PRIVACY POLICY
Our motto is to deliver an exceptional service to our clients. This includes looking after their data. We want you to know what personal data we process and why. This privacy notice contains information about what personal data we collect and store about you, how we use it, the legal basis for using it and how long we keep it. It also tells you who we share this information with, what we do to protect your data and how to get in touch with us. This privacy notice is relevant to our dealings with our clients and prospective clients, our staff, our solicitors and candidates considering a career with us.
We have appointed a data protection officer ("DPO") who is responsible for overseeing questions in relation to this privacy notice. If you have any such questions, including any requests to exercise your legal rights or concerns relating to your data, please contact the DPO using the details below ('Get in touch') or by writing to Data Protection Officer, Hilltop Solicitors Ltd, Sophia House, 28 Cathedral Road, Cardiff CF11 9LJ or by calling 02920 660155.
You have the right to make a complaint at any time to the Information Commissioner's Office ("ICO"), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

CHANGES TO THE PRIVACY NOTICE AND YOUR DUTY TO INFORM US OF CHANGES

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

WHO WE ARE.
Hilltop Solicitors Ltd collects and is responsible for personal information about you. When we do this, we are the 'controller' of this personal information for the purposes of the General Data Protection Regulation (GDPR) and other applicable data protection laws.
Our Data Protection Officer is responsible for overseeing all aspects of our data governance.

WORKING WITH US
We are a commercial law firm. As a client, we are at your service and have all the knowledge and experience you need to succeed. As a staff member, solicitor or supplier, we work with you to deliver services to our clients. When working with you, we will have access to and process data. We want to tell you what we have, why we have it and how long we will keep it for.

WHAT DATA WE COLLECT ABOUT YOU
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
• Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
• Contact Data includes address, email address and telephone numbers.
• Financial Data includes bank account and payment card details.
• Transaction Data includes details about payments to and from you and other details of services you have purchased from us.
We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data, or any information about criminal convictions and offences) unless required to enable us to provide our services to you, in which case it will be used in accordance with this privacy notice.
Information gathered automatically
We may also collect information automatically about your access and usage of our website using cookies and other analytical technology. Full details of our data collection methods are included in the 'Cookie' section below. We will use your IP address, which is a numeric code that identifies a computer on the internet, to collect internet traffic data and information on your browser type and computer. If you do not wish to receive cookies, you may reject them by amending your browser settings, unless they are required for the delivery of our website or services to visitors.
Information gathered from other sources including third parties
Additionally, we may obtain information about you from legitimate third parties, including existing clients, Courts and other Government institutions (the Home Office, Police Station etc.) and other relevant entities that are known to you or related to your enquiry or requirements.

IF YOU FAIL TO PROVIDE PERSONAL DATA
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with services). In this case, we may have to cancel a service you have with us, but we will notify you if this is the case at the time.

HOW IS YOUR PERSONAL DATA COLLECTED?
We use different methods to collect data from and about you, including through:
a) Direct interactions. You may give us your Identity, Contact and Financial Data by filling in forms or by corresponding with us by post, phone, email, website chat, voice calls, text messages or otherwise. This includes personal data you provide when you:
• apply for and use our services;
• request marketing to be sent to you;
• give us some feedback;
• make an enquiry through our website;
• request information about us, our website, our services or any other interaction involving this website.
b) Third parties or publicly available sources. We may receive personal data about you from various third parties and public sources, including those set out below:
• Experts instructed by us upon your behalf in the course of our dealings with you;
• Identity and Contact Data from publicly available sources such as Companies House and the Electoral Register based inside the EU.

HOW WE USE YOUR PERSONAL INFORMATION.
We use your personal information for the following purposes:
• To provide you with legal services.
• To comply with our legal responsibilities to the SRA and under relevant regulation.
• To promote and market our services.
• To engage with and recruit talented individuals to work with us.
• To engage with partners that supply us with goods and services;
• To manage any queries or complaints you have about the services you receive;
• To monitor the quality of service we deliver to you, and ensure it meets your expectations;
• To comply with legal obligations to act in the public interest and uphold the rule of law.

WHY YOU HAVE TO PROVIDE THE INFORMATION
Some of the personal information, such as your personal details and financial information, is required for us to comply with the regulatory framework we work under or required under statutory obligations for Anti-money Laundering purposes, to comply with the Solicitors Regulatory Authority (SRA) regulations, HMRC requirements, Land Registry requirements and requirements of the Courts of England and Wales. If you do not give us this information, we may not be able to provide you with legal services or complete your matter.

YOUR CONSENT
In some cases, you will give us consent to use your personal information in a certain way. If you have given us consent to use your data in a certain way, and we have no other legal basis for doing so, we will rely on your consent. There is more information below on your rights regarding consent. The activities where we rely on your consent are:
• Keeping in touch with you and sending you information about how our services can help. We will also let you know about what is going on at our firm and developments in the industry. We will always give you an option to opt out of future communications.
• If you are thinking about working with us and have applied for a role either directly or through a recruiter, we will rely on your consent to process your application. If you choose to withdraw your consent in these circumstances, then please be aware we may not be able to process your application and will only keep personal information that we are required to by law or to defend a legal claim.
• If you are giving us any special categories of data, we may need your explicit consent to do so. We will let you know if this happens and explain it all to you.
You always have the right to withdraw your consent at any time. If consent relates to electronic communications (such as a newsletter or invitations to events) then we will always give you an 'Opt-Out' option in every communication. You can also contact us using any of the details below ('Get in touch') to withdraw consent.

PERFORMANCE OF A LEGAL CONTRACT
We will process personal information that relates to the services we are providing you with, or receiving from you, that are bound by our engagement with you (legal contract). The areas where we are processing personal information to enter into, or fulfil a legal contract are:
• Providing legal services to you or discussing our services with you to arrange an engagement. We will process any personal information relating to your matter under this legal basis. We may also be processing personal information given to us by a client to fulfil a contract, even though the personal information is not the client's but of related parties such as family, next of kin or staff details at a related company.
• When working with you in partnership to deliver services we may process personal information, such as information in agreements and on invoices, required to fulfil our obligations under those contracts.

TASKS CARRIED OUT IN THE PUBLIC INTEREST
There may be some cases when we have a legal obligation to act in the public interest in relation to the detection and reporting of suspected crime. We can't rely on your consent and may not be able to tell you when we are processing your personal information in this way so as not to prejudice those purposes.

LEGITIMATE INTEREST
We rely on legitimate interests to engage with talented individuals that may be a great fit for our firm. We may use personal information that you have made public (for instance on CV sites and professional networking sites), where you have shown interest, to discuss opportunities with you.
We rely on legitimate interests in some cases to invite you to certain events such as networking events or hospitality events. Our legitimate interest is to thank our clients and bring like-minded people together. We will use your contact information when we do this and can, on request, provide more information on the assessments we have gone through to make sure the use of your information in this way is fair (see 'Get in touch' below).

WHO WILL WE SHARE YOUR PERSONAL INFORMATION WITH?
We work closely with selected partners and consultants that we share personal information with to deliver you the service you expect from us. We share personal information to:
• Perform the services you have instructed us on that may require us to share data with expert consultants, counsel and advisors as required to complete your matter;
• Professional services business that helps us to maintain business quality and manage compliance with regulations;
• Search providers used to perform due diligence searches, anti-money laundering searches and any other searches required by law or to undertake your matter;
• Credit reference agencies used to perform searches required by law or to undertake your matter;
• Certain processors and providers of services and software that make up the platforms and systems we use to deliver services;
• Storage and archiving providers to ensure your personal information is protected securely and backed up.
Any partners, suppliers or third parties we share data with will be bound by strict agreements that meet the requirements of GDPR and will be monitored for performance with those agreements.
We will share personal information with official bodies if required by law including the SRA, ICO, the police, law enforcement and intelligence agencies.

SHARING OF YOUR INFORMATION OUTSIDE THE EUROPEAN ECONOMIC AREA (EEA)
It may be necessary to transfer your personal information outside the EEA or to an international organization in order to perform your instructions. We do not routinely transfer data outside of the EEA, and when we do we will notify you of the reasons, the legal basis for doing so, any relevant risk assessments that we want to make you aware of, and the appropriate safeguards in place to protect your rights and freedoms.
If you would like any further information on transfers outside of the EEA, or think that as part of your matter you will want us to transfer your data outside of the EEA, then please contact our Data Protection Manager (see 'Get in touch').

HOW LONG WILL WE STORE YOUR PERSONAL DATA?
We will only keep your personal information for as long as necessary to complete the purposes we have described above. We use the following retention periods and review these periodically to make sure we are only keeping what we need (if information can be kept for two different periods, we will keep it for the longer of those two periods):
• Matter information - Information about you and any personal information relating to your matter we will keep for a period of 7 years after the matter has ended, or 1 year after any relevant limitation period, whichever is longer. This is to comply with our requirements to our insurance provider to have records available in the case we need to defend a legal claim, and to comply with the SRA obligations regarding record keeping.
• Identification and Due Diligence - Information relating to Anti-money Laundering checks and due-diligence we will keep for a period of 5 years from the end of the last matter undertaken for you to comply with our Anti-money Laundering obligations. If you continue to work with us we will update this information at least every 3 years.
• Financial Transactions - Information about you and any financial transactions, including fees paid and payments for services, we will keep for a period of 7 years to comply with HMRC requirements to keep accurate records that can be audited.
• Contact information used in marketing with your consent and to pursue a legitimate interest will be kept for 30 days once you have withdrawn your consent.
Information that we delete may be kept in an encrypted, secure and 'beyond reach' backup for a period of 6 years after deletion. We need to maintain backups of our systems to comply with article 32 of the GDPR (security and resilience).

YOUR RIGHTS
Under the General Data Protection Regulation, you have a number of important rights that you can exercise free of charge. In summary, these rights are:
• Transparency over how we use your personal data and fair processing of your information (which includes the right to be given the information in this notice);
• Access to your personal information and other supplementary information;
• Require us to correct any mistakes or complete missing information we hold on you;
• Require us to erase your personal information in certain circumstances;
• Receive a copy of the personal information you have provided to us or have this information sent to a third party; this will be provided to you or the third party in a structured, commonly used and machine-readable format;
• Object at any time to processing of your personal information for direct marketing;
• Object in certain other situations to the continued processing of your personal information;
• Restrict our processing of your personal information in certain circumstances;
• Request not to be subject to automated decision making which produces legal effects that concern you or affect you in a significantly similar way.
If you want more information about your rights under the GDPR, please see the guidance from the Information Commissioner's Office on individuals' rights under the GDPR.
If you want to exercise any of these rights, please contact us (see 'get in touch' for contact details) and let us know who you are and what right you want to exercise. We may need to ask for additional information regarding your identity, and we may also need some information from you on specific categories of data, types of processing activities or periods of processing activities that you wish to focus your request around.
We will respond to you no later than one month from when we receive your request. Please note if you wish to unsubscribe from any email you can do so by emailing our Data Protection Manager (see 'get in touch' for contact details). It may take 10 working days for this to become effective.

OUR SECURITY
We are a modern law firm and have invested significantly in our processes, systems and controls to safeguard your data. We keep your personal information secure through:
• Training all of our staff and Partners on the importance of information security and the processes we have in place to do so;
• Review by external advisers who will help us to understand and manage emerging threats to information;
• Policies and procedures that are enforced across the practice;
• Security functions in systems;
• Audits and checks on the performance of controls;
• Risk management processes that identify and mitigate risks and threats to your information;
• Encrypted backups taken periodically to make sure data is always available;
• Encryption on devices that hold data;
• Password policies for any systems that hold data;
• Administrative control and oversight to any systems or networks that hold data.

FUTURE PROCESSING
We do not intend to process your personal information for any reason other than stated within this privacy notice. If this changes, we will update this privacy notice on our website and in any documentation we send you, or tell you by email when we start processing your data in a new way.

CHANGES TO THIS PRIVACY NOTICE.
This privacy notice was published in August 2022. It is due for review within 12 months. We regularly review our internal privacy practices and may change this policy from time to time. When we do, we will inform you by updating our website and telling you in any documentation or messages we send you.

CONTACT US
By Post: Hilltop Solicitors Ltd, Sophia House, 28 Cathedral Road, Cardiff CF11 9LJ
By Phone: 02920660155
Data Privacy: Our Data Protection Officer is Ali Imran who can be contacted using the postal address and telephone number above or by email at:
admin@hilltopsolicitors.co.uk