Data Protection Policy

(September 2025)

1. Introduction to Data Protection

These are the details of my policy on personal privacy and data protection, including my obligation to comply with the Data Protection Principles contained in the General Data Protection Regulation (GDPR) and the Data (Use and Access) Act 2025 to protect the personal privacy of all living people. Sometimes I will be acting as a Data Controller, and at other times I will be acting as a Data Processor with regard to the data that I possess due to my professional services. In each case it will depend on the way in which I am using the data and the reason for its use.

Data Protection Supervisor

If you have any questions or need information on anything to do with data protection, please contact me by email at katie@katiefinch.com.

What is Data Protection?

In simple terms, data protection is the protection of information about living people. This information can be created and kept in many forms - for example, on computer (such as emails), paper, CCTV, photographs, phones, and many others; it covers both facts and opinions about people.

What is the General Data Protection Regulation and the Data (Use and Access) Act 2025?

The GDPR and the Data (Use and Access) Act 2025 impose obligations on businesses that hold personal information and give rights to individuals whose data is held. The Information Commissioner oversees and enforces these regulations in the UK.

2. Data Protection Policy

1. Collection and use of personal data

For each category of data I collect, the following sets out how it is collected, the purpose of collection, and the lawful basis for processing.

Identity Data: forenames, last name, email address
  How this is collected: Direct interaction, or you submit the information on my website to sign up to my newsletter
  Purpose of collection: To initially engage with you to discuss your legal requirements
  Lawful basis for processing: Consent

Contact Data: business address, email address, telephone number, VAT number
  How this is collected: Direct interaction
  Purpose of collection: To continue our work together, and submit my invoice for work done
  Lawful basis for processing: Performance of a contract with you

Know-Your-Customer Data: copy of passport or ID card, other letters or bills addressed to you
  How this is collected: Direct interaction
  Purpose of collection: It is a legal and regulatory requirement for a lawyer in England and Wales to complete basic Know Your Customer identity checks
  Lawful basis for processing: Performance of a contract with you; to comply with a legal obligation

Profile Data: enquiries, survey responses
  How this is collected: Direct interaction
  Purpose of collection: To improve the services I offer to my clients
  Lawful basis for processing: Legitimate interest

Matter-specific Data: file notes covering your legal instructions and the progress of your matter
  How this is collected: Direct interaction
  Purpose of collection: Lawyers maintain file notes of their interactions with their clients in order to effectively manage the matter - this is a regulatory and best practice requirement
  Lawful basis for processing: Legitimate interest; performance of a contract with you


2. Security of Personal Information

I will:

-       Take positive steps to prevent the accidental, improper, or deliberate disclosure, misuse, or loss of personal information and prevent unauthorized access to it.

-       Limit the disclosure of and access to personal information to those who have a business need to access the information.

3. Disclosure of personal information to others

I will:

-       Not disclose personal information relating to individual contacts at client companies, business contacts, employees, consultants, agents, and contractors without the individual’s consent.

-       Ensure that where any person or organisation processes personal information on my behalf (such as a marketing agency, legal secretary, or IT service provider), a written agreement is in place with them requiring them to:

        -   Process the personal information only in accordance with my instructions;

        -   Maintain adequate information security; and

        -   Take reasonable steps to ensure staff who have access to the information are reliable.

4. Disclosure of personal information outside the EEA

I will either:

-       Make sure that personal information is not transferred, whether directly or indirectly, to any country outside the EEA;

-       Make sure that the data subject(s) concerned has/have consented to the transfer of the information; or

-       Make sure that an agreement has been entered into with the organisation the data is being transferred to, based on the EU standard model clauses, or that the transfer is covered by the EU-US or EU-Swiss Privacy Shield Framework.

I will use a secure cloud storage service for document sharing and storage related to your legal matters. That service employs advanced security measures, including encryption and access controls, to protect your data from unauthorised access, disclosure, alteration, and destruction.

5. Subject Access Requests

A person on whom I hold information has the right to be informed of this and to have a copy of the information, subject to a few limited exceptions. He or she must make a written request (which can be by email). Because all personal information is potentially disclosable to the person to whom it relates, I should bear this in mind when recording expressions of opinion about people and ensure that I can justify what I write (e.g., in interview notes or in emails). If his/her personal information is being processed, the individual will be provided with (subject to limited exceptions):

-       A copy of the data

-       The source of the data

-       The purposes for which the data is being processed

-       To whom it may be disclosed

-       An explanation of any unintelligible codes or rating systems.

Compliance with the subject access request is not required where I have complied with an identical or similar request of the data subject in the 6-month period prior to the new request and the data held has not changed substantially in that period. The response to the subject access request should be made promptly and be made no more than one calendar month from receipt of the request.

6. Data Retention

It is my practice to maintain all client data for 6 years from the date I close the matter. Where potential clients make queries that do not lead to a contractual engagement, I will maintain that data for up to 2 years before deleting it. This helps me to create a fuller picture of the industries contacting me about my legal services.

7. Your "Right to be Forgotten"

At any time, you may request that your details are deleted from my files. Please note, however, that I may not always be able to delete the data for specific legal reasons which will be notified to you, if applicable, at the time of your request.

8. Future Developments

The law and practice in relation to data protection is still evolving. This will be reflected, so far as necessary, by amendments to this Policy. If material changes are made, you will be notified.


Glossary

Data Controller 

is a person who either alone, or jointly with other people, gives instructions as to what should happen to personal information and how it is to be processed.

Data Processor

means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Data Subject 

means an individual to whom the personal information relates.

Personal Data or Personal Information 

means any information that relates to a living individual (not companies). It includes information by which that individual can be identified and includes facts and expressions of opinion about individuals.

Process/processing/processed

means almost anything that can be done to personal information - including collecting, recording, storing, transferring, amending, using, holding and destroying the information.

Sensitive Personal Data or Sensitive Personal Information 

means any information relating to an individual's:

(a) racial or ethnic origin;

(b) political opinions;

(c) religious beliefs;

(d) trade union membership;

(e) physical or mental health conditions;

(f) sexual life;

(g) criminal offences.

(Please note that there are additional restrictions on how this type of information can be used.)

Subject Access Request

means a written request by a data subject made to a Data Controller, who must:

-       inform him whether it has processed or is processing any information concerning him;

-       describe the personal information, the source of the personal information, the purpose for which it is used and any third parties who receive the personal information; and

-       provide the individual with a copy of the personal information except in certain limited circumstances.