Privacy Policy

We may process your personal data in the course of our business, including

• when you engage us to provide legal or other services;
• when we are engaged to provide legal or other services to third parties and you are connected to the provision of such legal or other services;
• when you contact or request information from us via our website or subscribe to our newsletters or other emails or attend events which we host or are involved with;
• when we engage you or the business you work for to provide goods or services to us on our own behalf or on behalf of our clients;
• when you use our website; or
• when you apply for a job with us (see the section on Recruitment);

The personal data we may process about you includes:

• Contact/identity information such as your name, title, address (business and/or home), telephone number, mobile phone number, job title, gender, marital status, name of employer, IP address and email address as well as information to enable us to check and verify your identity, e.g. your date of birth or passport details.  We may also, where appropriate, collect relevant details of membership of professional or trade associations or trade unions.
• Information relevant to the matter in relation to which legal advice or representation is being sought including information provided to us by or on behalf of our clients, or generated in the course of providing our services or information about relevant or significant litigation or other legal proceedings against you or a third party related to you and details of that third party’s relationship with you. This information may include special category information or criminal convictions information;
• Business information provided in the course of the client, business or contractual relationship between you or your organisation and Shepherd and Wedderburn including for relationship management and file opening procedures such as name, business information, identification and your relationship to a person;
• Technical Information about your use of our IT, communication and other systems including about your use of our website, our online data rooms, our Wi-Fi or information relating to materials and communications we send to you electronically. Where you connect to our WiFi such information would include your device name and also the Internet sites visited whilst connected to our WiFi and other monitoring information;
• Financial and payment data, such as data necessary for processing payments and fraud prevention, including credit/debit card numbers, bank and building society details including security code numbers and other related billing information, as well as, where applicable, information relating to the source of funds and information collected from publicly available resources and credit agencies or any other information needed to enable us to undertake credit or other financial checks on you;
• Information about your visits to our premises and/or provided to us for the purposes of attending meetings and events including information about access or dietary requirements;
• Marketing information including information regarding your preferences where it is relevant to legal or other services that we provide, as well as information about when you receive and read our marketing communications and which events you attend or participate in.

We collect and use this personal data for the purposes described in the section “How and why we use your personal data” below.  If you do not provide the personal data that we need to collect then this may affect our ability to act on your behalf or to provide services to you, for example because this personal data is required to process your instructions or to carry out legally required compliance screening.

Our services are not directed at children however we may process the personal data of children as part of providing services to you, for example in administering a trust. We process such personal data only where necessary and appropriate for the services for which we have been appointed.

We collect most of this personal data from you:

• When you or your organisation use or contact us to provide legal or any other related client services;
• When you or your organisation make an enquiry for our services or otherwise engage with our staff for business related purposes;
• When you visit our premises;
• When you attend a seminar or other event (including training) organised by Shepherd and Wedderburn or where you are a guest of Shepherd and Wedderburn (online or in person)
• Where you sign up to receive information from us;
• Where you or your organisation provide services to us.

We may also collect personal data when you browse or use our website or via our information technology (IT) and other systems, for example:

• Case management, document management, data rooms and time recording systems;
• Automated monitoring of our websites and other technical systems, such as our computer networks and connections, CCTV and access control systems, communications systems, email and instant messaging systems;
• Reception logs;
• Our technology partners where you have provided your personal data directly to them in the context of receiving services from us, for example our provider of webinar services.

We use cookies on our website (for more information on cookies, please see our cookie policy).

We may also collect personal data from third party sources including:

• Publicly accessible sources such as electoral registers, Companies House, Registers of Scotland or HM Land Registry;
• Credit reference agencies or government departments or agencies;
• Third party organisations with your consent;
• Third party organisations that you have or have had dealings with where the information is publicly available which may include services such as LinkedIn.

Under data protection law, we can only use your personal data if we have a proper reason for doing so.

This will be for one of the following reasons:

• For the performance of our contract with you or to take steps at your request before entering into a contract, for example because processing is necessary for the performance of a client instruction;
• To comply with our legal and regulatory obligations;
• For our legitimate interests or those of a third party;
• For the establishment, exercise or defence of legal claims or proceedings; or
• Where you have given consent.

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own.

We may process special category personal data for the following reasons:

• Where you have given your explicit consent;
• For compliance with a legal or regulatory obligation;
• For the purposes of establishing, exercising or defending legal claims;
• Where it is in your (or someone else’s) vital interests and you or they are physically or legally incapable of giving consent;
• Where you have made the personal data public; and/or
• For compliance with an employment law obligation.

There may be additional reasons which will be notified to you where they apply.

When we refer to special category data we mean information such as race or ethnicity, religious beliefs, sexual orientation, marital status and health. Information about criminal convictions is separate to special category data but is also subject to a higher level of protection.  Therefore when we refer to special category data we include criminal convictions information.

In the next section "The basis on which we use your personal data" will give more information about the way in which your data is used.

We have explained our reasons for using your personal data. We set out below more detail on the ways in which we use your personal data. We use your data:

• To provide legal advice or other services to you/our clients, including technology solutions;
• To ensure the confidentiality of commercially sensitive information;
• To manage and administer your or your organisation's business relationship with Shepherd and Wedderburn, including use for the purposes of processing payments, accounting, auditing, billing and collection and other support services;
• To conduct checks to identify our clients and verify their identity or to check whether or not we might have a conflict of interest in respect of such client or matter or prospective client or matter;
• To screen for financial and other sanctions or embargoes, including credit reference checks with credit reference agencies;
• To comply with professional, legal and regulatory obligations and guidance that applies to our business, e.g. rules issued by our professional regulators;
• To update and enhance client records;
• Where necessary to gather and provide information required by or relating to audits, enquiries or investigations by enforcement authorities, regulatory bodies, courts, tribunals and government agencies, e.g. for Investors in People accreditation or the audit of our accounts;
• To deal with any complaints received;
• To ensure business policies are adhered to, e.g. policies covering security and internet use, and to protect the security of our communications and other systems and prevent and detect security threats, frauds or other criminal or malicious activities;
• For operational reasons, such as ensuring safe working practices, improving efficiency, risk management, training, staff assessment and quality control;
• For statistical analysis to help us improve our services and communications to you or the strength of our relationship with you or to manage our practice, e.g. in relation to our financial performance, client base, work type or other efficiency measures;
• For insurance purposes;
• To identify those who are authorised to deal with Shepherd and Wedderburn on behalf of our clients, suppliers and/or service providers;
• To ensure your needs are catered for in connection with any event you may attend; 
• For marketing our services to you (Further information about the use of your personal data in connection with marketing is given below in the section Marketing); and/or
• For recruitment. See the section Recruitment above.

We will also process personal data which is provided to us by or on behalf of our clients for the purposes of services we provide to them.

Managing our business

In relation to a number of uses of personal data we refer to above we are using such personal data on the basis that it is in our legitimate interests or those of a third party for us to do so. These interests cover a number of aspects of our business operations, namely:

• Ensuring that we are as efficient as we can be so we can deliver the best service for our clients at the best price;
• To allow us to provide bespoke services where requested by our clients;
• Protecting our commercially valuable information and also our intellectual property;
• Preventing and detecting fraud and/or criminal activity that could be damaging for us and/or for our clients;
• For credit control purposes and to make sure our clients can pay for the services we provide;
• For the purposes of risk management and to maintain our accreditations so we can demonstrate we operate to the highest standards; and
• Ensuring we are able to keep up to date with our clients and contacts.

Marketing

We have a legitimate interest in processing your personal data for promotional purposes (see above The basis on which we use your personal data). This means we do not usually need your consent to send you marketing information. However, where consent is needed, we will ask for this consent separately and clearly.

You have the right to opt out of receiving promotional communications at any time by:

• Contacting us at info.marketing@shepwedd.com; or
• Using the ‘unsubscribe’ link in emails or other marketing communications which we send to you.

If you opt-out or ask us to delete your personal data in accordance with your rights set out below, we will retain basic personal data on a suppression list to record your request and to avoid sending you unwanted materials in the future.

You can also update your marketing preferences and give us more detail of the type of information you would like to receive from us by contacting us using this link to our Preference Centre.

We may ask you to confirm or update your marketing preferences if you instruct us to provide further services in the future, or if there are changes in the law, regulation, or the structure of our business.

We use personal data to look at whether you read the emails and other materials that we send to you. We also use it to look at whether you click on the links included in such materials and whether and how you visit our website after you click on that link (immediately and on future visits). We do this by using software that places a cookie on your device which tracks this activity and records it against your email address. If you remove this cookie it will not affect your use of our website. Please see our cookie policy for more information about our use of cookies.

Use of website

At a number of points on our website you are asked to provide information, for example, our Contact page and our Careers page. At the point at which information is requested it is clear what the purpose of providing the information is and we will only use the personal data you provide to us for that purpose.

Our website makes use of Google Analytics to look at how our website is used. This is done by placing small text files, known as session cookies, on your device to collect information about how visitors use our website. We use the information to compile reports and to help us improve the website. The cookies collect information in an anonymous form, including the number of visitors to the website, where visitors have come to the website from and the pages they visited. This information is transmitted to and stored by Google on servers in the US.

You can opt-out of having your site activity available to Google Analytics by installing the Google Analytics opt-out browser add-on. The add-on prevents the Google Analytics JavaScript (gtag.js, analytics.js) that is running on websites from sharing information with Google Analytics about visit activity. 

Further details of our use of cookies can be found in our cookie policy.

Photographs

If you are attending events hosted by us there may be a photographer taking photographs and/or film of the event. These photographs and this footage may be used in our publications, on our website, in social media or in third-party publications to promote Shepherd and Wedderburn and our services and events. If you prefer that your image is not used in this way please contact the event organiser or let our staff or the photographer know at the relevant event.  Alternatively you can contact us as set out in the How to contact us section above.

We share personal data between Shepherd and Wedderburn LLP and its subsidiaries and affiliates where required for the purpose of providing legal advice or other products or services and for administrative, billing and other business purposes.

We also routinely share personal data with:

• Professional advisers acting on our clients’ behalf, e.g. barristers (barcouncil.org.uk/privacy-statement/) or advocates (advocates.org.uk/legal-notices);, other legal specialists (including mediators), medical professionals, accountants, tax advisors, real estate agents, surveyors, valuers or other experts;
• Foreign law firms for the purposes of obtaining legal advice;
• Other third parties where necessary to carry out our clients’ instructions, e.g. a lender, HM Land Registry, Registers of Scotland or Companies House or other government departments or agencies;
• Our client(s) - if we have collected your personal data in the course of providing legal or other services to any of our clients, we may disclose it to that client, and to others in the proper course of our duties or as required or permitted by law;
• Companies providing services for money laundering checks, credit risk reduction and other fraud and crime prevention purposes and companies providing similar services, including financial institutions, credit reference agencies, fraud prevention agencies and regulatory bodies with whom such personal data is shared;
• Our insurers and brokers, external auditors, banks and other third parties which provide services to us to allow us to fulfil our regulatory obligations and for risk management purposes;
• Courts, law enforcement authorities, regulators or lawyers or other parties where it is reasonably necessary for the establishment, exercise or defence of a legal or equitable claim, or for the purposes of a confidential alternative dispute resolution process or to comply with our legal and regulatory obligations;
• Third parties for the purposes of collecting feedback on our service provision, to help us measure our performance and to improve and promote our services;
• External service suppliers, representatives and agents that we use to make our business more efficient, e.g. technology service suppliers, marketing agencies, translators or analysis suppliers;
• Third parties involved in hosting or organising relevant events to which you have been invited.

Where we use third parties to process personal data on our behalf we will ensure that appropriate provisions are put in place to protect the security of the personal data  and to ensure that the third parties do not use the personal data for their own purposes. The third parties will only process your personal data on our instructions and will be subject to a duty of confidentiality. We may, in certain circumstances, share your personal data with third parties outside of the UK subject to appropriate safeguards being put in place.

We may also, should the need arise, need to share some personal data with other parties, such as potential buyers of some or all of our business or during a re-structuring. Usually, personal data will be anonymised but this may not always be possible. The recipient of the personal data will be bound by confidentiality obligations.

We may also use aggregated personal data and statistics for the purpose of monitoring website usage in order to help us develop our website and our services. For further information see our cookie policy.

Other than as set out above, we will only disclose your personal data when you direct us or give us permission, when we are required by applicable law or regulations or judicial or official request to do so, or as required to investigate actual or suspected fraudulent or criminal activities.

DocuSign

We may use e-signature software (DocuSign) for the purposes of making signing documents easier.  In order to do this we will need to input your contact details and upload the document (which may itself contain personal data about you) into DocuSign.  Details of how DocuSign will process your personal data can be found in DocuSign’s Privacy Notice, which is available on DocuSign's website.

Personal data about other people which you provide to us

If you provide personal data to us about someone else (such as one of your directors or employees, a member of your family or someone with whom you have business dealings) you should ensure that you are entitled to disclose that personal data to us and that, without our taking any further steps, we may collect, use and disclose that personal data as described in this privacy policy. 

If you are employed by a business or organisation which is a client of Shepherd and Wedderburn or if you are a director, officer, partner, shareholder or member of such a business or organisation, we may use your personal data in the course of providing services to that client. 

Our obligations of professional secrecy to our clients (legal professional privilege/our general duty of confidentiality to our clients) mean we may also receive and process personal data of individuals as part of providing services to our clients. In many of these situations we cannot provide the individuals concerned with the relevant information about our processing of their personal data and indeed the relevant laws allow us not to provide that information.  If we are processing your personal data in such a situation then in carrying out such processing we will adhere generally to the terms of this policy.

We will hold your data for as long as is necessary for the purposes set out in this privacy policy. Different retention periods apply for different types of data. We have in place a retention policy which sets out the different retention periods for the types of information we hold.

The retention periods we apply take account of:

• The nature and sensitivity of the personal data;
• Legal and regulatory requirements and guidance;
• Limitation periods that apply in respect of taking legal action;
• The purposes for which we process your personal data; and
• The operational requirements of our business.

Where applicable, these retention periods may be extended where we retain personal data for compliance with legal or regulatory obligations (such as anti-money laundering laws or professional obligations to conflict check) or for the purpose of dealing with complaints and/or legal claims. It is our normal practice to retain, in electronic form, files and documents relating to services provided for a minimum of ten years after the completion of a matter or closure of our file, whichever is the earlier.

Updating personal data about you

We also need to know that your contact information is accurate and up to date so please advise of any changes on info.marketing@shepwedd.com. You should also contact us on info.marketing@shepwedd.com if you become aware of any inaccuracy in the contact information we hold about you or if you want to change your marketing preferences.  You can also change your marketing preferences by using our Preference Centre or by writing to us at Head of Privacy, Shepherd and Wedderburn, 9 Haymarket Square, Edinburgh, EH3 8FY.

We do not, as a matter of course, transfer personal data to third countries or international organisations. However to deliver services to our clients, it is sometimes necessary for us to share your personal data outside the UK including with Shepherd and Wedderburn in Ireland.  We may also make use of cloud services and in such cases our data will generally be hosted in the UK or EEA.

Transfers outside the UK are subject to special rules under data protection law. Where we do make such transfers, we will mostly rely on derogations which are permitted in terms of UK data protection law, for example that the transfer is necessary for the establishment, exercise or defence of legal claims, or to perform a contract with you or another contract which is in your interests. Occasionally, the transfer may be with your explicit consent. Where we do not rely upon a derogation then depending on which country is involved, there may be an adequacy decision in place which would allow us to transfer to that jurisdiction.

Where none of these apply then we will implement appropriate safeguards in accordance with Article 46 of the UK GDPR and EU GDPR to ensure that the transfer complies with applicable data protection law and that all personal data will be secure. Where we make such transfers in respect of your personal data we can provide you with further information on these safeguards. Please contact our Head of Privacy for further information. (see How to contact us about this policy above).

We will take appropriate technical and organisational measures to keep your personal data confidential and secure. We have appropriate security measures in place which take account, in particular, of the risks arising from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. This is supported by our ISO 27001:2022 and Cyber Essentials Plus certification. 

Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality.

The transmission of information via the internet is not completely secure. Although we take appropriate and proportionate steps to manage the risks posed, we cannot guarantee the security of your information transmitted to our online services.

You have the following rights, which you can exercise free of charge:

You can ask us to:

• Tell you how your data is being used;
• Provide a copy of your personal data;
• Correct any mistakes in your personal data;
• Delete your personal data - in certain situations;
• Restrict processing of your personal data - in certain circumstances, e.g. if you contest the accuracy of the data; and
• Provide you with a copy of the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transfer that data to a third party - in certain circumstances.

You can object,:

• At any time, to your personal data being processed for direct marketing (including profiling);
• In certain other situations, to our continued processing of your personal data, e.g. processing carried out for the purpose of our legitimate interests.

If you would like to exercise any of those rights, please email us on dataprivacy@shepwedd.com.

If you would like to change your marketing preferences please contact us as set out in the section Updating personal data about you above. 

Your objection (or withdrawal of consent) may mean we cannot perform the services you have requested of us or you may not be able to use the services we offer. We will advise you where this is the case. In certain circumstances even if you withdraw your consent we may still be able to process your personal data if required or permitted by law or for the purpose of exercising or defending our legal rights or those of our clients or meeting our legal and regulatory obligations.

You have the right to complain to the supervisory authority in the UK, the Information Commissioner. The Information Commissioner’s Office may be contacted at https://ico.org.uk/make-a-complaint/

We would, however, appreciate the chance to deal with your concerns before you approach the Information Commissioner so please contact us in the first instance.

Our contact details can be found in the section above How to contact us about this policy.

Transfers from Ireland

Our Irish subsidiaries and affiliates do not, as a matter of course, transfer personal data to third countries or international organisations. However, to deliver services to the clients of our Irish subsidiaries and affiliates, it is sometimes necessary to share your personal data outside the European Economic Area (EEA).  In particular, data will be transferred to Shepherd and Wedderburn in the UK as may be necessary for providing such services to our clients. .  Our Irish subsidiaries may also make use of cloud services and in such cases our data will generally be hosted in the UK or EEA as providing the highest level of data protection.

Transfers outside the EEA are subject to special rules under Irish and European data protection laws. Where our Irish subsidiaries and affiliates do make such transfers, they will mostly rely on derogations which are permitted in terms of the GDPR, for example, that the transfer is necessary for the establishment, exercise or defence of legal claims, or to perform a contract with you or another contract which is in your interests. Occasionally, the transfer may be with your explicit consent. Where they do not rely upon a derogation then depending on which country is involved, there may be an adequacy decision in place which would permit the transfer to that jurisdiction.

Where none of these apply then our Irish subsidiaries and affiliates will implement appropriate safeguards in accordance with Article 46 of the EU GDPR to ensure that the transfer complies with applicable Irish and European data protection laws and that all personal data will be secure. Where they make such transfers in respect of your personal data we can provide you with further information on these safeguards. Please contact our Head of Privacy for further information (see below).

Complaints

Where your complaint relates to processing of personal data by Shepherd and Wedderburn in Ireland you also have the right to complain to the supervisory authority in the part of the European Union where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in Ireland is the Data Protection Commission who may be contacted at https://www.dataprotection.ie/en/contact/how-contact-us

We would, however, appreciate the chance to deal with your concerns before you approach the Data Protection Commission or your local supervisory authority so please contact us in the first instance.

Our contact details for our Irish subsidiaries and affiliates are set out below:

Head of Privacy 
27/28 Herbert Place  
Dublin 
Republic of Ireland 
D02 DC97 
Email: dataprivacy@shepwedd.com

UK Representative

Our Irish subsidiaries and affiliates have appointed Shepherd and Wedderburn LLP to act as our representative in the United Kingdom to comply with Article 27 of the UK GDPR.  If you are based outside the UK and would prefer to contact our representative in connection with your data privacy rights, please visit https://app.saltiredataprotection.co.uk/enquiry/rs/sandwEU

Contact details for our UK Representative are shown below:

Head of Privacy
Shepherd and Wedderburn LLP
9 Haymarket Square
Edinburgh
EH3 8FY
Email: ukrep@saltiredataprotection.co.uk