By accessing or using the Website or using the services that we provide you are agreeing to comply with and be bound by these terms (and any documents referred to in them) which set out important information about how we will use your personal data.
In certain circumstances (as set out below) you will be required to indicate your consent to the processing of your personal data as set out in this Policy when you first submit information to us (whether via the Website or other means).
We may update this Policy from time to time. If we change this Policy we will post the changes on this page, and place notices on other pages of the Website as applicable, so that you may be aware of the personal data we collect and how we use it. This Policy was last updated in April 2018.
The terms ‘BMA Law’ or ‘us’ or ‘we’ refer to BMA Law Limited a company registered in England and Wales (under company number 09195241 and having its registered office at BMA House, Tavistock Square, London, WC1H 9JP. The term ‘you’ refers to the individual accessing and/or submitting personal data to the Website. We act as Data Controller and are responsible for, and control the processing of, your personal data in accordance with the Data Protection Requirements.
References in this Policy to:
‘Data Protection Requirements‘ means the Data Protection Act 1998 (until repealed) (“DPA”), the Data Protection Directive (95/46/EC) (until repealed) and, from 25 May 2018, the General Data Protection Regulation 2016/679 (“GDPR”) or any equivalent provision which may replace the GDPR following the formal political separation of the United Kingdom from the European Union; the Regulation of Investigatory Powers Act 2000; the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699); the Electronic Communications Data Protection Directive (2002/58/EC); the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003); and all applicable laws and regulations which may be in force from time to time relating to the processing of Personal Data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner or any other supervisory authority, and the equivalent of any of the foregoing in any relevant jurisdiction; and
‘personal data’, ‘Data Controller’, ‘special category data’ and ‘processing’ shall have the meanings given to them in the DPA or, from 25 May 2018, the GDPR.
‘personal data’ has a legal definition but, in brief, it refers to information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. Such information must be protected in accordance with applicable Data Protection Requirements.
‘special category data’ has a legal definition but, in brief, refers to information relating to an identifiable person’s religion, sexuality, disability, political beliefs or health and will include details of any trade union membership, including your membership, if any, of the BMA.
Personal data we may collect about you
We will obtain personal data about you and members of your family (such as your name, address, postcode, email address and telephone number, BMA membership number, BMA Group staff number, GMC membership number, date of birth, payment details, opinions and any other information you may supply to us) whenever you complete an online form, send or provide information to us in relation to the services we offer or instruct us to carry out services for you.
For example, we will obtain your personal data when you, send us feedback, contact us for any reason, sign up to a service, purchase or request services, respond to a survey, subscribe to updates and bulletins, register for events, make an enquiry with us or report a problem with the Website.
We may also obtain special category data about you if you volunteer it during the completion of an online form (such as details regarding your membership of the BMA) or when making an enquiry or during the course of the provision of the services. If you volunteer such information, you will be asked to consent to our processing of it for the purposes we inform you of.
Occasionally we may receive information about you from other sources, for example any insurance companies or cyber security providers, or cloud service providers you connect with through the Website, or from any third party websites and applications that integrate or communicate with the Website in relation to you. If so, we will add this information to the personal data we already hold about you in order to help us carry out the activities listed below.
How long we keep your personal data
Subject to the below, we will keep your personal data only for the purposes set out in the table below for:
Where you have instructed us to act for you we will keep your file and the personal data within it for a period of at least 7 years from the completion of the matter, we will then schedule the file for destruction;
Where you have made an enquiry with us about the provision of service but have not instructed us then we will keep your personal data for a period of 12 months from the date you make the enquiry;
Where we are processing your personal data only on the basis of consent (where no other legal basis for consent exists) then we will keep your information for a period of 5 years or until consent is withdrawn (whichever is sooner);
The purpose and legal basis for the processing
From 25 May 2018, under applicable Data Protection Requirements we may only process your personal data if we have a “legal basis” (i.e. a legally permitted reason) for doing so. For the purposes of this Policy, our legal basis for processing your personal data, and the reasons that we process your personal data, are set out in the table below
|How we use your personal data||The legal basis for our doing so|
|To help us identify you, including checking that you are a member of the BMA or of the BMA Group staff – this is to enable us to confirm that you can benefit from discounted rates.||We will only process your membership details or the fact that you are a member of the BMA for the express purpose that we tell you about when we ask for the data.|
|If you have instructed us to act on your behalf – to provide legal services to you in accordance with your instructions, this will include billing you. As part of this we will need to:
||The performance of a contract to which you are a party or in order to take steps at your request prior to entering into that contract.
Anti-money laundering and electronic searches are carried out for compliance with a legal obligation to which we are subject. Further information about the anti-money laundering checks we may carry out are set out in our terms and conditions that will be sent to you if you instruct us to provide services.
|To operate, administer, maintain, provide, analyse and improve the Website and the services available through the Website.||Subject to your rights set out below under the heading ‘Your rights’, the legitimate interest of providing services to users through the Website, which requires the processing of your personal data to enable us to provide these services.
This processing is necessary for the legitimate interests we pursue.
|To investigate and address any comments, queries or complaints made by you regarding the Site, and any similar or related comments, queries or complaints from other users.||Subject to your rights set out below under the heading ‘Your rights’, the legitimate interest of providing services to our users through the Website, which requires the processing of your personal data to enable us to provide these services.|
|For administration, maintenance and improvements of the Website and/or our services.||Subject to your rights set out below under the heading ‘Your rights’, the legitimate interest of providing services to our users through the Website or otherwise, which requires the processing of your personal data to enable us to provide these services.|
|To contact you for marketing purposes (see the information under ‘Marketing and opting out’ below) and to communicate with you and provide you with information concerning legal updates that we believe will be of interest to you.||If we contact you by post this processing is necessary for the legitimate interests we pursue in informing you about changes to the law that may be relevant to you or other services we provide;
We will only contact you for marketing purposes by email if:
|To notify you about changes to our services or the Website.||Subject to your rights set out below under the heading ‘Your rights’, the legitimate interest of providing services to our users through the Website or otherwise, which requires the processing of your personal data to enable us to provide these services.|
|To ensure that content from the Website is presented in the most effective manner for you and for your device and customising the Website and its content to your particular preferences.||Subject to your rights set out below under the heading ‘Your rights’, the legitimate interest of providing services to our users through the Website, which requires the processing of your personal data to enable us to provide these services.|
|To allow you to participate in interactive features of the Website, including inputting information and providing feedback.||Subject to your rights set out below under the heading ‘Your rights’, the legitimate interest of providing services to our users through the Website, which requires the processing of your personal data to enable us to provide these services.|
|To conduct research, statistical analysis and behavioural analysis (including anonymizing data for these purposes).||Subject to your rights set out below under the heading ‘Your rights’, the legitimate interest of providing services to our users through the Website or otherwise, which requires the processing of your personal data to enable us to provide these services.|
|To disclose your information to selected third parties as permitted by this Policy.||Your consent where given separately for that particular purpose.|
|To comply with our legal obligations, including obligations relating to the protection of Personal Data.||Where required by (but not limited to) any request or order from law enforcement agencies and/or HMRC in connection with any investigation to help prevent unlawful activity.|
Your consent to processing
As noted above, you will be required to give consent to certain processing activities before we can process your personal data as set out in this Policy. Where applicable, we will seek this consent from you when you first submit personal data to us or through the Website.
If you have previously given consent you may freely withdraw such consent at any time. You can do this through your account on the Website or by notifying us in writing (see ‘Marketing and opting out’ below).
If you withdraw your consent, and if we do not have another legal basis for processing your information (as set out above), then we will stop processing your personal data. If we do have another legal basis for processing your information then we may continue to do so subject to your legal rights (for which see information under ‘Your Rights’ below).
Please note that if we need to process your personal data in order to operate the Website and/or provide our services, and you object or do not consent to us processing your personal data, the Website and/or those services may not be available to you.
Marketing and opting out
Where you have previously instructed us we may contact you by telephone and email and post about similar or related services that we provide that may be of interest to you. We will inform you during the client opening process if we intend to use your data for such purposes and give you the opportunity to opt-out of receiving such information from us.
If you have given your consent, we may share your personal data with organisations who are our business partners or outsourced service providers (for instance those providing administration, case management, marketing, search optimization, or legal services on our behalf) and we or they may contact you (unless you have asked us or them not to do so) by mail, telephone, SMS, text message, fax and email about products, services, bulletins, promotions, special offers and events that may be of interest to you.
You have the right at any time to ask us, or any third party, to stop processing your information for direct marketing purposes. If you wish to exercise this right, you should contact us by sending an email to email@example.com, or contact the relevant third party using their given contact details, giving us or them enough information to identify you and deal with your request. Alternatively, you can follow the unsubscribe instructions in emails you receive from us or them.
Once you have unsubscribed from marketing emails, we will retain your details to ensure that you are not contacted for marketing purposes unless you request to receive such emails again.
Disclosure of your personal data
We may disclose your personal data to:
- other companies within our group of companies (which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006);
- our agents and outsourced service providers or third-party contractors to enable them to undertake services for us and/or on our behalf (and we will ensure they have appropriate measures in place to protect your personal data);
- credit reference agencies – see ‘Credit checking’ below;
- if we are under a duty to disclose or share Personal Data in order to comply with any legal obligation, including (but not limited to) any request or order from law enforcement agencies and/or HMRC in connection with any investigation to help prevent unlawful activity;
- to any prospective buyer or seller (and their representatives) in the event that we sell or buy any business or assets.
We may disclose aggregated, anonymous information (i.e. information from which you cannot be personally identified), or insights based on such anonymous information, to selected third parties, including (without limitation) analytics and search engine providers to assist us in the improvement and optimisation of the Website. In such circumstances we do not disclose any information which can identify you personally.
Keeping your personal data secure
We, our business partners or outsourced service providers referred to above will use technical and organisational measures to safeguard your personal data. While we will use all reasonable efforts to safeguard your personal data, you acknowledge that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal data that are transferred from you or to you via the internet.
We may monitor and record communications with you (such as telephone conversations and emails) for the purposes of provision of services, quality assurance, training, fraud prevention and compliance purposes. Any information that we receive through such monitoring and communication will be added to the information we already hold about you and may also be used for the purposes listed in the table above.
To enable us, other companies in our group and our outsourced service providers to make credit decisions about you and members of your household and for fraud prevention and money laundering purposes, we may search the files of credit reference and fraud prevention agencies (who will record the search). We may disclose information about how you conduct your account to such agencies and your information may be linked to records relating to together people living at the same address with whom you are financially linked. Other credit grantors may use this information to make credit decisions about you and the people with whom you are financially associated, as well as for fraud prevention, debtor tracing and money laundering purposes. If you provide false or inaccurate information and we suspect fraud, we will record this.
We employ third party suppliers to provide services including utilising the services of a credit reference agency (https://www.transunion.co.uk/legal-information/bureau-privacy-notice).
Third Party Websites
Our website may, from time to time, contain links to and from the websites of our partner networks, advertisers, affiliates and others. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
Information about other individuals
If you give us information on behalf of someone else, you can confirm that the other person has appointed you to act on his/her behalf and has agreed that you can:
- give consent on his/her behalf to the processing of his/her personal data;
- receive on his/her behalf any data protection notices;
- give consent to the transfer of his/her personal data abroad.
Transfers of personal data outside of the EEA
From time to time we may need to transfer your personal data to countries outside the European Economic Area, which comprises the EU member states plus Norway, Iceland and Liechtenstein (“EEA”).
Such countries may not have similar protections in place regarding protection and use of your data as those set out in this Policy. Therefore, if we do transfer your personal data to countries outside the EEA we will take reasonable steps in accordance with applicable Data Protection Requirements to ensure adequate protections are in place to ensure the security of your personal data including:
- use of approved contractual clauses;
- ensuring that we only transfer your personal data to persons or entities that are appropriately authorised and/or accredited to process personal data in compliance with applicable Data Protection Requirements;
- By submitting your personal data to us in accordance with this Policy you consent to these transfers for the purposes specified in this Policy.
If you are an individual, this section sets out your legal rights in respect of any of your personal data that we are holding and/or processing. If you wish to exercise any of your legal rights you should put your request in writing to us (using our contact details firstname.lastname@example.org below) giving us enough information to identify you and respond to your request.
You have the right:
- to request access to information about personal data that we may hold and/or process about you, including: whether or not we are holding and/or processing your personal data; the extent of the personal data we are holding; and the purposes and extent of the processing.
- to have any inaccurate information we hold about you be rectified and/or updated. If any of the personal data that you have provided changes, or if you become aware of any inaccuracies in such personal data, please let us know in writing giving us enough information deal with the change or correction.
- in certain circumstances to request that we delete all personal data we hold about you (the ‘right of erasure’). Please note that this right of erasure is not available in all circumstances, for example where we need to retain the personal data for legal compliance purposes. If this is the case, we will let you know.
- in certain circumstances to request that we restrict the processing of your personal data, for example where the personal data is inaccurate or where you have objected to the processing (see below).
- to request a copy of the personal data we hold about you and to have it provided in a structured format suitable for you to be able to transfer it to a different data controller (the ‘right to data portability’). Please note that the right to data portability is only available in some circumstances, for example where the processing is carried out by automated means. If you request the right to data portability and it is not available to you we will let you know.
- in certain circumstances to object to the processing of your personal data. If so, we shall stop processing your personal data unless we can demonstrate sufficient and compelling legitimate grounds for continuing the processing which override your own interests. If, as a result of your circumstances, you do not have the right to object to such processing then we will let you know.
- in certain circumstances not to be subject to a decision based solely on automated processing, for example where a computer algorithm (rather than a person) makes decisions which affect your contractual rights. Please note that this right is not available in all circumstances. If you request this right and it is not available to you we will let you know.
- to object to direct marketing, for which see above.
Complaints to the ICO
If you have any concerns about how we collect or process your Data then you have the right to lodge a complaint with a supervisory authority, which for the UK is the UK Information Commissioner’s Office (“ICO”). Complaints can be submitted to the ICO through the ICO helpline by calling 0303 123 1113. Further information about reporting concerns to the ICO is available at ico.org.uk/concerns/.
‘Cookies’ and related software
Our software may issue ‘cookies’ (small text files) to your device when you access and use the Website and you will be asked to consent to this at the time (e.g. when you first visit our website). Cookies do not affect your privacy and security since a cookie cannot read data off your Website or read cookie files created by other sites.
You can set your Website not to accept cookies if you wish (for example by changing your browser settings so cookies are not accepted), however please note that some of our Website features may not function if you remove cookies from your Website. For further general information about cookies generally please visit aboutcookies.org or allaboutcookies.org.