Privacy and General Data Protection Regulation (GDPR) Policy

Samuels Solicitors LLP

Our ICO Registration Number is:  ZA465525

1. Who we are

Samuels Solicitors LLP (“we”, “us”, “our”) is the data controller for personal data we collect and process in the course of delivering legal services to our clients and operating our business. We are committed to protecting your privacy and handling your personal data fairly, lawfully and transparently in accordance with the UK GDPR and the Data Protection Act 2018.

• Registered office: 18 Alexandra Road, Barnstaple, Devon EX32 8BA
• Contact telephone: 01271 343457

• Email: mail@samuels-solicitors.co.uk

   

2. Data protection contact

Our Data Protection Lead is:

• Name: Judith Thompson
• Role: Data Protection Lead
• Email: jmt@samuels-solicitors.co.uk

• Postal: Samuels Solicitors LLP, 18 Alexandra Road, Barnstaple, Devon EX32 8BA

   

3. The personal data we collect

We collect and process the following categories of personal data about clients and, where relevant, related parties (e.g., counterparties, witnesses, beneficiaries):

• Contact details: name, address, email, phone numbers, job title, employer.
• Case information: matter background, correspondence, instructions, evidence, statements, working notes, pleadings, disclosures, and other documents relevant to your matter.
• Financial data: invoices, payment details (excluding full card data processed by payment providers), funding information, costs estimates, and related records.
• Special category data: health data, ethnicity and other sensitive data where necessary for your matter.
• Criminal offence data: where necessary for advising on, establishing, exercising or defending legal claims, or for the administration of justice.

We obtain data directly from you, from your authorised representatives, from third parties (e.g., counsel, experts, other firms, insurers), from publicly available sources (e.g., Companies House, HM Land Registry) and through our IT systems (e.g., access logs, emails, document management).

4. Purposes and lawful bases for processing

We process personal data for the following purposes and under the following lawful bases:

1. Providing legal services and managing our relationship

• Purposes: taking instructions; conflict checks; opening and managing files; advising; drafting; negotiation; advocacy; instructing counsel and experts; billing; credit control; client care.
• Lawful bases: performance of a contract or to take steps at your request prior to entering into a contract; legitimate interests in delivering and improving our services; compliance with legal obligations (e.g., financial, tax, anti-money laundering).

2. Compliance and risk management

• Purposes: identity and verification checks; anti-money laundering (AML) and sanctions screening; regulatory reporting; audits; insurance; complaints handling.
• Lawful bases: legal obligations; legitimate interests in managing risk and ensuring compliance.

3. Use of artificial intelligence (AI) and legal technology

• Purposes: drafting, summarising, document analysis, research support, quality assurance, workflow automation.
• Lawful bases: performance of a contract; legitimate interests in efficient, high-quality service delivery.
• Safeguards: we apply role-based access controls; pseudonymise or minimise input data where feasible; bind providers by contract as processors; and configure AI tools to prevent your data being used to train or improve public or foundation models unrelated to your matter. We review AI-assisted outputs by legally qualified personnel and do not take decisions producing legal or similarly significant effects solely by automated means.

4. Marketing and business development

• Purposes: sending legal updates, invitations and insights to existing clients and contacts.
• Lawful bases: legitimate interests in developing our business; consent where required. You can opt out at any time.

Special category and criminal offence data: Where we process special category data (e.g., health, ethnicity) or criminal offence data, we rely on the legal basis above together with an additional condition under Article 9 UK GDPR and applicable provisions of the Data Protection Act 2018, including where necessary for the establishment, exercise or defence of legal claims or for the administration of justice and legal advice.

5. Who we share your data with

We share personal data only where necessary, proportionate, and subject to appropriate safeguards, with:

• Counsel, experts, mediators, costs draftsmen, courts/tribunals and other parties involved in your matter.
• Our professional advisers and insurers.
• Our vetted third-party processors providing IT, cloud, document management, AI tools, email, telephony, printing, archiving, shredding, typing, analytics and related support services.
• Regulators and public authorities where required by law or regulation.

We ensure processors are bound by written contracts that include confidentiality and security obligations consistent with the UK GDPR.

6. International transfers

We do not routinely transfer personal data outside the UK/EEA. If an exceptional transfer is necessary (for example, at your request or for a specific matter-related requirement), we will implement appropriate safeguards permitted under the UK GDPR and inform you where required.

7. Data security

We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage. Measures include access controls, encryption in transit and at rest where appropriate, multi-factor authentication for systems holding client data, backup and business continuity arrangements, staff training, and supplier due diligence.

8. Retention

We retain client matter files (paper and electronic) for 7 years after file closure, unless a longer period is required by law, regulation, our professional obligations, or to establish, exercise or defend legal claims. At the end of the retention period, we securely delete or destroy personal data or anonymise it for statistical purposes.

• Standard retention: 7 years for paper and electronic files.
• Financial records: at least for statutory accounting periods and as above.

You may request further details of our retention schedule for specific categories of data.

9. Your rights

Subject to applicable exemptions, you have the following rights over your personal data:

• Access: to obtain a copy of your personal data and information about how we process it.
• Rectification: to correct inaccurate or incomplete data.
• Erasure: to request deletion where we no longer need the data, or where consent is withdrawn (if consent was the basis), subject to legal and professional obligations.
• Restriction: to limit processing in certain circumstances.
• Data portability: to receive certain data in a structured, commonly used, machine-readable format and/or request transmission to another controller.
• Objection: to processing based on our legitimate interests (including marketing). We will respect your objection unless we have compelling legitimate grounds or the processing is for legal claims.
• Automated decision-making: we do not make decisions producing legal or similarly significant effects solely by automated means.

To exercise your rights, contact Judith Thompson using the details above. We may need to verify your identity. We aim to respond within one month, which may be extended by two further months for complex requests.

10. AI and automated decision-making

We use AI-enabled tools as described in section 4 for limited, clearly defined purposes that support—rather than replace—our professional judgement. We do not rely on solely automated decision-making that produces legal or similarly significant effects for you. You may object to our use of AI tools based on legitimate interests and request that your data be excluded from such tools (subject to service limitations). We will accommodate such requests where feasible.

11. Children’s data

We do not target our services at children. Where a matter involves children’s data (e.g., family, changing names, probate or litigation matters), we process such data only as necessary for the matter and apply enhanced safeguards.

12. Complaints

If you have concerns about how we handle your personal data, please contact us first so we can try to resolve them. You also have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner’s Office (ICO)

• Website: www.ico.org.uk
• Telephone: 0303 123 1113

• Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

   

13. Changes to this policy

We may update this policy from time to time. The latest version will be available on our website or on request. Material changes will be notified to clients where appropriate.

14. Contact us

For any questions about this policy or our data protection practices, please contact Judith Thompson, Data Protection Lead using the details above.

15. Glossary (summary)

• “Controller”: the organisation that determines the purposes and means of processing personal data.
• “Processor”: a service provider that processes personal data on our behalf.
• “Personal data”: information relating to an identified or identifiable person.
• “Special category data”: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for identification, health, or sex life/sexual orientation.
• “Criminal offence data”: data relating to criminal convictions and offences or related security measures.

Note: If there is any conflict between this policy and our engagement terms, the terms that provide the higher standard of protection to your personal data will prevail.