Data Protection Act 2018 and GDPR Privacy Notice for Clients and Third Parties

1. Introduction

The EU’s General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 both apply from 25 May 2018.

We are sending you this privacy notice to ensure transparency regarding our client data in terms of what information is held, how it is stored, why we hold it, and what we do with it. This notice tells you what we do with your personal information when you make contact with us or use one of our services.

2. Personal information

In providing you with legal advice, we will process and store your personal information, which may include special category data such as health details. We have legal and professional obligations to keep your personal information and special category data confidential. We comply with UK and EU data protection laws and with the Solicitors Regulation Authority rules on client and data confidentiality.

3. Securing information

We are committed to keeping your personal information secure. We have put in place physical, electronic and operational policies and procedures designed to safeguard and to secure the information we collect and hold.

4. What information do we hold about you?

The information we hold about you may include personal information and special category data. It will typically include:

  • Your name, address, phone number/s, email address/es;
  • Identifiers such as date of birth; National Insurance, passport, visa, driving licence numbers; photographs or other digital images;
  • Financial details to include bank details, mortgage account, means questionnaire;
  • Names of and other personal information on your family and relationships;
  • Details of your property;
  • Social media information;
  • Special category and (in some cases) criminal conviction data including health records, Trade Union membership, political affiliations, sexuality, ethnic origin, criminal records.

We do not provide services directly to children or proactively collect their personal information. However, we are sometimes given information about children while handling a matter. The information in the relevant parts of this notice applies to children as well as adults.

5. Where has the data come from?

The data we hold will have come from:

  • you, in person, by telephone, by email, by SMS/text, or from your use of our website, through your initial enquiry, request for a quote or initial instructions, when we deal with your matter, or when you subscribe to our e-newsletter;
  • an intermediary, such as a financial advisor or a claims management company, who refers you to us;
  • another firm that transfers your file to us;
  • a client who names you as a joint party in a matter or other transaction;
  • a client who has named you as a witness in their matter.

It is very important to ensure that we hold up to date information, so please remember to tell us about any of the following as soon as possible:

  • changes of personal circumstances, such as relationship status or the birth of children;
  • changes of name or address;
  • change of contact details including mobile phone number and email address;
  • bank details.

6. What will we do with your data?

We will process your data only for the purpose of providing you with the legal services described in the enclosed client care letter. If the scope changes, we will tell you. With your consent, we may also use the data for advising you of our other products and services which we think may be of interest to you.

We will never sell your personal data to anyone.

7. Who is the data shared with and why?

We may share information about you:

  • within the firm to enable us to deal with your matter effectively and efficiently;
  • with other law firms acting for other parties in the same matter;
  • with counsel;
  • with experts;
  • with our outsourced providers including for example our externalized processing function, accounts function, IT consultant, risk and compliance consultant;
  • with an external insurer, for example if certain types of insurance are required as part of your matter;
  • with the intermediary who introduced you to us including for example a financial advisor, claims management company;
  • with law enforcement agencies where required, for example under a Court order.

This may involve them handling your personal information. The firm requires all third parties to sign a confidentiality and compliance document to confirm that your data is protected.

8. What is the lawful basis for processing your data?

The legal bases we rely on to process your personal data are as follows:

  1. Performance of our contract with you under article 6(1)(b) GDPR;
  2. Compliance with a legal obligation to which we are subject, under article 6(1)(c) GDPR;
  3. Consent under article 6(1)(a) GDPR, where you have given consent to the processing of your personal data for one or more specific purposes as listed in our Consent Form. Otherwise, we rely on (1) and (2).

If the information you provide to us contains special category data, such as health, religious or ethnic information, the legal bases in GDPR we rely on to process it are:

  • Consent under article 9(2)(a);
  • Establishment, exercise or defence of legal claims under article 9(2)(f);
  • Consent for processing information relating to criminal convictions under Data Protection Act 2018 Schedule 1 Part (3)(29).

9. Transfer of data to third countries

Whilst we store our data in the United Kingdom (or the European Economic Area, to which equivalent protections apply) we will, with your consent, transfer your data to third countries if your matter requires. For example, if you are a resident of China, we will email you there. You must be aware that third countries do not offer the same degree of protection as the UK and in particular email correspondence might be subject to government surveillance or other interception or monitoring. We are not responsible for data security in third countries. If requested we will agree suitable password protection for email correspondence.

10. Your Data Protection Rights

Under data protection law, we need to tell you about your rights. Those available to you depend on our reason for processing your information:

  • Right of access – you can ask for copies of your personal information. There are some exemptions, which means you may not always receive all the information we process;
  • Right to rectification – you can ask us to rectify information you think is inaccurate, or incomplete;
  • Right to erasure – in certain circumstances, you can ask us to erase your personal information;
  • Restriction of processing – in certain circumstances you can ask us to restrict processing to specified activities;
  • Objection to processing – for example to direct marketing;
  • Data portability – you can ask us to transfer the information you gave us to another firm, or to give it to you.

11. Keeping information

We will keep your information for only as long as necessary and in accordance with UK and EU law. We will retain your file for at least 7 years. Even if your matter does not complete, the Money Laundering Regulations 2017 require us to keep evidence of your identity, with supporting documentation, for 5 years after we complete our work for you.

12. Technical and Organisational Security Measures

We take great care of our clients’ data. We have robust data protection and information security policies. Our database is encrypted, and backed up frequently. All our systems are password-protected, with appropriate anti-virus and other security measures. Access is on a need-to-know basis only. We do not set out bank details in emails.

13. Your Right to Complain

We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact our Data Protection Officer at and we’ll investigate and respond in accordance with our complaints procedure.

If you remain dissatisfied, you can complain about the way we process your personal information to the Information Commissioner. You should do this within three months of our response.

You can contact the Information Commissioner’s Office:

By phone: 0303 123 1113 or 01625 545745

By email or live chat on the ICO website:

By post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

You should also write to our Data Protection Officer if you would like a copy of the personal information we hold about you, or to ask us to correct any inaccurate information, or to remove (where justified) your personal information from our records.

Cheval Legal Limited