Code of Practice
Chapter 14: Data Protection
Notaries are data controllers and must comply with the obligations of a data controller under data protection legislation, particularly with regard to the collection and retention of sensitive personal data. Notaries must also comply with the obligation under data protection legislation to register with the Information Commissioner’s Office and to provide accurate information with regard to the nature of their notarial practice.
Notaries should be aware of the distinction between personal data and sensitive personal data. Sensitive personal data includes a person’s racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, physical or mental health or condition, and the commission or alleged commission by him of any offence.
The provision of notarial services may involve the processing of sensitive personal data as well as personal data by the inclusion of those data in a notarial act or as part of the notary’s file record.
Notaries must comply with the data protection principles and generally with data protection legislation.
Notaries must implement adequate procedures to keep personal data secure.
- The data protection principles are observed by notaries in the conduct of their practices.
- Data subjects’ personal data that are processed by notaries are properly safeguarded from unauthorised disclosure.
- Data subjects using the services of a notary are aware of what personal data are collected and retained by the notary for the provision of the service requested, how that information is to be stored, for what period, and to whom it may be made available.
- You have a transparent data protection policy appropriate to the nature and size of your notarial practice.
- You obtain the consent of the data subject to the collection, processing and storage of personal data.
- You only obtain personal data for one or more specified and lawful purposes, and do not further process those data in any manner incompatible with that purpose or those purposes.
- You permit data subjects to access information in relation to your processing of their personal data promptly and without charging a fee in excess of the maximum fee prescribed by the Information Commissioner’s Office.
- The personal data that you process in respect of a data subject are adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- You implement appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- You publish a privacy statement or a data protection policy on your website, or otherwise provide this statement or policy to clients.
- You have suitable contracts in place with third parties who process personal data on your behalf.
- You process a client’s personal data inaccurately.
- Your records are not kept in a manner that permits you to verify what personal data you retain about a particular data subject and, where necessary, that these data are kept up to date.
- You use clients’ personal data for direct marketing without obtaining express consent.
- You fail to register with the Information Commissioner’s Office.
- You permit personal data to be transferred, including through “cloud” storage, to a country or territory outside the European Economic Area without verifying that that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.