
Privacy Policy

Introduction

​

We know that you care about your personal data and how it is used, and we want you to trust that the Penn Group of Companies use your personal data carefully.

 

This Privacy Notice will help you understand what personal data is and what personal data we collect, why we collect it and what we do with it.

​

Please take a moment to familiarise yourself with our privacy practices and let us know if you have any questions by contacting our Information Management Officer (IMO) whose details are stated below.

​

 

What Is An IMO?

​

We have a designated person who is responsible for our data management. We call that person an Information Management Officer or IMO. That is not a statutory role. There is a formal obligation to have a Data Protection Officer or DPO in certain circumstances, but we do not meet those circumstances. Therefore, the first point of contact for any concerns you have in relation to your data for whatever reason is our IMO.

​

 

Who Is Our IMO?

​

Our IMO is Shak Inayat

You can contact our IMO for any company within Penn Group as follows:

Company Name: Penn Chambers Limited, Penn Accounts Limited, Penn Tech Limited, Penn Group (Holdings) Limited or Penn Financial Limited (collectively referred to as Penn Group)

Telephone: 0333 34 44 54 8

Email: IMO@penngroup.co.uk

Writing: Shak Inayat, IMO – 13 Austin Friars London EC2N 2HE.

​

 

Your Duty To Inform Us Of Changes

​

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

​

 

If You Are Unable To Provide Personal Data

​

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with legal advice). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.

​

 

Our Role As Data Controller

​

When we at Penn Group make all the decisions about how your data is processed, we are acting as the data controller. However, when we are processing your personal data on behalf of a third party in accordance with their strict instructions, we are acting as a data processor. This privacy notice complies with our obligations to provide you with information as a data controller.

​

 

What Is Data?

​

In this document, we adopt the same definitions as the GDPR, in particular:

Personal data ‘means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’.

​

 

How Do We Collect Your Data?

​

How your personal data is collected depends on your relationship with us, for example whether you are a client using our legal services, a visitor to our website or a subscriber to our services. We use different methods to collect data from and about you including through:

 

Direct interactions. You may give us details of your identity, contact information and financial data by speaking to us direct, filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:

​

a) Create an account on our website or on our case management system Proteus 3;

b) Subscribe to our service or publications; or

c) Request marketing to be sent to you.

 

Automated technologies or interactions. As you interact with our website or our case management system Proteus 3 we may automatically collect technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive technical data about you if you visit other websites employing our cookies. Please see our cookies policy for further details.

 

Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources, especially concerning money laundering, passport and driving licence authenticity, company directorships and such like.

 

Identity and Contact Data from publicly available sources such as Companies House and the Electoral Register based inside the UK and the EU.

Where we obtain personal data from third party suppliers, we always ensure that these suppliers are bound to respect data protection laws and your privacy rights pursuant to their contract with us.

​

 

Why Are We Providing You With This Notice?

​

At Penn Group we try to be transparent in our dealings with you at all times and sending you this notice is an example of that. In any event, we are obliged to provide you with the information contained in this notice so that you are aware of certain information about what we do with your data and, further, what your rights are in relation to that data.

​

 

What Do We Need To Tell You?

​

We are legally obliged to inform you of the following information relating to the data we hold on your behalf on you that we have collected from you. If you do not understand any of the concepts used in this notice or require further clarification, please do not hesitate to contact our IMO whose details are stated above.

 

The purposes of the processing:

 

We may need to use some information about you to:

 

1. deliver legal, accountancy and financial services advice and support to you that you have requested from us;

2. manage those services we provide to you;

3. train and manage the employment of our staff who deliver those services to you;

4. help investigate any complaints you have about the services we provide to you;

5. keep track of the amount of costs you may have incurred on instructing us to act on your behalf in providing those services you request us to provide;

6. check the quality of the services that we provide to you; and

7. help with research and planning of new services.

 

We will only use your personal data when legally permitted and:​

a) Where we need to perform the contract between us.​

b) Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.​

c) Where we need to comply with a legal or regulatory obligation.

​

Where we send you marketing material we rely on your consent as a legal ground for processing your personal data. You have the right to withdraw consent to marketing at any time by emailing us at IMO@penngroup.co.uk or by clicking on the resource links in the material itself where applicable.

​

 

The categories of personal data concerned

 

We may collect, use, store and transfer different kinds of personal data about you. The type of data we collect about you depends on your relationship with us, for example whether you are a client using our legal, accountancy or financial services, a visitor to our website or a subscriber to our services. In all cases, we have grouped together the different kinds of data we may or are likely to collect from you:

 

Profile Data which may include your username and password, full name, address of yourself and others in your family, your interests in our other services, preferences, feedback and survey responses.

 

Transaction Data may include details about facts relevant to the services that we are providing to you such as intended property purchase and so on.

 

Technical Data which may include internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our websites including our office management system Proteus 3.

 

Marketing and Communications Data which may include your preferences in receiving marketing from us and our third parties and your communication preferences.

​

 

The recipients or categories of recipient to whom your personal data has been or will be disclosed

​

The recipients of your data depend on your relationship with us, for example whether you are a client using our legal, accountancy or financial services, a visitor to our website or a subscriber to our services. In all cases, we have grouped together the different kinds of recipients of your data as follows:

 

Internal Staff. Our office-based and remote-working staff will have access to your data to provide you with the services and support for which you engage us. These staff are directly employed employees in the traditional sense of employees.

 

External “Staff”. We occasionally instruct other people, who have the appearance of being directly employed by us, as external consultants, for example consultant solicitors, to manage or assist on cases on a semi-permanent or ad hoc basis as circumstances dictate. Prior to engagement they are required to sign our contract for services and are therefore always subject to our rigorous data management policies.

​

Penn Group of Companies

We are a close-knit group of companies within Penn Group and the Group in the main comprises:

Penn Accounts - accountants

Penn Chambers - solicitors

Penn Financial - mortgage brokers

Penn Tech - IT software solutions for professional companies

Hexagon Legal Network - networking for professionals

 

We will share your data within Penn Group only where we think this will benefit you but with the same restrictions and limitations. We will not share your details outside the Group under any circumstances save as provided in this communication.

​

Third Party Service Providers

We regularly instruct third parties to assist us where necessary, either to ensure that you comply with the requirements of the law or to give the best service to you as a client. The former category of providers includes organisations such as HMLR or experts such as tax experts, barristers and so on, often as a consequence of a legal requirement already in place or a court order requiring us to do so. Sometimes we use third parties to optimise our services to you, such as digital dictation companies, external tax advisors and external bookkeepers, who are better able to provide technical competences to Penn Group without the cost of employing those services full time.

​

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

 

 

The recipients in third countries or international organisations to whom your personal data has been or will be disclosed

 

From time to time, we may share your personal data which involves transferring it to third parties who may be established outside the European Economic Area (EEA).

​

Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

​

We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission such as New Zealand where we send our typing for transcribing purposes.

​

Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.

Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.

 

​

The envisaged period for which your personal data will be stored and why

 

We expect to retain your data in both electronic format and/or hard copy format for a period not exceeding 7 years. Under Money Laundering Regulations and the Proceeds of Crime Act we are obliged to retain certain information for 5 years. In relation to a potential negligence claim that you may commence against us the time limit is 6 years. Taking into account sensible time limits for appeals against that 6-year limitation period, we will not keep your files for more than 7 years as a consequence.​

 

​

Data Collected From Other Sources

​

We may occasionally collect data from external sources and these can be broadly broken down as follows:

 

Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources, especially concerning money laundering, passport and driving licence authenticity, company directorships and such like.

 

Identity and Contact Data from publicly available sources such as Companies House and the Electoral Register (or third-party companies that obtain that data on our behalf) based inside the UK and the EU.

​

Where we obtain personal data from third party suppliers, we always ensure that these suppliers are bound to respect data protection laws and your privacy rights pursuant to their contract with us.

​

​

What Are Your Other Rights?

 

The right to be informed

You always have the right to be informed that we are holding your data and that we are processing your data. You also have the right to receive other information that we have included in this privacy notice.

 

The right of access

You have a right to access your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

​

We can also provide you in most cases with direct access to your data by granting you access to our online portal of Proteus 3 in addition to or in the alternative to providing you with a copy of the data itself.

 

The right to rectification

You also have the right to have personal data that we hold about you rectified (corrected). This right enables you to have any incomplete or inaccurate data we hold about you corrected, although we may need to verify the accuracy of the new data you provide to us.

 

The right to erasure

The right to erasure (often referred to as the right to be forgotten) enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. Please note that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

 

The right to restrict processing

This right enables you to ask us to suspend the processing of your personal data in the following circumstances:

​

(a) if you want us to establish your data’s accuracy;

​

(b) where our use of the data is unlawful, but you do not want us to erase it;

​

(c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend a legal claim; or

​

(d) you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.

 

 

The right to data portability​

You also have the right for your personal data to be sent (ported) to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

 

The right to object​

You have a right to object to us using your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular circumstances that makes you want to object to us (or the third party) processing your data on this ground as it impacts on your fundamental rights and freedoms. You always have the right to object to us using your personal data where we are processing your personal data for direct marketing purposes.

​

 

Rights in relation to automated decision making and profiling.

​

We do not use your data to prepare automatic decisions without human interaction.

​

Time Limits For Us To Respond To Your Requests

​

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.

​

Complaints – Lodging a complaint with our supervisory authority 

​

If you have a complaint about how we have cared for your data, we would appreciate an opportunity to deal with your concerns and offer solutions before you approach the Information Commissioner's Office (ICO). If you do agree to that course of action (and you are not obliged to do so), please contact our IMO whose details are near the top of this privacy policy.

​

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk).

 

Our number for Penn Chambers is Z1234567

Our number for Penn Accounts is Z1148053

Our number for Penn Tech is ZA486266

Our number for Penn Financial is ZA748473

Our number for Hexagon Legal Network is ZA270639

 

How Do We Keep This Information Up To Date?

​

Penn Group will occasionally make changes and corrections to the above. If we believe that the changes are material, we’ll let you know by doing one (or more) of the following:

​

(1) posting the changes on our website; or

(2) sending an email to you (if you are an existing client) informing you about the changes; or​​

(3) writing a letter to you (if you are an existing client) informing you about the changes. 

​

Penn Group

13.03.24

Version 2.6
