This Privacy Policy applies to information held about our clients, contacts, suppliers and other external parties, and, if you are a corporation, any of your employees, officers or other personnel. “We”, “our” or “us” means Hereford Art Ltd, registered office: 3rd Floor, 86-90 Paul Street, London, EC2A 4NE, UK; Company registration no. 15952845.

1. Source of information. We may receive information about you and other individuals directly from you, from a third party connected with you and from a third party connected with us, or publicly available information.
2. Confidential information. We safeguard all the confidential information you disclose to us. We may share your information for the purpose of delivering our services and the services of other consultants to you. We may also share your information with our insurers, our bankers, our regulators, our professional advisers, our accountants, auditors and our staff. In order to provide you (or your organisation) with our services, we may share your personal data with consultants advising other parties in your matter, or with other professionals. We will also share your information with others where you allow it, where we have a legitimate interest in sharing your information, where required by law or regulation, as part of a file audit, where required by our insurers, or where we think it allows us to give you a better service. We will not otherwise share your personal information with any third party except with your prior permission or where permitted or required by law.
3. If you are a data controller or data processor. If you are a data controller or data processor for others, and you provide to us personal data relating to others, then you confirm to us that you have a lawful basis for doing so under data protection law and where that basis is consent, then you confirm you have secured the consent of the data subject to our using their data as part of our acting for you.
4. Special category data. During the course of our engagement, we may need to use special category data. Your acceptance of these terms is your explicit consent to our processing any special category personal data as part of your instructions to us. Special category data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
5. Data controller. When we use personal data about you or others in connection with our engagement, we do so as data controller. Our contact details are set out on page 1 of our Engagement Letter and communications relating to data protection should be addressed to the adviser responsible for your work or to our postal address.
6. Use of personal data. Our core purposes for processing personal data are to operate our business, to provide professional services to our clients, to maintain our client and business records and to comply with law and regulation. In relation to you (or the organisation on behalf of which you instruct us) this primarily involves: providing you with advice or other information that you have requested from us; invoicing you for services we have undertaken for you; keeping records of the work we have carried out for you; and fulfilling our anti-money laundering obligations. These terms deal with our use of your data as part of your instructions to us. In all other respects, our use of data is set out in our Privacy Policy.
7. Lawful basis of processing. Before accepting your instructions, we may need to carry out certain checks (e.g., know-your-client, anti-money laundering and conflict checks). If so, we process your personal data to comply with our legal obligations. When we are providing our advice to you, we process your personal data to provide our professional services to you and to comply with our contractual obligation to provide such services. We will also process personal data where it is in our legitimate interests to do so (for example, as part of the administration of our business and keeping our systems secure).
8. Categories of personal data obtained. The core categories of personal data which we use to provide our professional services to you are: name, e-mail address and other contact details; correspondence with us;
   bank account details and/or other billing details; and copies of your passport, driving licence, birth certificate, national identity card, utility bills and/or other identifying information required to be provided to us for anti-money laundering and client due diligence purposes.
9. Sharing your personal data. Your personal data may be included in the information we share with others as set out in paragraph 1.2. We require the recipient to safeguard it. Typically, any recipient would then become the data controller of the shared data and owe you duties as such. We are not responsible for any use, misuse or loss of your data by third parties with whom we share your data.
10. International transfers. We may hold copies of your personal data and other data on computers outside the UK. Sometimes we will share personal data with third parties outside the UK. If we do this, we will comply with the rules in the UK General Data Protection Regulation.
11. Data retention. We store some files digitally and others in hard copy. In each case we may use third parties to store your files. We normally keep files for seven years from the date of conclusion of your matter but can sometimes keep them longer if required by law. This is explained in more detail in our Information Retention Policy. You can request a copy of this at any time.
12. Destruction and retrieval. We will destroy your files at the end of their storage period, or earlier with your and our consent. Please write and tell us if you object to this. We may charge you if you want us to retrieve your files and transfer them to you or any third party after we have completed our work.
13. Access to file. Where we act for more than one client on the same matter, then that file will belong to all those clients jointly, but not severally. If you would like a copy of your file, then you irrevocably agree that we must not provide the same to you without the prior written consent of all the other clients who also jointly own that file.
14. Failure to provide personal data. We may find it hard to advise you if you do not provide us with information we request (which may include personal data).
15. Your rights. If the UK General Data Protection Regulation applies to you, you have the following rights: the right to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and certain rights in relation to automated decision making and profiling. Where our lawful basis for processing your personal data is consent, you have the right to withdraw consent. You can find out more about your rights on the Information Commissioner's Office (ICO) website at www.ico.org.uk.
16. Supervision (personal data). If you have any questions or concerns, or if you want to exercise your legal rights regarding your data, then you should contact the adviser responsible for your work or write to us at our postal address. We would ask you also write to us in the first instance if you should have a complaint about the way we handle your data. We are supervised by the ICO and, if you prefer, you can make a complaint to them at any time.
17. Contact us. If you have any questions or comments regarding how we handle data, please don’t hesitate to contact us. We may update or amend this policy in the future, if we do we will update our website accordingly, so do check this page to ensure you are happy with the current policy.