James McKenzie (Wills) Ltd (hereinafter referred to as “James McKenzie”) is a specialist Will Writing company, focusing primarily on providing Wills and related products to employees of large multinational companies.
- Complies with data protection law and follow good practice
- Protects the rights of staff, customers and partners
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
Process of obtaining information
Under GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:
- a) processing will be fair, lawful and transparent
- b) data be collected for specific, explicit, and legitimate purposes
- c) data collected will be adequate, relevant and limited to what is necessary for the purposes of processing
- d) data will be kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
- e) data is not kept for longer than is necessary for its given purpose
- f) data will be processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisation measures
- g) we will comply with the relevant GDPR procedures for international transferring of personal data
Access to Data
As stated above, James McKenzie clients have a right to access the personal data that we hold on them. To exercise this right, clients should make a Subject Access Request. We will comply with the request without delay, and within one month unless, in accordance with legislation, we decide that an extension is required. Those who make a request will be kept fully informed of any decision to extend the time limit.
No charge will be made for complying with a request unless the request is manifestly unfounded, excessive or repetitive, or unless a request is made for duplicate copies to be provided to parties other than the employee making the request. In these circumstances, a reasonable charge will be applied.
Further information on making a subject access request is contained in our Subject Access Request policy.
Data Retention Period
James McKenzie Adheres to principle 5 of the GDPR act - Information should be retained only for as long as necessary.
We keep your information for the purposes of providing your Documents, handling any follow-up enquiries, and for the purpose of gaining probate (where required). Due to the nature in which it is intended, personal data will be kept indefinitely, unless:
- The law decides that it is no longer required.
- You no longer require our services and request in writing for it to be returned to you or destroyed safely.
Where necessary we will use your personal information to pass to third parties, should the process of your service require us to do so.
Where we engage third parties to process data on our behalf, we will ensure, via a data processing agreement with the third party, that the third party takes such measures to maintain the Company’s commitment to protecting data.
Any personal information supplied to us will not be shared for any outside marketing purposes and will not be sold.
We will not transfer your personal information outside of the European Economic Area (EEA).
Disclosing data for other reasons
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, James McKenzie will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the company’s legal advisers where necessary.
As our client you have the following rights:
- The right to be informed - about the data we hold on you and what we do with it;
- The right of access - More information on this can be found in the section headed “Access to Data”;
- The right to rectification - any inaccurate data will be corrected;
- The right to erasure – have data deleted in certain circumstances;
- The right to restrict processing – of the data;
- The right to data portability – transfer the data we hold on you to another party;
- The right to object - to the inclusion of any information;
- Rights in relation to automated decision making and profiling.
Data protection risks
This policy helps to protect James McKenzie from some very real data security risks, including:
- Breaches of confidentiality. For instance, information being given out inappropriately.
- Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
- Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.
James McKenzie employees are aware of their roles and responsibilities when their role involves the processing of data. Regular training is provided to all employees.
Where data is computerised, it is encrypted or password protected (or both) on a cloud storage drive within the EEA that is regularly backed up. If a copy is kept on removable storage media, that media must itself be kept in a locked filing cabinet, drawer, or safe.
James McKenzie employees must always use the passwords provided to access the computer system and not abuse them by passing them on to people who should not have them.
Failure to follow the Company’s rules on data security may be dealt with via the Company’s disciplinary procedure. Appropriate sanctions include dismissal with or without notice dependent on the severity of the failure.
Requirement to notify breaches
All data breaches will be recorded on our Data Breach Register. Where legally required, we will report a breach to the Information Commissioner within 72 hours of discovery. In addition, where legally required, we will inform the individual whose data was subject to breach.
More information on breach notification is available in our Breach Notification policy.
Policy Last Updated 11/09/2018