DATA PROTECTION POLICY

INTRODUCTION

This Policy (“Policy”) sets out the Data Protection Principles which I, Kirsten Dixon, (“Notary”) commit to comply with when processing personal data in the course of my business as notary public (“Business”).

The Appendix contains a Glossary of the defined terms in this Policy.

COMPLIANCE WITH THIS POLICY

The Business will ensure the protection of personal data in accordance with this Policy by the Notary, all Personnel and Suppliers.

A breach of data protection laws by the Notary, any Personnel or Supplier could result not only in monetary penalties awarded against the Business but also negative publicity which could affect the Business as well as the entire notaries’ profession.

THE DATA PROTECTION PRINCIPLES

The Business shall comply with the following Data Protection Principles when processing personal data.

1.     Fairness and Transparency: The Business must process personal data fairly and provide individuals with information about how and why their personal data is processed.

The Business must provide a privacy notice to each client, Personnel and Supplier to inform them of:

·       the identity of the Business as Controller;

·       the purposes for which their personal data are processed;

·       the legal basis for processing;

·       any legitimate interests pursued by the Business or a third party, if applicable;

·       the recipients or categories of recipients of the personal data, if any;

·       where applicable, the fact that the Business intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the relevant authority, or reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;

·       the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

·       the existence of the right to request from the Controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;

·       the existence of the right to withdraw consent at any time, if applicable;

·       the right to lodge a complaint with a supervisory authority;

·       whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data; and

·       the existence of Automated Decisions, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

For example, such privacy notice should be included in each client engagement letter or service agreement. If no engagement letter is issued, the privacy notice can be made available on the Business website or in other appropriate and easily accessible form. If the notice is published on the website, a conspicuous link to the website or privacy notice should be included in the Business email footer or other Notary stationery to bring the notice to the data subjects’ attention.

Where a client provides personal data of third party data subjects to the Business, no notice will have to be provided to those third party data subjects by the Business if such information must remain confidential subject to an obligation of professional secrecy. To the extent that no such obligation of professional secrecy applies, the Business should place a contractual obligation on each client and Supplier to ensure that such notice is provided to those third party data subjects on behalf of the Business.

2.     Lawful Processing: The Business must only process personal data, including special category personal data, lawfully where it has a valid basis for the processing. 

Generally, personal data must not be processed without a legal ground. In the context of the Business, personal data are typically processed on the basis that:

·       processing is necessary for the performance of a contract (e.g. engagement letter) to which the data subject (e.g. the client) is party or in order to take steps at the request of the data subject prior to entering into a contract;

·       processing is necessary for the legitimate interests pursued by a client or the Business, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. This ground may apply to the processing of the personal data of any third party data subjects whose personal data are provided by the client;

·       a legal obligation to which the Business is subject and where compliance with such obligation necessitates the processing of personal data by the Business;

·       the data subject consents, where such consent is procured from the client; and

·       other legal grounds such as protecting the vital interests of the data subject or processing of personal data in the public interest.

3.     Purpose Limitation: The Business must only collect personal data for a specific, explicit and legitimate purpose. Any subsequent processing should be compatible with that purpose, unless the Business has obtained the individual’s consent or the processing is otherwise permitted by law.

The Business will typically process:

·       the personal data of its clients as required for the purposes of providing its professional services and the administration of its client relationship;

·       the personal data of its Personnel as required for the administration of Personnel, if applicable;

·       the personal data of its Suppliers as required for the administration of its  Supplier relationships, if applicable; and

·       the personal data of its clients, Personnel and Suppliers as is necessary in order to comply with its legal obligations.

The Business will generally not carry out any unsolicited electronic marketing, but to the extent it does, it will have to comply with the law.

4.     Data Minimisation: The Business must only process personal data that is adequate, relevant and limited to what is necessary for the purpose for which it was collected.

The Business should place a contractual obligation on each client to ensure that only the minimum necessary personal data is provided in connection with the professional services sought.

Where a client provides personal data that appears excessive in connection with the professional services sought, the Business will return such personal data to the client and request that only necessary personal data is provided.

5.     Data Accuracy: The Business must take reasonable steps to ensure personal data is accurate, complete, and kept up-to-date.

The Business should place a contractual obligation on each client to ensure that any personal data provided in connection with the professional services sought is accurate, complete and up to date.

The Business will endeavour to keep an accurate record of personal data in relation to its clients and Personnel.

6.     Individual Rights: The Business must allow individuals to exercise their rights in relation to their personal data, including their rights of access, erasure, rectification, portability and objection.

The Business will ensure that all Individual Rights Requests are correctly identified and appropriately responded to, subject to any applicable exemptions.

7.     Storage Limitation: The Business must only keep personal data for as long as it is needed for the purpose for which it was collected or for a further permitted purpose.

The Business will keep all records as long as required by applicable law or as may be necessary having regard to custom, practice or the nature of the documents concerned. For example, the Notaries Practice Rules 2014 require that that notarial acts in the public form shall be preserved permanently. Records of acts not in public form shall be preserved for a minimum period of 12 years.

Save for personal data included in records which must kept for a prescribed period or preserved permanently in compliance with any legal obligations to which the Business is subject, such as the obligation explained above, personal data shall be kept for no longer than necessary for the relevant purpose. For example, any Personnel records should be kept for no longer than 12 months following the termination of employment or contract, unless a longer retention is required under applicable law.  

8.     Data Security: The Business must use appropriate security measures to protect personal data, including where third parties are processing personal data on our behalf.