Data Protection

Our data protection team advise on how to respond correctly to access requests, comply with legal time frames and exemptions, verify requester identity, redact third-party or privileged information, and provide copies of personal data and supplementary information as required by law. 

• Acted for Portsmouth Historic Quarter Trust in relation to subject access request issues.
• Acted for NotontheHighStreet.com on ROPA, impact assessment, data retention, DSAR and other privacy issues.
• Considered and advised on the applicability of various exemptions when making or receiving subject access requests (SARs/DSARs) including legal professional privilege and confidentiality, negotiations with the subject, confidential references, management forecasts/planning, and unlawful acts or dishonesty.
• Handling Data Subject Access Requests (DSARs) where they are used as a litigation tactic.
• Advised elected officials in relation to subject access requests and related regulatory inquiries.
• Advised on technology and data law for an equine sports charity following the sale of the Tote, on how best to respond correctly and appropriately in relation to an extremely sensitive subject access request and updating their privacy notice.
• Advised an accountancy client in relation to a subject access request, providing advice, support with the document review, and the response to the individual.

Our experts fully appreciate the fact that as one of the leading users of CCTV, the UK has a record number of cameras on the streets which can raise a number of privacy legal issues. We assist organisation using CCTV, whether recording personal images or vehicle registration numbers, to comply with the legal requirements governing how these images are gathered, stored, and used.

• Advised a construction client on employee monitoring and use of CCTV.

Our data protection experts advise organisations on how best to comply with data protection obligations when providing online services that involve children’s data, including social media services used by youngsters.

• Advised a large online gaming brand on data protection compliance, in particular in respect of the processing of children’s data.
• Advising schools on the issues of personal data for those above and below the age of digital majority.
• Advised the owner of a suite of mobile phone apps with over 30 million users on GDPR preparedness.
• Advised on the GDPR compliance issues arising from the launch of an interactive football skills training website for children.
• Regularly advised a major social media platform on new product launches, data usage, monetisation of user-generated content, relationship with third-party platforms and secondary liability issues arising out of user-generated content.
• Advised on data use in targeted social media campaigns.

Our skilled data protection lawyers work closely with organisations to help them develop compliant procedures for the collection, storing, processing, using, disclosing, and transferring of personal data, and how to manage regulatory enquiries and audits and claims from individuals.

• Advised on permissions for collecting personal data in marketing and surveying.
• Advised an online retailer on the legal and regulatory aspects of an innovative personalisation and behavioural advertising initiative.
• Advised a financial services client in relation to carrying out background screening checks (including in relation to criminal convictions).

• Advised on all aspects of an internal data privacy audit of the European subsidiaries of a US-headquartered training services company including implementation of necessary remediation.
• Prepared corporate data protection policies and data retention and deletion (DRAD) policies, and advised on associated issues relating to special categories of personal data and criminal records (convictions and offences).

Our data protection team are perfectly placed to guide clients through the plethora of duties placed upon them under the Data Protection Act 2018 (the Act) which controls the use of ‘personal data’. We advise on registration requirements of the UK Information Commissioner’s Office (ICO) (the body tasked with enforcing the Act) and on other regulations under the Act, for example in relation to how personal data can be lawfully obtained, stored, disclosed, and shared including transfers of personal data outside of the UK. We are also experienced in assisting organisations with their interactions with the ICO on all matters including ad-hoc data transfer agreements, data subject complaints, and enforcement actions.

• Advised Curate Health on data privacy matters relating to the dispense of medicinal products.
• Acted for a UK pension fund updating its data protection policy, breach policy and privacy notice.
• Advised a UK company providing online training courses on its data protection obligations.
• Advised MOO, the print platform, on its data protection compliance programme, including developing notices, policies and training.

• Drafted privacy policies for numerous retail clients.
• Acted for CyberSmart Limited in relation to UK data privacy matters relating to cybersecurity.
• Advised in relation to the relationship between rights arising under data protection laws, the law of defamation, professional regulation of solicitors, and SLAPPs (Strategic Lawsuits Against Public Participation).
• Advised on privacy and image rights for several media platforms and video producers (included privacy impact assessment and controls over the right to be forgotten).
• Provided GDPR training for several clients alongside the Information Commissioner (ICO).
• Designed data breach protocols for clients to use in the event of data-leaks / cyber breaches.
• Advising the Lloyd’s Market Association on data protection and other issues relating to the key market-wide outsourced insurance administration services agreement for all Lloyd’s managing agents.
• Advised on complex multinational data-protection issues for a global project-delivery consultancy.
• Dealt with a national property search company on GDPR compliance including intra group contracts, data processing agreements, customer contracts and requisite policies.
• Advised on wellbeing books by therapists, helping to ensure the privacy rights of patients featured in case studies are protected.
• Advised owners of The Old War Office Hotel on GDPR compliance matters.

• Advised Notonthehighstreet.com on its DPA and GDPR compliance. This included a complex audit covering the retail sector.
• Advised on the data protection, defamation and data protection aspects of the acquisition of a market intelligence service.
• Advised in relation to and carried out data protection impact assessments (DPIAs).

With extensive experience in advising organisations in all areas involving human resources, our data protection lawyers work with our employment team to advise on the statutory obligations in relation to the collection, storage, and use of employee data, including transfers of such data to headquarters outside of the UK and outside of the EEA, transfers of employees on the sale or purchase of a business, and disclosure of employees’ personal data.

• Prepared bespoke privacy notices for a wide variety of businesses covering employees, contractors, websites, clients, customers, guests, and patients.
• Acted for a client in relation to a data breach by a former staff member and a subsequent regulatory investigation.
• Advised a regional financial services client in relation to its website privacy and cookie policy and assisted that client with a complaint in relation to their use of cookies.

Our data protection lawyers are skilled at dealing with all matters in relation to the General Data Protection Regulation (GDPR), which will apply where organisations collect and process personal data of EEA individuals even if the collection, storing, and processing of that personal data occurs in the UK.

• Advised owners of The Old War Office Hotel on GDPR compliance matters.
• Advised an SME providing software as a service on the changes required to its suite of contracts to comply with GDPR.
• Advised an actuarial company on GDPR compliance including all necessary customer contract amendments, policies and data processing agreements.
• Dealt with a national property search company on GDPR compliance including intra group contracts, data processing agreements, customer contracts and requisite policies.
• Advised the owner of a suite of mobile phone apps with over 30 million users on GDPR preparedness.
• Acted for a client in relation to a data breach by a former staff member and a subsequent regulatory investigation.
• Successfully acted for a consumer beauty brand in an ASA investigation into alleged CAP code breaches by a paid celebrity endorser.
• Advised an eCommerce platform provider on drafting modifications to a website development agreement and IT services contract with a focus on GDPR compliance.
• Advised MOO, the print platform, on its data protection compliance programme, including developing notices, policies and training.
• Advised Tesco Mobile, a joint venture between Tesco and Telefonica, on technology/data contracts, ranging from routine technology services agreements to business-critical technology development and outsourcing projects, and advised on regulatory aspects of new product offerings and data processing agreements.

Many businesses routinely transfer data overseas, whether to another group company, to a third party for sub-processing or for other reasons. This process can be fraught with legal compliance issues. Our data protection lawyers are well placed to advise organisations of all sizes on legitimising these overseas transfers of personal data and on the requirements for on-ward transfer.

• Advised an international client in the racing industry in relation to the transfer of data internationally, both within and outside of companies in its group.
• Advised an international client in relation to a number of data breaches, including assessing the issues and reporting the breaches to the ICO.
• Advised an international retail client in relation to all aspects of its data protection compliance, including in relation to its new projects, assisting with the completion of data protection impact assessments, reviewing the data protection provisions in the contracts, meeting with vendors, and advising in relation to potential issues and next steps.
• Regularly advised a major social media platform on new product launches, data usage, monetisation of user-generated content, relationship with third-party platforms and secondary liability issues arising out of user-generated content.

The value of personal data, collected by an organisation, can be hugely significant, as long as it has been collected in a legally compliant way. Our data protection experts work with businesses to ensure that personal data is collected in a way that facilitates best practice in future marketing activities and advise on how to comply with direct marketing regulations so as to run legally compliant marketing campaigns.

• Advised on the data protection, defamation and data protection aspects of the acquisition of a market intelligence service.
• Advised on IP, contract and advertising law issues for the ecommerce retailer Guthy-Renker UK Limited.
• Negotiated technology licences for ad serving on flagship websites such as BBC.com (the international version of BBC.co.uk), BBCGoodFood.com and TopGear.com.

Our data protection specialists assist companies in reviewing their existing privacy notices and other relevant internal policies concerning personal data, and help them draft appropriate policies and notices to ensure that they will remain compliant.

• Advised businesses in the professional services, leisure and hospitality, retail, public relations (PR), consulting, CCaaS, health and medical, information and intelligence, and security industries extensively in relation to the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
• Prepared bespoke privacy notices for a wide variety of businesses covering employees, contractors, websites, clients, customers, guests, and patients.
• Advised on privacy and image rights for several media platforms and video producers (included privacy impact assessment and controls over the right to be forgotten).
• Provided advice on various eprivacy and technology aspects to company in investigating its company affairs, obtaining third party documentation and defending claims brought against the company by third parties.
• Advised on data protection and ePrivacy aspects forward flow funding by a Jamaican Bank of second lien mortgage loans originated by a specialist consumer and secured lending business.
• Advised on technology and data law for an equine sports charity following the sale of the Tote, on how best to respond correctly and appropriately in relation to an extremely sensitive subject access request and updating their privacy notice.
• Advised a regional financial services client in relation to its website privacy and cookie policy and assisted that client with a complaint in relation to their use of cookies.
• Advised a Japanese electronics manufacturer on the pan-European roll-out of a new generation of “smart TVs”, including drafting and localisation of device terms and conditions and privacy policies and advice on the regulatory implications of data capture via user devices and monetisation of such data.

Our team of data protection lawyers advise businesses on providing telecommunications and other data services and government organisations providing public services and holding public data. We guide these businesses and government regulations through the miasma of their obligations on all retained data and requests for disclosure, working closely with them to ensure that they have appropriate policies and procedures in place relating to such retained data.

• Advised businesses in the professional services, leisure and hospitality, retail, public relations (PR), consulting, CCaaS, health and medical, information and intelligence, and security industries extensively in relation to the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
• Prepared corporate data protection policies and data retention and deletion (DRAD) policies, and advised on associated issues relating to special categories of personal data and criminal records (convictions and offences).
• Acted for NotontheHighStreet.com on ROPA, impact assessment, data retention, DSAR and other privacy issues.