Murray Beith Murray Privacy Policy

Data Protection Privacy Notice

Please read this Privacy Notice carefully before providing us with any information about you or any other connected person.  Where you provide information about another person, you should first obtain their consent to do so.

We have developed this Privacy Notice in accordance with the Data Protection Act 2018 and Regulation (EU) 2016/679, commonly known as the General Data Protection Regulation or GDPR.  Its purpose is to advise you of the personal information we may collect, for what purpose(s), how we will use it, the lawful basis under which we may do this and your rights under the GDPR.  This Notice was last updated in July 2018.

When we refer to ‘personal data’, we mean information which identifies you as an individual, or is capable of doing so.

When we refer to ‘information concerning health’ we mean information related to your physical or mental health, including the provision of health care services, which reveal information about your health status.

Murray Beith Murray LLP is registered with, and supervised by, the Information Commissioner’s Office as a Data Controller and Processor, reference No Z6015139.  We have a responsibility to ensure that your personal information is processed in accordance with this Privacy Notice and the above Regulations.

If you would like to discuss anything in this Privacy Notice, please contact the Management Board who are responsible for Data Protection within the firm You may contact them at Data Protection, Murray Beith Murray LLP, 3 Glenfinlas Street, Edinburgh EH3 6AQ. Telephone 0131 225 1200. Email This email address is being protected from spambots. You need JavaScript enabled to view it.

We process personal data on the legal basis of Legitimate Interests, and the information below sets out further details on this processing.  We may obtain personal data from you and, with your authority, from credit referencing agencies, your authorised representatives and other providers of products or services to you.

To provide you with legal services, we may use the following personal data

• Contact information, such as home address, telephone number and email address
• Personal information such as age, gender, nationality, domicile and tax identification number
• Financial information such as income/outgoings, assets/liabilities and bank account details
• We may also require information on others such as your spouse/partner or dependants where this is relevant
• Information concerning your health – for which we will obtain your express consent to do so

To meet our obligations to the UK Money Laundering Regulations, we may use the following personal data

• Passport or driving license details
• Your home address
• Financial information such as occupation, income and source of wealth

To evaluate or monitor the competence of staff and suitability of services we may use the following personal data

• Personal information provided by you or third parties
• Letters, reports and any other correspondence between us or third parties

To respond to a complaint or claim we may use the following personal data

• Personal information provided by you or third parties
• Recordings of telephone calls between us
• Letters, reports and any other correspondence between us or third parties

To monitor and maintain our website, we may monitor and retain the following personal data

All computers that are linked to the Internet have an Internet Protocol I.P. number.  Our website logs your I.P. number when you visit it.    An I.P. number does not provide identifiable personal information on its own but there are facilities to look up IP numbers and establish the owner so this is treated by us as personal information.

To provide you with general information from or about us, we may use the following personal information:

• Contact information, such as name, home address, telephone number and email address

We will only communicate matters relating to the firm and the services we may provide to you.

We may share information with third parties where this is necessary to enable us to provide our services to you or to allow us to comply with our legal or regulatory obligations.  We will not share your data with any third party for marketing purposes.  The classes of third parties with whom we will share your personal data, and the reason for this, are as follows.

Other legal firms, law courts and other professional advisors

We may share your personal data where it is necessary to deliver the service we are providing, such as a property purchase or setting up a trust or executry.  We disclose only the personal information that is required to deliver that service.

IT systems and support, paper archives, electronic records

We outsource our IT hardware and systems support.  Certain operating and record keeping systems are provided by third parties.  These third parties may have access to data for support, service, backup and trouble-shooting purposes.  We have agreements in place with these third parties to restrict their access to and use of this data.

The Law Society of Scotland, other regulators, government and law enforcement agencies

These entities have a legal right to access our records and we have a legal obligation to disclose any information we hold in certain circumstances.

Credit reference agencies, fraud prevention agencies and related service providers

In order to meet our obligations in respect of The UK Money Laundering and Proceeds of Crime Regulations we may use a third party electronic verification system to verify your identity.  This is undertaken as part of the initial client appointment, and may be repeated at any time for the duration of the service(s) we provide to you.

Tax authorities

We may have to share information with tax authorities, either directly with overseas authorities or via Her Majesty’s Revenue and Customs who may share that information with the appropriate tax authorities abroad.

Our professional advisors and insurers

Our appointed auditors, lawyers, accountants, other professional advisors and insurers may require access to the client information we hold in order to provide us with advice or insurance.

Web analytics

Analysis of traffic using our website may be undertaken by selected third parties on our behalf.

Business transfers

We may transfer our records to a third party as part of a sale or transfer of some or all of the business to a regulated third party. 

Data transfers outside of the EU

We may share personal data outside of the EU where it is necessary to deliver the service we are providing.  Where data is shared outside of the EU, we have a regulatory obligation to only transfer to States with an ‘equivalent’ standard of data protection and to have in place a data transfer agreement to protect the security and management of the data being transferred.  

The Lawful basis upon which we process personal data under EU directive 2014/65/EU is Article 6, 1(f) Legitimate Interests.  This means the processing is necessary, without your explicit consent, for our legitimate business interests, unless these interests are overridden by your interests or fundamental rights. Our legitimate business interests are explained in Part 2 of this privacy notice.

You have the right to object to us processing your personal data on the lawful basis of legitimate interests, but to do so may mean that we are unable to provide services to you.  If you wish to object, please use the contact details in Part 1 to do so.

We process ‘information concerning health’ under Legitimate Interests as described above, but this is subject to Article 9 (a) Explicit consent because it is considered to be sensitive information.  This means we will obtain your consent to do so before processing any health related information.

You have the right to withhold your consent to us processing information concerning health, but to do so may mean that we are unable to provide services to you. 

The retention period for personal data varies, depending on our regulatory obligations and complaints time barring rules.  The table below shows the various retention periods, and relates to all forms of records such as paper, electronically stored records, emails and recorded telephone calls.

The GDPR provides you with the following rights in relation to your personal data processed by us:

The right to be informed

You have the right to be informed how your data will be processed and of your rights.  The required information is provided in this Privacy Notice.

The right of access

You have the right to obtain confirmation that your personal data is being processed and have access to this.   When requested by you, we must provide you with a copy of the information free of charge within one month. However, we can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive.  We may also charge a reasonable fee to comply with requests for further copies of the same information.  Data access requests should be submitted using the contact details in Part 1 of this Privacy Notice.

The right to rectification

You are entitled to have personal data rectified if it is inaccurate or incomplete.  We must respond to a request for rectification within one month.  This can be extended by two months where the request for rectification is complex.  Data rectification requests should be submitted using the contact details in Part 1 of this Privacy Notice.

The right to erasure

You may request the deletion or removal of your personal data where there is no compelling reason for its continued processing.  We may, however, decline the request where we have a legal or regulatory obligation to retain the data, or where it is being used in the exercise or defence of a legal claim.  In such circumstances we will write to you explaining our reasons for declining your request for the data to be erased.  Data erasure requests should be submitted using the contact details in Part 1 of this Privacy Notice.

The right to restrict processing

You have a right to ‘block’ or suppress the processing of your personal data.  When processing is restricted, we are permitted to store the personal data, but not to further process it.  Data suppression requests should be submitted using the contact details in Part 1 of this Privacy Notice.

The right to data portability

Individuals generally have the right to data portability.  However, this only applies to personal data where the processing is based on the legal basis of consent or for the performance of a contract; and it is carried out by automated means.  This right does not apply to the personal data that we process, as this is processed on the legal basis of Legitimate Interests and processing is not carried out by automated means.

The right to object to processing or withdraw consent

You have the right to object to your data being processed on the legal basis of Legitimate Interests and the right to object to direct marketing and data profiling.  You also have the right to withdraw consent for us to process your information concerning health.  Objections to, or withdrawal of consent for, data processing should be submitted using the contact details in Part 1 of this Privacy Notice.

The right to remedies, liabilities and penalties

You have the right to report any concerns you have about the way we have processed your personal data with the Information Commissioner’s Office.  You may do this online at https://ico.org.uk/concerns/handling/ or in writing to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.  Telephone 0303 123 1113 (England) or 45 Melville Street, Edinburgh, EH3 7HL Tel: 0303 123 1115 (Scotland).

The GDPR Principles apply to all entities in that control or process personal data on EU citizens and form the basis for this privacy notice.  The Principles require that personal data shall be:

1. processed lawfully, fairly and in a transparent manner in relation to individuals; and
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes; and
3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed; and
4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay; and
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Murray Beith Murray LLP