Data Protection Notice & Privacy Policy
Last updated: November 2022
White & Black Limited (“White & Black, we, us”) respects your right to privacy and is committed to protecting your personal data. This data protection notice outlines who we are, how we collect, use and safeguard your personal data, who we share it with and how you can exercise your rights in accordance with applicable data protection laws such as the UK GDPR (retained version of EU GDPR 2016/679) and the UK Data Protection Act 2018.
This data protection notice applies to individuals who access our website at www.wablegal.com (“Website Users”), individual clients who engage us to provide legal services or prospective clients who enquire about our services (“Clients and Prospective Clients”), other business contacts such as service providers or advisors (“Professional Contacts”) and individuals applying for employment vacancies with us (“Applicants”).
It is important that you read this data protection notice together with any other data protection notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your data. This data protection notice supplements the other notices and is not intended to override them.
This website is not intended for children and we do not knowingly collect data relating to children.
1. Who we are and how to contact us
White & Black is a law firm authorised and regulated by the Solicitors Regulation Authority. Our SRA ID number is 534345. We are a limited liability company, registered in England and Wales with registered number 06436665.
Controller
White & Black is the Data Controller and is responsible for the processing of personal data in circumstances described in this notice. We have appointed a data protection partner who is responsible for overseeing questions in relation to the data protection notice. If you have any questions about this notice, including any requests to exercise your legal rights, please contact the data protection partner using the details set out below.
Our registered office is:
16 Beaumont Street, Oxford, OX1 2NA
Email address:
Please address any correspondence regarding this notice to ‘The Data Protection Partner’.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
Changes to this notice
We may change this notice from time to time. We will strive to ensure that any such changes are small and comply with applicable data protection laws. Where we make changes, we will inform you in a way that is proportionate to the changes we make. We recommend that you consult this notice regularly for updates. This notice was last updated on 28 May 2021.
Updates to your data
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us by sending an email to dataprotection@wablegal.com.
2. Our data protection principles
We take the protection of your personal data seriously and will comply with data protection law and principles, which means that your data will be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told you about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told you about.
- Kept securely.
3. The data we collect and why we collect it
Personal data, or personal information, means any information about an individual from which that individual can be identified either directly, or indirectly including with the help of other information. It does not include data where the identity has been removed (anonymous data). We may collect and process your personal data for different purposes. Processing, means any operation or set of operations that we carry out on your personal data, for example, collecting, using, storing and disclosing.
The personal data we collect and the purposes they are used for may vary depending on our relationship with you. These differences are detailed in the categories below.
Website Users
We will process your personal data when you use and interact with our website.
The categories of personal data that we collect from you may vary, depending on your interaction with our website.
The data we collect can be categorised as follows:
Data that we collect
- Technical Data. Including information such as internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
- Usage Data. Including information about how you use our website.
- Contact Data. Including information such as email address, postal address and telephone number.
How do we collect these data?
- As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. Please see our Cookies Policy for specific details. We may also collect Usage Data about how you interact with our website, this data will usually be aggregated.
- Direct Interactions. You may voluntarily give us your Contact Data when you sign up to receive E-Bulletins, News & information regarding Events using your email address. You may also give us your Contact Data when you make an enquiry to us using the details listed the ‘Contact’ section of our website.
Why do we collect these data?
We process this personal data when you use our website to help administer and protect our website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data). We will also process Technical and Usage Data to help improve our website, marketing, client relationships and website experiences. We collect and process Contact Data to send you E-Bulletins, News & Information that you have requested when using our website, this will usually be via email. We will also process your Contact Data to respond to an enquiry you have made.
What is our Lawful Basis for processing?
When we process your personal data, we will ensure that we have a lawful basis to do so.
We will process personal data from website users where it is in our legitimate interests, providing these interests do not override your fundamental rights and freedoms. For example, it is in our legitimate interest to ensure the security of our website and to understand the usage of our website to keep it updated and relevant. It is also in our legitimate interests to provide you with the E-Bulletins, News & Information that you have requested from us and respond promptly and effectively to any enquiries you may make.
Clients and Prospective Clients
We will process your personal data when you engage us to provide you with the legal services we offer, or if you make an enquiry regarding our legal services. We will process the personal information that is necessary for the performance of the requested services or to respond appropriately to your enquiry.
The categories of personal data that we collect from you may vary, depending on the matter that you retain us to advise you on.
The data we collect can be categorised as follows:
Data that we collect
- Identity Data. Including first and last names and D.O.B (where applicable).
- Contact Data. Including information such as email address, postal address and telephone number (these may be either personal or professional in nature depending on the context of the matter that we are advising you on).
- Financial Data. Including payment information such as bank details or transactional details.
- Identification and Background Data. Including copies of identity documents such as passports or utility bills and results of third-party verification searchers such as credit checks, anti-money laundering checks and company records.
- Special Category (‘Sensitive’) Data. Including information relating to your ethnicity or race, sexual orientation, health (for example any medical conditions or disabilities) and religious or philosophical beliefs.
How do we collect these data?
- Direct Interactions. You may provide us with certain categories of data when first engaging us to advise you or throughout the duration of our contract or when you enquire about engaging us to provide legal services.
- Third parties or our professional contacts. Third parties or other professional contacts, such as other law firms, may provide us with personal data relating to you and the matter in question, for example where you are referred to us by another entity.
- Other publicly available sources. We may use publicly available sources to collect data relating to you, for example Companies House and Smart Search, to aid us in our pre-contractual due diligence and identity checks.
Why do we collect these data?
We process this personal data primarily to enable us to provide you with the legal services you have requested, respond to your enquiries about engaging our services and to administer our business and develop our relationship with you. This will include, inter alia; using Identity, Contact and Financial Data to register you as a new client, processing Contact Data to communicate and interact with you regarding the matter we are advising you on and send you information or updates we think would be in your interest and processing Identification and using Background Data to carry out the necessary pre-contractual due diligence and identity checks that we are legally obliged to perform.
What is our Lawful Basis for processing?
When we process your personal data, we will ensure that we have a lawful basis to do so.
The lawful basis that we rely on will depend on the specific purpose for which we are processing your personal data. We will process your personal data on the basis that it is necessary for the performance of the contract that we enter when you retain our services. We will also process your personal data where it is necessary to fulfill our legal obligations (for example when we are legally obliged to carry out pre-contractual due diligence checks). We may also process your personal data where it is in our legitimate interests to do so, for example to administer and manage our business.
Special Category Data
We may process your Special Category Data in connection with the matter we are advising you on. For example, where you are visiting our offices for a meeting and we need to make reasonable adjustments to the working environment to facilitate any personal medical needs you may have.
Where we process your Special Category (“sensitive”) Data, we will ensure we have a further lawful basis as required by data protection law. For example, where you consent to processing of your sensitive personal data. If we approach you for your written consent to allow us to process certain particularly sensitive, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. If you provide your consent, it can be withdrawn at any time by contacting us at dataprotection@wablegal.com.
Professional Contacts
We will process your personal data if you are one of our professional contacts. This includes service providers and advisors (for example other law firms, individual contractors and service providers such as our accountants) or professional contacts from other business areas who may attend our professional events or seminars, request our E-Bulletins, News & information regarding Events, or interact with us through third-party networking events or platforms.
The categories of personal data that we collect from you may vary, depending on the nature of our relationship with you.
The data we collect can be categorised as follows:
Data that we collect
- Identity Data. Including first and last names and D.O.B (where applicable).
- Contact Data. Including information such as email address, postal address and telephone number. (these may be either personal or professional in nature depending on the context of our relationship).
- Professional Data. Including job title/role, employer, area of business and professional specialisms, seniority, and any notable achievements.
- Financial Data. Including payment information such as bank details or transactional details.
- Personal Interests Data. Including details of personal interests or hobbies.
- Identification and Background Data. Including copies of identity documents such as passports or utility bills and results of third-party verification searchers such as credit checks, anti-money laundering checks and company records.
How do we collect these data?
- Direct Interactions. You may provide us with certain categories of data when we engage you to provide us with certain services (professional or otherwise), for example accountancy or audit services. You may also provide us with certain categories of data when you sign up for or attend one of our professional events or seminars or through interactions at third-party networking events.
- Third Parties or other Professional Contacts. We may collect or receive your personal data from our other professional contacts or third parties where we consider it relevant to our business administration or growth and development. For example, where your professional services are recommended to us by other professional contacts.
- Other publicly available sources. We may use publicly available sources to collect data relating to you, for example your company website or professional social media and networking platforms. We may also collect results of third-party verification searches such as credit checks and anti-money laundering checks, for example if you are an individual contractor whom we are looking to engage.
Why do we collect these data?
We process this personal data for different reasons depending on the nature of our relationship with you. We may process your Contact and Identity Data to enable us to grow and develop our business and build a professional relationship with you. When you provide us with services, we may process your Contact, Identity and Professional Data to allow us to facilitate and administer our professional relationship with you. For example, we may process your Identification and Background Data to carry out pre-contractual due diligence when we are looking to engage you for services or process your Financial Data to pay you for the services you provide us. If you sign up to our E-Bulletins, News & information regarding Events, we will process your Contact Data and Identity Data to provide you with the requested information.
What is our Lawful Basis for processing?
When we process your personal data, we will ensure that we have a lawful basis to do so.
We process your personal data where it is in our legitimate interests to do so. We have legitimate interests in growing and developing our business and building professional networks as well as requesting the provision of services from third parties. If you are a service provider or adviser, we may also process your personal data where it is necessary to fulfill our own legal obligations.
Applicants
We will process your personal data if you apply to work for White & Black.
The categories of personal data that we collect from you may vary, depending on the nature and duration of your application process.
The data we collect can be categorised as follows:
Data that we collect
- Identity Data. Including first and last names and D.O.B.
- Contact Data. Including information such as email address, postal address and telephone number.
- Professional Data. Including information such as employment history, education and any further information provided in your curriculum vitae, covering letter or interviews with us. This may also include information relating results of any written, aptitude or psychometric tests.
- Special Category (‘Sensitive’) Data. Including information relating to your ethnicity or race, sexual orientation, health (for example any medical conditions or disabilities) and religious or philosophical beliefs.
How do we collect these data?
- Direct Interactions. From you when you apply to a vacancy with us, send us your curriculum vitae or covering letter or you interview with us.
- Third Parties or other Professional Contacts. Recruitment agents or other professional contacts may provide us with information such as your curriculum vitae.
- Named Referees. Named referees that you provide contact details for within your application process may provide us with personal information about you.
Why do we collect these data?
We process your Professional Data to assess your applicability to the work or role you have applied for and carry out any relevant background and referee checks. We will process your Contact and Identity Data to communicate with you and keep you informed regarding the recruitment process, keep our recruitment records updated and, where applicable, comply with our own legal obligations.
What is our lawful basis for processing?
When we process your personal data, we will ensure that we have a lawful basis to do so.
Where we have a vacancy, it is in our legitimate interests to find, assess and appoint a suitable candidate to fill the role and carry out the work. We will also be required to process your personal data to if we enter and begin a contract of employment with you.
Special Category Data
We may process your Special Category Data to assess whether we need to make reasonable adjustments to our working environment, for example whether you may require certain adjustments or additional support during a test or interview. We may also use this data for our own equal opportunity monitoring and reporting.
Where we process your Special Category (“sensitive”) Data, we will ensure we have a further lawful basis as required by data protection law. For example, where processing is required to exercise either our or your rights in an employment context or by obtaining your explicit consent. If we approach you for your written consent to allow us to process certain particularly sensitive, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. If you provide your consent, it can be withdrawn at any time by contacting us at dataprotection@wablegal.com.
For more details regarding the processing of your personal data in a recruitment context, please see our full candiate privacy notice.
Aggregated Data
We also process Aggregated Data. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your website Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this data protection notice.
If you fail to provide personal data
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, there is a possibility that we will be prevented from entering or performing the contract we have or are trying to enter with you, or provide you with the legal advice you have requested from us.
Opting out
If you have requested E-Bulletins, news & information regarding events from us, you can unsubscribe at any time by clicking the link within the email or contacting us at dataprotection@wablegal.com.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we decide that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get a more detailed explanation of how the processing for the new purpose is compatible with the original purpose, please contact us at dataprotection@wablegal.com.
If we need to use your personal data for a purpose that is unrelated to and incompatible with our original purpose of collection, we will notify you and we will explain the legal basis which allows us to do so.
4. Disclosures of your personal data
In the course of processing your personal data, we may have to share your personal data with relevant third parties in order for us to fulfil the purposes of processing set out above. These third parties are set out below.
When sharing your personal data, we require all third-party recipients to provide sufficient guarantees that your data will be safeguarded in accordance with data protection laws, and we do not allow our third-party service providers to use your personal data for their own purposes. We will put contracts or equivalent legal acts in place to ensure that third parties only process your personal data for specific purposes and in accordance with our strict instructions.
Third-party disclosures
Website User Data
- Web-hosting and analytics services such as Google Analytics
- Integrated marketing platforms such as MailChimp.
Clients and Prospective Clients
- Including service providers to us acting as processors who provide IT, system administration and hosting services.
- Service providers acting as professional advisers to us in the course of providing you with legal services. For example, foreign law firms providing local expertise.
- Cloud-based storage service providers such as Microsoft Azure.
- AI document analysis and management software providers.
- Our Practice Management software provider.
- CRM and integrated marketing platform providers, such as MailChimp.
- Background checking or screening providers such as Expedia or Smart Search.
- Event organisation and planning service providers such as Eventbrite.
Professional Contacts
- Service provides acting as processors who provide IT and system administration services.
- Cloud-based storage service providers such as Microsoft Azure.
- Event organisation and planning service providers such as Eventbrite.
- CRM and integrated marketing platform providers, such as MailChimp.
- Background checking or screening providers such as Expedia or Smart Search.
Applicants
- Organisations that may carry out psychometric or aptitude tests on our behalf.
- Recruitment agents.
In certain circumstances we may be legally obliged to disclose your personal data to the relevant law enforcement authority or judicial body without your knowledge. For example, as part of an ongoing investigation, detection or prosecution of criminal behaviour.
We may also share your personal data with third parties if we choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this data protection notice.
5. International transfers
For the purposes described in this notice, we most commonly process your data within the UK or the EEA. However, some of our external third-party service providers and advisors, for example integrated marketing platform service providers or foreign law firms, may be based outside the United Kingdom and the European Economic Area (EEA). Whenever your personal data is transferred outside of the UK or the EEA, the transfer will be carried out in accordance with applicable data protection laws. We will take steps to ensure that an adequate degree of protection is afforded to your personal data by implementing at least one of the following safeguards:
- ensuring an adequacy decision regarding the recipient country has been approved by the European commission or the UK government, granting your personal data an equivalent standard of protection to that which it would receive in the United Kingdom or the EEA; or,
- where an adequacy decision has not been granted, we will ensure additional appropriate safeguards, such as Standard Contractual Clauses 2010/87/EU or 2004/915/EC (approved by the European Commission and the UK Government), are in place with data recipients to secure your personal data to the equivalent standards of protection it receives in the United Kingdom or the EEA.
Please contact us on dataprotection@wablegal.com if you would like further information on the specific mechanism used by us when transferring your personal data to countries outside of the United Kingdom.
6. Data security
We are committed to ensuring that your information is secure. We have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online from being accidentally or unlawfully lost, destroyed, altered, disclosed or accessed. We will only share your personal data to those employees, advisors or third parties who have a legitimate requirement for it. Recipients of your personal data will be subject to duties of confidentiality.
In the event of a suspected personal data breach, we will implement our data breach policy and procedure and subsequently notify you and any applicable regulator where we are legally required to do so.
7. Data retention
How long will you use my personal data for?
We will only keep your personal data for as long as is necessary for us to fulfil the purposes we originally collected it for. We will only keep your data for longer than is necessary for the fulfilment of the original purpose it was collected for, where we are required to do so by law. By law we have to keep basic information about our clients (including Contact, Identity and Financial Data) for six years after they cease being clients. We may also keep information about previous or unsuccessful applicants for up to 12 months after their initial application, this is so that in the event of a legal claim, we can demonstrate that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way.
Where there is no legal obligation to retain your personal data, we will consider following factors in determining the appropriate retention period for your personal data; the amount, nature, and sensitivity of your personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means.
In some circumstances you can ask us to delete your data. Please contact the data protection partner using the details provided if you think your data should be deleted.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may legally use this information indefinitely without further notification to you.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further policy to you.
8. Your legal rights
In certain circumstances and where data protection law allows, you have several rights in relation to your personal data. You may have the right to:
- Request access to your personal data – this enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. This is commonly known as a “data subject access request” or “DSAR”.
- Request correction of your personal data – this enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data – this enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You can also ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where you think we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law.
- Object to processing of your personal data – you may object to processing where we are relying on a legitimate interest (or those of a third-party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object at any time where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing your personal data – this enables you to ask us to suspend the processing of your personal data, if you want us to establish the data’s accuracy, where our use of the data is unlawful but you do not want us to erase it, where is no longer required for the original processing purposes but is needed to establish, exercise or defend legal claims or where you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request transfer of your personal data – we will provide to you, or a third-party you have chosen, your personal data in a structured, commonly used, machine-readable format (this right will only apply where processing is carried out based on your consent or where we processed the data to enter or perform a contract with you.)
These rights are not absolute and your ability to exercise them will depend on the context of the processing situation in question. If you do wish to exercise any of the rights set out above, please contact the data protection partner at dataprotection@wablegal.com.
What we may need from you when exercising your rights
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances, where we refuse to comply with your request, we will provide you with the rationale for doing so and you will have the right to complain to the relevant data protection authority or seek judicial remedy.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.