Welcome to mpm legal’s privacy notice. This notice covers both mpm legal’s activities as a law firm as well as the services it provides as “mpm included”.
mpm legal is committed to safeguarding the privacy of the personal information that is provided to us or collected by us during the course of our business, as well as the personal information that we receive from visitors to our mpm legal website (mpmlegal.co.uk).
mpm legal solutions Limited is a limited liability company with registered company number 08049479 and our registered office is at Chiltern House, 45 Station Road, Henley on Thames, RG9 1AT. mpm legal is registered with the Information Commissioner under registration number ZA029567.
Purpose of this notice
The purpose of this notice is to give you information about how mpm legal collects and processes your personal data.
A controller is a person or organisation who alone or jointly determines the purposes for which, and the manner in which, any personal data is, or is likely to be, processed. We are the controller and responsible for the personal data that we are provided with or collect.
If you have any questions about this privacy notice, including any requests to exercise your rights, please contact Mark Minns, our Partner responsible for Privacy, using the details set out below:
Mark Minns
mpm legal solutions limited
Chiltern House
45 Station Road
Henley-on-Thames
RG9 1AT
The data we collect about you
Personal data includes any information about an individual from which that person can be identified.
Special categories of personal data include details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data.
We collect, use, store and transfer different kinds of personal data about you. We have grouped together the following categories of personal data to explain how this type of information is used by us:
- Identity Data including your first name, middle names, maiden names, last name, marital status, title, date of birth, passport number, photographic identification and gender
- Contact Data including your job title/function, the organisation you work for or are engaged by, email address, billing address, delivery address and telephone number
- Business Information including information provided in the course of the client relationship between you or your organisation and mpm legal, or otherwise provided by you or your organisation
- Financial Data including your bank account details
- Marketing and Communication Data including your preferences in receiving marketing from us and your communication preferences
- Profile and Usage Data including information about the use of our website, your usernames or passwords, your interests, feedback and survey responses. Typically, Profile and Usage Data will be collected by means of cookies or other similar technologies.
- Technical Data including information collected when you access our website, your internet protocol (IP) address, your browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices that you use
- Special Categories of Personal Data we process this type of data in limited circumstances, for example, where required to do so for legal or regulatory purposes or where you have provided us or our service providers with such information as it is necessary for a specific service that we are providing to you or the organisation who engages mpm included.
- mpm included whilst we do not intend to collect or access any personal data in the course of providing our diversity, equality and inclusivity consultancy services (because the data sets that we access are aggregated and anonymised so we do not access any information that may directly identify a living individual), it is possible however that due to limited numbers of participants or provision by our client of other data sets that may cross relate to participants or for any other reason, information we access may fall within the definition of personal data. This may include Special Categories of Personal Data.
How we collect your data
We use different methods to collect your personal data, including through the channels set out below:
Direct channels including where you or your organisation is our client or a prospective client, is a client or contact or prospective client of one of our clients, or a supplier or prospective supplier to us, you communicate with us, you visit our website or attend our events. Or, we may receive information about you from a client, prospective client or contact in circumstances where we are required to obtain information about you in connection with a dispute in the employment tribunal or courts.
Indirect channels including where your personal data has been provided by one of our members of staff, by someone else from your organisation, by someone else from another organisation with whom you or your organisation is dealing, by someone who has referred or recommended us to you, by someone involved in recruitment or visa applications, by or from publicly available sources and other third parties who decide to provide us with your details. In the context of mpm included, information about you may have been collected by our service provider and then made available to us on an aggregated and anonymised basis. We explain above why sometimes, despite this anonymisation and aggregation, this information could still be seen as personal data.
If you provide information to us about someone else you must ensure that you are entitled to disclose that information to us and that, without our taking any further steps, we may process that information in accordance with this Privacy Notice. If you are in any doubt you should check with the relevant people in your organisation or seek your own legal advice.
How we use your data
The table below summarises the purposes for which we use your data and the legal basis on which we do so.
We may process your personal data for more than one legal basis depending on the specific purpose for which we are using it. Please contact us at mark@mpmlegal.co.uk if you would like specific legal basis we are relying on to process your personal data where more than one ground is set out below.
| Purpose and/or activity | To conduct conflict of interest checks where you are a client or prospective client, a potential transaction counterparty or rival bidder, or a litigant in proceedings involving our client/prospective client |
| Type of data | Identity Data Contact Data |
| Legal basis for processing | Legitimate interest: ensuring that we understand any conflict of interest which may arise for us in a matter Legal or regulatory obligation Performance of a contract |
| Purpose and/or activity | Setting you or your organisation up as a client of mpm legal, including performing anti-money laundering, anti-terrorism, sanction screening, fraud and other background checks |
| Type of data | Identity Data Contact Data Business Information Financial Data Special Categories of Personal Data |
| Legal basis for processing | Legitimate interest: the efficient administration of our legal services Legal or regulatory obligation Performance of a contract Public interest |
| Purpose and/or activity | Providing and administering legal services on behalf of our clients, prospective clients or clients of our clients or prospective clients |
| Type of data | Identity Data Contact Data Business Information Financial Data Special Categories of Personal Data |
| Legal basis for processing | Legitimate interest: performing our business Legal or regulatory obligation Performance of a contract |
| Purpose and/or activity | Dealing with introducers and referrers |
| Type of data | Identity Data Contact Data Business Information Financial Data Special Categories of Personal Data |
| Legal basis for processing | Legitimate interest: performing our business Legal or regulatory obligation Performance of a contract |
| Purpose and/or activity | Relationship management, including complaints handling |
| Type of data | Identity Data Contact Data |
| Legal basis for processing | Legitimate interest: ensuring that we provide a good service to our clients Legal or regulatory obligation |
| Purpose and/or activity | Business Development and marketing |
| Type of data | Identity Data Contact Data |
| Legal basis for processing | Legitimate interest: marketing and promoting our services |
| Purpose and/or activity | Communicating with you in response to an enquiry from you, or where you have asked us to provide you with communications from time to time or have indicated that you are happy to received such communications, such as updates on legal matters or about us |
| Type of data | Identity Data Contact Data Marketing and Communications Data |
| Legal basis for processing | Legitimate interest: providing a responsive service and/or marketing and promoting our services |
| Purpose and/or activity | Recruitment purposes |
| Type of data | Identity Data Contact Data |
| Legal basis for processing | Legitimate interest: recruitment of staff Performance of contract Consent |
| Purpose and/or activity | Quality control |
| Type of data | Identity Data Contact Data Business Information Technical Data Profile and Usage Data |
| Legal basis for processing | Legitimate interest: providing a good quality service to our clients |
| Purpose and/or activity | Security of our physical premises and our IT systems together with ensuring our safety whilst on our premises or at an event we have organised |
| Type of data | Identity Data Contact Data Technical Data |
| Legal basis for processing | Legitimate interest: keeping our information and infrastructure secure and ensuring physical safety |
| Purpose and/or activity | Dealing with our insurers |
| Type of data | Identity Data Contact Data Business Information |
| Legal basis for processing | Legitimate interest: risk management |
| Purpose and/or activity | Enforcing any legal claims against you or your organisation or defending any claims from you or your organisation |
| Type of data | Identity Data Contact Data Business Information Financial Data Special Categories of Personal Data |
| Legal basis for processing | Legitimate interest: establishing, enforcing or defending a legal claim |
| Purpose and/or activity | To check whether we would have a conflict of interest in appointing you as a client or supplier |
| Type of data | Identity Data Contact Data Business Information |
| Legal basis for processing | Legitimate interest: risk management |
| Purpose and/or activity | To take you on as a new supplier including performing anti-money laundering, anti-terrorism, sanction screening, fraud and other background checks |
| Type of data | Identity Data Contact Data |
| Legal basis for processing | Legitimate interest: ensuring that we understand any conflict of interest which may arise for us in a matter Legal or regulatory obligation Performance of a contract |
| Purpose and/or activity | Receiving and administering services |
| Type of data | Identity Data Contact Data Business Information Financial Data |
| Legal basis for processing | Legitimate interest: supporting the effective running of our business Performance of a contract |
| Purpose and/or activity | Other purposes required by law |
| Type of data | Any of the information detailed in this notice |
| Legal basis for processing | Legal Obligation |
| Purpose and/or activity | Other purposes described at the point of personal data |
| Type of data | As described at point of collection |
| Legal basis for processing | As described at point of collection |
| Purpose and/or activity | mpm included DEI consultancy services |
| Type of data | Special Categories of Personal Data |
| Legal basis for processing | Explicit consent (collected by our service provider to cover both its own use as well as ours) |
Change of Purpose
We will only use your information for the purposes for which we collected it as detailed above, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you would like to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us at mark@mpmlegal.co.uk
Disclosures of your Personal Data
We may share your personal data as follows:
- our professional advisers such as lawyers, accountants, counsel, expert witnesses, medical professionals and consultants;
- any person or entity to whom we are required or requested to make such disclosure by any court of competent jurisdiction or by any governmental, taxation or other regulatory authority, law enforcement agency or similar body;
- service providers who provide information technology and system administration services to us;
- professional indemnity and other insurers;
- organisations to whom we outsource certain services including practice management and office management systems, telephone reception services, archive storage providers, data hosting, website management, email marketing, confidential waste disposal, IT systems or software providers, IT support service providers, document and information storage providers;
- organisations or individuals engaged by us in the course of providing our services to you or the organisation that you work for, such as consultants, other specialist law firms or barristers;
- organisations with whom you or your organisation is dealing and their professional advisers;
- postal or courier providers who assist us in delivering out postal marketing campaigns to you, or delivering documents related to our work for you;
- prospective purchaser of our business or its assets;
- referees where dealing with job applications;
- clients of mpm included in the form of aggregated and anonymised reports.
Where organisations in any of the above categories of recipients are providing us with services that involve them processing personal data on our behalf, they are our data processor. The data processors we currently use include:
- Microsoft Corporation (Office applications)
- Themis Solutions Inc (known as “Clio”) (practice management software)
- The Rocket Science Group LLC (known as “MailChimp”) (email marketing services)
- Xero Limited (accounting software)
Please note this list is non-exhaustive and there may be circumstances where we reasonably need to share your personal data with other organisations in order to provide our services as effectively as we can, as described in this privacy policy or as required under applicable law or otherwise with your consent.
International Transfers
In some cases, the parties who we use to process personal data on our behalf are based outside the UK, therefore their processing of your personal data will involve a transfer of such data outside the UK. Similarly, in the course of advising clients based outside of the UK, we may be required to share matter relevant personal data with them. Where this is the case we will only share the minimal amount of personal data necessary for the purpose of processing.
Whenever we transfer your personal data out of the UK, we will ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- we will only transfer your personal data to countries that have been deemed to provide and adequate level of protection for personal data by the UK government; and
- where we use certain service providers, we may use specific contracts approved by the UK which gives personal data the same protection it has within the UK;
Data Security
We have put appropriate technical and organisational security measures in place to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
We have also put procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Data Retention
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for. This includes for the purposes of satisfying any legal, accounting, insurance or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Details of specific retention periods for different aspects of your personal data are available from us on request by emailing mark@mpmlegal.co.uk
Upon expiry of the specific retention period we will securely destroy your personal data in accordance with applicable laws and regulations.
Your legal rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data. It is our policy to respect those rights and we will act promptly and in accordance with any law, rule or regulation relating to the processing of your personal data.
Your rights are:
- to be informed about how personal data is used – you have a right to be informed about how we will use and share your personal data. This explanation will be provided to you in a concise, transparent, intelligible and easily accessible format and will be written in clear and plain language;
- right to access personal data – you have a right to obtain confirmation of whether we are processing your personal data, access to your personal data and information regarding how your personal data is being used by us;
- right to have inaccurate personal data rectified – you have a right to have any inaccurate or incomplete personal data rectified. If we have disclosed the relevant personal data to any third parties, we will take reasonable steps to inform those third parties of the rectification where possible;
- right to have personal data erased in certain circumstances – you have a right to request that certain personal data held by us is erased. This is also known as the right to be forgotten. This is not a blanket right to require all personal data to be deleted. We will consider each request carefully in accordance with the requirements of any laws relating to the processing of your personal data;
- right to restrict processing of personal data in certain circumstances – you have a right to block the processing of your personal data in certain circumstances. This right arises if you are disputing the accuracy of personal data, if you have raised an objection to processing, if processing of personal data is unlawful and you oppose erasure and request restriction instead or if the personal data is no longer required by us but you require the personal data to be retained to establish, exercise or defend a legal claim;
- right to data portability – in certain circumstances you can request to receive a copy of your personal data in a commonly used electronic format. This right only applies to personal data that you have provided to us (for example by completing a form or providing information through a website). Information about you which has been gathered by monitoring your behaviour will also be subject to the right to data portability. The right to data portability only applies if the processing is based on your consent or if the personal data must be processed for the performance of a contract and the processing is carried out by automated means (i.e. electronically);
- right to object to processing of personal data in certain circumstances, including where personal data is used for marketing purposes – you have a right to object to processing being carried out by us if (a) we are processing personal data based on legitimate interests or for the performance of a task in the public interest (including profiling), (b) if we are using personal data for direct marketing purposes, or (c) if information is being processed for scientific or historical research or statistical purposes. You will be informed that you have a right to object at the point of data collection and the right to object will be explicitly brought to your attention and be presented clearly and separately from any other information; and
- right not to be subject to automated decisions where the decision produces a legal effect or a similarly significant effect – you have a right not to be subject to a decision which is based on automated processing where the decision will produce a legal effect or a similarly significant effect on you.
You may exercise any of your rights by emailing mark@mpmlegal.co.uk. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one calendar month. Occasionally it may take us longer than one calendar month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Updated: January 2022