Privacy Policy

Privacy Policy


Privacy Policy


Finn Gledhill is required to comply with the law governing the management and storage of personal data and sensitive personal data, which is outlined in the General Data Protection Regulation 2016 (GDPR) and the Data Protection Act.                                                       

For this reason, protection of personal data and respect for individual privacy is fundamental to the day-to-day operations of Finn Gledhill. We have the appropriate security measure in place which ensures that your data will always be secure and cannot be used or accessed unlawfully.

This policy will set out

  • What information we collect,
  • How we collect, process, store and share your information
  • Why we collect this information
  • Your rights in relation to any information we store
  • Contact details the in the event of a concern/complaint

    What information we collect

    We will collect and process the following data about you in the course of advising/and acting for you. We will only collect data that is relevant to the service we are performing

    Personal data and sensitive personal data we collect can include  

  • Name, address, telephone numbers, date of birth
  • Digital details – email addresses and mobile numbers
  • Information in relation the matter you are instructing Finn Gledhill for advice on or represent you in.
  • Racial or ethnic origin;
  • Medical Records
  • Political opinion;
  • Religious or other beliefs;
  • Trade union membership;
  • Physical or mental health or condition;
  • Sexual orientation
  • Genetic and biometric data;
  • Financial and banking details
  • National insurance numbers and NHS numbers
  • Passport and driving license details
  • Statutory documents relating to the data subject

    How we collect, process, store and share your information

    The majority of the information we collect on you comes directly from you but we may also collect further information from

  • Publicly accessed sources (social media etc.)
  • Directly from third parties (enforcement agencies & prosecution bodies etc.)
  • From other third parties with your consent (insurance companies, employer, doctors etc.)
  • Online case management systems (Crown Court Digital Case System etc.).
    We do not obtain any information from our clients via our website which is for information purposes only.


    Uses made of the personal data we collect

    We are only allowed to use your personal (and sensitive personal) data if have a proper and lawful reason to do so and under the strict guidelines set out in the GDPR.

    The lawful basis is that the processing is necessary in relation to a contract which the data subject has entered into with us (either directly or through an intermediary), or because the data subject has asked for something to be done so they can enter into a contract.

    If we are instructed to act in a case where the data subject is not our client (for example if we prosecute the case) the legal basis is that the processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.

    In relation to the legal basis for promotional communications (please see below) the processing is in accordance with the “legitimate interests” condition

    We will use this data to

  • Provide legal services
  • Conduct checks to identify our clients and verify their identity
  • Comply with professional, legal and regulatory obligations that apply to our business, e.g. rules issued by our professional regulator
  • Gather and provide information required by or relating to audits, enquiries or investigations by regulatory bodies
  • Ensure business policies are adhered to, e.g. policies covering security and internet use
  • Improve efficiency, train staff or assess quality control
  • Provide experience and training to pupil barristers and mini pupils
  • Ensure the confidentiality of commercially sensitive information
  • Conduct statistical analysis to help us manage our practice, e.g. in relation to our financial performance, client base, work type or other efficiency measures
  • Prevent unauthorised access and modifications to systems
  • Update client records
  • Complete statutory returns
  • Ensure safe working practices, staff administration and assessments

    We will process data in those ways for the following reasons:

  • To comply with our legal and regulatory obligations
  • For the performance of our service for you or to take steps at your request before providing our service
  • For our legitimate interests or those of a third party; or
  • Where you have given consent.
    A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

    We will only process special category personal data with your explicit consent.


    Who we share your personal data with

    During the course of providing our legal services we will have to share your data with your instructed Solicitor, as well as contacting other organisations about you which would include

  • Solicitors Firms
  • Courts
  • Funding companies, Legal Aid Agency
  • Regulatory bodies (to which we may have legal and regulatory obligations)
  • Our outside service Providers
    We only allow our outside service providers (such as our, couriers, typists and IT Contractors) to handle your personal data if we are satisfied they take appropriate measures to protect your personal data. We also require that they sign and adhere to the policies set out in our data processing agreement

    How long your data will be stored

    We will retain your personal data after we have finished providing our legal services and do so for the following reasons 

  • To respond to any questions, complaints or claims made by you or on your behalf
  • To show that we treated you fairly
  • To keep records required by law
    We will not retain your data for longer than necessary. Different retention periods apply for different types of data. In general we will retain material for 3 – 6 years in accordance with our data retention policy.

    When it is no longer necessary to retain your personal data, we will delete or ensure that any personal or sensitive personal data is anonymised.


    Your rights in relation to any information we store.

    The GDPR gives rights to individuals in respect of the personal data that any organisations hold about them. Everybody working for Finn Gledhill must be familiar with these rights and adhere to Finn Gledhill’ procedures to uphold these rights.

    These rights include

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.


    If you wish to exercise any of these rights or would like a data subject request please contact Marc Gledhill (Information Security Manager) and provide sufficient information for us to identify you. You will also need to let us have proof of your identity (driving licence, passport, utility bills etc.) and inform us of which right you would like to exercise.


    Suspected Breaches


    Even with the security measure we have in place to protect your data, we also have procedures in place to deal with any suspected data security breaches. It we suspect that there is a breach, We will notify you and any applicable regulator (ICO) of a suspected data security breach in accordance with the regulations set out by the GDPR


    How to Complain

    We would hope that any issues you may have in regards to our handling of your secure data could be resolved between ourselves, with  In the event that this is not possible, The General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at or telephone: 0303 123 1113.


    How to Contact us

    If you wish to contact Finn Gledhill in regards to the GDPR and the data we hold on you, your first point of contact should be the Information Security Manager, Marc Gledhill. In the event he is not available then one of the other Partners in Finn Gledhill should be contacted.


  • Marc Gledhill – 01422 330000 –
  • Carol Stevenson -  01422 330000 –
  • Amanda Palfreman – 01422 330000 –