Code of Practice
Chapter 15. Data Protection
Notaries are data controllers and must comply with the obligations of a data controller under the Data Protection Act 2018 (the Act), particularly with regard to the collection and retention of special categories of personal data and criminal records. Notaries must also comply with the obligation under the Act to register with the Information Commissioner’s Office and to provide accurate information with regard to the nature of their notarial practice.
A notary’s clients have the right to know what personal data is being processed, collected and retained.
Notaries should be aware of the distinction between personal data and special categories of personal data. The term “Special categories of personal data” includes a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health or condition, processing of genetic or biometric data, data concerning sex life or sexual orientation and the commission or alleged commission of any offence.
The provision of notarial services may involve the processing of special categories of personal data as well as personal data by the inclusion of those data in a notarial act or as part of the notary’s file record.
Notaries must comply with the data protection principles and generally with the Act.
Notaries must implement adequate procedures to keep personal data secure.
Notaries should inform clients how their personal data will be collected and processed.
- The data protection principles are observed by notaries in the conduct of their practices.
- Data subjects’ personal data that are processed by notaries are properly safeguarded from unauthorised disclosure.
- Data subjects using the services of a notary are aware of what personal data are collected and retained by the notary for the provision of the service requested, how that information is to be stored, for what period, and to whom it may be made available.
- You have a transparent data protection policy appropriate to the nature and size of your notarial practice
- You obtain,where necessary, the consent of the data subject to the collection, processing and storage of personal data or otherwise rely on one or more lawful grounds for processing
- You only obtain personal data for one or more specified and lawful purposes, and do not further process those data in any manner incompatible with that purpose or those purposes
- You permit data subjects to access information in relation to your processing of their personal datapromptly and without charging a fee
- The personal data that you process in respect of a data subject are adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed
- You implement appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
- You publish a privacy statement or a data protection notice on your website, or otherwise provide this statement or notice to clients
- You maintain a record of processing activities as required by the Act
- You have a personal data retention and destruction policy
- You have suitable contracts in place with third parties who process personal data on your behalf
- You process a client’s personal data
- Your records are not kept in a manner that permits you to verify what personal data you retain about a particular data subject and, where necessary, that these data are kept up to date.
- You use clients’ personal data for direct marketing without consent or another lawful ground.
- You fail to register with the Information Commissioner’s Office.
- You permit personal data to be transferred, including through “cloud” storage, to a country or territory outside the European Economic Area without consent of the client or without verifying that that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data or without a suitable contract with the recipient.
- You store either manual or electronic personal data insecurely.