
Privacy Statement

Thorntons Law LLP Privacy Notice

Thorntons Law LLP (“we”, “us”, “our”) respects your privacy and is committed to protecting your personal data.  This Privacy notice sets out the ways in which we collect, use and store your personal data.  It also explains the legal rights you have in relation to your personal data.

About us 

Thorntons Law LLP is a limited liability partnership, registered in Scotland (No. SO300381), whose registered office is Whitehall House, 33 Yeaman Shore, Dundee, DD1 4BJ.

You can contact us at the above address, addressing any request to the Data Protection Officer.  You can also contact us by email at privacy@thorntons-law.co.uk

Our commitment to you

We process your personal data in accordance with the overarching principles and requirements set out in the UK General Data Protection Regulation and the Data Protection Act 2018 (‘Data Protection Law’). What this means is that Thorntons processes your data in a way that is:

  • Lawful, fair and transparent;
  • Compatible with the purposes that we have told you about;
  • Adequate and necessary, we only use the data we need to use for the reason we told you;
  • Accurate and up to date;
  • Not excessive, we only keep your data for as long as we need it; and
  • Secure and protected. 

Why we process your personal data

We are a full service law firm and we need to process personal data for a number of reasons to deliver legal services. We are also an Estate Agency and you can access our Estate Agency privacy notice here. This privacy notice explains how we process your personal data if you are a client or prospective client of the firm, a professional contact, website and office visitors, or if you receive marketing materials from us. This privacy notice also applies if you are a non-client, whose personal data we capture in the course of our work, including but not limited to a client’s relative, the other side of the transaction, beneficiaries in executries, trustees, etc.

Ways we collect your personal data

There are a number of ways in which we may collect personal data about our clients, prospective clients, professional contacts, visitors and non-clients. These include:

  • From you or your representatives directly where you contact us in writing, by e-mail, when you meet with our team in person or by video call, by telephone, contact us via our online portal, website or social media platforms. You may contact us to seek legal advice, to register to attend our events or subscribe to publications issued by us or to express an interest to work with us. 
  • For clients and non-clients, we may receive information about you from relatives, agents or third parties where you may be involved in a matter we are instructed in for example as a beneficiary, trustee, buyer, seller, debtor, defender, pursuer, witness, employee or employer.
  • Organisations with whom we have a professional relationship may share your information with us when they refer you to us.  These organisations may be other professional advisers such as solicitors, accountants, financial advisers, insurance companies, financial institutions.
  • Your doctor or other health service providers.
  • Online public sources or registers such as Companies House.
  • Where you apply for a position with us, we may receive information about you from a recruitment agent, your current and/or former employers and/or referees. See our applicant privacy notice for more details.
  • Providers of identity verification services and compliance services.
  • CCTV operating in any of our office sites or buildings.
  • The devices you use when you access our website and use our online chat service. 

What personal data do we process?

Data Type

Information Collected

Client/Prospective Client Contact Personal Data

  • Name
  • Postal address
  • Email address (personal and/or business)
  • Phone Numbers
  • Occupation
  • Your relationship to other persons

Identity Verification Data

  • Date of birth
  • Gender
  • Photograph/Video
  • Passport
  • Driving Licence
  • Address history
  • Credit data
  • Other identity evidence as required to meet our regulatory obligations. 

Special Category Data (race, ethnic origin, politics, religion, trade union membership, genetic, sex life, sexual orientation)

This information is not routinely collected but may be needed for certain types of legal work (immigration, employment, family, litigation). 

We use this information in relation to our own employees to ensure meaningful equal opportunity monitoring and reporting.

Health and Medical Data (also special category data)

This information may be needed for certain types of legal work (personal injury claims, employment, immigration, matrimonial, eldercare, vulnerable clients (for those arranging powers of attorney) and other forms of dispute resolution).

If you visit our offices, we may collect information about your health in order to make adjustments to support your visit.

Biometric Data (also special category data)

Facial similarity checks are run when completing your ID verification with our Due Diligence Supplier.

The biometric technology compares an image of your face to the image on your ID document.

Political Data (also special category data)

Checks for political information about you are run when completing our due diligence.

Criminal Convictions Data

This type of personal information may be processed in relation to litigation cases, employment, matrimonial and other cases.

We also undertake criminal record checking as part of our recruitment processes. 

Checks for adverse information about you are run when completing our due diligence.

Financial Data

Information about your financial affairs, assets and liabilities may be required if it is relevant to matters upon which you wish us to advise you or to enable us to comply with our regulatory obligations relating to anti-money laundering. 

Information about third parties’ financial affairs, assets and liabilities may be required if it is relevant to matters upon which you wish us to represent you.

CCTV Data

Our office locations may operate CCTV and where they do this is clearly signposted. If you visit our offices your images may be captured on CCTV for security purposes.

Video telecommunication and collaborative platform Data

When you are invited to and participate in a virtual meeting, a webinar, a presentation or a collaboration on a channel, the following types of information may be recorded:

  • your registration and participant information such as name, email address, company name and other contact/profile details.
  • direct interactions generated in meetings such as audio, video, Q&A, chat messaging content, comments.
  • indirect interactions such as your attendance status, download of our presentation material.

By default, virtual meetings between client and solicitor are not recorded but webinars are. When recording, not all virtual meetings enable participants to be viewed and heard.

You will be told when invited or at the very latest at the beginning of the video call if:

  • it is recorded; and
  • whether you’ll be heard and seen.

You can ask us for more details about what information will be/has been captured as it will vary from platform to platform.

Call Recording Data

If calling the following teams, your call may be recorded:

Our Lenders Team within our Dispute Resolution & Claims Department are recording calls with the customers of our lender clients who are authorised and regulated by the FCA in order to comply with their regulatory obligations and for monitoring purposes.  Information about your contact details, identification details and financial data may be discussed.

Our Personal Injury team are recording calls for training and quality monitoring purposes. Information about your contact details, identification details and health/medical data may be discussed.

Our Estate Agency are recording calls for training and quality monitoring purposes including in case of complaints. Information about your contact details, identification details, financial data and property data may be discussed.

Credit/debit card details will not be recorded.

Personal Data within correspondence

Copies of letters, e-mails received or sent by us, and information you have provided us in letters, e-mails, texts and audio recordings taken in relation to personal injury matters.  We may also keep notes and records of matters we discuss or advise upon.

Payment Data

In order to pay and transmit funds in the course of client transactions or collection of our own fees. 

We adhere to PCI-DSS standards and do not store credit or debit card details.

Marketing Data

Includes your communication preferences for receiving marketing from us.

Website Data

Includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.

Our website uses cookies and we may collect information about how you use our website.

Enquiry Data

Personal data you provide when you make an enquiry to us via our website or via social media.

Professional Adviser Personal Data

  • Name
  • Business Postal address
  • Business Email address
  • Business Phone Numbers
  • Occupation
  • Professional Credentials
  • Information to verify identity

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may not be able to perform our obligations but we will notify you if this is the case at the time.

Why we use your personal data

We will use your personal data where it is necessary for us to:

  • enter into and perform a contract with you;
  • comply with our legal obligations; or
  • fulfil our legitimate interests.

We may ask for your consent to process your personal data under certain circumstances and where we do we ensure that it is freely given, specific, informed and unambiguous. You may withdraw your consent at any time by emailing privacy@thorntons-law.co.uk.

Purposes of Processing

Purpose

Lawful Basis of Processing

To communicate with our clients or their representatives regarding instructions, questions, concerns or complaints and to provide legal advice and other information.

Performance of a Contract

Legitimate Interests – to contact you to respond to communications from you.  

Sharing information with other professionals (advocates, expert witnesses, accountants, medical professionals, other solicitors acting as local agents, insurers etc.)

Performance of Contract – where necessary to ensure appropriate representation or information-gathering.

Legitimate Interests – where appropriate to provide clients with the best service.

To collect third-party information directly/indirectly from the third-party (i.e. non-clients) to assist with a client’s legal claim or proceedings

Legitimate Interests – where the information is essential to provide clients with the best service; or

Your consent – where the information is desirable to assist clients with a legal claim; or Your consent -  where you disagree with our use of Legitimate Interests at the point we collect your information; or

Legal obligation – to ensure our business is carried out in compliance with Anti Money Laundering and Terrorist Financing Regulations.

To prevent financial crime – to comply with our legal obligations to prevent financial crime including the prevention of fraud and money laundering under the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017.

Legal Obligation – to ensure our business is carried out in compliance with the law.

Substantial Public Interest - processing that is necessary for preventing fraud and suspicion of terrorist financing or money laundering.

Record-keeping

Legal obligation – we are required to retain certain information about you to comply with legal requirements.

If you are not a client of the firm but you complete the “make an enquiry” form or speak to us via “live chat” or contact us via social media, then we capture personal data that you supply, such as your name, address, business name, e-mail address, home telephone number and work telephone number. We will use this personal data to respond to your enquiry.

Legitimate interests – it is necessary for us to process your personal data to respond to your request for information or assistance.

To record calls with our clients in specific teams for the purpose of training and quality monitoring.

To record calls with the customers of our lender clients for the purpose of fulfilling the FCA regulatory obligations of our lender clients and for monitoring.

Legitimate interests – it is necessary for us to ascertain or demonstrate the standards which ought to be achieved by our people when you call us, including where there is a complaint.

Legal obligation

Video telecommunication platforms:

To liaise with registrants and enable them to join the video call.

To evidence or accurately capture what was discussed in meetings or as a record keeping of legal work.

To make available a record of the event to our attendees for interactive or informative purposes.

To capture analytics and data insight from webinars in relation to registrants and attendees for business development opportunities.

Legitimate interests - It is necessary for us to process your personal data in order for you to attend our video calls.

Legitimate interests – it is necessary for some legal cases with complex elements to record a meeting.

Legitimate interests – it is necessary to make some events available to our employees and attendees for informative or interactive reasons.

Legitimate interests – It is necessary for the development of our service to measure our clients’ engagement in the context of our marketing activity.

Consent – For non-clients signing up to webinars. You may withdraw your consent at any time by clicking here.

Client Marketing – if you have engaged us to provide a legal service to you, we may use your personal data to send you information about our legal services that we feel may be of interest or benefit to you.  In doing so we will add you to our marketing database and will send you marketing materials from time to time. 

We will also seek your feedback upon completion of the legal work we carry out for you to help us improve our services.

Legitimate Interests.  You have the right to object to use of your data for marketing at any time by clicking here.

Non-Client Marketing – if you have consented to receiving marketing communications via our website or other communications, we may use your personal data for this purpose.  In doing so we will add you to our marketing database and will send you marketing materials from time to time. 

Non-Client Business Marketing – to promote our business with business representatives unconnected with the Firm, by showing targeted ads online.

Consent.  You may withdraw your consent at any time by clicking here.

Legitimate Interest. You have the right to object to use of your data for marketing at any time by clicking here.

Events – if you sign up to attend one of our events at our offices or online, we will process personal data about you to register you for the event and we may contact you after the event to gather feedback from you.

Legitimate Interest – it is necessary for us to process your personal data in order for you to attend our events as a guest and for us to evaluate our events.

Online payments – we offer an online payment system at https://www.thorntons-law.co.uk/payments

If you choose to use this system to make debit or credit card payments to us your card details will be handled exclusively by our payment provider, Opayo. We comply with the payment card industry data security standard (PCI-DSS) published by the PCI Security Standards Council, and will not store card details.

Performance of Contract

Debt Recovery – we may give your personal data to and receive personal information from third parties where necessary to recover debts due by you to us, for example sheriff officers.

Legitimate Interests – we have a legitimate interest to pursue unpaid fees and charges.

Cookies – we use cookies that are essential for the functionality of our website and we also use non-essential cookies which help us to understand how our website is used by visitors.  Both essential and non-essential cookies use personal data. More information on our use of Cookies can be found in our Cookies policy.

Legitimate Interests – functional cookies which are necessary for the operation of our website.

Consent – cookies which track how you interact with our website.

IT and Security – we may use personal data to administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) and to carry out system upgrade or system replacement. 

Legitimate Interests – to ensure our website is secure and functioning.

Legitimate Interests – to ensure we use the most appropriate systems.

Professional Services – if you provide professional services to the Firm, or to our clients on our behalf, we will process personal information about you in order to receive professional services from you.

Performance of a Contract

Legitimate Interest – to develop our professional relationship with you

Where we store your personal data and information security

We take appropriate technical and organisational measures to secure your personal information and protect it against unauthorised or unlawful processing as well as against its accidental loss or destruction or damage. Some of these measures include:

  • Using secure cloud-based servers to store your personal data, based in the UK.
  • Verifying the identity of individuals that access your personal data.
  • Regular review of our Information Security Management System.
  • Utilising a number of anti-virus and anti-malware systems at the gateway, on email and on endpoints to protect against cyber threats and encryption technologies to protect personal data where appropriate.
  • We have deployed data loss prevention software from Egress to help detect and mitigate the risk of data loss.
  • Restricting access only to those employees who need to know the information in order to deliver the service to you.
  • Providing regular data protection and information security training to all our employees.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted.

Once we have received your personal data, we will use strict procedures and security features as outlined above to try to prevent unauthorised access to your personal data.  As above, we cannot be held responsible for the security of your personal data collected by websites that our site may link to.  Such third parties shall have their own privacy notices and you should read these carefully.

Sharing personal data

If we share personal information with external third parties, we shall keep this to a minimum and take reasonable steps to ensure that recipients shall only process the disclosed personal data for those purposes and in accordance with our instructions.

In the course of certain types of work, we may be required to share your personal data with advocates, other solicitors, expert witnesses and other professional persons who may be controllers of that data.  We may also be required to instruct local agents to handle certain court-based activities from time to time for reasons of cost-effectiveness and efficiency.

We will not transfer your personal data to anyone else without your permission, except:

  • Where we are obliged by law or regulatory obligations.
  • Where we share your information with third party service providers.
  • Where we share your information with third parties who provide essential services.
  • Where some or all of our assets are purchased by a third party.
  • Where we share your information with data controllers, when we are instructed as a data processor.

We will never sell your information or disclose it for direct marketing purposes.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes.

The types of organisations/groups that we may share personal data with are set out below:

  • suppliers and service providers, such as call, video telecommunication and messaging platforms; cloud-based servers and systems for data storage, call recording, case management, secure file sharing, payment solutions, digital identity verification solutions; marketing services providers (i.e. Thorntons websites and consumer review services)
  • financial organisations
  • government departments
  • the courts
  • other professional advisers and consultants
  • regulatory authorities

A full list is available on request.

International transfers

We do not transfer your personal data outside the United Kingdom unless we have appropriate safeguards in place to afford your personal data with an adequate level of protection.

When we use Zoom Video Conferencing, some personal data is transferred to the EEA and also to the US.  When transferring personal data to the EEA countries, the appropriate safeguards we rely upon are covered by the UK Adequacy Regulations, which provide a similar protection to the UK data protection regime. When transferring personal data to Zoom in the US, the appropriate safeguards we rely upon when transferring personal data to them are Standard Contractual Clauses (‘SCCs’), which incorporate standard data protection clauses recognised by the UK data protection regime. For further details, see the global Zoom Data Processing Addendum at https://explore.zoom.us/docs/doc/Zoom_GLOBAL_DPA.pdf. Please contact us if you want further information on the specific Standard Contractual Clauses used by us.

Mergers and Acquisitions

If our firm enters into a joint venture with, acquires or merges with, another business entity, your information may be disclosed to us as the joint or new data controller. If this is the case, we will notify you within one month of receiving your personal data and explain who we are and what your rights are – such as your right to object to Thorntons Law processing your personal data. If we are using your personal data for a different or extended purpose from your previous firm, we will seek separate consent from you to do so.

Any retained personal data from your previous firm is administered by Thorntons Law until the end of the retention period where it will be securely destroyed or deleted. We will also keep safe custody of the Wills or Title Deeds from those firms. Thorntons Law will assist with any Data Subject Rights requests for any legacy personal data, which you can direct to dpo@thorntons-law.co.uk.

How long we will keep your personal data for

We do not hold information for longer than is necessary.  We have a Records Management and Retention Policy which sets out the periods and rules for retaining and reviewing all data that we hold. This sets out different retention periods depending upon the nature of the information.  In some cases, the Law Society of Scotland, which regulates us, recommends minimum periods of record retention and we comply with those.  This can be made available on request by contacting privacy@thorntons-law.co.uk

Changes in personal information

It is important that the personal data we hold about you is accurate and up-to-date. Please keep us informed if your personal information changes during your working relationship with us.

Questions and concerns

If you have any questions or concerns on how we collect, handle, store or secure your personal data, please contact our Data Protection Officer by email at dpo@thorntons-law.co.uk or by post to the Data Protection Officer, Thorntons Law LLP, Whitehall House, 33 Yeaman Shore, Dundee, DD1 4BJ.

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you think we have infringed your rights. The ICO’s contact details are as follows:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Telephone: 0303 123 1113

www.ico.org.uk

Your rights

You have various rights under data protection law. As an individual you have the following rights:

Right to be informed

This Privacy Notice provides you with details as to how we collect and use your personal data.

Right to access

You have a right to request access to the personal data we hold about you by making a “subject access request”. You will be provided with a copy of all personal information that we hold about you. There will be no charge for providing you with this information.

Right of rectification

You have a right to request that we correct or complete any inaccurate or incomplete personal data we hold about you.

Right of erasure

You have the right to ask us to delete your personal data where it is no longer necessary for us to use it, you have withdrawn consent, or where we have no lawful basis for retaining it. If we are required to keep your personal data to comply with our legal or regulatory obligations or legitimate interests in legal proceedings or claims, then we may have to decline your request.

Right to restrict processing

You have the right to request that we restrict the processing of your personal data that we hold about you for specific reasons. If we are required to keep your personal data to comply with our legitimate interests in legal proceedings or claims, or the protection of the rights of another person, or for an important public interest, then we may have to decline your request.

Right to data portability

You have a right to obtain and reuse the personal data that we hold about you for your own purposes in certain circumstances.

Right to object

You have a right to object to us processing your personal data. If we are required to keep your personal data to comply with our legitimate interests in legal proceedings or claims, or can demonstrate our compelling legitimate interests or our appropriate safeguards in place for the specific purpose of scientific, historic research or statistics necessary for the performance of a task carried out in the public interest, then we may have to decline your request.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time Limit to respond

We try to respond to all legitimate requests within one month from the date we receive them. Occasionally we may extend the time for response by up to two months if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Changes to our privacy notice

We may be required to update this Privacy Notice from time to time.  The up-to-date version will always be on our website and we will communicate material updates to our clients from time to time.  We will not process your personal data for purposes other than those set out in this document or which may be prejudicial to your interests without letting you know and giving you the opportunity to review and object to any such amended processing. 

Contact us

If you have any questions regarding this Privacy Notice, please contact our Data Protection Officer, Whitehall House, 33 Yeaman Shore, Dundee, DD1 4BJ, Tel No. 01382 229111 or by e-mail – dpo@thorntons-law.co.uk