Trethowans LLP is a ‘controller’ for the purposes of your personal data. This means that we determine the purpose and means of the processing of your personal data. You will find our contact details at the end of this notice.

The following are some key terms used in this document:

• we, us, our - Trethowans LLP

• our Website - WLIclaims.co.uk

• personal data - Any information relating to an identified or identifiable individual

Below sets out the different categories of personal data we may collect about you.

• Identity Data Your name, your title and your marital status (if we ask for this or if you choose to give this to us)

• Contact Data Your email address, your home postal address (if we ask for this or you choose to give this to us), and your telephone number(s) (landline and/or mobile)

• Claim Data Information that you give us which is relevant to whether you meet the criteria for bringing an individual claim or joining a potential group claim. This includes any information provided to us via forms or questions on our Website

• Technical Data This includes your internet protocol (IP) address, browser type and version, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our Website

• Usage Data This includes information about how you use our Website

• Other Data Information we ask for or that you volunteer to us via our Website and when you correspond with us by email or telephone or information from social media accounts when interacting with us via a personal profile (i.e. Facebook)

We collect and use this personal data for the purposes described in the section: ‘How and why we use your personal data’ (see below).

We also collect, use and share aggregated data such as statistical data for any purpose. Aggregated data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate data to calculate the percentage of users accessing a specific page on our Website. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

We will ask you for the personal data we reasonably require to enable us to undertake an initial assessment of whether you might meet the criteria for joining a potential group claim and for contacting you in connection with it. If you do not provide the personal data we ask for, this may delay or prevent us from undertaking the initial assessment or contacting you in connection to it.

We collect most personal data directly from you – via our Website or by email or telephone.

However, we may also collect information from cookies on our Website – for more information on our use of cookies and other similar technologies, please see our cookie policy below.

Under data protection law, we can only use your personal data if we have a proper reason for doing so, for example:

• to comply with our legal and regulatory obligations;

• to take steps at your request before entering into a contract;

• for our legitimate interests or those of a third party; or

• where you have given consent.

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

This section explains what we use your personal data for, how we use your personal data, our lawful basis for doing so and the categories of personal data we use.

• We use your personal data to undertake an initial assessment of whether you meet the criteria for joining a potential group claim and advising you. For this purpose, we will collect relevant information via eligibility questions on our Website. We will assess your answers to our questions and make a decision about whether you might meet the criteria for joining a potential group claim using a solely automated decision making process (see below: ‘How we use your personal data for solely automated decision-making’). We will then advise you of our decision. If, on the basis of your answers we assess that you might meet the criteria for joining a potential group claim, we will collect some further information from you, including your contact details and other limited information relevant to the potential group claim. We will store your personal data on our IT systems and destroy it in accordance with our data retention and other business policies. The lawful bases for using this data under the UK GDPR are that it is (a) necessary to take steps at your request before entering into a contract with you (Article 6(1)(b) UK GDPR); (b) necessary for compliance with a legal obligation to which we are subject (data protection law and solicitors’ professional rules on record maintenance) (Article 6(1)(c) UK GDPR); and (c) necessary for our legitimate interests i.e. to ensure we are following our own internal procedures so we can deliver the best service we are able to (Article 6(1)(f) UK GDPR). Lastly, for this purpose, we use Identity Data, Contact Data, Group Claim Data and/or Other Data (each as defined above under “Personal data we collect and use”).

• We use your personal data to prevent and detect fraud against you or us. For this purpose, we will check and monitor the security of our email and IT systems which hold your personal data and undertake other verification checks of your personal data (as necessary). The lawful basis for using this data is that it is necessary for your and our legitimate interests i.e. to minimise fraud that could be damaging for us and for you (Article 6(1)(f) UK GDPR). Lastly, for this purpose, we use potentially any personal data that we hold.

• We use your personal data for enquiries or investigations by regulatory bodies (e.g. the Solicitors Regulation Authority or the Information Commissioner’s Office) or law enforcement agencies. For this purpose, we will extract your personal data from our IT systems and disclose it as required by law or further to a court order. The lawful basis for using this data under the UK GDPR is that it is necessary for compliance with a legal obligation to which we are subject (e.g. data protection law, solicitors’ professional rules or a court order) (Article 6(1)(c) UK GDPR). Lastly, for this purpose, we use potentially any personal data that we hold.

• We use your personal data to ensure our business policies are adhered to e.g. policies covering security and internet use. For this purpose, we will check our use of your personal data against our business policies. The lawful basis for using this data is that it is necessary for our legitimate interests i.e. to make sure we are following our own internal procedures so we can deliver the best service we are able to (Article 6(1)(f) UK GDPR). Lastly, for this purpose, we use potentially any personal data that we hold.

• We use your personal data to ensure the confidentiality of commercially sensitive information. For this purpose, we will put in place reasonable and appropriate security measures to protect the integrity of our systems that hold your personal data. The lawful bases for using this data are that it is necessary for our legitimate interests i.e. to protect trade secrets and other commercially valuable information (Article 6(1)(f) UK GDPR) and also necessary for compliance with a legal obligation to which we are subject (e.g. solicitors’ professional rules) (Article 6(1)(c) UK GDPR). Lastly, for this purpose, we use potentially any personal data that we hold.

• We use your personal data for statistical analysis to help us manage this potential group litigation and/or our practice e.g. in relation to our financial performance and other efficiency measures. For this purpose, we will use relevant personal data in data analysis software and also for manual analysis. The lawful basis for using this data is that it is necessary for our legitimate interests i.e. to be as efficient as we can so we can deliver the best service we are able to at the best price (Article 6(1)(f) UK GDPR). Lastly, for this purpose, we use Identity Data, Contact Data, Group Claim Data and/or Other Data (each as defined above under “Personal data we collect and use”).

• We use your personal data to prevent unauthorised access and modifications to our systems. For this purpose, we will put in place reasonable and appropriate security measures to protect the integrity of our systems that hold your personal data. The lawful bases for using this data are that it is necessary for compliance with a legal obligation to which we are subject (e.g. data protection law) (Article 6(1)(c) UK GDPR) and also necessary for our legitimate interests or those of a third party i.e. to prevent and detect criminal activity that could be damaging for us and for you (Article 6(1)(f) UK GDPR). Lastly, for this purpose, we use potentially any personal data that we hold.

• We use your personal data to update and maintain our records. For this purpose, we will enter and hold your personal data in the relevant parts of our IT systems and we may hold your personal data in manual records. The lawful bases for using this data are that it is (a) necessary to take steps at your request before entering into a contract with you (Article 6(1)(b) UK GDPR); (b) necessary for compliance with a legal obligation to which we are subject (e.g. data protection law and solicitors’ professional rules) (Article 6(1)(c) UK GDPR); and (c) necessary for our legitimate interests or those of a third party i.e. to make sure we can keep in touch with you where necessary (Article 6(1)(f) UK GDPR). Lastly, for this purpose, we use potentially any personal data that we hold.

• We use your personal data for staff management, training and administration. For this purpose, we will access and use your personal data held in our IT systems and may use it in emails between our staff and for training purposes. The lawful basis for using this data is that it is necessary for our legitimate interests i.e. to make sure we are following our own internal procedures and working efficiently so we can deliver the best service that we are able to (Article 6(1)(f) UK GDPR). Lastly, for this purpose, we use potentially any personal data that we hold.

• We use your personal data to deal with complaints or legal claims against us. For this purpose, we will review your personal data held in our IT systems and may collect other information relevant to the complaint/legal claim. We will review any information collected and assess the merits of any complaint or legal claim. We may also communicate with third parties as necessary to seek advice/representation and/or in connection with legal or prospective legal proceedings. The lawful basis for using this data is that it is necessary for our legitimate interests i.e. to ensure that we are able to respond to any complaints or legal claims made against us (Article 6(1)(f) UK GDPR). Lastly, for this purpose, we use potentially any personal data that we hold.

• We use your personal data to enforce or apply our Website terms and conditions or any other agreements. For this purpose, we will review your personal data held in our IT systems and if appropriate, use it to take enforcement action, including legal proceedings. The lawful basis for using this data is that it is necessary for our legitimate interests i.e. to enforce our legal rights and protect our business (Article 6(1)(f) UK GDPR). Lastly, for this purpose, we use Identity Data, Contact Data, Group Claim Data and/or Other Data (each as defined above under “Personal data we collect and use”).

• We use your personal data to administer and protect our business and our Website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data). For this purpose, we will use your personal data held in our IT systems. The lawful bases for using this data are that it is necessary for our legitimate interests i.e. for running our business, network security, to prevent fraud and in the context of a business reorganisation (Article 6(1)(f) UK GDPR) and also necessary for compliance with a legal obligation to which we are subject (e.g. data protection law) (Article 6(1)(c) UK GDPR). Lastly, for this purpose, we use Identity Data, Contact Data and/or Technical Data (each as defined above under “Personal data we collect and use”).

• We use your personal data to improve our Website and your experience (through the use of data analytics). For this purpose, we will use personal data collected via cookies and other similar technologies on our Website. The lawful basis for using this data is that it is necessary for your and our legitimate interests i.e. to understand how our Website is used, keep our Website updated and relevant, improve your user experience and to develop our business (Article 6(1)(f) UK GDPR). Lastly, for this purpose, we use Technical Data and/or Usage Data (each as defined above under “Personal data we collect and use”).

• We use your personal data for the transfer of your potential legal matter to another entity capable of assessing and/or progressing your potential claim (including a claims management company or another firm of solicitors) (if applicable)). For this purpose, we will extract your personal data from our IT systems and disclose it to the other firm of solicitors or other entity. The lawful basis for using this data is that it is necessary for your and our legitimate interests i.e. to ensure your potential claim is dealt with appropriately (Article 6(1)(f) UK GDPR). Lastly, for this purpose, we use potentially any personal data that we hold.

Please note that we may process your personal data without your knowledge or consent where this is required or permitted by law.

How we use your personal data for solely automated decision-making

• We use the personal data you provide when you answer the eligibility questions on our Website to make an initial assessment as to whether you might meet the criteria to join a potential group claim. The information we have requested from you is the minimum information needed to make that initial assessment. The decision as to whether or not you might meet the criteria for joining a potential group claim is made by a solely automated decision-making process without human involvement and is based on your answers to the questions. The reason why we use a solely automated decision-making process is to manage the potential number of individuals who may answer the eligibility questions, increase efficiency and to ensure decisions are made quickly, fairly and consistently. We have assessed that it is a targeted and reasonable way of achieving our objective. Depending on your answers to our questions, you will be informed either that you may meet the criteria for joining a potential group action or that you may not.

Depending on the circumstances, we may share your personal data with:

• Our insurers, brokers and professional advisers in the event of a complaint or legal claim against us or where we require external advice or assistance (such as solicitors, barristers, IT specialists or other professional advisers) for the purposes of assisting, advising and representing us as necessary. For this purpose, we may share Identity Data, Contact Data, Group Claim Data and/or Other Data (each as defined above under “Personal data we collect and use”).

• Our regulator (i.e. the Solicitors Regulation Authority) for the purpose of assessing our compliance with our regulatory and professional obligations. For this purpose, we may share Identity Data, Contact Data, Group Claim Data and/or Other Data (each as defined above under “Personal data we collect and use”).

• The legal services providers’ complaints body (i.e. the Legal Ombudsman) for the purpose of dealing with a complaint made against us. For this purpose, we may share Identity Data, Contact Data, Group Claim Data and/or Other Data (each as defined above under “Personal data we collect and use”).

• External IT service providers (e.g. our IT platform hosting provider, website hosting provider, IT support, email security, email service provider, document management providers, application software providers) for the purpose of providing the relevant IT service to us. For this purpose, we may share Identity Data, Contact Data, Group Claim Data and/or Other Data (each as defined above under “Personal data we collect and use”).

• Other external service providers (e.g. telephone answering service, data analytics providers) for the purpose of providing the relevant service to us. For this purpose, we may share Identity Data, Contact Data, Group Claim Data, Technical Data, Usage Data and/or Other Data (each as defined above under “Personal data we collect and use”).

• Law enforcement/regulatory agencies for the purpose of their investigations. For this purpose, we may share Identity Data, Contact Data, Group Claim Data and/or Other Data (each as defined above under “Personal data we collect and use”).

• Another entity capable of assessing and/or progressing your potential claim (including a claims management company or another firm of solicitors (if applicable)) for the purpose of progressing your potential claim. For this purpose, we may share Identity Data, Contact Data, Group Claim Data and/or Other Data (each as defined above under “Personal data we collect and use”).

• Other parties that have or may acquire control or ownership of our business or part of our business (and our or their professional advisers) in connection with a significant corporate transaction or restructuring, including a merger, acquisition or asset sale or in the event of our insolvency. For this purpose, we may share Identity Data, Contact Data, Group Claim Data and/or Other Data (each as defined above under “Personal data we collect and use”). Usually information will be anonymised during a transaction and until completion of the transaction but this may not always be possible.

We only allow our service providers to handle your personal data if we are satisfied they take appropriate measures to protect your personal data. We also impose contractual obligations on service providers to ensure they can only use your personal data to provide services to us. Other recipients, such as our professional advisers are bound by confidentiality obligations.

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including:

• to respond to any questions, complaints or claims made by you or on your behalf;

• to show that we treated you fairly;

• to keep records required by law to comply with our legal and regulatory obligations.

We will not retain your data for longer than necessary for the purposes set out in this notice.

If we assess that you do not meet the criteria for joining the potential group claim, any Identity Data, Contact Data or Group Claim Data collected via questions on our Website will not be retained.

It is sometimes necessary for us to share your personal data outside the UK e.g.

• with your and our service providers located outside the UK; or

• if you are based outside the UK.

We will ensure the transfer complies with relevant data protection law by ensuring that e.g.:

• the country to which the personal data is being transferred is subject to an adequacy regulation further to Article 45 of the UK GDPR i.e. it has been decided by the UK government that the particular country ensures an adequate level of protection of personal data;

• the transfer is necessary for the performance of a contract between you and us further to Article 49 of the UK GDPR;

• the transfer is necessary to establish, exercise or defend legal claims further to Article 49 of the UK GDPR;

• there are appropriate safeguards in place between us and the organisation receiving it together with enforceable rights and effective legal remedies for you (e.g. by the use of approved data protection contractual terms); or

• you have provided explicit consent to the proposed transfer after being informed of any potential risks under Article 49 of the UK GDPR.

Where we transfer your personal data outside of the UK, we do so on the basis of an adequacy regulation or (where this is not available) by way of legally-approved standard data protection clauses recognised or issued further to Article 46(2) of the UK GDPR. In the event that we cannot or chose not to continue to rely on either of those mechanisms at any time, we will not transfer your personal data outside the UK unless we can do so on the basis of an alternative mechanism or exception provided by data protection law and reflected in an update to this privacy notice.

Any changes in the transfer mechanisms we rely on to transfer personal data internationally will be notified to you in accordance with the section: ‘Changes to this privacy policy’ (see below).

Please contact us (see below: ‘How to contact us’) if you want further information on the specific mechanism used by us when transferring your personal data outside of the UK.

You have the following rights, which you can exercise free of charge:

• Access: The right to be provided with a copy of your personal data.

• Rectification: The right to require us to correct any mistakes in your personal data.

• To be forgotten: In certain situations, the right to require us to delete your personal data.

• Restriction of processing: In certain situations, the right to require us to restrict processing of your personal data e.g. if you contest the accuracy of the data.

• Data portability: In certain situations, the right to ask us to transfer any personal data you provided to us to another organisation.

• To object: The right to object in certain situations to our continued processing of your personal data e.g. where processing is carried out for the purpose of our legitimate interests unless there are compelling legitimate grounds for the processing to continue or the processing is required for the establishment, exercise or defence of legal claims.

• Not to be subject to automated decision making: The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you.

• To withdraw consent: If you have provided us with a consent to use your personal data you have a right to withdraw that consent easily at any time. To do this, please telephone, email or write to us (see below: ‘How to contact us’). Withdrawing a consent will not affect the lawfulness of our use of your personal data in reliance on that consent before it was withdrawn.

For further information on each of those rights, including the circumstances in which they apply, please contact us or see the Guidance from the Information Commissioner’s Office (ICO) on individuals’ rights.

If you would like to exercise any of those rights, please email, write or telephone our Privacy Officer (see below: ‘How to contact us’) and let us have enough information to identify you e.g. your full name and address as well as what right you want to exercise and the personal data to which your request relates.

We have put in place reasonable and appropriate security measures to endeavour to prevent personal data from being accidentally lost or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

For users of our Website, unfortunately, the transmission of information via the internet is never completely secure. We cannot therefore guarantee the security of your data transmitted via our Website; any transmission is at your own risk. Our Website may, from time to time, contain links to and from other websites. If you follow a link to any of these websites, please note that these websites will have their own privacy policies and we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a data security breach where we are legally required to do so.

We hope that we can resolve any query or concern you may raise about our use of your personal data. If you want to complain about how we have used your personal data, please email or write to our Privacy Officer (see below: ‘How to contact us’). However, if we are not able to resolve your complaint to your satisfaction, you can complain to UK’s data protection authority, the Information Commissioner’s Office (ICO). Further information about how to make a complaint to the ICO can be found on the ICO website www.ico.org.uk.

We may change this privacy notice from time to time and when we do so, we will inform you via our Website. If any changes are likely to have an adverse impact on your rights under data protection law, we will use reasonable endeavours to notify you of the changes in advance in writing or by alternative means.

Please contact us by email, post or telephone if you have any questions about this privacy notice or the information we hold about you.

Our contact details are shown below:

• Trethowans LLP , 1 London Road, Salisbury, Wiltshire, SP1 3HP. Telephone 01722 412512

• Sarah Wheadon - Privacy Officer. gdpr@trethowans.com, The Pavilion, Botleigh Grange Business Park, Hedge End, Southampton SO30 2AF , Telephone 023 8032 1000

If you would like this notice in another format (for example large print) please contact us (see above: ‘How to contact us’).