Our Privacy Notice (the “Notice”) sets out the basis on which any personal information we collect from you, or that you provide to us, will be processed by us and properly safeguarded in a manner consistent with your rights and our obligations under applicable laws and regulations relating to privacy and the protection of personal data.
Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
- Information about us
- In accordance with the General Data Protection Regulations 2016 (“GDPR”), A A Hutton LLP is registered with the Information Commissioner’s Office (“ICO”) as the data controller under registration no Z5448075.
- Our Site https://www.aahutton.co.uk/privcay-policy/ is operated by A A Hutton LLP, a limited company registered in England under company number SO300293, whose registered address is Drumsheugh Gardens, Edinburgh EH3 7QG
- What this policy covers
- Information we may collect from/about you
We may collect your personal information through various means, including via our Site (through email or other electronic correspondence, by telephone, by direct contact, or if you voluntarily submit it, and where we are required by law to collect personal data).
- Some or all of the following data may be collected about you:
- Date of birth;
- Business/company name;
- Job title;
- Visual and audio images of you through our use of Body Worn Video and audio recording equipment;
- Contact information such as email addresses and telephone numbers;
- Demographic information such as postcode and preferences;
- Financial information such as credit / debit card numbers;
- Personal data collected arising out of the debt collection and enforcement process (some of which may include sensitive data related to the customer or other third parties), such as information on the physical or mental health or condition of the debtor and details of incidents occurring during debt enforcement visits;
- IP address (automatically collected);
- Web browser type and version (automatically collected);
- Operating system (automatically collected);
- A list of URLs starting with a referring site, your activity on our Site, and the site you exit to (automatically collected);
- LinkedIn™, Facebook™ or Twitter™ profile names;
- Caller line identification;
- Complainants and other individuals in relation to a judicial service complaint or enquiry;
- People who use our services, e.g. who subscribe to our newsletter or request a publication from us;
- Information that you provide as a job applicant through our online job application facility, e.g. name and contact details, curriculum vitae, covering letter, references, equality monitoring information;
- Vehicle registration keeper details; and
- Banking details that you have permitted us to use on your behalf.
- Sensitive personal data
- GDPR defines certain personal data as ‘sensitive’ such as personal data regarding your ethnic origin, physical health and mental health. We are required to understand whether the people that we deal with could be regarded as vulnerable and this may involve collecting and using sensitive personal data. We may, for debt collection purposes, therefore ask you for some sensitive details or you may voluntarily give such personal data to us. We will only use this personal data for debt collection purposes and we will obtain your consent to process this data. We may share any of your sensitive personal data with our client to ensure your case is managed appropriately and other members of the Marston Group for debt collection purposes only. Any sharing of your sensitive personal data with clients will be on the basis of your explicit consent or if we are required or permitted to do so under the General Data Protection Regulations 2016.
- How we use this information
- All personal information is stored securely in accordance with the principles of the General Data Protection Regulations 2016. For more details on security, see section 14.
- We use your personal data to provide the best possible services to you, in our legitimate interests and to fulfil our legal obligations as set out in detail below. This includes:
- providing and managing your access to our Site;
- personalising and tailoring your experience on our Site according to your interests or to make it more user friendly;
- supplying our services to you on behalf of our clients;
- personalising and tailoring our services for you;
- responding to communications from you, including any complaints;
- enabling payments to be made by debtors on behalf of our clients;
- sharing information about incidents occurring at the doorstep to protect the health and safety of the individuals involved with debt enforcement visits; and
- collecting information (where appropriate) on the vulnerability of individual customers who we are collecting or enforcing debts against, to ensure that they are treated fairly.
- Where permitted by law, we may also use your data for marketing purposes which may including contacting you by email, telephone and/or post with information, news and offers on our services. We will not, however, send you any unsolicited marketing or spam and will take all reasonable steps to ensure that we fully protect your rights and comply with our obligations under the General Data Protection Regulations 2016 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended in 2004, 2011 and 2015.
- Calling our Contact Centre helpline may result in our collection of Calling Line Identification information. Calls are recorded for training purposes and for the analysis and management of internal staff performance. Call recordings may be reviewed also as part of a complaint investigation. The use of this information assists with the improvement of our efficiency and effectiveness.
- On what legal basis will we process your information?
We will always process your personal information on lawful grounds and in particular on the grounds set out below: –
- Legal and Statutory Obligation
- We may use or disclose your personal data to perform a legal and statutory obligation.
- For example, enforcement of criminal or civil court orders. This information is likely to include your name, contact details, payment details, and details of the court order.
- We may also be re required to disclose your personal data by a law enforcement or taxation agency for the purposes of preventing crime.
- Performance of a Contract/Service
- We will use your personal information to allow us to provide services you or your organisation have ordered, or to enter into a contract with you.
- This information is likely to include your name, contact details and payment details, information about your business and needs and any additional information we may need to help meet your specific requirements.
- If you do not provide us with the information set out in this paragraph, then we may not be able to provide you with the products and/or services you have ordered/requested.
- For example, we process recruitment data to decide whether to offer an employment contract.
- Legitimate Interest
- We will process personal information where we have a legitimate interest for example we may collect body worn video footage to protect the health and safety of our staff or contractors.
- We may use your data for marketing purposes which may include contacting you by email, telephone and/or post with information, news and offers on our services. We will not, however, send you any unsolicited marketing or spam and will take all reasonable steps to ensure that we fully protect your rights and comply with our obligations under the General Data Protection Regulations 2016 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended in 2004, 2011 and 2015
- You can ask us to stop doing so at any time.
- We may share your email address with Google and/or Facebook (acting as data processors) for them to use on our behalf in connection with the creation of marketing and promotion for us.
- They may use this to serve targeted advertising/content to you via their platform. You can control what advertisements you receive via the privacy settings on the relevant platform.
- Google and Facebook may also use socio-demographic information about you to identify other people like you, with similar interests to present our marketing to. This socio-demographic information is not used for any other purpose nor shared with any other party. No information about other individuals identified from these networks is shared with us at any time.
- We may use some of your personal information for statistical purposes when we evaluate our range of services.
- In the event that we buy or sell any business and/or assets we may disclose your personal data to the prospective buyer or seller of the business and/or assets. Please see 8 below.
The above activities are on the basis that they are in the legitimate interest of developing our business
- We may ask for your explicit consent to collect and share your sensitive personal data as set out in section 4 above.
- We may ask your consent to share your name and contact details with selected third parties so that they can tell you about their products and services.
- If you agree, we may also pass on your information, in certain cases, for the purposes of conducting a credit check.
- We will always ask you before we do this, and you can withdraw your consent at any time.
- Legal and Statutory Obligation
- How and where information is stored and how long do we hold it for?
- We only keep your personal data for as long as we need it for one of the lawful grounds set out in section 6 and/or for as long as we have your permission to keep it. For example our retention period for body worn video footage is 45 days.
- We have a system of retention periods in place to ensure that your information is only stored whilst it is required for the relevant purposes or to meet legal requirements. Where your information is no longer required, we will ensure it is disposed of or deleted in a secure manner.
- If you have any questions in relation to our retention periods, please contact the data protection officer at 12 Drumsheugh Gardens, Edinburgh, EH3 7QG
- The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“the EEA”) to third party suppliers (the EEA consists of all EU member states, plus Norway, Iceland and Liechtenstein). We will only transfer your data to a recipient outside the EEA where we are permitted to by law (for example (A) where the transfer is based on standard data protection clauses adopted or approved by the European Commission, (B) where the transfer is to a territory that is deemed adequate by the European Commission, or (C) where the recipient is subject to an approved certification mechanism and the personal data is subject to appropriate safeguards, etc)
- Data security is of great importance to us, and to protect your data we have put in place suitable physical, electronic and managerial procedures to safeguard and secure data collected through our Site.
- Notwithstanding the security measures that we take, it is important to remember that the transmission of data via the internet may not be completely secure and that you are advised to take suitable precautions when transmitting to us via the internet.
- Disclosure of your information
- We may share your data with other companies in our Group. This includes our holding company and its subsidiaries.
- We may sometimes contract with third parties to supply services to you on our behalf. These may include payment processing, correspondence management and mailing. In some cases, the third parties may require access to some or all of your data. Where any of your data is required for such a purpose, we will take all reasonable steps to ensure that your data will be handled safely, securely, and in accordance with your rights, our obligations, and the obligations of the third party under the law.
- We may compile statistics about the use of our Site including data on traffic, usage patterns, user numbers, sales and other information. All such data will be anonymised and will not include any personally identifying information. We may, from time to time, share such data with third parties such as prospective investors, affiliates, partners and advertisers. Data will only be shared and used within the bounds of the law.
- In certain circumstances we may be legally required to share certain data held by us, which may include your personal information, for example, for compliance purposes, where we are involved in legal proceedings, where we are complying with the requirements of legislation, a court order, or a governmental, investigative or taxation authority. We do not require any further consent from you in order to share your data in such circumstances and will comply, as required, with any legally binding request that is made of us.
- We may share your data in pursuing an interest that corresponds with a general public interest or a third party’s legitimate interest. This may include situations where we are required to go beyond its specific legal obligations set in laws and regulations to assist law enforcement or private stakeholders in their efforts to combat illegal activities, such as money laundering, fraud prevention or misuse of services. However the use of personal data in such circumstances will be restricted to data which is relevant to our services and necessary to identify you.
- When we investigate a complaint, we may need to share personal information with the organisation you have an outstanding debt with and with other relevant bodies (e.g. the Civil Enforcement Association or the Local Government Ombudsman to adjudicate on disputed complaints).
- Upon receipt of a complaint, we open a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
- We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We may compile and publish statistics showing information such as the number of complaints we receive, but not in a form which identifies anyone.
- We are usually required to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant does not want information identifying him or her to be disclosed, we aim to respect that. However, it may not always be possible to handle a complaint on an anonymous basis.
- We will keep personal information contained in complaint files in line with our retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
- Similarly, where enquiries are submitted to us, we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.
- When we take enforcement action against someone, we may publish the identity of the defendant in our Annual Report or elsewhere. We do not usually identify any complainants unless the details have already been made public.
- If you are not satisfied with the manner in which we have sought to redress your complaint, or if you wish to seek further advice with regard to the use of your data, you are within your right to contact the ICO for a further determination.
- Controlling your personal information
- When you submit information via our Site, you may be given options to restrict our use of your data. In particular, we aim to give you strong controls on our use of your data for direct marketing purposes (including the ability to opt-out of receiving emails from us, which you may do by unsubscribing using the links provided in our emails and at the point of providing your details).
- You may also wish to sign up to one or more of the preference services operating in the UK: The Telephone Preference Service the Corporate Telephone Preference Service and the Mailing Preference Service. These may help to prevent you receiving unsolicited marketing. Please note, however, that these services will not prevent you from receiving marketing communications that you have consented to receiving.
- Your right to withhold information
- You may access certain areas of our Site without providing any data at all. However, to use all features and functions available on our Site you may be required to submit or allow for the collection of certain data.
- Your right to access information
- You have the legal right to request details of any personal information we hold about you under the General Data Protection Regulations 2016.
- There are some exemptions, which means you may not always receive all the personal information we hold, however where this is the case we will clearly explain it to you.
- If you would like a copy of the information held on you, please write to us using the ‘Contact Us’ page.
- It would help us to if you could address your letter to the Data Subject Access Request Team
- Ensuring the accuracy of your information
- If you believe that any information we are holding on you is incorrect or incomplete, please contact us as soon as possible using the ‘Contact Us’ page. We will promptly correct or remove any information that is incorrect.
- You have the right to settle or close your account and request that your personal information be removed from our website or other records. Upon the closure of your account we are not obliged to retain your information and may delete any or all of your account information without liability.
- If you request a change of details and/ or account closure, we may retain residual information about you in our backup and/or archival copies of our database. This will be deleted in accordance with our data retention policy.
- Protecting your information
- We will use all reasonable efforts to safeguard your personal data. We have put in place strict physical, electronic and managerial procedures to safeguard and secure the information we collect online.
- You should note that when using the Site and our related services, your information may travel through third party infrastructures that are not under our control. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
- We use high level encryption software to prevent access to your personal information. Unfortunately, the internet is never a completely secure environment. Therefore, we cannot guarantee that hackers or unauthorised personnel will not gain access to your personal information despite our best efforts.
- We have put in place confidentiality clauses or confidentiality agreements (including data protection obligations) with our third party service providers.
- Your rights
You have the right to ask us at any time:-
- to confirm whether we hold any of your personal data;
- to send you a copy of any personal data that we hold about you – see 12. 1 above;
- to correct any inaccuracies in your personal data and to add relevant details where the personal data we hold is incomplete;
- to delete (to the extent possible) any of your personal data, where we are required by law to do so;
- to stop or restrict processing your personal data, where we are required by law to do so;
- to let you have a portable copy of the personal data we hold about you, where we are required by law to do so;
- to stop processing any of your personal data that we process on the basis of our legitimate interests; and
- to stop sending you marketing material. However please note that we may continue to send you service related (i.e. non-marketing) communications, such as emails relating to the services we provide.
- Where we have reached a decision that affects you by processing your personal data automatically then you have the right to speak to someone to discuss that decision.
- We do not use your personal data for the purpose of profiling.
- Where we process your personal data on the basis that you have given us your consent to do so then you may contact us at any time to withdraw your consent
- We recommend that you check this page regularly to keep up to date. This Policy was last updated in June 2019.
- Who can I contact if I have queries about this privacy notice?
- You can also contact us directly if you have any questions about our privacy notice or information we hold about you.
Please write to us at the address below.
Data Protection Officer,
12 Drumsheugh Gardens,
If you are dissatisfied with our handling of any complaint you also have the right to raise concerns with The UK Information Commissioner: https://ico.org.uk
- You can also contact us directly if you have any questions about our privacy notice or information we hold about you.
If you wish to exercise any of these rights or wish to object to our use of your personal information, please e-mail the data protection officer: firstname.lastname@example.org or write to us at the address given below.
Data Protection Officer
12 Drumsheugh Gardens, ~
© AA Hutton LLP