due diligence providers;
being information which you have made public on websites associated with you or your company or on social media platforms;
from a third party with your consent, including (but not limited to):-
- your professional advisers;
- your employer;
- professional body or pension administrator;
- bank or building society, another financial institution or adviser.

Information we collect online

We do not use cookies or analytics on Our Website and do not collect any technical information from you when you access Our Website. No information about your visit and use of Our Website. Only information you provide to us voluntarily through the “Contact Us” feature of Our Website is collected or if you contact us under this Policy using the link below or by email to privacy@lklaw.co.im.

Children

Our Website is not intended for or directed at children under the age of 16 years and we do not knowingly collect data relating to children under this age.

Sensitive personal data

On rare occasions, you may also supply us with, or we may receive, special categories of (or “sensitive”) personal data. This is defined by data protection laws to include personal data revealing a person’s racial or ethnic origin, religious or philosophical beliefs, or data concerning health.

We process these special categories of personal data on the basis of one or more of the following:-

where you have given explicit consent to the processing of the personal data for one or more specified purposes;
where the processing relates to personal data which is manifestly made public by you;
where the processing is necessary for the establishment, exercise or defence of legal claims;
where the processing is necessary for reasons of substantial public interest, in accordance with applicable law. Such reasons include where the processing is necessary:-
- for the purposes of the prevention or detection of an unlawful act or for preventing fraud;
- for the provision of confidential advice.

Data relating to criminal convictions & offences

We collect and store personal data relating to criminal convictions and offences (including the alleged commission of offences) only where necessary for the purposes of:-

the prevention or detection of an unlawful act and is necessary for reasons of substantial public interest;
providing or obtaining legal advice; or
establishing, exercising or defending legal rights.

6. HOW WE USE YOUR INFORMATION

Our use of your personal data is subject to your instructions, data protection laws and our professional duty of confidentiality.

We will only process your personal data if we have a legal basis for doing so, including where:-

processing is necessary for the performance of our contractual engagement with you: this relates to all personal data we reasonably need to process to carry out your instructions;
processing is necessary for compliance with a legal obligation to which we are subject: this relates to our legal obligations in relation to, for example, anti-money laundering; and
processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms: this relates to our processing for marketing purposes, for our management, accounting and administration purposes and for data security.

The purpose for which we use and process your information (excluding sensitive personal data) and the legal basis on which we carry out each type of processing is explained below.

Purposes for which we will process the information	Legal Basis for the processing
To provide legal professional services to you in connection with the matters we are instructed upon.	To take steps at your request before entering into a contract or for the performance of our contract or with you. To comply with our legal and regulatory obligations.
To carry out associated administration and accounting in connection with your matters and other processing necessary to comply with our professional, legal and regulatory obligations.	For the performance of our contract with you or to take steps at your request before entering into a contract. To comply with our legal and regulatory obligations.
To comply with our anti-money laundering requirements.	To comply with our legal and regulatory obligations.
To comply with our internal business policies.	It is in our legitimate interests or those of a third party to adhere to our own internal procedures so that we can deliver an efficient service to you. We consider this use to be necessary for our legitimate interests and proportionate.
For updating client records.	For the performance of our contract with you or to take steps at your request before entering into a contract. To comply with our legal and regulatory obligations.
For operational reasons, such as improving efficiency, training and quality control.	It is in our legitimate interests to be as efficient as we can so we deliver the best service for you.
To prevent unauthorised access and modifications to our systems.	It is in our legitimate interests to prevent and detect criminal activity that could be damaging for LKAS and for you. To comply with our legal and regulatory obligations
For marketing our services.	It is in our legitimate interests to market our services. We consider this use to be proportionate and will not be prejudicial or detrimental to you.
To carry out credit reference checks.	It is in our legitimate interests to carry out credit control and to ensure our clients are likely to be able to pay for our services.
External audits and the audit of our accounts.	To comply with our legal and regulatory obligations.

Where we request personal data to identify you for compliance with anti-money laundering regulations, we shall process such information only for the purposes of preventing money laundering or terrorist financing, or as otherwise set out in this Policy or permitted by law.

Where we rely on legitimate interests as a lawful basis, we will carry out a balancing test to ensure that your interests, rights and freedoms do not override our legitimate interests. If you want further information on the balancing test we have carried out, you can request this from our Data Protection Officer.

Where you provide consent, you can withdraw your consent at any time and free of charge, but without affecting the lawfulness of processing based on consent before its withdrawal. You can update your details or change your privacy preferences by contacting our Data Protection Officer as provided in “Contacting us” above.

LKAS will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you in a timely manner and we will explain the legal basis which allows us to do so.

LKAS acts as a data controller in relation to the processing of personal data as set in this Policy. However, in some circumstances we may process personal data on your behalf as a data processor for the purposes of data protection laws. Where we process any personal data on your behalf as your data processor, the terms set out in our data processing addendum, a copy of which is available on request from our Data Protection Officer, shall apply.

7. WHAT IS OUR LEGAL BASIS TO USE OR PROCESS YOUR PERSONAL INFORMATION

A summary of the legal basis for each purpose is contained in Section 6 (How we use your Information) above.

In addition it may be necessary for us to use your personal information:-

To perform our obligations in accordance with any contract that we may have with you.
Where it is our legal obligation to use your personal information to comply with any legal obligations imposed upon us.

Where we rely on “legitimate interests” as a lawful basis, we will carry out a balancing test to ensure that your interests, rights and freedoms do not override our legitimate interests.

If you do not wish to provide us with your personal data and processing such information is necessary for the performance of a contract with you, we may not be able to perform our obligations under the contract between us.

8. MARKETING

We may use your personal data to notify you by email, telephone or post about important legal developments and services which we think you may find valuable, for sending you newsletters, invitations to seminars and similar marketing.

You have the right to opt out of receiving direct marketing communications from us at any time by:-

contacting our Data Protection Officer using the contact details set out above; or
using the “unsubscribe” link in emails

9. WHO DO WE SHARE YOUR PERSONAL INFORMATION WITH?

We do not share your personal data with third parties except as provided in this Policy.

We share your information with the following third parties:-

with LKAS directors, employees and consultants based in the Isle of Man;
with our third party data processors and service providers who assist with the running of Our Website and our office services including our IT support services, and data storage/back up services;
to Courts Tribunals, Law Enforcement and other Government authorities and third parties (whether within or outwith the Isle of Man) as may be permitted or required by applicable laws, or alternatively as provided for under contract or as we deem reasonably necessary in order to provide our legal services. Reasonable notice of such disclosure will be given (unless we are prohibited by law from so doing)

Our third party processors and service providers are subject to security and confidentiality obligations and are only permitted to process your personal data for specified purposes and in accordance with our instructions.

In addition, LKAS may disclose information about you in the following circumstances:-

in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets;
if all or substantially all of our assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets;
if we are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation;
if necessary to protect the vital interests of a person; and
to enforce or apply our terms and conditions or to establish, exercise or defend the rights of LKAS, our staff, customers or others.

We may also share personal information with a variety of the following categories of third parties as necessary:

Our professional advisers such as lawyers and accountants.
Government or regulatory authorities.
Professional indemnity or other relevant insurers.
Regulators/tax authorities/corporate registries.
Third parties to whom we outsource certain services such as, without limitation, document processing and translation services, confidential waste disposal, IT systems or software providers, IT Support service providers, document and information storage providers.
Third parties engaged in the course of the services we provide to clients such as counsel, arbitrators, mediators, clerks, witnesses, court, opposing parties and their lawyers, and experts such as tax advisers or valuers.
Third party postal or courier providers who assist us in delivering our postal marketing campaigns to you, or delivering documents related to a matter.

Please note this list is non-exhaustive and there may be other examples where we need to share with other parties in order to provide the services as effectively as we can.

10. THIRD PARTY CONTRACTORS AND OTHER CONTROLLERS

As mentioned in Section 9 (Who do we share your personal information with?) above, we may appoint sub-contractor data processors as required to deliver the services, such as, (without limitation), document processing and translation services, IT systems or software providers and IT Support service providers, who will process personal information on our behalf and at our direction. We conduct an appropriate level of due diligence and put in place contractual documentation in relation to any sub-contractor to ensure that they process personal information appropriately and according to our legal and regulatory obligations.

11. INTERNATIONAL TRANSFERS

We generally do not transfer your personal data outside the Isle of Man, or the European Economic Area (EEA) unless:-

You are based outside the Isle of Man/EEA; or
Where there is an international aspect of the matter which we have been instructed on.

Where personal data is transferred to and stored outside the EEA, we take steps to provide appropriate safeguards to protect your personal data, including (but not limited to):-

transferring your personal data to a country, territory, sector or international organisation which ensures an adequate level of protection, as permitted under GDPR;
entering into standard contractual clauses obliging recipients to protect your personal data as permitted under GDPR.

In the absence of an adequacy decision or of appropriate safeguards as referenced above, we will only transfer personal data to a third country where one of the following applies (as permitted under GDPR):-

the transfer is necessary for the performance of our contractual engagement with you;
the transfer is necessary for the establishment, exercise or defence of legal claims; or
you have provided explicit consent to the transfer.

If you want further information on the specific mechanism used by us when transferring your personal data out of the EEA, please contact our Data Protection Officer using the details set out above.

12. SECURITY OF YOUR PERSONAL DATA

We use industry standard physical and procedural security measures to protect information from the point of collection to the point of destruction. This includes encryption, firewalls, access controls, policies and other procedures to protect information from unauthorised access.

Where data processing is carried out on our behalf by a third party, we take steps to ensure that appropriate security measures are in place to prevent unauthorised disclosure of personal data.

Despite these precautions, however, LKAS cannot guarantee the security of information transmitted over the Internet or that unauthorised persons will not obtain access to personal data. In the event of a data breach, LKAS have put in place procedures to deal with any suspected breach and will notify you and any applicable regulator of a breach where required to do so.

13. HOW LONG WE KEEP YOUR PERSONAL DATA

Your personal data will not be kept for longer than is necessary for the purposes for which it was collected and processed and for the purposes of satisfying any legal, accounting, or reporting requirements.

The criteria we use for retaining different types of personal data, includes the following:-

General queries – when you make an enquiry or contact us by email or telephone, we will retain your information for as long as necessary to respond to your queries. After this period, we will not hold your personal data for longer than one year if we have not had any active subsequent contact with you;
Legal and regulatory requirements – to the extent permitted for legal, regulatory, fraud and other financial crime prevention and legitimate business purposes; and
Contractual obligations – we may need to retain personal data for up 6 years after we cease providing services and products to you where necessary to comply with our legal obligations, resolve disputes or enforce our terms and conditions.

After this period, when it is no longer necessary to retain your personal data, we will securely delete or anonymise it in accordance with our Data Retention Policy. Further details regarding our data retention policy can be obtained from our Data Protection Officer whose details are given above.

14. HOW TO ACCESS YOUR INFORMATION AND YOUR OTHER RIGHTS

You have the following rights in relation to the personal information we hold about you:

Your right of access

Save as described in this policy or provided under applicable data protection laws, there is no charge for the exercise of your legal rights. However, if your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or taking the action requested; or (b) refuse to act on the request.
Where we have reasonable doubts concerning the identity of the person making the request, we may request additional information necessary to confirm your identity.

Your right to rectification

If the personal information we hold about you is inaccurate or incomplete, you are entitled to request to have it rectified. If you are entitled to rectification and if we’ve shared your personal information with others, we’ll let them know about the rectification where possible. If you ask us, where possible and lawful to do so, we’ll also tell you who we’ve shared your personal information with so that you can contact them directly.

Your right to erasure

You can ask us to delete or remove your personal information in some circumstances such as where we no longer need it or if you withdraw your consent (where applicable). If you are entitled to erasure and if we’ve shared your personal information with others, we’ll let them know about the erasure where possible. If you ask us, where it is possible and lawful for us to do so, we’ll also tell you who we’ve shared your personal information with so that you can contact them directly.

Your right to restrict processing

You can ask us to ‘block’ or suppress the processing of your personal information in certain circumstances (such as where you contest the accuracy of that personal information). If you are entitled to restriction and if we’ve shared your personal information with others, we’ll let them know about the restriction where it is possible for us to do so. If you ask us, where it is possible and lawful for us to do so, we’ll also tell you who we’ve shared your personal information with so that you can contact them directly.

Your right to data portability

You have the right, in certain circumstances, to obtain personal information you’ve provided us with (in a structured, commonly used and machine readable format) and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.

Your right to object

You can ask us to stop processing your personal information, and we will do so, if we are:-

relying on our own or someone else’s legitimate interests to process your personal information, except if we can demonstrate compelling legal grounds for the processing; or
processing your personal information for direct marketing purposes.

Your right to withdraw consent

If we rely on your consent (or explicit consent) as our legal basis for processing your personal information, you have the right to withdraw that consent at any time.

Your right to lodge a complaint with the Information Commissioner

If you have a concern about any aspect of our privacy practices, including the way we’ve handled your personal information, you can report it to the Isle of Man Information Commissioner (via the contact details specified in Section 17 (Complaints) below.

Please note that some of these rights may be limited where we have an overriding interest or legal obligation to continue to process the data or where data may be exempt from disclosure due to reasons of legal professional privilege or professional secrecy obligations.

You can exercise any of your rights as described in this Policy and under data protection laws by contacting us as provided in “Contacting Us” above.

15. LINKS

Our Website may, from time to time, contain links to and from third-party websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and LKAS does not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

16. EMAIL MONITORING

Whilst every member of the LKAS team has a personal private email address, emails which you send to us or which we send to you may be monitored by LKAS to ensure compliance with professional standards and our internal compliance policies. Monitoring is not continuous or routine, but may be undertaken on the instruction of a director where there are reasonable grounds for doing so. Occasional spot checks or audits may also be undertaken on the instruction or with the authority of a director.

17. COMPLAINTS

If you have any questions or complaints regarding our Policy or practices, please contact us as provided in “Contacting Us” above.

You have the right to make a complaint at any time with a supervisory authority where any alleged infringement of data protection laws occurred.

The supervisory authority in the Isle of Man is The Information Commissioner who can be contacted as follows:-

By post:	First Floor, Prospect House, Prospect Hill, Douglas, Isle of Man, IM1 1ET
By telephone:	+44 (0)1624 693260
By email:	ask@inforights.im
Via website:	www.inforights.im

18. CHANGES TO THIS POLICY

From time to time, we may change this Policy. The current version of this Policy will always be available from us in hard copy or on Our Website. We will post a notice on Our Website to notify you of any significant changes to this Policy.

Updated and effective as of 25th May 2018.