Data Protection and Privacy Policy

The following statement explains our policy regarding the personal information
we collect about you.

  1. Statement of intent
  2. Information on visitors
  3. Submitting personal information
  4. Access to your personal information

1. Statement of intent

From time to time, you will be asked to submit personal information about yourself (e.g. name and email address) in order to receive or use services on our website. Such services include newsletters.

By entering your details in the fields requested, you enable Whitnalls to provide you with the services you select. Whenever you provide such personal information, we will treat the information in accordance with this policy. Our services are designed to give information that you want to receive. Whitnalls will act in accordance with current legislation and aim to meet current Internet best practice.

2. Information on visitors

During the course of any visit to Whitnalls, the pages you see, along with something called a cookie, are downloaded to your computer. Most, if not all, websites do this, because cookies allow the website publisher to do useful things like find out whether the computer (and probably its user) has visited the site before. This is done by checking for, and finding, the cookie left there on a previous visit.

3. Submitting personal information

The firm has appointed Paul Flynn as the Head of Data Protection.

We have adopted a risk-based approach to data protection, whereby our policies and procedures only cover those areas which apply to our use of personal data. For example, as we currently do not use automated decision making or profiling, we do not have a policy on meeting the rights of data subjects with regard to automated decision making or profiling.

We are bound by our professional body’s relevant professional codes and regulations, including client confidentiality and the protection of client data.

Personal data

Personal data includes any information related to a person that can be used to directly or indirectly identify the person. Such data includes, but is not limited to:

Individual's rights

Individuals, also referred to as ‘data subjects’, have:

Our obligations

Our obligations in respect of personal data include:

Our use of data

We process two different types of personal data: client data and firm data.

When starting a new processing activity, we can only process personal data for the purpose for which it was provided.

All principals and staff receive:

An explanation of the firm’s policies and procedures is included in our induction procedures for new employees.

Relationships with others - suppliers

When entering contracts with suppliers who process or store our data, we ensure that the supplier is fully compliant with the current data protection regime, and the contract addresses the requirements concerning the sharing of data.

The extent of the impact on our firm will depend on whether our firm is acting as a controller or processor.

A data controller is an organisation that determines the purpose and methods for processing personal data. A data processor is an organisation that processes personal data on behalf of a data controller.

We determine what information to obtain and process in order to do our work, so we may act as “controllers in common” or “joint controllers” with our clients.

Relationships with others - clients

Our client terms and conditions reflect the firm’s data policies and practices.

When we act as the data processor, we must obtain documented instructions from any data controller on whose behalf we process data.

When we act as a joint controller, we must ensure the other joint controller complies with the regulations and that our contract in respect of the sharing of data is in compliance with the regulations.

Data retention policies

What client data should be held?

The general principle is that we hold the minimum amount of data necessary.

The data we hold must be adequate, relevant and limited to what is necessary in relation to the purpose for which the data is processed. This applies to both automated personal data and manual filing systems where data is accessible.

How long do we retain personal data?

In general, data should not be retained any longer than necessary for the task performed, or than is necessary to comply with the relevant laws and regulations.

We keep records and working papers for seven years from the end of the tax year, or accounting period, to which they relate or such longer period as the rules of self-assessment may require.

Under the anti-money laundering rules, we must keep records for five years after the relationship ends, and must delete any personal information obtained for the purposes of the anti-money laundering regulations after five years from the end of a business relationship unless:

Any decision to retain personal data beyond the policy noted above should be documented and approved by the Head of Data Protection. A decision to retain personal data beyond the policy above should consider:

Privacy policies

We aim to ensure our privacy policies (also referred to as privacy notices) are clear, use plain language, are transparent and easily accessible.

Our privacy notices include:

Our privacy notices also explain the lawful basis for processing, our data retention policies and the fact that individuals have a right to complain to the ICO if they think there is a problem with the way we are handling their data.

In addition, if we intend to use the client data in a way that is likely to be unexpected or objectionable, then this must be included in our privacy notices.

We communicate our privacy notices through our website, and our terms and conditions.

Consent must be specific, informed, unambiguous, and freely given.

We record how and when customer consent was lawfully gained, including:

We recognise that “consent” is likely to degrade over time, and therefore we need to refresh the consent regularly in accordance with the context, the scope of the original consent and the individual’s expectations.

When obtaining consent, we do not rely on pre-checked boxes or implied consent. Instead, whenever data is collected on an individual, we require evidence of a positive “opt-in” by that individual, given separately from the firm’s standard terms and conditions. We also require an “opt-in” for direct marketing to prospective and existing customers.

When consent is withdrawn, we must notify other known holders of the data that consent has been withdrawn and that data should be erased.

A personal data breach is an accidental or unlawful act that has affected the confidentiality, integrity or availability of personal data. A personal data breach occurs whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on individuals.

If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, we must also inform those individuals without undue delay.

Anyone who suspects they are the first person in the firm to identify a personal data breach must inform the Head of Data Protection, or in their absence, their own line manager.

Unless instructed to do so by the Head of Data Protection, or their appointed deputy, no one should attempt to resolve the problem themselves.

It is the responsibility of the Head of Data Protection to ensure that a register of all personal data breaches is maintained that records all breaches together with the firm’s response to those breaches.

Reporting personal data breaches

Any breach that is likely to result in a risk to the rights and freedoms of individuals must be reported to the Information Commissioner’s Office within 72 hours.

If the firm is acting as a data processor, we must inform the data controller as soon as feasibly possible and without undue delay.

Where we act as data controllers we must inform the individuals (data subjects) if there is a high risk that they will be impacted adversely by the breach. This must be as soon as feasibly possible and without undue delay.

Subject Access Requests

Data subjects have the right to be informed, which includes the right to request the information held by the firm.

When the firm receives a Subject Access Request, it should be passed by email to the Head of Data Protection, who will allocate responsibility for responding to the request to a relevant individual.

Unless the information requested would make it more difficult to detect crime or is a matter of national security, the firm must respond to any request within 30 days of receipt of the request. If we decide to refuse a request, we must tell the individual why and that they have the right to complain to the ICO and to seek a judicial remedy. Any refusal must be given without undue delay and at the latest, within one month of receiving the original request.

We will not make a charge for responding to a Subject Access Request, unless the request is manifestly unfounded or excessive.

It is the responsibility of the Head of Data Protection to ensure that a register of all Subject Access Requests is maintained that records all requests together with the date and nature of the firm’s response to those requests.

The Head of Data Protection ensures that an annual critical review is carried out of the firm’s compliance with its data protection policies and practices, and of the effectiveness of those policies and practices.

The Head of Data Protection will provide evidence of the annual compliance review to the principal responsible for completing the firm’s annual practice assurance review.

After completion, the Head of Data Protection will provide a summary of the evidence of the annual compliance review to the next partners’ meeting, together with details of any changes proposed to the firm’s data protection policies and practices.