Data protection

The Firm processes personal data in compliance with the following data protection principles:

• Processing personal data lawfully, fairly and in a transparent manner. The Firm tells individuals the reasons for processing their personal data, how it uses such data and the legal basis for processing in its privacy notices (see left).
• Collecting personal data only for specified, explicit and legitimate purposes and not further processing in a manner that is incompatible with those purposes.
• Processing personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
• Keeping accurate and, where necessary, up to date personal data and taking all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
• Keeping personal data in a form permitting the identification of individuals only for the period necessary for processing.
• Adopting appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.
• Being able to demonstrate compliance with the above principles.

A data subject has a number of rights. In certain circumstances, they can:

• request access to, and obtain a copy of, their data;
• request rectification of their data that is incorrect or incomplete;
• request deletion of their data;
• request restriction of the processing of their data;
• object to the processing of their data; and
• request the transfer of their data.

To ask the Firm to take any of these steps, the individual should send the request to privacy@dehns.com .

If a data subject believes that the Firm has not complied with their data protection rights, they can complain to the Information Commissioner.

When developing applications and services that are based on the processing of personal data, the Firm will take into account the right to data protection at the development stage to ensure it is able to fulfil its data protection obligations.

Dehns is also implementing appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This will apply to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.

Dehns will only appoint Data Processors (third parties who process personal data on behalf of the Firm) who can provide sufficient guarantees that the requirements of the GDPR will be met and the rights of data subjects protected. When a processor is used, a written contract will be in place which is compliant with the requirements of the GDPR.

The Firm takes the security of personal data seriously. The Firm has internal policies, controls and technical processes in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by authorised personnel in the proper performance of their duties.

Where the Firm engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

Dehns has achieved Cyber Essentials certification, demonstrating that we have appropriate cyber security measures in place.

If the Firm discovers that there has been a breach of personal data then, unless it is unlikely to pose a risk to the rights and freedoms of individuals, it will report it to the Information Commissioner within 72 hours of discovery. The Firm will record all data breaches regardless of their effect.

If the breach is likely to result in a high risk of adversely affecting the rights and freedoms of individuals, it will also tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.

Where processing would result in a high risk to individual’s rights and freedoms, the Firm will carry out a data protection impact assessment to determine the necessity and proportionality of processing. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.

Given the low risk nature and scale of its data processing activities, Dehns is not required to appoint a Data Processing Officer. However, Dehns will always ensure that it has sufficient personnel and resources to discharge its data protection obligations. In particular, Dehns will provide adequate training on relevant data protection matters to its partners and staff.