Given the range of services S&B provides to its clients, we process many categories of personal data.

References to special category data mean data that reveals your racial or ethnic origin, your political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data or any information concerning your sex life or sexual orientation, or your health.

Types of data we collect

These are the types of data we will collect:

  • personal details: full name and title,
  • contact details: work or personal email address and phone number,
  • information to check and verify your identity: date of birth and passport details (including passport image),
  • matter information: information relating to the matter for which you are seeking our advice or representation,
  • financial details: your source of wealth and source of funds (depending on the matter),
  • CCTV images: if you visit our premises, 
  • health/disability information: if you visit our premises.

These are the types of data we may collect (depending on the nature of the matter):

  • national insurance and tax details,
  • bank and/or building society details,
  • details of your professional online presences, e.g. your LinkedIn profile,
  • details of your spouse/partner and dependants or other family members for will matters,
  • your employment status and details, including salary and benefits and where relevant, your employment records relating to sickness and attendance, performance, disciplinary, conduct and grievances (including relevant special category data) for employment matters,
  • your nationality, immigration status and information from related documents, e.g. your passport or other identification documents for immigration matters,
  • details of your pension and/or financial arrangements for pension or family matters,
  • your racial or ethnic origin, trade union membership, gender, sexual orientation, religious or similar beliefs for discrimination claims,
  • your trade union membership for matters funded by trade unions.

This data is required to enable us to provide our service to you. If you do not provide the data we ask for, it may delay or prevent us from providing our services to you.

How we collect your data

We collect most of this data from you direct. We may also collect data:

  • from publicly accessible sources, e.g. Companies House or HM Land Registry,
  • directly from a third party, e.g. credit reference agencies, fraud prevention agencies, client due diligence providers and sanctions screening providers,
  • from a third party with your consent, e.g.:
    • your bank or building society, another financial institution or advisor,
    • consultants and other professionals we may engage in relation to your matter,
    • your employer and/or trade union, professional body or pension administrators,
    • your doctors, medical and occupational health professionals,
    • via cookies on our website – please see our cookie policy,
    • via our IT systems, e.g.:
      • document management and time recording systems,
      • door entry systems and reception logs,
      • automated monitoring of our website and other systems such as our computer networks, CCTV and access control systems, communications systems, email and instant messaging systems.

We may also create personal data about you, for example, if you contact us by phone, we may make a written record of key details of the conversation.

How we use your data

Under data protection law, we can only use your data if we have a legal ground for doing so, e.g.:

  • for the performance of our contract of engagement with you or to take steps at your request before entering into a contract of engagement,
  • to comply with our legal and regulatory obligations,
  • for our legitimate interests or those of a third party, or
  • where you have given us your consent.

A legitimate interest is when we have a business or commercial reason to use your data, provided this is not overridden by your own rights and interests.

The table below explains how and why we process your data:

How we use your data

GDPR legal ground

Marketing our goods and services and sending legal updates to you.

For our legitimate interests, i.e. to offer a high level of service to our clients.

Registering you as a client, providing legal services to you, taking payment and managing the client relationship.

To perform our contract of engagement with you or to take steps at your request before entering into the contract; for our legitimate interests, i.e. to ensure a high level of service; or to comply with our legal and regulatory obligations.

Conducting checks to identify our clients and verify their identity; to carry out anti-money laundering checks; screening for financial and other sanctions or embargoes; other processing necessary to comply with professional, legal and regulatory obligations that apply to our business, e.g. under health and safety regulation or rules issued by our professional regulator.

To comply with our legal and regulatory obligations.

Where we process your personal data to carry out anti-money laundering checks, the data will only be used for the purposes of preventing money laundering or terrorist financing or as permitted under applicable data protection legislation.

Using your data in life or death situations in which there is no time to gain your consent (e.g. in the event of an accident and we have to give your personal details to medical personnel).

To protect your vital interests.

Gathering and providing information required by or relating to audits, enquiries or investigations by regulatory bodies.

To comply with our legal and regulatory obligations.

Operational reasons, such as improving efficiency, training and quality control.

For our legitimate interests, i.e. to be as efficient as we can so we can deliver the best service to you at the best value.

Statistical analysis to help us manage our practice, e.g. in relation to our financial performance, client base, work type or other efficiency measures.

For our legitimate interests, i.e. to be as efficient as we can so we can deliver the best service to you at the best value.

Updating our client records.

For the performance of our contract of engagement with you or to take steps at your request before entering into the contract; to comply with our legal and regulatory obligations; or for our legitimate interests, i.e. making sure that we can keep in touch with our clients about existing and new services.

Statutory returns (e.g. to HMRC or Companies House).

To comply with our legal and regulatory obligations.

Credit reference checks via external credit reference agencies.

For our legitimate interests, i.e. for credit control and to ensure our clients are likely to be able to pay for our services.

External audits and quality checks, e.g. external auditors of both our client files and our client account.

For our legitimate interests, i.e. to maintain our accreditations so we can demonstrate we operate at the highest standards; or to comply with our legal and regulatory obligations.

Where we process special category data, we will only do so with your explicit consent, where you volunteer the information to us unprompted, where we need the data for the establishment, exercise or defence of legal claims on your behalf, where necessary in the interests of public health or otherwise in accordance with the GDPR.

Communications about additional services

We may use your personal data to send you updates by email or by post about legal developments, information about our services (including new services), and/or invitations to events that we believe may be of interest to you.

We will either seek your express consent to send such communications to you, or we will rely on our legitimate interests in promoting our business and building our relationship with you. We will never sell your personal data to other organisations for marketing purposes.

You have the right to opt out of receiving unprompted communications at any time by:

  • using the ‘unsubscribe’ link in emails, or
  • by clicking here to access the unsubscribe page on our website.

We may ask you to confirm or update your preferences if you instruct us to provide further services in the future, or if there are changes in the law, regulation, or the structure of our business.

Data sharing

In addition to the information set out on our privacy page, your data may also be shared with:

  • professional advisors who we instruct on your behalf or refer you to, e.g. barristers, medical professionals, accountants, actuaries, tax advisors or other experts (who are under duties of confidentiality),
  • other third parties where necessary to carry out your instructions, e.g. your mortgage provider or HM Land Registry in the case of a property transaction, or Companies House,
  • credit reference agencies,
  • our insurers and brokers,
  • our bank,
  • the FSCS, in the event our bank collapses and we need to make a claim on your behalf,
  • SBTL,
  • third parties with whom we organise or run events from time to time.

International transfers

It is sometimes necessary to share your data outside the UK, e.g.:

  • with our service providers located outside the UK,
  • if you are based outside the UK,
  • where this is an international dimension to the relevant matter, e.g. assets based abroad.

These transfers are subject to special rules under data protection law. Click here for more details.


We will keep your personal data after we have finished advising or acting for you, either to:

  • respond to any questions or concerns raised by you or on your behalf, or
  • keep records required by law.

We will not retain your data for longer than necessary for the purposes set out in this notice. Our default retention period for most client matters is 15 years from the date of closure of your file. If you would like to know the retention period for a specific matter, please contact our DPO.

Your rights

Under certain circumstances, you have rights in relation to your personal data, including the right to:

  • Request access to your personal data – you may receive a copy of the personal data we hold about you.
  • Request correction of the personal data we hold about you – we will correct any incomplete or inaccurate data we hold about you.
  • Request erasure of your personal data – you may ask us to delete or remove personal data where there is no good reason for us continuing to process it.
  • Object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object on this ground.
  • Request restriction of processing of your personal data – you may ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing.
  • Request the transfer of your personal data to another party.
  • Withdraw consent in the limited circumstances where you have provided your consent to the collection, processing and transfer of your personal data. After we have received notification that you have withdrawn your consent in relation to a particular purpose, we will no longer process your information for that purpose, unless we have another legitimate basis for doing so in law.
  • Lodge a complaint regarding the processing of your personal data with the Information Commissioner’s Office or any other relevant supervisory authority.

Contact us

If you want to exercise any of the above rights, please contact: 

Individuals in the UK or outside the EEA

Data Protection Officer, Stevens & Bolton LLP, Wey House, Farnham Road, Guildford, Surrey, GU1 4YD.

Individuals in the EEA

Our EU Representative is Pembroke Privacy Ltd., 3-4 Upper Pembroke Street, Dublin 2, Ireland.


Search our site