AIO LEGAL SERVICES
PRIVACY POLICY
Effective Date: 22/08/2025
Last Update: 03/05/2026
1. Introduction
1.1 AIO Legal Services (“AIO”, “the Firm”, “we”, “us” or “our”) is committed to protecting the privacy, confidentiality and security of the personal information entrusted to us. We recognise that the trust placed in us by our clients, employees, business partners and other individuals is fundamental to the delivery of our legal services. Accordingly, we are committed to processing personal data fairly, lawfully, transparently and securely in accordance with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), and all other applicable data protection and privacy legislation.
1.2 This Privacy Policy explains how AIO Legal Services collects, uses, stores, shares, transfers, retains and otherwise processes personal data when providing legal services, conducting its business operations, complying with its legal and regulatory obligations, communicating with clients and third parties, recruiting personnel, and operating its website and associated digital platforms.
1.3 This Privacy Policy applies to all personal data processed by AIO Legal Services, regardless of the format in which it is held, including information obtained directly from data subjects, through third parties, publicly available sources, regulatory bodies, courts, government authorities, business partners, electronic verification providers and other lawful sources.
1.4 As a regulated legal practice, AIO Legal Services processes personal data not only for the performance of contractual obligations but also to comply with its legal, regulatory and professional responsibilities, including anti-money laundering, counter-terrorist financing, sanctions compliance, conflict of interest checks, professional indemnity insurance requirements, risk management, regulatory reporting, legal proceedings and the establishment, exercise or defence of legal claims.
1.5 By instructing AIO Legal Services, communicating with us, visiting our website or otherwise interacting with the Firm, you acknowledge that your personal data may be processed in accordance with this Privacy Policy. Where your consent is required by law for a particular processing activity, we will obtain such consent before processing your personal data for that purpose. Where processing is carried out on another lawful basis under the UK GDPR, your personal data will be processed in accordance with that lawful basis irrespective of consent.
1.6 AIO Legal Services reviews this Privacy Policy periodically to ensure that it remains accurate, reflects changes in our legal and regulatory obligations, and continues to represent best practice in data protection and information governance. The most recent version will always be made available on our website and, where appropriate, notified to affected individuals.
2. Data Controller
2.1 AIO Legal Services is the data controller responsible for determining the purposes and means of processing personal data in connection with the provision of our legal services, the operation of our business and compliance with our legal, regulatory and professional obligations.
Our contact details are as follows:
Data Controller: AIO Legal Services
Registered Office: 960 Capability Green Business Park, Luton, England, LU1 3PE
Email: in**@********rs.com
Website: www.aiolawyers.com
2.2 Where required by applicable law or where considered appropriate to support effective data governance, AIO Legal Services shall appoint a suitably qualified Data Protection Lead or other designated individual responsible for overseeing compliance with data protection legislation, this Privacy Policy and the Firm’s internal data protection policies and procedures. The appointment of such an individual shall not affect AIO Legal Services’ overall responsibility as the data controller.
2.3 AIO Legal Services regularly reviews its data protection governance arrangements to ensure compliance with applicable legislation, regulatory requirements and recognised best practice. Responsibility for data protection compliance is shared across the Firm, with all directors, consultants, employees and contractors required to process personal data in accordance with this Privacy Policy, the Firm’s Data Protection Policy and their respective confidentiality obligations.
2.4 Where AIO Legal Services processes personal data jointly with another organisation, or processes personal data on behalf of another data controller, such processing shall be carried out in accordance with the applicable data sharing arrangements, contractual obligations and data protection legislation. Where appropriate, we will inform you of the identity of any joint controller or the capacity in which we process your personal data.
2.5 If you have any questions regarding this Privacy Policy, wish to exercise your rights under applicable data protection legislation, or have concerns regarding the way in which AIO Legal Services processes your personal data, you should contact us using the details set out above. We will respond to your request in accordance with the UK GDPR, the Data Protection Act 2018 and any other applicable legal or regulatory requirements.
3. Our Commitment to Confidentiality
3.1 As a regulated legal practice, AIO Legal Services owes its clients a fundamental duty of confidentiality in addition to its obligations under the UK General Data Protection Regulation, the Data Protection Act 2018 and other applicable legislation. We recognise that the protection of confidential information is central to the solicitor-client relationship and to the proper administration of justice. Accordingly, we maintain appropriate legal, organisational and technical safeguards to preserve the confidentiality, integrity and security of all information entrusted to us.
3.2 Where applicable, communications between AIO Legal Services and its clients may also be protected by legal professional privilege. Such privilege belongs to the client and may only be waived by the client or otherwise displaced in accordance with applicable law. We encourage clients to take appropriate steps to preserve the confidentiality of privileged communications, as disclosure to third parties may result in privilege being lost.
3.3 Information obtained during the course of providing legal services will be treated as strictly confidential and will not be disclosed except where such disclosure is lawful, necessary or permitted, including where:
the client has provided informed consent or instructed us to make the disclosure;
the disclosure is necessary for the provision of the requested legal services, including sharing information with barristers, advocates, expert witnesses, foreign lawyers, consultants, professional advisers, approved service providers or other persons engaged in connection with the client’s matter;
the disclosure is required or authorised by law, court order or other legally binding process;
the disclosure is required by a regulator, law enforcement agency or other competent authority acting within its lawful powers;
the disclosure is necessary to comply with our legal, regulatory or professional obligations, including anti-money laundering, counter-terrorist financing, sanctions compliance, conflict of interest checks, professional indemnity insurance requirements, auditing or risk management;
the disclosure is necessary for the establishment, exercise or defence of legal claims, the recovery of unpaid fees, the defence of complaints or regulatory proceedings, or the protection of the legal rights and legitimate interests of AIO Legal Services where permitted by law;
the disclosure is necessary for the prevention, detection or investigation of crime, fraud or other unlawful activity; or
the disclosure is otherwise permitted or required under applicable legislation, professional rules or recognised legal principles.
3.4 AIO Legal Services requires all directors, consultants, employees, contractors, agents and third-party service providers who have access to confidential information to maintain strict confidentiality and to process personal data only for authorised purposes. Appropriate contractual, professional and organisational safeguards are implemented to ensure that confidentiality obligations continue to apply whenever confidential information is shared with authorised third parties.
3.5 Our duty of confidentiality continues after the completion or termination of our engagement and will remain in force for so long as required by law, applicable professional obligations and the continuing confidential nature of the information concerned.
4. Personal Data We Collect
AIO Legal Services collects and processes personal data that is necessary for the provision of legal services, compliance with legal and regulatory obligations, the operation of our business, the administration of client relationships and the protection of our legitimate interests. The categories of personal data we process will vary depending upon the nature of your relationship with us and the legal services requested.
Identity Information
Full name.
Date of birth.
Nationality.
Passport details.
Driving licence details.
Government-issued identification documents.
Contact Information
Residential address.
Business address.
Email address.
Telephone numbers.
Business Information
Company details.
Shareholder information.
Directorship information.
Corporate records.
Business ownership information.
Financial Information
Bank account details.
Payment information.
Billing information.
Source of funds information.
Source of wealth information.
Legal Matter Information
Documents and information relating to legal matters.
Contracts and commercial agreements.
Correspondence.
Regulatory documentation.
Litigation-related information where applicable.
Technical Information
IP addresses.
Browser information.
Device information.
Website usage data.
Cookie data.
Special Category Data
Where necessary and lawful, we may process special category personal data including information relating to:
Health.
Ethnic origin.
Religious beliefs.
Trade union membership.
Biometric data.
Such information will only be processed where a lawful basis exists and where appropriate safeguards are implemented.
5. How We Collect Information
Personal data may be collected directly from:
Clients.
Prospective clients.
Employees and consultants.
Professional advisers.
Referrers.
Website users.
Information may also be obtained from:
Public registers.
Companies House.
Regulatory bodies.
Government agencies.
Credit reference agencies.
Anti-money laundering verification providers.
Professional service providers.
Third parties authorised by clients.
6. Lawful Bases for Processing
6.1 AIO Legal Services will only process personal data where there is a lawful basis to do so under the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 and other applicable legislation. Depending on the nature of our relationship with you and the purpose of the processing, we may rely on one or more of the following lawful bases.
6.2 Contractual Necessity
We process personal data where it is necessary to take steps at your request before entering into a contract or to perform our contractual obligations, including providing legal advice, delivering legal services, administering your instructions, communicating with you, issuing invoices and managing our client relationship.
6.3 Legal Obligation
We process personal data where necessary to comply with our legal, regulatory and professional obligations. This includes, but is not limited to, compliance with anti-money laundering and counter-terrorist financing legislation, financial sanctions requirements, tax legislation, court orders, regulatory reporting obligations, professional conduct rules, record-keeping requirements and requests made by competent authorities.
6.4 Legitimate Interests
We may process personal data where it is necessary for the legitimate interests pursued by AIO Legal Services or a third party, provided those interests are not overridden by your rights and freedoms. Our legitimate interests include, amongst other things:
providing, improving and managing our legal services;
protecting the security and integrity of our systems and information;
conducting conflict of interest checks;
managing legal risk, regulatory compliance and professional indemnity insurance;
preventing fraud, financial crime and cyber threats;
recovering outstanding fees and enforcing our legal rights;
responding to complaints, legal proceedings or regulatory investigations;
maintaining business records and internal governance; and
communicating with existing or former clients regarding our legal services where permitted by law.
6.5 Consent
Where consent is required by law, AIO Legal Services will obtain, record and manage your consent before processing your personal data. Where processing is based on consent, you may withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of any processing carried out before consent was withdrawn. Where consent is withdrawn, we may be unable to continue providing certain services where no alternative lawful basis exists.
6.6 Establishment, Exercise or Defence of Legal Claims
We process personal data where necessary for the establishment, exercise or defence of legal claims, the provision of legal advice, litigation, arbitration, mediation, regulatory proceedings, debt recovery, enforcement proceedings or other dispute resolution processes. This lawful basis also permits the processing of special category personal data where authorised by applicable law.
6.7 Vital Interests
In exceptional circumstances, we may process personal data where necessary to protect the vital interests of an individual or another person, including where processing is required to protect life or prevent serious harm and the individual is incapable of providing consent.
6.8 Public Task
Where applicable, we may process personal data where necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in AIO Legal Services or another competent authority.
6.9 AIO Legal Services will identify and document the appropriate lawful basis before processing personal data and will only use personal data for the purposes for which it was collected or for another compatible purpose permitted by applicable law. Where we intend to process personal data for a materially different purpose, we will provide appropriate information to the affected individual unless an exemption under applicable legislation applies.
6.10 Where we process special category personal data or criminal offence data, we will also identify and document the relevant additional condition required under the UK GDPR, the Data Protection Act 2018 and any other applicable legislation, and we will implement appropriate safeguards to protect such information.
7. Purposes of Processing
7.1 AIO Legal Services processes personal data solely for lawful, specified and legitimate purposes and will not process personal data in a manner that is incompatible with those purposes unless permitted or required by applicable law. The purposes for which we process personal data will depend upon the nature of the legal services requested, our relationship with the individual concerned and our legal, regulatory and professional obligations.
We may process personal data for one or more of the following purposes:
providing legal advice and legal services;
evaluating enquiries, accepting instructions and onboarding clients;
verifying identity and carrying out customer due diligence, enhanced due diligence and ongoing monitoring;
complying with anti-money laundering, counter-terrorist financing, financial sanctions and fraud prevention legislation;
conducting conflict of interest checks and maintaining professional independence;
complying with legal, regulatory, professional and insurance obligations;
communicating with clients, prospective clients, courts, tribunals, regulators, professional advisers, third parties and other persons connected with a legal matter;
preparing, negotiating, reviewing and managing legal documents, contracts, transactions and legal proceedings;
managing litigation, arbitration, mediation, dispute resolution, enforcement proceedings and regulatory matters;
issuing invoices, processing payments, recovering outstanding fees and managing our financial affairs;
administering client relationships, maintaining client records and responding to enquiries, complaints and feedback;
protecting the legal rights, interests and property of AIO Legal Services, its clients and third parties;
establishing, exercising or defending legal claims and responding to regulatory investigations or professional disciplinary proceedings;
managing legal, regulatory, operational and cybersecurity risks, including business continuity, information security and incident management;
preventing, detecting and investigating fraud, money laundering, terrorist financing, sanctions evasion, cybercrime and other unlawful activities;
monitoring, auditing and improving the quality, consistency and effectiveness of our legal services, governance arrangements and internal procedures;
recruiting, engaging and managing employees, consultants, contractors and other personnel where applicable;
administering and securing our website, IT systems, electronic communications and digital platforms, including analysing website performance and preventing unauthorised access;
maintaining internal business records, financial records, compliance records and corporate governance documentation;
sending legal updates, newsletters and information relating to our legal services where permitted by applicable law and in accordance with your communication preferences; and
fulfilling any other purpose that is compatible with the original purpose for which the personal data was collected or that is otherwise authorised or required by applicable law.
7.2 AIO Legal Services will only process personal data that is adequate, relevant and limited to what is reasonably necessary for the relevant purpose. Where we intend to use personal data for a purpose that is materially different from the purpose for which it was originally collected, we will ensure that such processing is supported by an appropriate lawful basis and, where required, provide the affected individual with appropriate privacy information before commencing the new processing activity.
8. Anti-Money Laundering Checks
8.1 As a regulated legal practice, AIO Legal Services is subject to the Proceeds of Crime Act 2002, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, the Terrorism Act 2000, the Sanctions and Anti-Money Laundering Act 2018 and other applicable anti-financial crime legislation. We are therefore legally required to undertake customer due diligence and other compliance measures before accepting instructions and, where necessary, throughout the duration of our engagement.
8.2 To comply with our legal, regulatory and professional obligations, we may collect, verify and process personal data for anti-money laundering, counter-terrorist financing, sanctions compliance and fraud prevention purposes. This may include:
verification of identity;
verification of residential or business address;
verification of beneficial ownership and corporate structure;
source of funds checks;
source of wealth checks;
ongoing customer due diligence and transaction monitoring;
screening against UK and international financial sanctions lists;
politically exposed person (PEP) screening;
adverse media and reputational risk screening;
fraud prevention and financial crime risk assessments; and
obtaining information and supporting documentation from publicly available sources, electronic verification providers, credit reference agencies, government registers, regulatory bodies or other lawful third-party sources where appropriate.
8.3 AIO Legal Services may undertake these checks before accepting your instructions, periodically during our engagement and whenever there is a material change to your circumstances, your legal matter or the applicable legal and regulatory requirements.
8.4 The personal data collected for anti-money laundering and compliance purposes may be shared with electronic verification providers, professional advisers, competent authorities, law enforcement agencies and other organisations where required or permitted by law. We may also retain records of customer due diligence, risk assessments and related documentation for the period prescribed by applicable legislation and our internal Records Management Policy.
8.5 Where we know, suspect or have reasonable grounds to suspect that money laundering, terrorist financing, sanctions evasion or other financial crime has occurred or may occur, we may be required to make disclosures to the National Crime Agency, the Office of Financial Sanctions Implementation or another competent authority. In such circumstances, we may be prohibited by law from informing you that a report has been made or that an investigation is being undertaken.
8.5 Failure or refusal to provide the information or documentation reasonably requested for customer due diligence or compliance purposes, or the provision of inaccurate, incomplete or misleading information, may prevent AIO Legal Services from accepting or continuing your instructions. In such circumstances, we reserve the right to refuse to act, suspend the provision of legal services or terminate our engagement in accordance with our Terms of Service, without liability for any resulting delay or inability to provide the requested services.
9. Information Sharing
9.1 AIO Legal Services treats all personal data and confidential information with the utmost care and will only disclose personal data where there is a lawful basis to do so and where such disclosure is necessary, proportionate and consistent with our legal, regulatory and professional obligations. We do not sell, rent or otherwise disclose personal data to third parties for their independent marketing purposes.
Depending upon the nature of your legal matter, we may share personal data with one or more of the following categories of recipients:
courts, tribunals and arbitration institutions;
government departments, public authorities and statutory bodies;
law enforcement agencies and competent authorities;
regulatory bodies, including those responsible for regulating legal professionals and financial crime compliance;
the National Crime Agency, the Office of Financial Sanctions Implementation and other competent authorities where disclosure is required or authorised by law;
professional indemnity insurers, insurance brokers, loss adjusters and legal representatives acting on behalf of our insurers;
solicitors, foreign lawyers, barristers, advocates and other external legal advisers instructed in connection with your matter;
expert witnesses, investigators, translators, interpreters, forensic specialists and other professional consultants;
accountants, auditors, tax advisers and other professional advisers where necessary for the provision of legal services or compliance with legal obligations;
anti-money laundering, identity verification, sanctions screening and fraud prevention service providers;
banks, payment service providers and financial institutions involved in processing payments or legal transactions;
cloud service providers, document management providers, secure hosting providers, IT support providers, cybersecurity providers and other technology service providers engaged by AIO Legal Services;
process servers, couriers, document handling providers and other suppliers engaged in connection with the delivery of legal services;
third parties involved in your legal matter where disclosure is reasonably necessary to carry out your instructions or protect your legal interests; and
any other person or organisation where disclosure is required or permitted by law, a court order, regulatory obligation or your express instructions.
9.2 Before sharing personal data with third-party service providers, AIO Legal Services undertakes appropriate due diligence and, where required, enters into contractual arrangements to ensure that personal data is processed securely, confidentially and in accordance with applicable data protection legislation. Third-party processors are only permitted to process personal data on our documented instructions and for authorised purposes.
9.3 Where personal data is transferred outside the United Kingdom, AIO Legal Services will ensure that appropriate safeguards are implemented in accordance with the UK GDPR and other applicable legislation to protect the privacy, confidentiality and security of the information being transferred.
9.4 Where reasonably necessary and permitted by law, AIO Legal Services may also share personal data within its group, with affiliated businesses, professional advisers or successor entities for the purposes of business continuity, regulatory compliance, risk management, professional indemnity insurance, corporate restructuring, mergers, acquisitions or the sale or transfer of all or part of its business. Any such disclosure shall remain subject to appropriate confidentiality and data protection obligations.
9.6 All disclosures of personal data are limited to the minimum information reasonably necessary to achieve the relevant lawful purpose, and appropriate technical and organisational measures are implemented to safeguard personal data throughout the disclosure process.
10. International Transfers
10.1 AIO Legal Services may transfer, store or permit access to personal data outside the United Kingdom where this is necessary for the provision of legal services, the operation of our business, the use of trusted technology platforms or compliance with our legal, regulatory and professional obligations. Such transfers may occur where we instruct foreign lawyers, communicate with overseas clients or counterparties, engage international service providers or utilise cloud-based systems with infrastructure located in multiple jurisdictions.
10.2 Where personal data is transferred internationally, AIO Legal Services will ensure that an appropriate level of protection is maintained in accordance with the UK General Data Protection Regulation, the Data Protection Act 2018 and other applicable legislation. Appropriate safeguards may include:
adequacy regulations issued by the UK Government;
the UK International Data Transfer Agreement (IDTA);
the UK Addendum to the European Commission’s Standard Contractual Clauses;
Standard Contractual Clauses approved or recognised under applicable legislation;
binding corporate rules where applicable;
approved codes of conduct or certification mechanisms recognised under data protection legislation; and
any other lawful transfer mechanism recognised under applicable law.
10.3 Before transferring personal data internationally, AIO Legal Services will assess the nature of the transfer, the destination country, the recipient organisation and the legal protections available to ensure that personal data continues to receive a level of protection that is substantially equivalent to that required under UK data protection legislation. Where appropriate, we will implement supplementary technical, contractual and organisational safeguards to protect the confidentiality, integrity and security of the transferred personal data.
10.4 Where international transfers are necessary to provide the legal services you have requested, including the instruction of overseas legal advisers, experts, professional consultants or other third parties connected with your legal matter, you acknowledge that your personal data may be transferred to jurisdictions whose data protection laws differ from those of the United Kingdom. In all such cases, AIO Legal Services will take reasonable steps to ensure that personal data is transferred only where a lawful transfer mechanism exists and appropriate safeguards have been implemented.
10.5 AIO Legal Services regularly reviews its international data transfer arrangements to ensure continued compliance with evolving legal, regulatory and technological requirements and will update its transfer mechanisms where necessary to maintain appropriate levels of protection for personal data.
11. Data Security
11.1 AIO Legal Services is committed to maintaining the confidentiality, integrity, availability and resilience of the personal data and confidential information entrusted to us. We implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, misuse or any other form of unlawful processing, taking into account the nature of the personal data, the risks involved and the requirements of applicable data protection legislation.
11.2 Our information security framework is regularly reviewed and updated to reflect changes in technology, legal requirements, emerging cybersecurity threats and recognised industry best practice.
Our security measures include, where appropriate:
encrypted systems, devices, databases and communications;
password protection, multi-factor authentication and secure user authentication controls;
role-based access controls and the principle of least privilege, ensuring that access to personal data is restricted to authorised personnel with a legitimate business need;
secure electronic document management systems and secure physical storage for paper records;
firewalls, endpoint protection, malware detection, intrusion monitoring and other cybersecurity safeguards;
continuous monitoring of our IT infrastructure, network activity and security events where appropriate;
secure backup, disaster recovery and business continuity arrangements designed to minimise the risk of data loss;
regular software updates, security patch management and vulnerability management procedures;
confidentiality obligations applicable to all directors, consultants, employees, contractors and authorised third-party service providers;
staff training and awareness programmes relating to data protection, confidentiality, cybersecurity and information security;
secure disposal and destruction procedures for personal data and confidential documents in accordance with our Records Management and Data Retention Policies;
due diligence and contractual safeguards when engaging third-party processors and technology providers; and
documented incident management, business continuity and personal data breach response procedures.
11.3 Although AIO Legal Services applies appropriate technical and organisational measures to safeguard personal data, no method of electronic transmission, storage or information system can be guaranteed to be completely secure. Accordingly, while we take all reasonable steps to protect personal data, we cannot guarantee absolute security. Individuals who communicate with us electronically are encouraged to take appropriate precautions to protect their own devices, passwords and electronic communications.
11.4 In the event of a personal data breach, suspected cybersecurity incident or other security event affecting personal data, AIO Legal Services will investigate the incident promptly, take appropriate steps to contain and mitigate its effects, maintain appropriate records of the incident and, where required by applicable law, notify the Information Commissioner’s Office, affected individuals and any other competent authority within the applicable statutory timescales.
11.5 AIO Legal Services regularly reviews, tests and updates its information security controls to ensure that they remain effective, proportionate and appropriate to the nature of the legal services we provide, the personal data we process and the evolving cybersecurity landscape.
Data Retention
Personal data shall be retained only for as long as necessary to fulfil the purposes for which it was collected.
Retention periods may vary depending upon:
Legal requirements.
Regulatory requirements.
Limitation periods.
Nature of the legal matter.
Client files will generally be retained for a minimum period of six years following completion of the matter unless longer retention is required by law or justified by the nature of the instructions.
Your Rights
Individuals may have the following rights:
Right of access.
Right to rectification.
Right to erasure.
Right to restrict processing.
Right to data portability.
Right to object.
Rights relating to automated decision-making.
Certain rights may be restricted where legal professional privilege, confidentiality obligations or other legal exemptions apply.
14. Data Breaches
14.1 AIO Legal Services maintains documented procedures for identifying, reporting, investigating, managing and responding to actual or suspected personal data breaches. All directors, consultants, employees, contractors and other individuals acting on behalf of the Firm are required to report any actual, suspected or potential personal data breach immediately upon becoming aware of it.
14.2 Upon receiving notification of a suspected breach, AIO Legal Services will promptly investigate the incident to determine its nature, scope, cause and potential impact on affected individuals and the Firm. Appropriate measures will be taken without undue delay to contain the breach, mitigate any risks, preserve relevant evidence, restore the security of affected systems where applicable, and reduce the likelihood of recurrence.
14.3 Where required by the UK General Data Protection Regulation, the Data Protection Act 2018 or any other applicable legislation, AIO Legal Services will notify the Information Commissioner’s Office (“ICO”) without undue delay and, where feasible, within the statutory time limits. Where a personal data breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will also notify those individuals without undue delay unless an exemption under applicable legislation applies.
14.4 Not every security incident constitutes a reportable personal data breach. AIO Legal Services will assess each incident on its individual facts, taking into account the nature of the personal data involved, the number of individuals affected, the likelihood and severity of any potential harm, the effectiveness of any mitigating measures and our legal and regulatory obligations before determining whether notification is required.
14.5 AIO Legal Services will maintain an internal register of all personal data breaches and security incidents, including those that do not require notification to the ICO, together with details of the investigation, risk assessment, corrective actions implemented and lessons learned. This register forms part of the Firm’s ongoing information governance, risk management and compliance framework.
14.6 Following any personal data breach or significant security incident, AIO Legal Services will review the circumstances giving rise to the incident and, where appropriate, implement additional technical, organisational and procedural measures to strengthen information security, improve compliance and reduce the risk of future occurrences.
15. Cookies and Website Analytics
15.1 AIO Legal Services uses cookies and similar technologies on its website to ensure the proper operation, security and performance of the website, to enhance user experience, to analyse website usage and, where permitted, to improve our legal services and online content. Cookies also assist us in maintaining the security of our website, detecting fraudulent or malicious activity and administering our digital platforms efficiently.
15.2 Cookies are small text files that are placed on your device when you visit a website. They enable websites to recognise your device, remember certain preferences and collect information about how visitors interact with the website.
15.3 Subject to applicable law, AIO Legal Services may use the following categories of cookies and similar technologies:
strictly necessary cookies required for the operation, security and functionality of the website;
functionality cookies that remember user preferences and improve website usability;
performance and analytics cookies that help us understand how visitors use our website, identify technical issues and improve website performance;
security cookies designed to prevent fraud, detect unauthorised access and protect the integrity of our systems; and
preference or consent management cookies used to record and manage your cookie choices.
15.4 Where required by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”) and the UK GDPR, non-essential cookies will only be placed on your device after you have provided your informed consent through our cookie consent mechanism. You may withdraw or amend your cookie preferences at any time through our website or your browser settings.
15.5 Most web browsers allow you to control, restrict or disable cookies through their settings. Please note that disabling certain cookies may affect the functionality, performance or availability of some features of our website and may prevent certain services from operating correctly.
15.6 Our website may also utilise reputable third-party analytics and website management services to help us understand website usage, improve user experience, monitor website performance and maintain the security of our online systems. Where such services process personal data on our behalf, they do so under appropriate contractual arrangements and in accordance with applicable data protection legislation.
15.7 For further information regarding the cookies we use, the purposes for which they are used, the retention of cookie data and how you can manage your preferences, please refer to our separate Cookie Policy, which forms part of AIO Legal Services’ wider information governance framework.
16. Complaints
16.1 AIO Legal Services is committed to processing personal data fairly, lawfully, transparently and securely. If you have any questions, concerns or complaints regarding the way in which we collect, use, disclose, retain or otherwise process your personal data, we encourage you to contact us in the first instance so that we have the opportunity to investigate your concerns and seek to resolve the matter promptly and fairly.
16.2 Privacy-related enquiries, requests and complaints should be submitted using the contact details set out in this Privacy Policy. Upon receipt of a complaint, AIO Legal Services will acknowledge it, investigate the issues raised in accordance with our internal complaints procedures and applicable data protection legislation, and respond within a reasonable period. Where additional time is reasonably required due to the complexity of the complaint or the volume of information involved, we will inform you accordingly.
16.3 The submission of a complaint will not adversely affect your legal rights or your ongoing relationship with AIO Legal Services. We will handle all complaints confidentially and will not discriminate against or disadvantage any individual for exercising their rights under applicable data protection legislation.
16.4 If you remain dissatisfied with our response, or believe that AIO Legal Services has processed your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner’s Office (“ICO”), the United Kingdom’s independent supervisory authority for data protection matters. We would, however, appreciate the opportunity to address your concerns before you approach the ICO.
Information Commissioner’s Office (ICO)
Website: www.ico.org.uk
Telephone: 0303 123 1113
16.5 The right to lodge a complaint with the Information Commissioner’s Office does not affect any other legal rights or remedies that may be available to you under the UK General Data Protection Regulation, the Data Protection Act 2018 or any other applicable legislation. AIO Legal Services will cooperate fully with the Information Commissioner’s Office and any other competent authority in relation to any investigation, enquiry or regulatory matter concerning the processing of personal data.
17. Changes to This Privacy Policy
17.1 AIO Legal Services reserves the right to amend, update or replace this Privacy Policy at any time to reflect changes in applicable legislation, regulatory guidance, professional requirements, judicial decisions, technological developments, cybersecurity risks, business operations or our information governance practices.
17.2 Where changes are material or are likely to have a significant impact on the way in which personal data is processed, AIO Legal Services will take reasonable steps to bring those changes to the attention of affected individuals where required by applicable law. Minor amendments, editorial changes or updates made to improve clarity or reflect operational changes may be made without separate notice.
17.3 The most current version of this Privacy Policy will always be published on our website and will supersede all previous versions from the date of publication. We encourage individuals to review this Privacy Policy periodically to remain informed about how AIO Legal Services protects and processes personal data.
17.4 Where we propose to process personal data for a purpose that is materially different from that described in this Privacy Policy, we will, where required by applicable data protection legislation, provide appropriate privacy information and, where necessary, obtain any required consent before commencing such processing.
17.5 Nothing in this Privacy Policy shall limit or affect any rights or obligations arising under applicable data protection legislation, professional rules or any contractual arrangements between AIO Legal Services and its clients.
