Privacy policy

The Law Society of Scotland is the data controller for the personal information held for the purposes of the Data Protection Legislation.

The Legal Aid and Solicitors (Scotland) Act 1949 established the Law Society of Scotland. For further detail on our structure and departments, please see here. 

We were created by statute and, working together with other statutory and regulatory bodies, have numerous functions to fulfil. This includes the regulation of solicitors, solicitor advocates, some paralegals, firms of solicitors, incorporated practices and licensed providers which are established by legislation. We have regard when carrying out our functions not just to the interests of the solicitors’ profession but also to the interests of the public in relation to that profession.

Further detail as to why we process personal information is at Use of personal information. We also share certain personal information (for example with the Scottish Solicitors’ Discipline Tribunal and the Scottish Legal Complaints Commission) and we explain more about this in Disclosure of your information.

We keep our privacy policy under regular review.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Members of the Society are able to amend or update certain details when signed into their profile on our website. Members also reminded of their duty to co-operate with the Society in order to allow its regulatory functions to be properly fulfilled.

It may also be the case that you can exercise your right of correction if the data we hold is incorrect. See request correction in the glossary.  

Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

Please note that there are minimum browser requirements for optimum use of our website. These minimum browser requirements will change from time to time. If you experience difficulties accessing our website you might consider updating your browser to the newest version, trying a different browser or in extreme circumstances trying to access our website from a different machine or device. It is also possible that our site (or part of it) from time to time, is inaccessible due to maintenance or other reasons in which case it may be useful to check back later

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

Type of information

We usually collect and process personal data because of our regulatory powers and duties. Typically this depends on your interaction with us or the solicitors, firms of solicitors, incorporated practice or other licensed providers that are regulated by us. As such, we may collect, use, store and transfer different kinds of personal data about you.

Broadly speaking, the majority of persons from whom we collect data fall into the following categories:

1. Applicants (for jobs within the Society; to join the profession; to be a committee member or join another position within the profession; to become accredited)
2. Persons making complaints
3. Persons making enquiries
4. Society members (current, past and prospective)
5. Visitors to our website and other persons connected in some way in relation to the Society or our work
6. Society employees and contractors (data in relation to these persons is processed under a separate policy and not referred to further here)

Where someone makes an application to the Society, this will involve the disclosure of personal information related to that application. The information will be used to assess the application and may be retained in order to see an individual’s regulatory history. The type of information processed would depend on the kind of application being made. For example the applicant’s identity and contact details would usually always be required, but we may also need to consider an applicant’s education, qualifications, career history, data in relation to behaviour and/or regulatory record, and special category data may be processed as part of this process. Where you are applying to be admitted as a solicitor, the Standard Disclosure Scotland check will require to be completed and verified (which will check your credit and criminal record).

Should you fail to provide the information requested as part of an application, this may result in the refusal of an application or the subsequent withdrawal of an award, application or position.

Where the Society receives information in relation to complaints this may include a wide range of personal information. For example information on the identity of the complainant and their contact details, information about the complaint itself, related parties and who or what is being complained about. Depending on the nature of the complaint this could also include data in relation to a regulated person’s behaviour or disciplinary record (or that of their firm), finances, transactions and special category data may be processed when dealing with the complaint.

Data received in relation to complaints may also be used for research, to comply with equality and diversity regulations, to assist with regulatory objectives, to monitor and improve how the Society deals with complaints, to assist with inspections and interventions, to fulfil a public task or perform a function in the public interest and protect members of the public.

The type of information received and processed in relation to an enquiry will vary in accordance with the nature of the enquiry, how it is made and how this develops. For example, if the enquiry is of a general nature, and for contact details of a certain firm, we will provide those details. If the enquiry develops into something else, such as a complaint, the wide range of different types of information that can form part of a complaint would then be processed. If the enquiry is made electronically, then certain technical data and contact information would be processed when dealing with that enquiry.

If you are/were planning to be a member of the Society, over the course of your career, a wide variety of personal information may be processed (depending on the nature of your interaction with the Society). This will include but is not limited to information about your membership status, whether or not a practising certificate is held or restricted in some way, information in relation to your behaviour/conduct, education, qualifications, employment, firm, career, transactions (such as in relation to CPD purchases), CPD records, and financial details.

Where you operate as a sole practitioner we will also need to process information akin to that required from larger firms (and require to see information in relation to bank accounts, client account, employee records etc).

Certain of the information processed by the Society will be able to be maintained and updated by a member logging into their account and entering or updating their profile details. For example, contact details, marketing and communications preferences and practising certificate renewals.

From time to time the Society will also request and process personal information (which could include special category data) from members to assist in relation to projects being undertaken and research being carried out. The information processed will be to assist as part of the Society’s obligations to comply with their equality and diversity monitoring duties, to assist with the achievement of regulatory objectives and for the Society’s other legitimate interests (such as fulfilling a public task, performing a function in the public interest or protecting members of the public).

Because of the wide remit of the Society, information will be processed in relation to others who may not fall neatly into the categories above, and the nature of that personal information will depend on the work being carried out and/or the nature of the interaction.

For example, if someone attends a Society event or webinar, their identity and contact details will be processed for registration and security purposes. Special category data may be provided for catering and accessibility reasons. Personal data may be provided if someone registers for a newsletter, acts as an organisation’s contact, or participates in a questionnaire, survey or response submission. Where photographs or recordings are taken at an event, or you supply a photograph to be included with content for the Society’s website, biometric data will be processed.

Another example could be where someone is a witness to an investigation, inspection or intervention carried out by the Society, that person’s personal data will be processed. Equally someone’s personal data may be processed by the Society if they contribute to a consultation or participate in other research and policy work being carried out by the Society.

When someone visits our website, cookies (please see below for further details) may be used to help our website function, together with data in relation to how the website is used by visitors and technical data (See Automated technologies or interactions in How we use your data).

We have grouped together a non-exclusive list of some of the most common types of information that we process as follows:

• Identity Data includes any information that is used to identify you such as your name, title, image etc.
• Contact Data includes any information we use to get in touch with you, and whether those details are in relation to electronic data, such as email addresses or physical location (for example your home address, billing address, the firm you work at etc…).
• Educational, School, Organisational and Career Data. Some examples include:
  • if you are a member of the Society, your CPD activities and training, the categories of work you do and your areas of interest;
  • school details if you are a school student who participates in one of our programmes;
  • if you participate in any of our grant or charitable functions.
• Behavioural / Conduct Data when dealing with complaints, disciplinary matters etc
• Employment Data includes employment and job application details such as employment history, qualifications and equality monitoring information
• Membership Data includes (where you are a current, prospective or previous member of the Society), data in relation to your status within the Society, the type of membership you hold, whether or not you hold a practicing certificate
• Financial Data this could include bank account details, client account and other financial records
• Transaction Data includes details about payments to/from you and details of products and services you have purchased from us
• Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location and other technology on the devices you use to access this website
• Profile Data includes your username, password, your interests/preferences, feedback and survey responses
• Usage Data includes information about how you use our website, products and services (including without limitation the URL you have last used and the URL you next go to, your browser information and your IP address)
• Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties (including for example, the Society’s member benefits scheme) and your communication preferences
• Correspondence Data includes information provided during telephone calls, emails or other interactions with us.

Aggregated Data

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

In certain circumstances, our collection of the different categories of data set out above may include the collection of Special Categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). We also may collect criminal convictions and offences data, for example as part of the Society’s assessment as to whether or not a person is “fit and proper” to be a solicitor in terms of the Solicitors (Scotland) Act 1980.

In the majority of cases, special category data is processed either in the public interest to achieve regulatory objectives (including the protection of the public from misconduct, unfitness or incompetence) or to comply with equality duties.

Consequences if you fail to provide personal data

We need to collect and process personal data for various reasons. Some of these reasons are required by law, some are necessary for us to carry out or enter into a contract or to process data for legitimate interest reasons (please see Use of Personal Information for further details). In particular for members of the Society, personal data is required to be processed as part of the Society’s statutory duties and obligations, including to work in the public interest. The Society is strongly committed to achieving through our work the promotion of a strong, varied and effective legal profession working in the interests of the public and protecting and promoting the rule of law.

If you fail to provide personal data when requested, this may have consequences, for example:

• Partial or whole non-performance. We may not be able to perform a contract we have or are trying to enter into with you (for example, to provide you with CPD services).
• Cancellation. In some cases, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time. We may not be able to carry out a particular function (whether partly or fully).
• Decision-making and referrals. We may be required to make a decision and/or referral based on the information we already hold or have been able to obtain from others. This is particularly important to consider when the Society is dealing with complaints, investigations, interventions, inspections or related matters and its wider duty to act in the public interest.
• Consequences in relation to ability to practise. Members (and prospective members) who fail to provide the relevant (correct) personal information to the Society may experience restrictions, delays and/or difficulties in their ability to practise as a solicitor or other regulated member.
• Lost opportunities. We will have less opportunity to improve our service, spot trends and inform the way we regulate.

We use different methods to collect data from and about you including:

Direct interactions

This includes personal data when you:

• Interact or correspond in some way with us or those we work with. This could take place in various ways, such as online, by post, phone, email, video conferencing or in person.
• Through your actions (for example, when participating in a consultation, when submitting a job application etc).
• Networking (for example, at in-person or virtual events).
• Through your use of our guest Wi-Fi service.
• By virtue of our access to CCTV footage.
• Through inspections and/or interventions over regulated members of the Society.
• Otherwise through providing our regulatory, educational or other services and operating the Society.

Automated technologies or interactions.

We may also collect data from and about you electronically through automated technologies or interactions. For example as you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns including the IP address used, login information, browser type and version, operating systems and platforms when you interact with our website. We may also collect information about your visit including the pages you visited, what you searched for, length of visits and methods used to browse away from the page. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our section on cookies below for further details.

Through third parties or publicly available sources

We will receive personal data about you from various third parties and public sources. Most of the time, this is in order to fulfil our statutory duties and legitimate interests (such as the prevention and detection of crime), this includes but is not limited to personal data obtained from the following sources:

• Publicly available sources such as Companies House and the Electoral Register based inside the UK;
• Others connected to our work (including members of the public, persons making complaints, regulated persons such as solicitors or paralegals, job applicants and employees, persons making enquires or asking for help).
• Internal Third Parties (including the Judicial Factor and the Law Society of Scotland Education Foundation – as set out in the Glossary. 
• External Third Parties (including the Scottish Legal Complaints Commission, who provide a significant proportion of the volume of complaints data that is referred to the Society – as set out in the Glossary. 
• Providers of technical, payment, delivery services and/or analytics providers such as Google (which is based outside the UK);

Cookies

Cookies are small amounts of information, usually in the form of a text file, which we may store on your computer, mobile, tablet or other access device. We may access this file which acts as an easy way to distinguish you from other users of our website. Our system may issue cookies to your computer or other access device when you log on to the website. Cookies make it easier for you to log on to and use the website during your current visit and future visits. They also allow us to monitor website traffic and to personalise the content of the website for you. Some features are only available through the use of a cookie. Allowing use of cookies may allow you to enter your password less frequently when you are using the website. You may set up your computer or other access device to reject cookies (or certain types of cookies) by following the instructions provided with your browser/device.

It is your right to choose if you give your consent to the use of cookies or not, but you should be aware that in some cases you may not be able to use or see all the features of our website, if you do not allow the use of cookies.

We use the following cookies:

• Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services (for example when purchasing CPD or renewing a Practising Certificate).
• Analytical or performance cookies. These allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.
• Functionality cookies. These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
• Targeting cookies. These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests.

You can find more information about the individual cookies we use and the purposes for which we use them in the table below:

You should be aware that if you click on any link on the website, to another website provided by a third party, it is possible you may encounter cookies or other similar devices placed by those third parties. We do not control the use of cookies or other similar devices by third parties and are not responsible or liable for them. You should review the privacy policy of that third party website to check how they may use or disclose your information.

For example, we may publish profile pages for the Society on various social media websites (such as Twitter, Facebook, Instagram, LinkedIn and YouTube) and link to those websites or of other third parties on our own website or through other means. If you are already a registered user of those third party websites then certain cookies may be set to make it easier for you to use aspects of their website. Certain of our video content on YouTube.com is also embedded as content on our website. If you click on this video content, YouTube (owned by Google) will set cookies on your browser. If you have any concerns about the use of cookies on any third party websites (whether or not linked to from our site), please check that third party’s privacy policy.

If you disclose your personal information to third parties including, but not limited to, third party websites with links on our website, our privacy policy shall not be enforceable against them. We take no responsibility and shall not be liable for third party use of your personal information in such circumstances.

We are a regulatory organisation, and therefore the majority of personal data that we process is in order to carry out regulatory functions, powers and duties.

Most commonly, we will use your personal data in the following circumstances:

• To carry out a task carried out in the public interest and/or in the exercise of our statutory functions.
• Where we need to perform the contract we are about to enter into or have entered into with you.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Please see the heading immediately below and our purpose, use and retention schedule for further detail.
• Where we need to comply with a legal obligation to which we are subject. This includes responding to requests by government or law enforcement agencies or for the prevention of crime or fraud.
• Where processing of "special category data" is necessary for our legitimate interests, for reasons of substantial public interest, in the context of legal claims or where another legal ground is available to us under relevant data protection legislation.

Some examples of the Society’s legitimate interests include:

• our interests in fulfilling a task or performing a function in the public interest;
• our interests in protecting members of the public;
• the prevention and detection of crime;
• managing our relationship with:
  • the general public and visitors to our site;
  • members, firms and their staff;
• hosting at our offices, hosting virtual and in-person events; and
• ensuring appropriate standards and compliance with policies, practices or procedures.

View our purpose, use and retention schedule, to find out more about the types of lawful basis (and where relevant legitimate interests) that we will rely on to process your personal data.

Marketing

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We will get your express opt-in consent before we share your personal data with any company outside the Society group of companies for marketing purposes.

You can ask us or third parties to stop sending you marketing messages at any time. Communications preferences can be easily changed in the member login section of our website. Alternatively, anyone can request a change to their communications preferences in writing by email or otherwise, provided we can be assured that we are dealing with the appropriate individual and can capture a record of the change.

Your information will enable us to provide you with access to parts of our website suitable for your requirements and the permissions (if any) which you have to access the special areas of the website (referred to in our website Terms and Conditions). Where you have access to your member account, you will be able to view your information online and manage or update parts of your profile. It will also enable us to contact you concerning your queries regarding our services and functions.

We will also use, store and analyse the information we collect so that we can administer, support, improve and develop our operations. This includes (but is not limited to):

• quality control and training purposes;
• fulfilling the Society's regulatory role and its other statutory functions under the Solicitors (Scotland) Act 1980 and other legislation;
• discharging the Society's professional obligations such as ensuring Scottish solicitors have appropriate professional indemnity insurance, formulating and implementing professional practice rules; and developing and offering CPD courses;
• providing a wide range of members' services;
• providing a wide range of public services;
• carrying out the Society's Public Affairs programme, representing the interests of the solicitors' profession in respect of the public and representing the interests of the public in respect of the solicitors' profession; and
• accrediting Scottish solicitors with specialist expertise in particular areas of law; and
• engaging in consultation with the Scottish government, Scottish parliament and other governmental and legislative bodies over legislative and regulatory change.

Typical ways in which the Society makes contact with members

Members cannot opt out of certain communications, such as practising certificate renewal information, general meeting notices and rule changes. All other communication relating to the above areas will be sent to members unless they specifically choose, or have previously chosen, not to receive it. When logged into your account, please review your preferences, categories of work and interests within the “My profile” section. The categories of work selected will drive the “Find a Solicitor” search engine on our website for both you and your firm.

Depending on what you have opted to receive (whether this is by way of electronic communication or otherwise), we may also use your information to let you know about other services and products which we offer which may be of interest to you. In particular, we may use your information to contact you (or you may be contacted by an organisation acting on our behalf) for your views in relation to research projects we are undertaking, on our services and functions, and to notify you occasionally about important changes or developments to the website or our services or functions. More detail about the functions of the Society and the purposes for which your personal information may be processed may be seen elsewhere on the website, and are available on request from the Society at the address below.

We may use the information provided by members of the Society or trainee solicitors regarding their CPD and training to ensure that Scottish solicitors and trainee solicitors have undertaken the required CPD and professional training and to issue reminders to members and trainee solicitors about the required CPD and professional training. We may also use the information to monitor and analyse trends in the solicitors’ profession including (but not limited to) the types of training being undertaken and the demand for different types of training.

The Society’s main method of getting in touch with you will be by using electronic communication (such as email), though we may contact you by other means such as post or by phone (including text). If you change your mind about being contacted in the future, or the methods by which we may contact you, please let us know by contacting us at our contact details set out below or by updating your preferences in the login area of the website.

We may share your personal data with the parties set out below:

• Internal Third Parties as set out in the Glossary.
• External Third Parties as set out in the Glossary.
• Specific third parties listed in the table purposes, use and retention above.
• To a third party or other such body established by law to deal with a change, delegation or transfer of any of the Society’s regulatory operations or functions.
• We also reserve the right to disclose any of the information you provide to us:
  • where a third party has a legitimate interest in it and where we are satisfied disclosure is necessary and lawful (such as a person is making or seeking to establish a legal claim); and
  • where required to do so by law, to comply with a regulatory obligation, to assist in any investigation into alleged illegal or criminal conduct.
• We may also pass aggregate information on the usage of our website and trends in the solicitors’ profession to third parties but this will not include information that can be used to identify you.

We shall never sell or rent your personal information gathered through the website to third parties for their marketing purposes.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Although the great majority of the personal information we process will be stored in servers within the UK, some of the persons or organisations we share information with may be located outside of the UK. One example includes our dealings with our Scots law qualified members who may be living and working abroad, and the jurisdiction that they live in. We will always take steps to ensure that any transfer of information outside of the UK is carefully managed to protect your privacy rights. We will ensure that the transfer of personal data will be protected by appropriate safeguards.

Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
• Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.

The Society’s security measures

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Password security for members of the Society

In accordance with the Terms and Conditions of use of the website, you are responsible for ensuring that any password and user ID, and any other security mechanism issued to you, remain confidential. If third parties have access to your password, user ID or any other security mechanism they can control your personal information and ID. We are not responsible for the consequences of their use of your personal information and ID in these circumstances. If your password or user ID or any other security mechanism is compromised you should contact us immediately, and until you do so we will be entitled to rely on any communications sent to us using your password and user ID and any other security mechanism as if they originated from you.

How long will you use my personal data for?

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Details of retention periods for different aspects of your personal data are set out in the table purpose, use and retention schedule.

In some circumstances you can ask us to delete your data, please see Request Erasure in the Glossary below for further information.

In certain other circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Under certain circumstances, you have rights under data protection laws in relation to your personal data to:

• request access to your personal data
• request correction of your personal data
• request erasure of your personal data
• object to processing of your personal data
• request restriction of processing your personal data
• request transfer of your personal data
• withdraw consent.

For more information on these rights, please contact information@lawscot.org.uk.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. The Information Commissioner's Office – Scotland; Queen Elizabeth House, Sibbald Walk, Edinburgh EH8 8FT; 0303 123 1115; scotland@ico.org.uk; www.ico.org.uk.

We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

All comments, queries and requests relating to our use of your information are welcomed and should be addressed to:

The Data Protection Officer
Law Society of Scotland
Atria One,
144 Morrison Street,
Edinburgh
EH3 8EX
Scotland

E-mail: informationofficer@lawscot.org.uk

Telephone: +44 (0)131 226 7411

Consent: the individual has given clear and informed consent for the Society to process their personal data for a specific purpose.

Legitimate Interest: the interest of our business in conducting and managing our business to enable us to give you the best service or product, and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Performance of Contract: processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Public task: the processing is necessary for the Society to perform a task in the public interest or for its official functions, and the task or function has a clear basis in law.

Comply with a legal obligation: processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.

Vital interests: the processing is necessary to protect someone’s life.

Internal Third Parties: other organisations related to the Society acting as joint controllers or processors and who are based in the UK and provide the Society with services, including the Judicial Factor and the Law Society of Scotland Education Foundation.

External Third Parties:

1. service providers who are usually based in the UK, but occasionally within the EU and elsewhere. This includes but is not limited to:
   1. payment service providers;
   2. technology, IT and system administration services (who provide us with database hosting, server access and general IT support and maintenance);
   3. fraud prevention agencies; and
   4. credit reference agencies.
2. professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers mainly based in the UK but who also may be located elsewhere (usually this is related to the purpose of processing the data or service in question, for example dealings with the Council of Bars and Law Societies of Europe);
3. HM Revenue & Customs, regulators and professional bodies (including the Scottish Legal Aid Board, the Scottish Legal Complaints Commission, the Scottish Solicitors Discipline Tribunal, the Solicitors Regulation Authority (SRA) and the Law Society in England and Wales) and other authorities acting as processors or controllers based in the United Kingdom or elsewhere;
4. complainants, witnesses and experts (for example in connection with a regulatory investigation or other matter in the exercise of our regulatory functions, powers and duties);
5. social media and/or review sites such as Facebook, Instagram, LinkedIn, Twitter and YouTube (but only where you share information in relation to us, for example by “liking” or commenting on a post and/or we respond to that disclosure);
6. where necessary to fulfil our legal obligations, conduct investigations and/or deliver our services, we may share your information with law enforcement agencies (e.g. the police or the courts).

You have the following rights (subject to the Data Protection Legislation and its various requirements and exemptions):

Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:

• If you want us to establish the data's accuracy.
• Where our use of the data is unlawful but you do not want us to erase it.
• Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
• You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. This right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.