Last updated 11 August 2022
- Who we are, and how you can contact us
- Who we collect Personal Data from
- General Data
- Law Firm Users
- End Users
- How we share your Personal Data
- Our security measures
- How long do we keep your Personal Data for?
- Transfers outside of the United Kingdom
- Rights of the Data Subject
1. Who we are and how you can contact us
Legl is subject to the UK Data Protection Act 2018, the UK GDPR (as defined in the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019/419), the Privacy and Electronic Communications (EC Directive) Regulations 2003, and all similar or related legislation (collectively, the “Data Protection Legislation”).
Email: [email protected]
Office 7, 35-37 Ludgate Hill, London, England, EC4M 7JN
“Personal Data” means any information relating to an identified or identifiable individual (“Data Subject”), as further set out in the Data Protection Legislation. Examples of identifiers we process are name, email address, identification card number, location data, an online identifier or one or more factors relating specifically to the economic, cultural or social identity of the natural person. The specific type of Personal Data we collect is covered in Sections 3 (a), (b) and (c) below.
3. Who we collect Personal Data from
Section (a) – General Data: This Section is relevant if you visit our website or if we acquire information from you through our day-to-day business.
Section (b) – Law Firm Users: This Section is relevant if you are engaged or otherwise employed by a Law Firm and you access the Legl Services on the Law Firm’s behalf.
Section (c) – End Users: This Section is relevant if you are an individual being represented or otherwise assisted by a Law Firm and access the Legl Services via a request or link from such Law Firm.
Please read the General Data section as well as any other section relevant to you.
(a) General Data
What Personal Data do we collect?
When you visit our website, www.legl.com, we may collect and process information about your activity on and interaction with the website, such as your IP address and details of the device or browser you use to access the website.
If you sign up for news and marketing updates about our business via our website, e-mail, or other marketing tools such as marketing automation platforms, we will collect your name and your email address and any additional Personal Data you provide us. The Personal Data collected enables us to identify subscribers through a combination of the information provided during the sign-up process. Depending on the marketing tools that we use to facilitate the sign-up process, we may on occasion use a third-party data processor to process the Personal Data of subscribers. In such circumstances, subscribers will be made aware of this during the sign-up process and asked to provide consent accordingly. Thereafter, provided consent is given, any Personal Data collected in this manner will be used or shared pursuant to Legl’s legitimate interests.
If you contact Legl via Twitter, LinkedIn, Facebook or any other social platform, please note that the information that you provide to us (including any Personal Data) will be shared via the relevant social media platform.
In all instances described above, Legl acts as the data controller of such Personal Data.
How do we use this Personal Data?
Our legal basis for collecting and using the Personal Data is dependent on the type of Personal Data used and how it is collected. We will generally collect Personal Data from you only where you have provided your consent, where the processing is in our legitimate interests and is not overridden by your data protection interests or fundamental rights and freedoms.
In particular, we process your Personal Data in this manner on the basis that we have a legitimate interest:
- to respond to your enquiries;
- to provide you with news updates about the Legl Services and industry news;
- to manage risk or prevent other illegal or prohibited activities; and
- to resolve issues or fix problems on our website.
In some cases, we may also have a legal obligation to collect Personal Data from you. If we ask you to provide Personal Data to comply with a legal requirement or to perform our obligations under a contract with you, we will make this clear at the relevant time and advise you whether the provision of your Personal Data is mandatory or not (as well as of the possible consequences if you do not provide your Personal Data).
(b) Law Firm Users
During the on-boarding process we will collect the business contact details of Law Firm personnel who will be using the Legl Services (“Law Firm User”). The processing of such Personal Data in this manner is necessary for Legl to perform the contract it has with the relevant Law Firm and to provide the Legl Services to the Law Firm Employees. In this respect, Legl acts as the data controller of such Personal Data.
(c) End Users
We will share your Personal Data with the Law Firm who has purchased the Legl Services from us. The Law Firm is responsible for obtaining the relevant consents from you and ensuring that you are happy with the ways in which your Personal Data will be used. Please refer to the Law Firm’s privacy statement for further information in this regard.
Depending on the activities that Legl has been engaged by the Law Firm to undertake, Legl may use sub-processors to collect certain Personal Data, including your name, email address, identification card number, location data, IP address, credit card information, home address, ID documentation, biometric data (i.e., a photo) and any other Personal Data contained in any documents that are uploaded by you into the system.
- Stripe (payments processor): Stripe maintain best in class PCI Level 1 certification and are regulated by the Financial Conduct Authority (“FCA”);
- Banked (payments processor): Banked has achieved Cyber Essentials Plus certification and is regulated by the Financial Conduct Authority (“FCA”);
- Onfido (identity verification solution): Onfido are ISO27001 certified and maintain SOC 2 Type II compliance;
- ComplyAdvantage (identity verification solution): ComplyAdvantage are ISO27001 certified and maintain SOC 2 Type II compliance;
- Creditsafe (business verification solution): Creditsafe are ISO27001 certified and are regulated by the FCA;
- HelloSign (eSignature solution): HelloSign stores data in SOC 1 Type II, SOC 2 Type I, and ISO27001 certified data centres; and
- TrueLayer (AISP services): TrueLayer is regulated by the FCA and is certified as ISO27001 compliant.
The Personal Data provided to Legl may be processed for one or more of the following purposes:
- to perform our contract with Law Firms and provide the Legl Services to the Law Firms;
- to enable the Law Firms to identify and/or verify the identity of End Users in accordance with the Sanctions and Anti-Money Laundering Act 2018 and the Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017 (and any other applicable laws and regulations);
- to comply with legal and regulatory obligations applicable to the Law Firms; and/or
- for any other specific purposes requested by the Law Firms.
4. How we share your Personal Data
Where it is necessary for the performance of our contract with Law Firms or for our internal business processes, we may share your Personal Data with our contractors and/or third-party partners.
In addition, it may be necessary for us to disclose your Personal Data in order to:
- fulfil our regulatory, contractual, legal and/or compliance obligations;
- protect the rights, property and/or safety of Legl, our affiliates and our contractors, directors, employees or other personnel.
If we share Personal Data, we will only do so insofar as it is reasonably necessary for the purposes for which we have collected it.
5. Our security measures
The Personal Data you provide to us will be transferred to and stored securely on AWS servers. AWS employs its own physical and network security measures and its data centres undergo annual certifications to ensure they meet the highest standards of physical and virtual security. You can find more information regarding AWS’ security practices here.
We take robust technical and organisational measures to ensure a level of security appropriate to the risk that could be encountered via the use of our website and the Legl Services, taking into account the likelihood and severity of the risks posed to your rights and freedoms. In particular, we will take precautions to protect against the accidental or unlawful destruction, loss or alteration, and unauthorised disclosure of or access to the Personal Data transmitted, stored or otherwise processed by us.
For example, Personal Data is encrypted at rest and any data sent is encrypted over HTTPS. Payments are processed with Strong Customer Authentication (SCA) in line with the latest payments regulation PSD-2. All of our systems are protected by strong passwords and multi-factor authentication where available.
6. How long do we keep your Personal Data for?
We will only keep your Personal Data for the duration of our contract with the Law Firms or as long as we reasonably require to fulfil the purpose for which the Personal Data was collected, and that’s in our legitimate interests. In any event, the Personal Data will be retained only for as long as the Data Protection Legislation allows.
In addition, either upon request by the Law Firm or when Legl (or any of our engaged third party service providers) no longer needs to process Personal Data (whichever is earlier), Legl will cease all use of the Personal Data and will destroy the Personal Data (unless retention of any such personal data is required by applicable law, including any applicable Data Protection Legislation).
7. Transfers outside the United Kingdom
This means that we will only transfer your Personal Data to third parties located outside the United Kingdom if:
- that third party is situated in a country that has been confirmed by the United Kingdom government to provide adequate protection to Personal Data;
- that third party has agreed (by way of written contract) to provide all protections to your Personal Data as required by the Data Protection Legislation; or
- we otherwise have a legal basis for doing so.
A cookie is a piece of information in the form of a very small text file that is placed on an internet user’s hard drive. It is generated by a web page server, which is basically the computer that operates a web site. The information the cookie contains is set by the server and it can be used by that server whenever the user visits the site. A cookie can be thought of as an internet user’s identification card, which tells a website when the user has returned.
- Essential cookies: these are cookies that are required for the operation of our website
- Analytical/performance cookies: these cookies collect information about how visitors use our Website, for instance which pages visitors go to most often, and if they get error messages from web pages. Information collected by these cookies is aggregated and therefore anonymous. It is only used to improve how the Website works
- Communications cookies: these cookies save your settings across logins and help us track the performance of our communications and support. Information collected by these cookies is aggregated and therefore anonymous
- Sharing cookies: these cookies allow you to interact with third party services such as Twitter, YouTube and LinkedIn
- Advertising cookies: these are cookies used for advertisement targeting purposes and to track the performance of our online advertising
9. Rights of the Data Subject
The Data Protection Legislation provides you with the following rights:
- the right to access your Personal Data or to get a copy of it;
- the right to have your Personal Data rectified if it is inaccurate or incomplete;
- the right to request deletion or removal of your Personal Data (although in order to comply with our legal obligations we may not always be able to do this);
- the right to restrict processing of your Personal Data;
- the right to data portability to enable the moving, copying or transferring of your Personal Data from one platform to another;
- the right to object to the processing of your Personal Data in certain circumstances and withdraw any consent you have given; and
- rights relating to profiling and automated decision making resulting from the processing of your Personal Data.
For End Users, these rights are exercisable against the Law Firm and any queries should be directed to the relevant contact as per the privacy statement of the Law Firm.
Individuals covered by the General Section above and Law Firm Users may exercise these rights by sending a request to the Data Protection Officer at the notice details above.
Should you have any queries or complaints in relation to how we use your Personal Data, please contact us using the details set out above. Should you wish to take any complaints or queries further, you have the right to contact the UK’s supervisory authority, the Information Commissioner’s Office regarding such issues. For more details you can visit their website at https://ico.org.uk/.