Privacy notice: customers and employees of clients


We are solicitors, and we provide our clients with legal advice on a range of topics, including trying to resolve disputes and complaints before they turn into litigation, as well as helping them handle requests made under the data protection framework (such as requests for access to personal data, or for erasure). This notice applies to the data we process about customers or employees of clients (or someone else whose data we are processing to advise our client).

  • We keep to a minimum the information we hold about you
  • We use your data to provide services to our clients, and meet our legal obligations
  • We delete your data when it is no longer needed for these things
  • Generally, we do not give your information to third parties, but there are some exceptions
  • You have some privacy rights, but not as many as you might have in other situations
  • We take security seriously
  • You can ask us questions about our processing, but we may not be able to answer you

This page was last updated on 22nd February 2021, to change references to the EEA to the UK

What data we hold

The information we hold inevitably depends on the advice we are being asked to give. It commonly includes:

  • Name and contact information
  • Details of the complaint or question, and correspondence history
  • Background information (such as account notes / product holding and usage information / billing and payment information if you are a customer, or employment / performance records if you are an employee)

Using your information

References to the basis of processing (e.g. "(Basis: Art. 6(f).)") refer to the article of the General Data Protection Regulation under which we undertake the processing in question.

  • Advise our client: We use the information we hold about you to give our client the best legal advice and service we can. This often includes reading through all the materials, working out what has happened and what needs to be done, and often writing a response for them to send on to you.

(Basis: Art. 6(1)(f): this is necessary for our client's legitimate interests.)

  • Keep records of our advice: We keep records of our advice, to help us deal with follow-up questions, and also so we can demonstrate to our clients that we have given them the correct advice if they ask in the future.

(Basis: Art. 6(1)(f): this is necessary for our own legitimate interests.)

  • Fulfil our legal and regulatory obligations: As solicitors in a regulated law firm, we have a whole host of professional regulatory obligations. If we have to process personal data to fulfil them (for example, if our regulator, the Solicitors Regulation Authority, demanded information) we will do so.

(Basis: Art. 6(1)(c): we have to do this processing to comply with legal and regulatory obligations.)

Your data and the UK

We do not transfer or process data outside the UK.

Occasionally, to provide a high quality of service, we may work on our clients' matters when we are outside the UK (for example, when on business or even if we are on holiday). If we do this, your data will be stored securely on our devices (which all have full disk encryption), and any access back to our servers in the UK will be encrypted.

Your rights

The data protection framework gives you lots of rights in respect of processing of your personal data, but then it takes some away again where the processing relates to the giving of legal advice. The relevant remaining rights are:

  • you can object to our processing for the purpose of giving our clients legal advice, and we would balance your interests against our interests and the relevant client's interests, but this does not apply where the processing is necessary "for the establishment, exercise, or defence of legal claims".
  • you can ask us to correct inaccurate data we are processing about you. But you probably will not know what this is, or even that we are processing your data, since this processing falls outside the scope of the rights of transparency and access.
  • in some situations, you have the right to require us to erase your personal data or to restrict our processing of it, but this does not apply where the processing is necessary "for the establishment, exercise, or defence of legal claims".

If you want to exercise any of these rights, please just contact us.

You also have the right to lodge a complaint about our processing with a supervisory authority — you probably want the UK's Information Commissioner's Office.

Third parties

As a general principle, we will not transfer your personal data without your permission to anyone other than the client to which the processing relates.

There are two exceptions to this:

  • It is possible, though unlikely, that we might be forced to disclose your information in response to a court order or other binding mandate.
  • As solicitors, we have professional duties, including to co-operate with our regulator, the Solicitors Regulation Authority. We will still try to minimise any sharing of your personal data.

Technical security

All our computers are full-disk encrypted, as are our phones and tablets.

Our preference is to use PGP/GPG-encrypted email, but not all of our clients use this. We still offer opportunistic TLS encryption on our mail servers, so even if your data are not end-to-end encrypted, they are still likely to be encrypted in transmission between us and our client.

We have a secure document transfer portal, which we use to transfer data which is either too sensitive or too large for email.

"Normal" phone calls are not encrypted.

Retention periods

Data about clients' matters (e.g. records of advice): duration of the client's relationship with us, then seven years