Privacy & Fair Processing Notice
Leyton UK Limited, a company registered in England and Wales with the company number 06977112 and with its registered office at 13-15 Bouverie Street, Harmsworth House, London, England, EC4Y 8DP, Leyton UK Partners LLP, a limited liability partnership registered in England and Wales with the company number OC388386 and with its registered office at Harmsworth House, 13-15 Bouverie Street, London, England, EC4Y 8DP, Leyton Legal (Scotland) LLP, a limited liability partnership registered in Scotland with the company number SO305978 and with its registered office at The Hatrack, 144 St Vincent Street, Glasgow, G2 5LQ and THESEE MAROC, a company registered in Morocco with the company number 245533 and with its registered office at Plt 501, Shore 14, 5ème étage, Parc Casanearshore – Sidi Maârouf – Casablanca, (together “Leyton”). This privacy notice is issued on behalf of each of the abovementioned Leyton entities which shall be joint controllers in respect of your data, so when we use the terms “Leyton”, "we", "us" or "our" in this privacy notice, we are referring to all of these Leyton entities and we may share your data among these Leyton entities for the purposes set out in this privacy notice.
We strive to protect the privacy of all personally identifiable information collected during the course of our activities and it is important for you to know how we process your data. We will process your personal information under the terms of this policy and in accordance with any agreement with you.
We are a “data controller” in terms under data protection laws (including from 25 May 2018, the EU General Data Protection Regulation 2016 and the Data Protection Act 2018) (“Data Protection Laws”).
We need to process personal data relating to our R&D customers, our legal clients, our suppliers, the employees of our legal clients, the employees of our R&D customers and potential customers in order to function effectively as a business, to ensure good governance, for audit purposes and to enable us to meet our legal obligations.
Personal data is processed for commercial, administrative, statutory and marketing/promotion purposes. All such personal data is collected and held in accordance with all applicable Data Protection Laws.
What personal information will Leyton use?
This list includes all the ways we may use your personal information, and which of the reasons we rely on to do so. This is where we tell you what our legitimate interests are.
Personal Information We May Process:
Contracts and invoices that customer has with third parties
Employees and workers of Leyton’s legal clients and legal clients who are individuals
terms and conditions of employment
social media messages
race, nationality or religion
criminal record information
Employees of Leyton’s R&D customers
Company director ID such as passport or driving license for anti money laundering (AML) purposes
R&D employees’ professional experience and qualifications
Remuneration figures and start/end dates of employment for R&D employees and/or that of the support staff members’ involved in R&D projects
Employees and workers of Leyton’s R&D customers’ suppliers:
Personal data contained within invoices sent to Leyton customers. Such invoices may include an individual employee’s timesheet and charge out rates for the duration of work carried out for Leyton customers.
Potential customers (B2B only)
Our Reasons for Processing
Consent (under article 9 of the GDPR)
Our legitimate interests
Advising employers on how to carry out their obligations and exercise specific rights of both the employer and the employee under employment law; or advising individuals on their obligations and exercise of specific rights under employment law
Establishing, exercising or defending employment legal claim
To carry out obligations and exercise specific rights in employment law
To establish, exercise and/or defend employment legal claims
Our Legitimate Interests
Administering our business
To keep in contact with suppliers
To contact clients
Required by the legal team to provide employment legal advice
Required by the R&D team to provide their services
To send marketing information to potential customers in compliance with any applicable laws relating to marketing
Where do we obtain your information?
In most cases we will obtain this information from you directly. However, where you are an employee, a worker or a supplier of a customer or client of ours, we may obtain personal details about you from your employer using the reasoning contained within in the table, above.
We may also obtain information about you, if you are a legal client, when we carry out a conflict check on our conflict check database, Salesforce, or, if you are a prospective customer, via the DUEDIL database (a private company information database).
We process the personal data referred to above for the purposes of any contract or potential contract with our R&D customers, our legal clients and our suppliers; or for our legitimate interests in order to function effectively as a business, to ensure good governance, for audit purposes, to perform our business activities; and to enable us to meet our legal obligations that we may be subject to.
Who do we share your information with?
The information you provide to us may be accessed and processed by our staff and we may share it with our auditors, our professional advisors and carefully selected third parties in the course of providing services to us under suitable obligations of confidentiality.
In particular, we may share your information with the following entities:
LEAP (“LEAP”). If you are a prospective client of Leyton or if Leyton provides you with employment legal advice services your personal data, and, potentially, the personal data of your employees, may be transferred to LEAP, our legal software provider.
Sales Force (“Sales Force”). If you are a customer or a potential customer of Leyton, your personal data may be transferred to Sales Force, our CRM cloud provider.
Purple Lattice (“Purple Lattice”). Purple Lattice is Leyton’s IT support services provider, therefore, if you are a customer of Leyton your personal data, and, where appropriate, the personal data of your employees, may be accessed by Purple Lattice for system maintenance purposes.
Albion Legal (“Albion Legal”). If Leyton provides you with employment legal advice services your personal data, and, potentially, the personal data of key employees (e.g such as your HR manager), may be transferred to Albion Legal, if you have indicated that you wish to receive insurance services from Albion Legal.
We may also use information in aggregate, where personally identifiable information is removed, for marketing and strategic development to improve and support our activities.
We employ administrative, electronic and physical security measures to ensure that the information that we collect about you is protected from access by unauthorised persons and protected against unlawful processing, accidental loss, destruction and damage.
Please be aware that unfortunately the transmission of information via the internet or by email is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of the data transmitted to us and any transmission is at your own risk.
The period for which the personal data will be processed
We will retain personal data securely and only in line with how long it is necessary to keep for the purposes or for a legitimate and lawful reason.
Our typical retention periods are as follows:
Supplier contracts and documentation - 7 years from the date of expiry or termination of the last supplier contract
Legal client contracts and documentation - 7 years from the date of expiry, termination or resolution of the last client instruction
R&D customer contracts and documentation - 7 years from the date of expiry or termination of the last customer contract
Anti-money laundering ID for legal clients -7 years from the date of the last client instruction
Names and emails addresses of both potential and existing customers used by the sales team - 7 years from the date which the potential customer last responded to solicitation of Leyton.
Some personal data may be retained for longer where it is in our legitimate interest to do so, such as to protect and defend our legal rights; or for research, archiving or statistical purposes. Individuals can request that other information relating to them be erased and we will deal with such requests in accordance with the law.
Transfers outside the European Economic Area
We, or carefully selected third parties that we contract with, may send personal data to countries outside the European Economic Area (‘EEA’). If and when this occurs, there will be protections in place to ensure the recipient protects the data to the same standard as the EEA. The protections include:
transferring to a non-EEA country with privacy laws that give the same protection as the EEA.
putting in place a contract with the recipient that means they must protect personal data to the same standards as the EEA.
transfer personal data to organisations that are part of Privacy Shield. This is a framework that sets privacy standards for personal data sent between the US and EU countries which makes sure standards are similar to what is used within the EEA.
In particular, personal data relating to employees of Leyton’s R&D customers, Leyton’s legal clients and/or employees and workers of Leyton’s legal clients (existing and prospective) may be passed to and from THESEE MAROC, an associate Leyton company registered in Morocco, in order to provide services to such customers and deal with business needs (including but not limited to the provision of IT support services) and such sharing is set out in a written data sharing agreement and/or data processing agreement.
Data subject’s rights
As an individual, you have the following rights as a data subject under applicable Data Protection Laws in relation to the processing of your personal data:
The right to request from us access to information held about you - (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
The right to request that inaccurate data held about you is rectified - this enables you to have any incomplete or inaccurate information we hold about you corrected.
The right to request the erasure of personal data - this enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing.
The right to restriction of processing - this enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
The right to object to processing - objection to processing of your personal information can occur where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes; and
The right to data portability.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact our Data Privacy Manager in writing.
Where we process your personal data based upon your consent, you have the right to withdraw your consent at any time.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact our Data Privacy Manager. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
For more information and guidance about any of these rights please go to the website of the Information Commissioner’s Office at https://ico.org.uk
If you think there is an issue in the way in which we handle your personal data, you have a right to raise a complaint with the Information Commissioner’s Office. Their website contains details of how to make a complaint.
Changes to this Privacy & Fair Processing Notice
We keep our Privacy & Fair Processing Notice under regular review and reserve the right to update and amend it. This notice was last updated in November 2018.
For further information about the proposed data sharing set out in this notice, or about any aspect of Leyton and the processing of your personal data, please contact our Data Privacy Manager:
Data Privacy Manager
9 George Square
0141 375 9751