Privacy policy
PRIVACY POLICY STATEMENT OF
COMPANY
NOTARY LIMITED & FLOODLIGHT BUSINESS LIMITED
September 13, 2023
CNL (CNL) and Floodlight Business Limited (Floodlight) respects the privacy of data subjects. This privacy notice will inform data subjects as to how we look after their personal data when they visit our website, contact us or receive notarial services from us or are signatories to documents we notarise where our relationship is with their employer or organisation they represent.
CNL is a UK company owned solely by notary Dawn Stallwood. Notarial acts are performed by Dawn Stallwood through this entity. CNL engages the services of other self-employed independent notaries on a consultancy basis. Each consultant notary engaged with CNL maintains his/her own ICO registration and is bound by the terms of this privacy policy in their processing of personal data of clients (and signatories, as applicable) in the performance of their notarial activities. Floodlight provides client liaison, legalisation co-ordination, administration and invoicing/billing/finance support to Company Notary on an outsourced basis. For the purposes of this privacy policy and GDPR, CNL and Floodlight are data controllers, but it may be the case thatFloodlight is a data processor depending on the support and co-ordination activities it performs from time to time.
1. Important information and who we are
This privacy notice aims to give data subjects information on how CNL collects and processes their personal data through their
interaction with CNL employees, consultants or agents, use of our website, including any data they may provide through our
website when they sign up to our newsletter or updates, make an enquiry about legalisation formalities or complete the contact
us form.
It is important that data subjects read or are made aware by their employer or organisation of this privacy notice together with
any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing
personal data about them so that they are fully aware of how and why we are using their data. This privacy policy supplements
the other notices and is not intended to override them.
We ask our clients to agree to this policy statement when they first deal with us and such agreement then covers future services
and engagement with CNL.
Controller
CNL is the data controller for the purposes of General Data Protection Regulation (GDPR) (collectively referred to as “COMPANY”, “we”, “us” or “our” in this privacy policy).
We have appointed a data privacy manager. Contact details: CNL, Dawn Stallwood – data privacy manager Email address:
notary@companynotary.com Postal address: Coveham House, Downside Bridge Road, Cobham Surrey KT19 0HF UK
Data subjects have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with any concerns before the data subject approaches the ICO so they should please contact us in the first instance.
Changes to the privacy notice and duty to inform us of changes This version was last updated on 13 September 2023. It is important that the personal data we hold about data subjects is accurate and current. Data subjects (or their employer representative who engages with us should please keep us informed if their personal data changes during our relationship with them (or their employer).
Third-party links
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about a data subject. We do not control these third-party websites and are not responsible for their privacy statements. When a data subject leaves our website, we encourage them to read the privacy notice of every website they have visited through us.
2. The data we collect
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
When you provide us with information via our website, the personal information we collect from you at that time is limited to
name, email address, telephone number and the nature of your enquiry.
We may also collect certain Technical Data including internet protocol (IP) address, browser type and version, time zone setting
and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to
access this website.
Should CNL then proceed to perform notarial acts for you (or for an individual or company or organisation you represent or have
made the enquiry on behalf of), then we will collect additional personal information as follows:
• Identity Data of signatories: previous names, marital status, title, date of birth and gender, passport and/or driving licence
and/or National ID card information (including a photocopy or scan of the photo page of such identification documents).
• Contact Data of signatories: includes residential address, delivery address, email address and telephone numbers. We will
ask for a copy or scan of a recent utility bill or council tax statement confirming your residential address.
• Financial Data of signatories: includes bank account and payment card details.
• Transaction Data includes copies of the documentation we are performing notarial acts on, background information to the
transaction, including email correspondence. We may also need to see supporting evidence of a signatory’s authority to sign,
including board minutes, Wills, Power of Attorney or letter of authority. Sometimes we need to see birth, death or marriage
certificates, evidence of divorce, qualification or educational certificates.
• Representative Data: if you are arranging notarial services on behalf of your employer, organisation or individual, we will
maintain your contact information on our records as well.
It is important to point out that although you may have made the initial enquiry of CNL, you may be doing so on behalf of someone
else or the person our notary needs to meet or deal with is a different person to you. So you may or may not be the data subject.
If this is the case, then it is your responsibility to ensure:
- The data subject is aware of this Policy and our Terms of Business, both of which are available fromwww.companynotary.com;
- That you or your employer / organisation (as data controller) have full permission or other lawful basis for processing under GDPR to share their personal data with us and that the information you provide is accurate and relevant to our requirements;
- That they know how we will deal with their personal data, for what reasons we need it and why we retain it;
- That they know we may need to share some of their personal data with relevant third parties in order to complete the notarial acts and international documentation service we, together with Floodlight provide;
- Your organisation is compliant with GDPR as regards their personal data and being their data controller.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from a data subject’s personal data but is not considered personal data in law as this data does not directly or indirectly reveal their identity. For example, we may aggregate their Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with their personal data so that it can directly or indirectly identify them, we treat the combined data as personal data which will be used in accordance with this privacy policy.
It is rare for us to collect any Special Categories of Personal Data (this includes details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, criminal convictions and offences, information about health and genetic and biometric data). Where we do, it will most likely in connection with certifying a copy document that references such Special Categories of Personal Data or involves signing a document linked to such matters. Examples would be: a release form in connection with obtaining IVF treatment in Poland or certifying as a true copy a DBS check.
Failure to provide personal data
Where we need to collect personal data by law (including our Notarial Practice Rules and Anti-Money Laundering regulations),or under the terms of a contract to perform notarial services and the data subject fails to provide or make available that data when requested, we may not be able to perform the contract we have or are trying to enter into with the data subject or their employer, organisation or business (as the case may be).
In order to provide notarial services we need to satisfy ourselves as to the Identity, Capacity and ability to Execute of signatories
to documents we are attaching our seal and signature to.
3. How is personal data collected?
We use different methods to collect data from and about data subjects including through:
• Direct interactions. The data subject may give us their personal data by filling in forms online or by corresponding with us by post, phone, email, or meeting with our notary. We use an online practice management workflow suite of tools and resources, which includes an information form, which our notaries (employed of consultant) complete electronically on secure mobile devices (smartphone/iPad/tablet/laptop). This information is then uploaded onto our electronic storage
facility (presently Dropbox for Business, noting that we may move to another, as secure electronic storage facility if we consider appropriate for practice management purposes). We also retain a hard copy of that information form and the contact information is uploaded onto our CRM and financial management system (presently XERO).
• Automated technologies or interactions. As a data subject interact with our website, we may automatically collect Technical Data about their equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies.
• Third parties or publicly available sources. We may receive personal data about the data subject from various third parties and public sources, for example UK Companies House or via their employer or client (where you perform services).
4. How we use personal data
We will only use personal data of data subjects when the law allows us to and we will use such personal data in accordance with this Privacy Policy statement and GDPR.
Most commonly, we will use their personal data in the following circumstances:
- Where we need to perform the contract that we are about to enter into or have entered into with them or their employer, organisation, business or client.
- Where it is necessary for our legitimate interests (or those of a third party) and the data subjects’ interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
Generally, we do not rely on consent as a legal basis for processing a data subjects personal data other than in relation to sending third party direct marketing communications to a data subject via email or text message. Data subjects have the right to withdraw consent to marketing at any time by contacting us.
Purposes for which we will use personal data
We have set out below, in a table format, a description of all the ways we plan to use personal data in connection with notarial acts, and which of the legal bases we rely on to do so. Note that we may process personal data for more than one lawful ground depending on the specific purpose for which we are using such data.
Purpose/Activity
To register you or the person or business you represent as a new customer, including meeting any antimoney laundering and notarial practice rules and regulations. Completion of electronic on-boarding and client information forms / practice management system and notarial act workflow management.
To process and deliver notarial services to the data subject (you), your employer / client, including:
- Producing bespoke notarial certificates.
- To meet our legal requirements via Notarial Practice Rules.
- To perform notarial acts and keep electronic copies of them.
- To maintain an electronic notarial register and accounts.
- Send quotations or estimates, manage, manage payments, fees and charges.
- Collect and recover money owed to us.
- To co-ordinate and deal with any requirements for legalisation and embassy certification, this may include liaising with and engaging with the services of consular agents, Visa specialists and chambers of commerce as well as specific embassies and the Foreign and Commonwealth Office (Legalisation Office). This may include providing such agencies and embassies/consulates with photocopy passports/national ID cards/other photoID of signatories to documents (i.e. Power of Attorney, any witnesses and any persons referred to or appointed in such document.
- To co-ordinate and arrange and track the sending of completed documentation to specified recipients (which may include a third party you nominate).
To work with our outsourced provider of international documentation and notarial support services, Floodlight (who will manage the notarial process, legalisation, billing and client on-boarding)
To manage our relationship with customers which will include:
(a) Notifying about changes to our services, our terms or privacy policy
(b) Asking you to leave a review or take a survey
To administer and protect our business and our website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
To deliver relevant website content and advertisements to our customers and their representatives and measure or understand the effectiveness of the advertising we serve to them.
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences
To share personal information and client detail and their notarial requirements with our consultant and/or employed notaries for their notarial practice purposes.
To work with Mobile Notary Register Limited who provide through licence a proprietary virtual practice management and workflow system for CNLs’ notarial practice. In the testing stage, this may include testing, pilot studies, ongoing maintenance and bug-fixing, security updates etc. and provide the technical support team with VPN access / remote access for such purposes.
To make suggestions and recommendations to customers about goods or services that may be of interest to them.
Lawful basis for processing including basis of legitimate interest
- Performance of a contract
- Our legal obligations
- Necessary for our legitimate interests
- Performance of a contract
- Necessary for our legitimate interests
- Performance of a contract
- Our legal obligations
- Necessary for our legitimate interests
- Performance of a contract
- Necessary for our legitimate interests
- Performance of a contract Necessary to comply with a legal obligation
- Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)
- Necessary for our legitimate interests (for
running our business, provision of
administration and IT services, network security,
to prevent fraud and in the context of a business
reorganisation or group restructuring exercise) - Necessary to comply with a legal obligation
- Necessary for our legitimate interests (to study
how customers use our products/services, to
develop them, to grow our business and to
inform our marketing strategy)
- Necessary for our legitimate interests (to define
types of customers for our products and
services, to keep our website updated and
relevant, to develop our business and to inform
our marketing strategy)
- Performance of a contract
- Our legal obligations
- Necessary for our legitimate interests
- Performance of a contract
- Our legal obligations
- Necessary for our legitimate interests
Necessary for our legitimate interests (to develop our products/services and grow our business)
requested information from us or received notarial services from us and, in each case, they have not opted out of receiving that marketing.
Third-party marketing
We will get express opt-in consent before we share the personal data in our possession of data subjects with any company outside of CNL / Floodlight / Mobile Notary Register Limited for marketing purposes.
Opting out
You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time. Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of notarial services.
Cookies
You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our website may become inaccessible or not function properly.
Change of purpose
We will only use personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
5. Disclosures of personal data
We may have to share personal data of our customers or their employees or representatives with the parties set out below for the purposes set out in the table in paragraph 4 above.
- Faculty Office (regulator of the Notaries in England and Wales), The Notaries Society, The Legal Services Ombudsman
- Courier companies (Mailboxes etc, FEDEX, DHL, TNT, Royal Mail) we use to send your completed notarial documents to you or to an address you nominate.
- Embassies (some require copy passport information of signatories for example)
- Third Party legalisation agents, including CDN, London Chamber of Commerce and Industry, CIBT
- Translation Company
- Consultant notaries engaged with CNL
- Our professional advisors, especially our accountants
- To the directors and employees of Floodlight, Mobile Notary Register Limited or Floodlight Business Limited (a company under the control of the sole shareholder of CNL)
- Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.
We require all third parties to respect the security of personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use personal data we provide then with for their own purposes and only permit them to process such personal data for specified purposes and in accordance with our instructions.
6. International transfers
Our notarial register and copies of notarial acts is maintained on Dropbox for Business, which means we have the benefit of their data security investments to be GDPR compliant. Their servers are GDPR compliant and may be located outside of the European Economic Area. We reserve the right to change supplier for electronic and online storage, but will not move to a provider less secure than Dropbox for Business. We may also be required to share your personal data with third parties located outside of the EEA. For example, a power of attorney for branch set up in Costa Rica.
7. Data security
Using the Dropbox for Business (or future equivalent) document management and storage service and our own internal processes (including virtual practice management and workflow system tools, under licence from FastField/MergeMobile and/or Mobile Notary Register Limited) we have in place appropriate security measures to prevent personal data in our possession from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to such personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process
personal data on our instructions and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected personal data breach and will notify data subjects and any applicable regulator of a breach where we are legally required to do so.
8. Data retention
We will only retain personal data in our possession for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers for tax purposes. Furthermore, we maintain our notarial register (which contains the detail required by our Notarial Practice Rules) and copies of notarial acts as a permanent record.
In some circumstances we may anonymise personal data (so that it can no longer be associated with the data subject) for research or statistical purposes in which case we may use this information indefinitely without further notice to the data subject.
9. Data Subject legal rights
Under certain circumstances, the data subject has rights under data protection laws in relation to their personal data.
- Request access to your personal data.
- Request correction of your personal data.
- Request erasure of your personal data.
- Object to processing of your personal data.
- Request restriction of processing your personal data.
- Request transfer of your personal data.
- Right to withdraw consent.