- We keep to a minimum the information we hold about you
- We use your data to arrange your travel, asset movements, respond to your enquiries, manage our relationship with you, meet our legal obligations, and improve our website
- We delete your data when it is no longer needed for these reasons
- We do not trade your data.
- We do not give your information to third parties without your consent, but there are three exceptions.
- You have lots of privacy rights
- We do not process your data outside of the European Economic Area (EEA) unless necessary for the performance of a contract.
- We are happy to answer questions — contact us
- This page was last updated on 25th May 2018
Information we hold about you
If you contact us we will hold the following information about you
- Your name, identity and contact information
- Information about your business activities
- Information and documents about your enquiries, including communications with you
We also generate log files from various servers: this will include an IP address assigned to you or, more likely, to someone who provides you with Internet access.
All our client-facing platforms are accessible via Tor, and you can access this site on Tor (v2 or v3). If you do not want us to see your actual IP address, feel free to visit us via Tor.
Using your data
References to the basis of processing are a reference to the article of the General Data Protection Regulation under which we undertake the processing in question.
Dealing with your enquiry
If you give call us or make contact via our website or by email, we will follow up on your enquiry and see if there is a way in which we can help you.
We keep a record of enquiries received, to help us plan our business strategy and check that we are offering what potential clients want.
(Processing is necessary for the performance of a contract – Basis: Article. 6(b): this is necessary to deliver the service to you.)
Our collection methods are:
- Through engagement (or potential engagement) of our services
- Enquiries via our office, website or booking system
- By communications, including email, telephone, post or social media
- Through engagement of service providers
- Via third parties and/or publicly available resources
We use a fully encrypted document service to send personal and sensitive data.
Day to day phone calls are not encrypted.
We have put in place commercially reasonable and appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
If you have particular security requirements, please contact us to discuss how we can support you.
Information Technology data
We use the logs from our servers to assist in our firm’s security, as well as to determine visitor patterns to the SDI website (e.g. such as working out which pages on the site are most popular, or whether a news event has caused an increase in traffic).
Basis: Article 6(f): processing is necessary for the purposes of the legitimate interests pursued by SDI, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. (The data is not used to identity you)
Your personal data and the EEA
We do not transfer or process personal data outside the European Economic Area (EAA) unless we have your explicit consent or where the nature of the processing requires it (for example, where we are emailing a party to your matter who is based outside the EEA, or because you have chosen to use an email or other communications service which routes data outside the EEA).
Your privacy rights
You have lots of privacy rights in respect of our processing of your personal data.
Click on privacy rights for more detailed information.
You also have the right to lodge a complaint about our processing with a supervisory authority — you probably want the UK’s Information Commissioner’s Office
We do not trade your personal information and as a general principle, we will not transfer your personal data to third parties without your permission.
There are three exceptions to this:
- If you do not pay your bills, we may choose to engage a third party to recover any money you owe us. We’ve never done this, but we want to keep this option open to us.
- It is possible, though unlikely, that we might be forced to disclose your information in response to a court order or other binding mandate.
- We also have a small number of companies providing services to us. We use a call handling centre, which would get to see and to record your telephone number, name and message that you decide to leave operated by MoneyPenny, our online booking system is operated by LimoAnywhere, WolrdPay is used to process credit card bookings by Pay By Link or Stripe to obtain credit card payments, telephony services, which would get to see your phone number if we call you, and a broadband supplier which could see your email address (but not the content of what you send us, if you encrypt it). We also use an external accountancy service but, unless you are a sole trader or a partnership, they are unlikely to see any personal data relating to you.
All of our third party service providers are required to take commercially reasonable and appropriate security measures to protect your personal data.
We only permit our third party service providers to process your personal data for specified purposes and in accordance with our instructions.
Deletion and retention periods
- Data about clients: duration of your relationship with us, then seven years
- Enquiry data: duration of enquiry, then 7 days
- Data about specific matters: duration of the matter, then seven years
- Server logs: up to one year
When assessing what retention period is appropriate for your personal data, we take into consideration:
- The requirements of our business and the services provided;
- Any statutory or legal obligations;
- The purposes for which we originally collected the personal data;
- The lawful grounds on which we based our processing;
- The types of personal data we have collected;
- The amount and categories of your personal data; and
- Whether the purpose of the processing could reasonably be fulfilled by other means.
Subject Access Requests
We strive to be as open as we can be in terms of giving people access to their personal data. A Subject Access Request under the GDPR is your right to request a copy of the information that we hold about you. Such requests must be in writing to the contact us details provided in this policy. If we do hold your personal data we will respond in writing without undue delay and within one calendar month of your request (where that request was submitted in accordance with this policy).
The information we supply will:
- Confirm that your data is being processed;
- Verify the lawfulness and the purpose of the processing;
- Confirm the categories of personal data being processed;
- Confirm the type of recipient to whom the personal data have been or will be disclosed, and
- Let you have a copy of the data in an intelligible form.
Please note that you may need to provide identification in order to prove who you are to access your data.
If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
In the instance that we do not hold information about you we will also confirm this in writing at the earliest opportunity.