Make an enquiry
Menu

Thorntons Law LLP Applicant Privacy Notice

Thorntons Law LLP (“we”, “us, “our”) respects your privacy and are committed to protecting your personal data.  This Privacy notice sets out the ways in which we collect, use and store your personal data.  It also explains the legal rights you have in relation to your personal data.

About us 

Thorntons Law LLP is a limited liability partnership, registered in Scotland (No. SO300381), whose registered office is Whitehall House, 33 Yeaman Shore, Dundee, DD1 4BJ.

You can contact us at the above address, addressing any request to the Data Protection Officer.  You can also contact us by email at  privacy@thorntons-law.co.uk

Our commitment to you

We process your personal data in accordance with the overarching principles and requirements set out in the UK General Data Protection Regulation and the Data Protection Act 2018 (‘Data Protection Law’). What this means is that Thorntons processes your data in a way that is:

  • Lawful, fair and transparent;
  • Compatible with the purposes that we have told you about;
  • Adequate and necessary, we only use the data we need to use for the reason we told you;
  • Accurate and up to date;
  • Not excessive, we only keep your data for as long as we need it; and
  • Secure and protected. 

Why we process your personal data

We are a full service law firm and Estate Agency and we need to process personal data for a number of reasons as part of our recruitment and onboarding processes.

Who is the Applicant Privacy Notice addressed to?

This privacy notice explains how we process your personal data if you are: 

  • a job applicant, applying for a traineeship or voluntary work, whether applying directly to us or via a recruitment agency; 
  • a successful applicant, prior to the confirmation of your appointment with Thorntons Law;
  • a referee or a recruitment agent. 

Please refer to the Employee Privacy Notice once your appointment has been confirmed with our firm. 

Ways we collect your personal data

There are a number of ways in which we may collect personal data about you, these include:

  • From you directly where you contact us in writing, by e-mail, when you meet with our team in person or by video call, by telephone, through our online portal, website or social media platform. You may contact us to provide a reference, enquire about a role, submit an application, schedule an interview, participate in recruitment exercises, provide pre-screening employment information or to express an interest to work with us.
  • From a recruitment agent we have engaged to match candidates to our vacancies, or through an online recruitment platform we used to advertise the role.
  • From your current and/ or former employers and/ or referees as part of our reference checks.
  • From providers of psychometric tests as part of our recruitment exercise.
  • From providers of identity verification and compliance services as part of our onboarding background checks.
  • Via CCTV operating in any of our office sites or buildings.
  • From the devices you use when you access our website.
  • From publicly available information about you such as your LinkedIn profile or your current employer website profile.

What personal data do we process for Applicants, Recruiters and Referees?

Data TypeInformation Collected
Enquiry Data

Personal data you provide when you make an enquiry to us regarding a role via our website or via social media.

May also applies if you are a successful candidate.

Applicant’s Contact Personal Data

Full Name

Postal address

Email address (personal and/or business)

Phone Numbers

Occupation

Recruitment Data (including special category data)

CVs and covering letters

Completed application forms which may include contact details, career history, qualifications and skills, hobbies and interests.

Information communicated in job interviews or through our recruitment processes.

Equality Monitoring Data (including special category data)

We may collect and process gender, gender identity, ethnic origin, disability, religion and sexual orientation information at the application stage to ensure meaningful equal opportunity monitoring and reporting.

May also apply tif you are a successful candidate.

Health and Medical Data (also special category data)We may collect information about your health e.g. your disability status in order to provide appropriate adjustments during the recruitment process.
Financial DataIn the course of the recruitment process, we may collect information relating to your current/previous salary and salary expectations.
Criminal Convictions Data

At the application stage, you may be asked to disclose the following:

Convictions (as well as spent convictions, if applying for an Advocate and Solicitor’s role).

In accordance with the Rehabilitation of Offenders Act 1974, you will not be asked to disclose any spent convictions, unless the job you are applying for fall into the following category: Advocates and Solicitors.

In accordance with the Exclusions and Exceptions (Scotland) Order 2003, these jobs are exempted from the right not to declare spent convictions.

Convictions/offences in the past 5 years in relation to driving records. This information is required for insurance purposes and only if relevant for the post for which you are applying.

Right to Work in the UK

British citizen status, UK work permit status or right to live in the UK status.

Proof of status will be required for successful candidates.

This information is legally needed to prove you have a right to work in the UK.

Psychometric Data

We occasionally use recruitment aptitude tests, involving profiling, as part of our selection.

No automated decision-making takes place as we do not solely rely on the output of these tests to make a recruitment decision.

CCTV DataOur office locations may operate CCTV and where they do this is clearly signposted. If you visit our offices your images may be captured on CCTV for security purposes.
Personal Data within correspondenceCopies of letters, e-mails received or sent by us, and information you have provided to us in letters, e-mails, texts and audio recordings taken in relation to the recruitment process and employment. We may also keep notes and records of matters we discuss.
Website Data

Includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.

Our external website uses cookies and we may collect information about how you use our website.

Video telecommunication and collaborative platform Data

When invited and participating to a virtual meeting, the following types of information may be recorded:

•        your registration and participant information such as name, email address and other contact/profile details.

•        direct interactions generated in meetings such as audio, video, chat messaging content, comments.

By default, applicants interviews are not recorded.

Recruiters and referees’ personal data

Name

Occupation

Company/ organisation

Business or personal email address

Business or personal phone number

Business or personal postal address

Your relationship to the applicant

Any information provided to us in emails, letters, calls in relation to the recruitment process of an applicant.

What additional personal data do we process for successful candidates?

Data TypeInformation Collected
Applicant’s Contact Personal Data

Full Name

Postal address

Email address (personal and/or business)

Phone Numbers

Occupation

Your relationship to other persons

Your emergency contacts

Identity Verification Data

Date of birth

Gender

Photograph/Video

Photographic ID document

Address history

Credit data (soft credit checks)

Other identity evidence as required to meet our regulatory obligations.

Health and Medical Data (also special Category Data)If the course of your onboarding, we may process additional information about your health in order to provide equal access and workplace adjustments and to ensure meaningful equal opportunity monitoring and reporting.
Biometric Data (also special category data)

Facial similarity checks are run when completing your ID verification with our Due Diligence Supplier.

The biometric technology compares an image of your face to the image on your ID document.

other screening information held in public recordsInformation held in public records, such as registers of insolvency, death, public offices held and any adverse information in the public domain for specific role types, or type of work undertaken.
Financial and Credit Data

Information about your bank details to facilitate remuneration

UK National Insurance number for taxation reasons

Credit reports (hard credit checks) for specific role types

Criminal Convictions and offences DataAs the nature of our work requires a high degree of trust and integrity we undertake a basic disclosure of your criminal records for certain role types.
References

Information provided by the referees regarding your last employment and/ or character.

References are given in confidence, and not disclosable to the job applicant in most cases.

Professional regulation DataAny relevant professional and academic qualifications, professional registration and disciplinary checks.
Enquiry DataPersonal data you provide when you make an enquiry to us regarding a role via our website or via social media.
Recruitment Data (including sensitive data)

Any information communicated through our recruitment processes.

Information about any other adjustments required and scheme enrolments, such as childcare requirements, death-in-service scheme and flexible working preference.

If you fail to provide personal data

Where we need to collect your personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may not be able to perform our obligations but we will notify you if this is the case at the time.

Why we use your personal data

We will use your personal data where it is necessary for us to:

  • comply with our legal obligations; or
  • enter into and perform a contract with you; or
  • fulfill our legitimate interests.

We may ask for your consent to process your personal data under certain circumstances and where we do we ensure that it is freely given, specific, informed and unambiguous. You may withdraw your consent at any time by emailing privacy@thorntons-law.co.uk.

Purposes of Processing

PurposeLawful Basis of Processing

To communicate with candidates, recruitment agencies and websites advertising our vacancies, placements and traineeships regarding applications, interviews, feedback and role offer.

 

Performance of an Employment Contract

Legitimate Interests – to contact you to respond to communications from you.

To populate our internal directory and systems with a picture of the successful candidate.Consent
To assess your skills, qualifications, employment history and suitability for the role.

Consent

Performance of an Employment Contract

To make decisions on your suitability for

shortlisting for interview, interview and offer of the role.

Consent

Performance of an Employment Contract

To provide equal opportunity monitoring and reporting

Explicit consent

You have the right to withdraw your consent at any time

To provide equal access and workplace adjustments during the recruitment processEmployment - processing that is necessary for carrying our obligations or exercising rights, imposed or conferred by law in connection with employment. 
Financial management and planning, including payroll

Performance of an Employment Contract

Legal obligation

To comply with pre-employment vetting checks, which may vary depending on role type, including reference checks, identity verification, prevention of financial crime, probity checks (criminal convictions, credit reports), right to work.

 

 

Performance of an Employment Contract

Legal Obligation to ensuring our business is carried out in compliance with the law or with our regulators’ guidance.

When processing special category data:

For reasons of substantial public interest - processing that is necessary for preventing fraud and suspicion of terrorist financing or money laundering.

Employment – processing that is necessary for carrying out obligations or exercising rights, imposed or conferred by law in connection with employment.

Record-keeping

Legal obligation – we are required to retain certain information about you to comply with legal requirements

Legitimate Interests – to establish, exercise and/or defend any legal claims that may be brought by or against us in connection with your recruitment (i.e. discrimination claims)

Cookies – we use cookies that are essential for the functionality of our website and we also use non-essential cookie which help us to understand how our website is used by visitors. Both essential and non-essential cookies use certain personal data. More information on our use of Cookies can be found in our Cookies policy.

Legitimate Interests – functional cookies which are necessary for the operation of our website.

Consent – cookies which track how you interact with our website.

IT and Security – we may use personal data to administer and protect our business and this website (including  troubleshooting,  data  analysis, testing, system maintenance, support, reporting and hosting of data) and to carry out system upgrade or system replacement.

Performance of an Employment Contract

Legitimate Interests – to ensure our website is secure and functioning.

Legitimate Interests – to ensure we use the most appropriate systems.

Where we store your personal data and information security

We take appropriate technical and organisational measures to secure your personal information and protect it against unauthorised or unlawful processing as well as against its accidental loss or destruction or damage. Some of these measures include:

  • Using secure cloud-based servers to store your personal data, based in the UK and he EU.
  • Verifying the identity of individuals that access your personal data.
  • Regular review of our Information Security Management System.
  • Utilising a number of anti-virus and anti-malware systems at the gateway, on email and on endpoints to protect against cyber threats and encryption technologies to protect personal data where appropriate.
  • Deploy data loss prevention software from Egress to help detect and mitigate the risk of data loss.
  • Restricting access only to those employees who need to know the information in order to deliver the service to you.
  • Providing regular data protection and information security training to all our employees.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted.

Once we have received your personal data, we will use strict procedures and security features as outlined above to try to prevent unauthorised access to your personal data.  We cannot be held responsible for the security of your personal data collected by websites that our site may link to.  Such third parties shall have their own privacy notices and you should read these carefully.

Sharing personal data

If we share personal information with external third parties, we shall keep this to a minimum and take reasonable steps to ensure that recipients shall only process the disclosed personal data for those purposes and in accordance with our instructions.

In the course of the recruitment and onboarding processes, we may be required to share your personal data with third party service providers.

We will not transfer your personal data to anyone else without your permission, except:

  • Where we are obliged by law or regulatory obligations.
  • Where we share your information with third party service providers.
  • Where we share your information with third parties who provide essential services.
  • Where some or all of our assets are purchased by a third party.

We will never sell your information or disclose it for direct marketing purposes.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes.

The types of organisations/groups that we may share personal data with are set out below:

  • suppliers and service providers used by Thorntons to conduct the recruitment exercise, such as call, video telecommunication and messaging platforms; cloud-based servers and systems for data storage, secure file sharing; employment agencies.
  • suppliers and service providers used by Thorntons to manage the relationship with applicants, recruiters and referees, such as; cloud-based servers and systems (i.e. for network security monitoring, HR recruitment management, employment vetting management such as digital identity and criminal records verification providers, credit reference agencies).
  • financial organisations
  • government departments
  • the courts
  • other professional advisers and consultants such as recruitment/consulting agencies, external law firms.
  • regulatory authorities

A full list is available on request.

International transfers

We may transfer your personal information outside the UK and when we do, we have appropriate safeguards in place to afford your personal data with an adequate level of protection.

When we use Zoom Video Conferencing, some personal data is transferred to the EEA and also to the US. When transferring personal data to the EEA countries, the appropriate safeguards we rely upon are covered by the UK Adequacy Regulations, which provide a similar protection to the UK data protection regime. When transferring personal data to Zoom in the US, the appropriate safeguards we rely upon when transferring personal data to them are Standard Contractual Clauses (‘SCCs’), which incorporate standard data protection clauses recognised by the UK data protection regime. For further details, see the global Zoom Data Processing Addendum at https://explore.zoom.us/docs/doc/Zoom_GLOBAL_DPA.pdf You can ask at any time for further information on the specific SCCs used by us.

How long we will keep your personal data for

We keep the personal data that we obtain about you during the recruitment process for no longer than is necessary for the purposes for which it is processed. How long we keep your data will depend on whether your application is successful and you become employed by us, the nature of the data concerned, and the purposes for which it is processed. We have a Records Management and Retention Policy which sets out the periods and rules for retaining and reviewing all data that we hold.

We will keep recruitment data (including interview notes) for no longer than is reasonable, taking into account the limitation periods for potential claims, after which they will be destroyed. If there is a clear business reason for keeping recruitment records for longer than the recruitment period, we may do so with your consent.

If your application is successful, we keep your data during and after your employment for no longer than is necessary for the purposes for which the personal data is processed, taking into account our record-keeping obligations, unless we are required to retain it longer to defend against or initiate a legal claim.

Changes in personal information

It is important that the personal data we hold about you is accurate and up-to-date. Please keep us informed if your personal information changes while we hold your details.

Questions and concerns

If you have any questions or concerns on how we collect, handle, store or secure your personal data, please contact our Data Protection Officer by email at  dpo@thorntons-law.co.uk or by post to the  Data Protection Officer, Thorntons Law LLP, Whitehall House, 33 Yeaman Shore, Dundee, DD1 4BJ.

You have the right to lodge a complaint with the Information Commissioners Office (ICO) if you think we have infringed your rights. The ICO’s contact details are as follows:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113

www.ico.org.uk

Your rights

You have various rights under data protection law. As an individual you have the following rights:

Right to be informedThis Privacy Notice provides you with details as to how we collect and use your personal data
Right to accessYou have a right to request access to the personal data we hold about you by making a “subject access request”. You will be provided with a copy of all personal information that we hold about you. There will be no charge for providing you with this information
Right of rectificationYou have a right to request that we correct or complete any inaccurate or incomplete personal data we hold about you
Right of erasureYou have the right to ask us to delete your personal data where it is no longer necessary for us to use it, you have withdrawn consent, or where we have no lawful basis for retaining it. If we are required to keep your personal data to comply with our legal or regulatory obligations or legitimate interests in legal proceedings or claims, then we may have to decline your request
Right to restrict processingYou have the right to request that we restrict the processing of your personal data that we hold about you for specific reasons. If we are required to keep your personal data to comply with our legitimate interests in legal proceedings or claims, or the protection of the rights of another person, or for an important public interest, then we may have to decline your request
Right to data portabilityYou have a right to obtain and reuse the personal data that we hold about you for your own purposes in certain circumstances
Right to objectYou have a right to object to us processing your personal data. If we are required to keep your personal data to comply with our legitimate interests in legal proceedings or claims, or can demonstrate our compelling legitimate interests or our appropriate safeguards in place for the specific purpose of scientific, historic research or statistics necessary for the performance of a task carried out in the public interest, then we may have to decline your request

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time Limit to respond

We try to respond to all legitimate requests within one month from the date we receive it. Occasionally we may extend the time for response by up to two months if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Changes to our privacy notice

We may be required to update this Privacy Notice from time to time.  The up-to-date version will always be on our website and we will communicate material updates to our clients from time to time.  We will not process your personal data for purposes other than those set out in this document or which may be prejudicial to your interests without letting you know and giving you the opportunity to review and object to any such amended processing.

Contact us

If you have any questions regarding this Privacy Notice, please contact our Data Protection Officer, Whitehall House, 33 Yeaman Shore, Dundee, DD1 4BJ, Tel No. 01382 229111 or by e-mail – dpo@thorntons-law.co.uk