This notice explains when and why Gerard McDermott QC Ltd (‘GMQC Ltd’) collects personal information about you, how we then use that information and who we may then share it with. It also explains how we keep your information secure and for how long we may retain it.
It also sets out your rights in relation to the information we collect and sets out our commitment to ensuring that personal data, including special category data that we collect and use is carried out in compliance with data protection law including the General Data Protection Regulation 2016/679 and all other relevant EU and UK data protection legislation.
Who we are
GMQC Ltd is a law firm that provides legal advice and representation to its clients.
It is a limited company registered in England, registered number 09570484.
Our registered office is Incom House, Waterside, Trafford Park, Manchester M17 1WD.
Our trading and postal address is 7 Stamford Street, Stalybridge, Cheshire SK15 1JP.
We are authorised and regulated by the Bar Standards Board under the unique entity reference number ER127139.
We are registered with the Information Commissioner’s Office (‘ICO’) and our registration number is ZA129171.
We are a controller of your information for the purposes of data protection legislation.
Data protection principles
We comply with the data protection principles set out below and when processing personal data, ensure that it is:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject
- Collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes
- All adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
- All accurate and kept up to date
- Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed
- Kept secure
The information we collect
We process personal data of individuals pursuing or defending legal claims or who are seeking legal advice.
We also process personal data of others who are or may be witnesses in the claim.
The exact type of information we will ask you for will depend on what you have asked us to do for you or what we have agreed to do for you.
There are two types of personal information (personal data) that we may be provided with and process:
- Personal data
- This is general information that you give us about yourself including your name, date of birth, gender, postal and email addresses, telephone numbers and National Insurance number
- Sensitive personal data
- This is more sensitive personal information and may include your racial or ethnic origin, religion, sexual orientation, political opinions, trade union membership, philosophical views, biometric and genetic data and information about your health, namely medical records.
You provide us with general information in order that we may pursue or defend any claim and then contact you so as to keep you updated as to what we are doing for you.
Your general information is also required in order we may verify your identity and comply with any relevant regulations as to, for example, anti-money laundering regulations.
We need your National Insurance number in order that any personal injury claim may be registered with the Compensation Recovery Unit which is a part of the Department for Works and Pensions.
As we specialise in personal injury claims, you will often be asked to provide us with information about your health both in terms of what injuries were caused by the accident and any previous medical history. We may require you to agree to allow us access to your medical records and obtain information about your health.
Where we get your information from
Information about you may be obtained from a number of different sources. These may include the following:
- You may provide us with information about yourself when you speak to us (either in person or on the telephone) or when you write to us;
- You may provide us with information relating to someone else if you have the authority to do so
- Medical organisations such as the NHS who provide us with medical records and information if you have given them your consent to do so;
- Family or friends may provide us with information that is relevant or potentially relevant to your claim;
- Other parties relevant to the litigation may provide data, for example your employer.
Why we need your information
We ask you to provide us with your personal data is so we can do the work you have asked us to do for you.
Ordinarily, this will be to represent you in relation to a claim you are making or that has been made against you and to provide you with legal advice in relation to that claim.
The reasons we can collect and use your personal information
We rely on the following lawful bases for collecting and using your personal data:
- In performance of our contractual obligations to you when acting for you;
- In pursuing a legitimate interest namely the exercising of a legal right by you when pursuing or defending a claim, and/or the legitimate interests of our company in running a bar standards board entity.
Who has access to your personal information
We share your personal data internally on a strict need to know basis.
There may be circumstances when we are carrying out legal work on your behalf where we may need to disclose information to third parties.
We are setting out below some examples of when and to whom your personal information may be disclosed.
- To insurance companies or solicitors acting on behalf of other parties involved in your claim or to the other parties themselves
- To general Practitioners and/or hospitals and/or other NHS organisations
- To private healthcare providers you may have attended
- To expert witnesses instructed to provide expert reports in your claim and any companies that arrange for the provision of expert witness services
- To your employer insofar as we need to contact them in relation to your claim
- To the Courts and Tribunal Service
- To HMRC
- To the Department for Works and Pensions
- To Barristers instructed to provide advice or representation for you
- To insurance companies who may provide legal expenses insurance to you
- To our regulator (the Bar Standards Board)
- To companies who provide typing, photocopying or costing services (‘administrative support’)
In relation to companies who provide us with administrative support, we will always obtain a GDPR compliant agreement from them to ensure they understand their obligations to keep any information sent to them secure and confidential.
All information relating to your matter is held in one of or a combination of the below:
- In paper;
- On our server;
- On a cloud based system.
We risk assess our policies and procedures regularly in accordance with GDPR guidance and legislation. We implement technical and organisational measures to ensure that we secure personal data in a manner that takes account of the potential risks involved for your rights and interests.
Gerard McDermott QC Limited does not routinely transfer personal information outside of the European Economic Area (EEA), however, should the need to do so this will because it will be necessary for the establishment, exercise or defence of legal claims.
We will also ensure that where such transfers are carried out they are done using secure methods that offer sufficient assurances and guarantees that your data is afforded the necessary safeguards to prevent it from accidental or unlawful loss, disclosure, access, alteration or destruction.
Your personal information will only be retained for as long as is necessary to fulfil the purpose it was collected for; or as required by law; or for as long as set out in any contract we enter into, or for as long as required for legitimate interests.
We generally retain new enquiries (claims under where no contract has been entered into) on our system for three years from the date of the last activity on the file when it will be securely and permanently destroyed.
We retain our cases for different periods depending on the nature of the claim:
- Generally, we retain your case for:
- 7 years from the date of settlement or;
- 7 years from the date of closure or;
- 7 years from the date of the last activity on the file.
If you are a minor, we will retain it from one of the relevant dates above, or 7 years from the date of your 18th birthday, whichever is later.
We retain your data for these periods of time as it may be required in the event of there being any complaint or claim made against us arising out of the work we have done for you, and for financial records.
Deletion of your data will be carried out without further notice to you as soon as is reasonably practicable after the data is marked for deletion.
What are your rights
Under GDPR, you are entitled to access your personal data (otherwise known as a ‘right to access’). If you wish to make a request, please do so in writing.
A request for access to your personal data means you are entitled to a copy of the data we hold on you – such as your name, address, contact details, date of birth, information regarding your health – but it does not mean you are entitled to the documents that contain this data.
Under certain circumstances, in addition to the entitlement to ‘access your data’, you have the following rights:
- The right to be informed: which is fulfilled by way of this privacy notice and our transparent explanation as to how we use your personal data
- The right to rectification: you are entitled to have personal data rectified if it is inaccurate or incomplete
- The right to erasure / ‘right to be forgotten’: you have the right to request the deletion or removal of your personal data where there is no compelling reason for its continued processing.
This right only applies in the following specific circumstances:
- Where the personal data is no longer necessary in regards to the purpose for which it was originally collected
- Where consent is relied upon as the lawful basis for holding your data and you withdraw your consent
- Where you object to the processing and there is no overriding legitimate interest for continuing the processing
- The personal data was unlawfully processed
- Where you object to the processing for direct marketing purposes
- The right to object: you have the right to object to processing based on legitimate interests; and direct marketing.
This right only applies in the following circumstances:
- An objection to stop processing personal data for direct marketing purposes is absolute – there are no exemptions or grounds to refuse – we must stop processing in this context
- You must have an objection on grounds relating to your particular situation
- We must stop processing your personal data unless:
- We can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms; or
- The processing is for the establishment, exercise or defence of legal claims.
- The right to restrict processing: you have the right to request the restriction or suppression of your data.
When processing is restricted, we can store the data but not use it. This right only applies in the following circumstances:
- Where you contest the accuracy of the personal data – we should restrict the processing until we have verified the accuracy of that data
- Where you object to the processing (where it was necessary for the performance of a public interest or purpose of legitimate interests), and we are considering whether our organisation’s legitimate grounds override your right
- Where processing is unlawful and you request restriction
- If we no longer need the personal data but you require the data to establish, exercise or defend a legal claim
If you would like more information about your rights under the GDPR then please visit the ICO website at https://ico.org.uk/.
If you wish to raise a complaint on how we have handled your personal data or wish to exercise any of your rights under GDPR, you can contact us in writing and we will investigate your complaint further.
For data protection queries and requests, please contact [email protected]
We may require you to provide further information in order you can be identified and we will require you to provide us with a contact address so that we may request further information from you to verify your identity.
We will require you to provide proof of your identity and your address and to state which right or rights you wish to exercise.
If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you can complain to the Information Commissioner’s Office (ICO) at https://ico.org.uk/concerns or by telephone on 0303 123 1113.
Changes to this notice
This privacy notice was published on 27th of September 2019. We do not intend to process your personal information except for the reasons stated within this privacy notice. If this changes, this privacy notice will be amended and placed on our website.
Gerard McDermott QC Ltd
7 Stamford Street