Privacy Notice Template
How We Use Your Personal Information
─────────────────────────────────────
E-Solicitors Marketplace
─────────────────────────────────────
Version 1.0 - January 2026
England and Wales
Guidance for Solicitors
- Under the UK GDPR, you must provide individuals with specific information about how you process their personal data. This is typically done through a Privacy Notice. Failure to provide adequate information is a breach of data protection law.
Purpose of This Template
This template provides a comprehensive Privacy Notice for solicitors' firms. It covers:
Information required under Articles 13 and 14 of the UK GDPR
Categories of personal data processed
Lawful bases for processing
Data sharing and international transfers
Retention periods
Individual rights
Support for vulnerable clients exercising rights (SRA Rules 3.4, 6.2)
Accessibility and alternative formats (Equality Act 2010)
Legal Requirements
ℹ UK GDPR Article 13: Where personal data is collected from the data subject, the controller shall provide specified information at the time the data is obtained.
ℹ UK GDPR Article 14: Where personal data has not been obtained from the data subject, the controller shall provide specified information within a reasonable period.
When to Provide This Notice
The Privacy Notice should be provided:
On your website (prominently accessible)
At the point of collecting personal data
In your Client Care Letter or Terms of Engagement (by reference)
On request from any individual
In alternative formats where required (Equality Act 2010)
How to Use This Template
Review and adapt all sections for your firm's actual practices
Complete all variable fields with your firm's specific details
Delete sections that don't apply to your firm
Remove all DRAFTING NOTES before publishing
Have the notice reviewed by someone with data protection expertise
Publish on your website and keep updated
Make available in alternative formats for clients who need them
Privacy Notice
[DRAFTING NOTE: Add firm branding/logo. Complete all variable fields. Review all sections to ensure accuracy for your firm.]
─────────────────────────────────────
Firm Name:
[Enter full legal name of firm]
Last Updated:
[Enter date]
─────────────────────────────────────
This Privacy Notice explains how we collect, use, store, and protect your personal information. Please read it carefully.
1. Who We Are
1.1 Data Controller
We are the 'data controller' for the personal information we process. This means we are responsible for deciding how we hold and use your personal information.
Firm Name:
[Enter full legal name]
Trading Name (if different):
[Enter trading name or delete]
Registered Office / Address:
[Enter address]
Company Number (if applicable):
[Enter company number or N/A]
SRA ID Number:
[Enter SRA ID]
1.2 Contact Details
If you have any questions about this Privacy Notice or how we handle your personal information, please contact us:
Data Protection Contact:
[Enter name or 'Data Protection Officer']
Email:
[Enter email address]
Telephone:
[Enter telephone number]
Postal Address:
[Enter address]
1.3 Our Regulatory Status
We are authorised and regulated by the Solicitors Regulation Authority (SRA). You can verify our status at www.sra.org.uk.
We are also registered with the Information Commissioner's Office (ICO) as a data controller:
ICO Registration Number:
[Enter ICO registration number]
1.4 FCA Regulation (If Applicable)
[DRAFTING NOTE: Include ONLY if you conduct FCA-regulated activities. Delete if not applicable.]
We are also authorised/regulated by the Financial Conduct Authority for certain activities. Our FCA registration number is:
[Enter FCA number if applicable]
You can verify our status at www.register.fca.org.uk.
2. Accessibility and Support
2.1 Alternative Formats
In accordance with the Equality Act 2010, this Privacy Notice is available in alternative formats on request, including:
Large print
Audio format
Easy read
Other languages
Please contact us if you would like this information in a different format.
2.2 Support for Vulnerable Clients
If you have any particular needs or circumstances that may make it difficult for you to understand this notice or exercise your rights, please tell us. In accordance with SRA Code Rules 3.4 and 6.2, we will:
Provide additional time if you need it
Explain information in simpler terms
Allow a support person to assist you
Arrange interpreter or translation services if needed
Make reasonable adjustments to help you access your rights
2.3 Mental Capacity
If you lack mental capacity to understand this notice or exercise your data protection rights, these may be exercised on your behalf by:
An attorney under a Lasting Power of Attorney
A Court of Protection Deputy
In appropriate circumstances, a family member or carer acting in your best interests
We will apply the presumption of capacity in accordance with the Mental Capacity Act 2005.
2.4 Equality and Non-Discrimination
In accordance with SRA Principle 6 and the Equality Act 2010, we will not discriminate against you in how we handle your personal information regardless of:
Age, disability, gender reassignment, marriage/civil partnership
Pregnancy/maternity, race, religion/belief, sex, sexual orientation
3. Information We Collect About You
3.1 Categories of Personal Data
We may collect and process the following categories of personal information about you:
Identity Data - Full name, title, date of birth, gender, photograph, signature, National Insurance number
Contact Data - Address, email address, telephone numbers
Identification Documents - Passport, driving licence, utility bills, bank statements (for ID verification under MLR 2017, LSAG 2025, ECCTA 2023)
Financial Data - Bank account details, payment information, income details, credit history
Transaction Data - Details of payments to and from you, details of legal services provided
Professional Data - Employer, job title, professional qualifications, work contact details
Technical Data - IP address, browser type, device information, login data, website usage
Communications Data - Emails, letters, call recordings, meeting notes, file notes
Marketing Data - Your preferences for receiving marketing, communication preferences
3.2 Special Category Data
Some of the information we process may be 'special category' personal data, which requires additional protection. This includes information about:
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data (for identification purposes)
Health data
Sex life or sexual orientation
We may also process information relating to criminal convictions and offences.
[DRAFTING NOTE: Only include special category data types that you actually process. Delete those that don't apply.]
3.3 Information About Others
In the course of providing legal services, we may receive personal information about people other than our client, such as:
Family members (e.g., in family law or estate planning matters)
Witnesses
Other parties to a transaction or dispute
Beneficiaries
Employees (in employment matters)
If you provide us with information about other people, you should ensure they are aware of this Privacy Notice.
4. How We Collect Your Information
4.1 Information You Provide
We collect most of the information we hold about you directly from you. This includes information you provide when you:
Instruct us to provide legal services
Complete our client onboarding forms
Provide identity verification documents
Correspond with us by email, letter, telephone, or in person
Complete surveys or provide feedback
Register on our website or portal
Attend our events or seminars
Subscribe to our newsletters or publications
4.2 Information from Third Parties
We may also receive information about you from third parties, including:
Other solicitors or professionals - Information about your matter from other advisers involved
Courts and tribunals - Court documents, judgments, orders
Government agencies - Land Registry, Companies House, HMRC (where authorised)
Credit reference agencies - Credit checks (for AML purposes)
Identity verification services - Electronic ID verification results
Sanctions screening providers - PEP and sanctions checks
Other parties to your matter - Correspondence and documents from the other side
Your employer - If your employer instructs us on your behalf
Insurance companies - Policy details, claims information
Banks and lenders - Mortgage details, account information
4.3 Information from Public Sources
We may collect information about you from publicly available sources, including:
Companies House
Land Registry
Register of Overseas Entities (ECCTA 2023)
Court records
Electoral register
Professional registers
Social media profiles (where relevant to your matter)
News articles and publications
5. Why We Use Your Information (Purposes)
5.1 Providing Legal Services
Our primary purpose for processing your personal information is to provide you with legal services. This includes:
Advising you on legal matters
Preparing legal documents
Conducting legal research
Corresponding with other parties
Attending court or tribunal hearings
Negotiating settlements
Managing your matter
5.2 Other Purposes
We also use your information for the following purposes:
Client onboarding - Verifying your identity, conducting conflict checks, opening your file
Anti-money laundering - Conducting CDD under MLR 2017, LSAG 2025, ECCTA 2023, source of funds checks, ongoing monitoring
Billing and payments - Sending invoices, processing payments, recovering debts
Administration - Managing our relationship with you, file management, archiving
Communication - Keeping you informed about your matter, responding to enquiries
Marketing - Sending newsletters, updates, event invitations (with your consent)
Business development - Analysing our services, improving client experience
Training and quality - Supervising staff, quality assurance, file reviews
Risk management - Managing insurance, handling complaints, defending claims
Legal and regulatory compliance - Complying with SRA rules, FCA rules (where applicable), court orders, legal obligations
IT and security - Maintaining systems, preventing fraud, ensuring security
6. Legal Bases for Processing
6.1 Overview
Under data protection law, we must have a lawful basis for processing your personal information. The lawful bases we rely on are:
6.2 Contract
Processing is necessary for the performance of a contract with you, or to take steps at your request before entering into a contract.
Example: We process your information to provide you with the legal services you have instructed us to perform.
6.3 Legal Obligation
Processing is necessary for compliance with a legal obligation to which we are subject.
Example: We are required by the Money Laundering Regulations 2017, LSAG 2025, and ECCTA 2023 to verify your identity and keep records. We are required by the SRA to maintain client files.
6.4 Legitimate Interests
Processing is necessary for our legitimate interests or those of a third party, except where your interests or fundamental rights override those interests.
Our legitimate interests include:
Running our business efficiently
Providing high-quality legal services
Marketing our services (to existing and prospective clients)
Keeping our records updated
Managing risk and protecting our business
Defending legal claims
6.5 Consent
In some cases, we rely on your consent to process your personal information. Where we do so:
We will ask for your consent clearly and explain what you are consenting to
You can withdraw your consent at any time
Withdrawing consent does not affect the lawfulness of processing before withdrawal
Example: We will ask for your consent before sending you marketing communications (unless you are an existing client).
6.6 Legal Claims
Processing is necessary for the establishment, exercise, or defence of legal claims.
Example: We may process your information when advising you on litigation or when defending a complaint against us.
6.7 Special Category Data
Where we process special category data (such as health information), we rely on one of the following additional conditions:
Your explicit consent
Processing is necessary for the establishment, exercise, or defence of legal claims
Processing is necessary for reasons of substantial public interest
Processing relates to personal data you have manifestly made public
7. Who We Share Your Information With
7.1 Overview
We may share your personal information with third parties in certain circumstances. We will only share information where there is a lawful basis to do so and, where appropriate, with your knowledge or consent.
7.2 Categories of Recipients
We may share your information with the following categories of recipients:
Other parties to your matter - Other side's solicitors, counterparties - Progressing your matter
Courts and tribunals - County Court, High Court, Tribunals - Conducting litigation
Barristers and counsel - Barristers we instruct - Legal advice and representation
Expert witnesses - Medical experts, surveyors, valuers - Expert evidence
Government bodies - Land Registry, Companies House, HMRC - Registration, searches, compliance
Regulators - SRA, ICO, Legal Ombudsman, FCA (where applicable) - Regulatory compliance, complaints
Professional indemnity insurers - Our insurers, claims handlers - Insurance purposes, defending claims
Lenders and funders - Banks, mortgage companies - Your transaction
Service providers - IT, storage, verification, outsourcing - Business operations
Credit reference agencies - Experian, Equifax, TransUnion - AML checks, credit checks
Auditors and accountants - External auditors - Audit and accounts
Successors - Firms acquiring our business - Business transfers
7.3 Service Providers
We use third-party service providers to help us deliver our services. These may include:
IT and hosting providers
Cloud storage providers
Case management system providers
Electronic ID verification providers
Document signing platforms
Email and communication platforms
Payment processing services
Archiving and storage services
Transcription and translation services
Where we use service providers, we have contracts in place that require them to keep your information secure and confidential, and to only use it for the purposes we specify.
7.4 Legal Disclosure
We may disclose your information where required by law, including:
To comply with a court order or legal process
To respond to requests from law enforcement
To comply with regulatory requirements
To protect our rights, property, or safety, or that of our clients or others
To report suspected money laundering to the National Crime Agency (NCA)
7.5 Professional Obligations
- Our duties of confidentiality as solicitors are separate from (and additional to) our data protection obligations. Information protected by legal professional privilege will not be disclosed except in accordance with the law.
7.6 Tipping Off
- If we suspect money laundering or terrorist financing, we are required by law to report this to the National Crime Agency. We are prohibited from telling you if we have made such a report. 'Tipping off' is a criminal offence under the Proceeds of Crime Act 2002.
8. International Transfers
8.1 Overview
Your personal information may be transferred to, and processed in, countries outside the United Kingdom. This may occur because:
Your matter involves parties in other countries
We use service providers based in other countries
Our IT systems or storage are located in other countries
8.2 Safeguards
Where we transfer personal information outside the UK, we ensure that appropriate safeguards are in place to protect your information. These safeguards may include:
Transfers to countries that the UK government has determined provide adequate protection (adequacy regulations)
Use of standard contractual clauses approved by the UK government
Transfers to organisations that have binding corporate rules
Transfers to certified organisations under approved certification mechanisms
8.3 More Information
If you would like more information about international transfers and the safeguards in place, please contact us using the details in Section 1.
9. How Long We Keep Your Information
9.1 General Approach
We will keep your personal information for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, regulatory, accounting, or reporting requirements.
When determining how long to keep information, we consider:
The nature and sensitivity of the information
The potential risk of harm from unauthorised use or disclosure
The purposes for which we process the information
Whether we can achieve those purposes by other means
Legal, regulatory, and professional requirements
9.2 Retention Periods
The following table sets out our general retention periods:
Client matter files (general) - 6 years from file closure - Limitation period for most claims
Conveyancing files - 15 years from file closure - Title issues may arise later
Wills (original) - Indefinitely or until death/Will replaced - May be needed at any time
Probate files - 12 years from file closure - Administration period + limitation
Personal injury (adults) - 6 years from file closure - Limitation period
Personal injury (children) - Until 21st birthday + 6 years - Limitation runs from age 18
Family law files - 6 years from file closure - Limitation period
Criminal files - 6 years from file closure - Or longer if sentence ongoing
AML/CDD records - 5 years from end of relationship - MLR 2017, LSAG 2025 requirement
Billing and accounts - 6 years - Tax and limitation requirements
Marketing consents - Until consent withdrawn - GDPR / PECR requirements
9.3 After Retention Period
When your information is no longer required, we will securely delete or destroy it. In some cases, we may anonymise the information so that it can no longer identify you, in which case we may use this information indefinitely.
10. Your Rights
10.1 Overview
Under data protection law, you have certain rights in relation to your personal information. These rights are not absolute and may be subject to exemptions.
10.2 Your Rights Explained
Right of access - You can request a copy of the personal information we hold about you (a 'subject access request')
Right to rectification - You can ask us to correct any inaccurate or incomplete information we hold about you
Right to erasure - You can ask us to delete your personal information in certain circumstances (the 'right to be forgotten')
Right to restrict processing - You can ask us to restrict the processing of your information in certain circumstances
Right to data portability - You can ask us to provide your information in a structured, commonly used format so you can transfer it to another organisation
Right to object - You can object to processing based on legitimate interests or for direct marketing purposes
Right to withdraw consent - Where we rely on consent, you can withdraw it at any time
Right not to be subject to automated decision-making - You can ask not to be subject to decisions based solely on automated processing
10.3 Support to Exercise Your Rights
If you have any particular needs or circumstances that may make it difficult to exercise your rights, please tell us. In accordance with SRA Code Rules 3.4 and 6.2, we will provide support and make reasonable adjustments.
If you lack mental capacity to exercise your rights, these may be exercised on your behalf by an attorney under a Lasting Power of Attorney, a Court of Protection Deputy, or in appropriate circumstances, a family member or carer acting in your best interests (Mental Capacity Act 2005).
10.4 Exercising Your Rights
To exercise any of your rights, please contact us using the details in Section 1. We will respond to your request within one month. In some cases, we may need to extend this period by up to two months, in which case we will let you know.
We may ask you to verify your identity before responding to your request.
In most cases, there is no fee for exercising your rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive.
10.5 Exemptions
Some of these rights are subject to exemptions. For example:
We may not be able to delete information that we are required to keep by law
Legal professional privilege may apply to some information
We may need to retain information for the establishment, exercise, or defence of legal claims
10.6 Right to Complain
If you are unhappy with how we have handled your personal information, you have the right to complain to the Information Commissioner's Office (ICO):
ℹ Information Commissioner's Office: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF | Telephone: 0303 123 1113 | Website: www.ico.org.uk
We would, however, appreciate the opportunity to address your concerns before you contact the ICO, so please contact us first.
11. Complaints About Our Service
11.1 Our Complaints Procedure
If you are unhappy with any aspect of our service (including how we have handled your personal information), you can complain using our complaints procedure. Please contact:
[Enter complaints handler contact details]
11.2 Legal Ombudsman
If you are not satisfied with our response, you can complain to the Legal Ombudsman:
ℹ Legal Ombudsman: PO Box 6167, Slough, SL1 0EH | Telephone: 0300 555 0333 | Email: enquiries@legalombudsman.org.uk | Website: www.legalombudsman.org.uk
Legal Ombudsman Time Limits
- You must complain to the Legal Ombudsman within ONE YEAR of the act or omission being complained about AND within SIX MONTHS of receiving our final response to your complaint.
11.3 Financial Ombudsman Service (If Applicable)
[DRAFTING NOTE: Include ONLY if you conduct FCA-regulated activities. Delete if not applicable.]
If your complaint relates to FCA-regulated activities, you may be able to complain to the Financial Ombudsman Service:
ℹ Financial Ombudsman Service: Exchange Tower, London, E14 9SR | Telephone: 0800 023 4567 | Email: complaint.info@financial-ombudsman.org.uk | Website: www.financial-ombudsman.org.uk
12. Data Security
12.1 Our Commitment
We take the security of your personal information seriously. We have implemented appropriate technical and organisational measures to protect your information against:
Unauthorised or unlawful processing
Accidental loss, destruction, or damage
12.2 Security Measures
Our security measures include:
Encryption of data in transit and at rest
Secure access controls and authentication
Regular security assessments and testing
Staff training on data protection and security
Physical security of our premises
Secure disposal of confidential waste
Regular backups and disaster recovery procedures
Incident response procedures
12.3 Data Breaches
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly.
12.4 Your Responsibilities
You also have a role to play in keeping your information secure:
Keep your passwords confidential
Check that you are sending information to the correct recipient
Be vigilant about phishing and scam emails
Let us know if your contact details change
Verify bank details by telephone before making payments
- Fraudsters sometimes intercept emails and change bank details. Always verify payment details by calling us on a known number, not one provided in an email.
13. Changes to This Privacy Notice
13.1 Updates
We may update this Privacy Notice from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
13.2 Notification
If we make significant changes to this notice, we will notify you by:
Posting a prominent notice on our website
Sending you an email (if we have your email address)
Other appropriate means
14. How to Contact Us
14.1 Questions and Complaints
If you have any questions about this Privacy Notice or how we handle your personal information, please contact us:
Contact Name:
[Enter name]
Email:
[Enter email]
Telephone:
[Enter telephone]
Address:
[Enter address]
14.2 Subject Access Requests
To make a subject access request (to obtain a copy of the personal information we hold about you), please:
Contact us using the details above
Provide enough information for us to identify you
Describe the information you are requesting
We will respond within one month of receiving your request (and any information needed to verify your identity).
14.3 Information Commissioner's Office
If you are not satisfied with our response, you have the right to complain to the ICO:
ℹ Information Commissioner's Office: www.ico.org.uk | Telephone: 0303 123 1113
─────────────────────────────────────
Thank you for taking the time to read this Privacy Notice.
Firm Name:
[Enter firm name]
Date:
[Enter date]
Document Information
This Privacy Notice Template is issued by [Platform Name] for solicitors using the Platform.
Document Version: 1.0
Effective Date: January 2026
Last Updated: January 2026
Next Review: July 2026
─────────────────────────────────────
Regulatory Framework
UK General Data Protection Regulation (UK GDPR)
Data Protection Act 2018
Privacy and Electronic Communications Regulations 2003 (PECR)
SRA Standards and Regulations 2019 (as amended 2025)
SRA Code of Conduct - Rules 3.4, 6.2 (Vulnerable Clients)
SRA Principle 6 (Equality, Diversity and Inclusion)
Money Laundering Regulations 2017 (as amended)
LSAG Anti-Money Laundering Guidance 2025
Economic Crime and Corporate Transparency Act 2023 (ECCTA 2023)
Proceeds of Crime Act 2002
Equality Act 2010
Mental Capacity Act 2005
FCA Handbook and Consumer Duty 2023 (where applicable)
Related Documents
Terms of Engagement Template V1.0
Client Care Letter Template V1.0
Identity Verification Request Template V1.0
Complaints Procedure Template V1.0
Regulatory Protections Template V1.0
Platform Privacy Policy V1.0
Useful Links
ICO: www.ico.org.uk
ICO Guide to the UK GDPR: ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/
SRA: www.sra.org.uk
Law Society Data Protection Guidance: www.lawsociety.org.uk
─────────────────────────────────────
- DISCLAIMER: This template provides general guidance on privacy notices for solicitors. It does not constitute legal advice. Firms must ensure their privacy notice accurately reflects their actual data processing practices. Data protection requirements may change - always check current guidance. Consider having your privacy notice reviewed by a data protection specialist.
[Platform Name]
Operated by: [Company Name]