This Privacy Notice describes how we, NNU Immigration Limited of Thomas House, 84 Ecclestone Square, London, SW1V 1PX, collect and use personal data about you prior to your engagement with the firm, during the attorney-client relationship and once the relationship has ended. This notice does not form part of our attorney- client agreement with you.
NNU Immigration is a “data controller”. This means that we are responsible for deciding how we hold and use personal data about you. We are required under the General Data Protection Regulation 2016 (the “GDPR”) to notify you of the information contained in this Privacy Notice.
You can contact us by writing to the above address, marked for the attention of NNU Immigration Limited. Alternatively, you can go to the Contact Us section of our website or by using the contact form below.
1. What kinds of personal data about you do we process?
We will collect, store, and use the following categories of personal data about you:
• Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses
• Date of birth, gender and/or age, your nationality and/or citizenship status
• National Insurance number
• Bank account details and tax status information
• Copies of passports and visas
• Client engagement information
• Career history including work/engagement/project/employment records, project details, job titles, work history, working hours, holidays, training records and professional memberships
• Details of the professional projects/engagements you are or have been involved in
• Health information including mental health
• Details of your assets and beneficiaries
• Your marital status, family, lifestyle or social circumstances and other affairs, if relevant to the attorney-client relationship
• Information about criminal convictions or offences
Some of the personal data above may also fall within “special categories” of more sensitive personal data such as:
• Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions.
• Information about your health, including any medical condition, health and sickness records Some of the personal data above may also fall within personal data relating to criminal convictions and offences.
2. What is the source of your personal data?
Most of the personal data we collect, store and use about you will be provided by you (or third parties authorized by you) as follows:
• As part of and during the attorney- client engagement process prior to you engaging us as your attorney.
• As part of the attorney-client relationship to enable us to fulfil our contractual obligations to you under our attorney-client agreement.
We may also use and store personal data about you from:
• Information generated about you in fulfilling our contractual obligations under the attorney-client agreement; and
• Information about you that is available from public sources (e.g. Wikipedia, LinkedIn, Facebook).
3. How will we use your personal data and what are our legal grounds for processing your personal data?
We use your personal data primarily for the purpose of acting for you as your immigration lawyers. The situations in which we may use your personal data are set out below along with the legal grounds we will rely upon to process your data. Some of the legal grounds for processing will overlap and there may be several grounds which justify our use of your personal data.
a) The processing of your personal data is necessary for the performance of an attorney-client agreement or to enable us to take steps at your request prior to entering into an attorney- client agreement:
• To make a decision about whether we take you on as a client
• Determining the terms of our attorney-client agreement with you
• Keeping you up to date and reporting to you
• To represent you
• To create a client profile on our database
• Making arrangements for the termination of any attorney-client relationship
b) The processing of your personal data is necessary for our legitimate interests of running a
• Business management and planning
• Dealing with legal disputes involving you and/or our employees
• Updating client records
• To monitor and keep records of our communications with you and our staff
• For market research and analysis and developing statistics
c) To comply with our legal obligations
• Accounting and auditing of our business
• To comply with any obligations under employment law
• For some direct marketing
Change of purpose
We will only use your personal data for those situations listed above, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, where this is required or permitted by law.
4. How we use particularly sensitive personal data about you and what are our legal grounds for processing this type of personal data
Special categories of particularly sensitive personal data and personal data relating to criminal convictions and offences require higher levels of protection. We need to have a further legal ground for collecting, storing and using this type of personal data. We may process special categories of personal data in the following circumstances:
a) With your explicit consent
• To collect, hold and disclose data concerning your health to third parties e.g. where disclosure of your health records or a medical examination is a condition of your engagement on a project.
• To hold and disclose any criminal records information relating to you (including alleged offences) e.g. where disclosure of such information to a third party is a condition of your engagement on a project.
• To create a client profile on our database to enable us to schedule visa appointments and prepare visa applications and petitions.
b) Processing is necessary to protect your vital interests or those of another natural person
• To collect, hold and disclose data concerning your health to third parties e.g. where disclosure of your health records is necessary for a medical emergency.
c) The personal data we wish to process has manifestly been made public by you
d) Processing is necessary for the establishment, exercise or defense of legal claims or whenever Courts are acting in their judicial capacity
e) Processing is necessary for reasons of substantial public interest
5. When do we share your personal data with other organizations or individuals?
We will have to share your data with US government agencies including but not limited to the US Department of Homeland Security, US Citizenship & Immigration Service, US Embassies and the US Department of State.
We may have to share your personal data with third parties, including third-party service providers and other entities in the group. We require such third parties to respect the security of your data and to treat it in accordance with data protection legislation.
A situation where we will often provide your personal data to third parties is where it is necessary for the performance of the attorney-client agreement with you such as where we prepare a visa application, where certain categories of your personal data are required by a third party to process certain necessary data for your application (e.g. education evaluation or foreign language translation).
We will not share or use your personal data in a way you would not expect under the attorney- client agreement.
We may also share your personal data with third parties where required by law or where we have another legitimate interest in doing so.
6. Transferring your personal data outside the EU
We are based in the UK, but often we may need to transfer your personal data outside the EU. A common example is where we need to provide your personal data to an US government agency, company or organization outside the EU as a requisite to you providing your services to that company or organization.
We will seek and secure your explicit consent for transferring your personal data outside the EU in circumstances where:
(a) the transfer is not necessary for the attorney-client agreement
(b) the EU Commission has not made an adequacy decision in respect of the country in which the recipient of the personal data is based
(c) the transfer of the personal data is not subject to appropriate safeguards as set out in Article 46 of the GDPR
(d) there are no binding corporate rules in place
(e) no other derogation is applicable.
7. What if you don’t want to share your personal data with us?
If you fail to provide certain information when requested, we may not be able to perform the attorney-client agreement we have entered into with you or we may be prevented from complying with our legal obligations to you (such as filing a visa application to enable you to obtain a US immigration benefit).
8. What should you do if your personal data changes?
You should tell us, so we can update our records. The contact details for this purpose are in this Privacy Notice, otherwise please inform your usual contact at NNU Immigration Limited.
9. How do we keep your data secure?
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. The specific measures we have recently implemented are as follows:
Managed Antivirus – This program periodically scans files and processes looking for malicious software which it can then quarantine and delete.
Managed Encryption – Data is encrypted, therefore if lost or stolen the data is unreadable.
Advanced Malware Protection – This a proactive protection against ransomware which is quickly becoming the biggest threat to network security. This blocks requests to access malicious domains that malware and other attacks come from, updated in real-time.
Two Factor Authentication – This ensures no one can access our emails or files even if they have our password.
E-mail Security – Most common way for malicious software to get onto a network is through email. Whether it is by attaching an infected file, including a malicious link or phishing for personal details that can be used at a later date, this service stops these emails getting through, and gives control to the end user to block domains.
10. For how long do we retain your personal data?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of the attorney-client agreement and satisfying any legal, accounting, or bar association reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymize your personal data so that it can no longer be associated with you, in which case we may use such information without further notice to you.
Once you are no longer a client of the attorney we will retain your personal data in accordance with our data retention policy and applicable laws and regulations.
11. Your duty to inform us of any changes
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your client relationship with us.
12. Rights of Access, Correction, Erasure, and Restriction
Your rights in connection with your personal data. Under certain circumstances, by law you have the right to:
• Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
• Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
• Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
• Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your personal data to another party.
If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact NNU Immigration Limited in writing.
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
13. Your right to withdraw consent
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact your usual contact at the attorney. Once we have received notification that you have withdrawn your consent, we will no longer process your personal data for the purpose or purposes you originally agreed to, unless we have another legal ground for doing so in law.
14. Data Protection Officer
We have not appointed a DPO to oversee compliance with this Privacy Notice. If you have any questions about this Privacy Notice or how we handle your personal data, please contact your usual contact at our office. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
15. Changes to this Privacy Notice
We reserve the right to update this Privacy Notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.
If you have any questions about this Privacy Notice, please contact:
NNU Immigration Limited
84 Eccleston Square