Data Protection Policy

 

AIO Legal Services

Last Update: 08/11/ 2025

Purpose

The purpose of this Data Protection Policy is to ensure that AIO Legal Services processes personal data lawfully, fairly, transparently and securely in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all other applicable data protection legislation.

The Policy establishes the firm’s framework for protecting personal data, preserving client confidentiality, maintaining information security, and ensuring compliance with legal and regulatory obligations. It applies to all personal data processed by the firm, whether relating to clients, prospective clients, employees, consultants, suppliers, counterparties or other individuals.

The firm recognises that the protection of personal information is fundamental to maintaining client trust, safeguarding confidential legal information, and fulfilling its professional obligations as a CILEx Regulation authorised practice.

All Directors, consultants, employees, contractors and any person processing personal data on behalf of the firm are required to comply with this Policy and any associated procedures.

Scope

This Policy applies to all processing of personal data undertaken by AIO Legal Services, regardless of whether the information is held electronically, in paper form, or by any other means.

The Policy applies to all Directors, Compliance Managers, consultants, employees, temporary staff, contractors, agents, outsourced service providers, and any other person processing personal data on behalf of the firm.

The Policy governs the processing of personal data relating to, including but not limited to:

  • clients and prospective clients;
  • former clients;
  • employees and consultants;
  • job applicants;
  • suppliers and service providers;
  • professional advisers;
  • counterparties and their representatives;
  • witnesses and experts;
  • third parties connected with legal matters; and
  • visitors to the firm’s premises and website.

The Policy applies throughout the entire information lifecycle, including the collection, recording, organisation, storage, use, disclosure, sharing, transfer, retention, archiving, and secure disposal of personal data.

All individuals processing personal data on behalf of the firm are required to comply with this Policy, the firm’s Information Security Policy, Records Management Policy, Confidentiality Policy, Cyber Security Policy, and all other relevant internal procedures.

Failure to comply with this Policy may result in disciplinary action, termination of engagement, regulatory reporting where appropriate, and any other action considered necessary to protect the interests of the firm, its clients, and affected individuals.

Legal Framework

AIO Legal Services is committed to processing personal data in accordance with all applicable data protection legislation and professional regulatory requirements.

This Policy is based upon, and shall be interpreted consistently with, the following legislation and regulatory guidance, as amended from time to time:

  • UK General Data Protection Regulation (UK GDPR);
  • Data Protection Act 2018;
  • Privacy and Electronic Communications (EC Directive) Regulations 2003 (where applicable);
  • Human Rights Act 1998;
  • Freedom of Information Act 2000 (where applicable);
  • Computer Misuse Act 1990;
  • Network and Information Systems Regulations 2018 (where applicable);
  • Legal Services Act 2007;
  • CILEx Regulation Code of Conduct and all applicable CILEx Regulation Rules;
  • guidance issued by the Information Commissioner’s Office (ICO); and
  • any other applicable legislation relating to privacy, confidentiality, information security, cyber security, or the lawful processing of personal data.

Where this Policy conflicts with any mandatory legal or regulatory requirement, the applicable law or regulatory requirement shall prevail.

The Compliance Manager shall monitor legislative and regulatory developments and ensure that this Policy is reviewed and updated whenever necessary to maintain compliance.

Data Protection Principles

AIO Legal Services shall process all personal data in accordance with the data protection principles contained within Article 5 of the UK GDPR.

Accordingly, the firm shall ensure that personal data is:

  • processed lawfully, fairly and transparently;
  • collected only for specified, explicit and legitimate purposes;
  • adequate, relevant and limited to what is necessary for the intended purpose;
  • accurate and, where necessary, kept up to date;
  • retained only for as long as necessary to fulfil the purposes for which it was collected or to comply with legal or regulatory obligations;
  • processed using appropriate technical and organisational measures to ensure its security, integrity and confidentiality; and
  • managed in a manner that enables the firm to demonstrate compliance with all applicable data protection obligations.

The firm shall maintain appropriate policies, procedures, training, security controls, and compliance monitoring arrangements to ensure that these principles are embedded throughout its operations.

All personnel are responsible for protecting personal data and shall process such information only where authorised, necessary for their duties, and in accordance with this Policy and the firm’s professional confidentiality obligations.

Roles and Responsibilities

AIO Legal Services recognises that effective data protection requires clear accountability and defined responsibilities at every level of the organisation. All individuals who process personal data on behalf of the firm are responsible for ensuring that such information is handled lawfully, securely and in accordance with this Policy, applicable legislation and the firm’s professional obligations.

Director

The Director has overall responsibility for ensuring that the firm complies with its obligations under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and all applicable legal and regulatory requirements. The Director shall:

  • promote a culture of data protection and information security throughout the firm;
  • ensure that appropriate policies, procedures and technical measures are implemented and maintained;
  • allocate sufficient resources to support effective data protection compliance;
  • oversee the firm’s data protection governance framework;
  • review significant data protection risks, breaches and compliance reports; and
  • ensure that appropriate corrective action is taken where deficiencies are identified.

Compliance Manager

The Compliance Manager shall oversee the firm’s day-to-day data protection compliance and shall:

  • monitor compliance with this Policy and applicable data protection legislation;
  • provide guidance on data protection obligations and best practice;
  • maintain appropriate records demonstrating compliance;
  • coordinate responses to data protection incidents and personal data breaches;
  • oversee data protection impact assessments where required;
  • monitor compliance with data retention and disposal requirements;
  • review third-party data processing arrangements;
  • coordinate responses to data subject rights requests; and
  • recommend improvements to strengthen the firm’s data protection framework.

Employees, Consultants and Contractors

Every individual processing personal data on behalf of the firm shall:

  • comply with this Policy and all related procedures;
  • process personal data only where authorised and necessary for their duties;
  • maintain the confidentiality of all personal and confidential information;
  • protect personal data against unauthorised access, disclosure, loss or misuse;
  • report actual or suspected personal data breaches immediately;
  • complete all required data protection training; and
  • cooperate fully with compliance reviews, audits and investigations.

Third-Party Service Providers

Where personal data is processed by external suppliers, consultants or service providers, AIO Legal Services shall ensure that appropriate contractual safeguards are in place to protect personal data and ensure compliance with applicable data protection legislation. The firm shall undertake appropriate due diligence before appointing any third-party processor and shall monitor their ongoing compliance where necessary.

Individual Responsibility

Data protection is a shared responsibility. Every person processing personal data on behalf of AIO Legal Services is expected to exercise appropriate care, professional judgement and accountability when handling personal information. Failure to comply with this Policy may result in disciplinary action, termination of engagement, regulatory reporting where appropriate, and any other action necessary to protect the rights of data subjects and the interests of the firm.

Categories of Personal Data

AIO Legal Services processes personal data only where it is necessary for the provision of legal services, the administration of the firm, compliance with legal and regulatory obligations, or for another lawful purpose under applicable data protection legislation.

The categories of personal data processed by the firm will vary depending upon the nature of the legal services provided and the relationship between the individual and the firm. The firm shall ensure that only personal data that is adequate, relevant and limited to what is necessary for the relevant purpose is collected and processed.

The firm may process, where applicable, the following categories of personal data:

  • personal identification details, including names, dates of birth, nationality, photographs and identification documents;
  • contact information, including residential addresses, correspondence addresses, telephone numbers and email addresses;
  • client identification and verification information collected for anti-money laundering and client due diligence purposes;
  • financial information, including bank account details, payment information, billing records and financial transaction data;
  • employment and professional information, including job titles, employers, qualifications, professional memberships and employment history;
  • legal matter information, including case files, correspondence, instructions, evidence, witness statements, contracts and legal advice;
  • communications data, including emails, letters, telephone attendance notes, meeting records and other communications relating to legal matters;
  • technical information, including IP addresses, device identifiers, website usage information and system access logs where collected through the firm’s IT systems or website;
  • supplier and contractor information necessary for the administration of the firm’s business operations;
  • recruitment and human resources information relating to applicants, employees and consultants, where applicable; and
  • any other personal data reasonably necessary for the provision of legal services or the fulfilment of the firm’s legal, contractual or regulatory obligations.

Where necessary and permitted by law, AIO Legal Services may also process special category personal data and criminal offence data. Such information shall be processed only where an appropriate lawful basis and, where required, an applicable condition for processing under the UK GDPR and the Data Protection Act 2018 has been identified. Additional safeguards shall be implemented to protect such information in accordance with the firm’s Information Security Policy and applicable legal requirements.

The firm shall periodically review the categories of personal data it processes to ensure that unnecessary or excessive information is not collected or retained, and that all processing remains proportionate to the legitimate purposes for which the data was obtained.

Lawful Bases for Processing

AIO Legal Services shall process personal data only where there is a lawful basis for doing so under Article 6 of the UK General Data Protection Regulation (UK GDPR). Before commencing any processing activity, the firm shall identify, document and, where appropriate, communicate the relevant lawful basis to the data subject through its Privacy Notice or other appropriate documentation.

Depending on the nature of the processing, the firm may rely on one or more of the following lawful bases:

Performance of a Contract

The firm shall process personal data where processing is necessary for the performance of a contract with a client, supplier, employee, consultant or other individual, or in order to take steps at the request of the data subject before entering into a contract. This includes processing personal data necessary for the provision of legal services, administration of client matters, billing and contractual management.

Compliance with a Legal Obligation

The firm shall process personal data where necessary to comply with legal or regulatory obligations, including obligations arising under anti-money laundering legislation, taxation legislation, court orders, regulatory requirements, legal reporting obligations and the rules governing legal practice.

Legitimate Interests

The firm may process personal data where such processing is necessary for its legitimate interests or those of a third party, provided those interests are not overridden by the rights and freedoms of the data subject. Legitimate interests may include:

  • managing and administering the firm’s business operations;
  • protecting the firm’s legal rights and interests;
  • preventing fraud, financial crime and cybercrime;
  • maintaining information security;
  • managing legal claims and disputes;
  • quality assurance and file auditing;
  • improving the firm’s services;
  • maintaining professional records; and
  • ensuring effective governance, compliance and risk management.

Where reliance is placed upon legitimate interests, the firm shall carry out an appropriate assessment to ensure that the processing is fair, proportionate and compatible with the rights of the data subject.

Consent

Where required by law, the firm shall obtain the data subject’s freely given, specific, informed and unambiguous consent before processing personal data. Consent may be relied upon for particular processing activities, such as certain marketing communications or where no other lawful basis is appropriate.

Individuals may withdraw their consent at any time. Withdrawal of consent shall not affect the lawfulness of any processing undertaken before the withdrawal.

Vital Interests

The firm may process personal data where necessary to protect the vital interests of an individual or another person, including situations involving an immediate risk to life or serious harm where no other lawful basis is reasonably available.

Public Task

Where applicable, the firm may process personal data where such processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the firm by law.

The Compliance Manager shall ensure that appropriate records are maintained identifying the lawful basis relied upon for each category of processing activity. Where the purpose of processing changes, the firm shall review the applicable lawful basis before undertaking the new processing activity.

AIO Legal Services shall not process personal data unless a valid lawful basis has been established and the processing is consistent with the principles set out in this Policy and the UK GDPR.

Special Category and Criminal Offence Data

AIO Legal Services recognises that, in the course of providing legal services, it may be necessary to process special category personal data and personal data relating to criminal convictions and offences. Such data shall be processed only where it is strictly necessary for a lawful purpose and in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all applicable legal and regulatory requirements.

Special category personal data includes information relating to an individual’s:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data used for identification purposes;
  • physical or mental health;
  • sex life; or
  • sexual orientation.

The firm may also process personal data relating to criminal convictions, criminal proceedings, alleged offences, sentencing, regulatory investigations or related matters where such processing is necessary for the provision of legal services or compliance with legal obligations.

Special category and criminal offence data shall only be processed where:

  • an appropriate lawful basis under Article 6 of the UK GDPR has been identified;
  • the applicable condition for processing under Article 9 of the UK GDPR or Schedule 1 to the Data Protection Act 2018 has been satisfied, where required;
  • the processing is necessary and proportionate to the purpose for which the information is collected;
  • appropriate technical and organisational safeguards are implemented to protect the information; and
  • access is restricted to authorised individuals with a legitimate business need to process the information.

Where appropriate, additional safeguards shall include:

  • enhanced access controls and user permissions;
  • encryption of electronic records and secure storage of paper records;
  • confidential transmission of sensitive information;
  • secure disposal in accordance with the firm’s Records Management Policy;
  • regular monitoring of access to sensitive information; and
  • periodic reviews to ensure that continued retention remains necessary and lawful.

The firm shall ensure that special category and criminal offence data is not collected or retained unless it is directly relevant to the legal services provided or required to comply with a legal, regulatory or professional obligation. Such information shall not be disclosed to third parties except where authorised by the data subject, required by law, necessary for the administration of justice, or otherwise permitted under applicable legislation.

The Compliance Manager shall oversee the firm’s arrangements for processing sensitive personal data and shall periodically review relevant processing activities to ensure continued compliance with applicable legislation, regulatory guidance and the firm’s data protection and information security policies.

Client Confidentiality

AIO Legal Services recognises that client confidentiality is a fundamental principle of legal practice and is essential to maintaining public confidence, preserving legal professional privilege and complying with the firm’s legal, ethical and regulatory obligations. The firm is committed to protecting all confidential information entrusted to it and shall ensure that such information is handled with the highest standards of care, integrity and security.

All Directors, consultants, employees, contractors and any other individual acting on behalf of the firm owe a continuing duty of confidentiality in respect of all information acquired during the course of their work. This duty continues after the termination of employment, consultancy or any other professional relationship with the firm.

Confidential information shall only be accessed, used or disclosed where:

  • it is necessary for the proper provision of legal services;
  • the individual has appropriate authority to access the information;
  • the client has provided informed consent where required;
  • disclosure is required or permitted by law, court order or regulatory obligation; or
  • disclosure is otherwise permitted under applicable legal or professional rules.

The firm shall implement appropriate technical and organisational measures to safeguard confidential information, including:

  • restricting access to confidential information on a need-to-know basis;
  • maintaining secure electronic and physical storage systems;
  • encrypting sensitive electronic communications and data where appropriate;
  • using secure methods for transferring confidential information;
  • protecting confidential discussions from unauthorised disclosure;
  • securely disposing of confidential documents and electronic records when no longer required; and
  • monitoring compliance with the firm’s information security and confidentiality procedures.

Where legal professional privilege applies, AIO Legal Services shall take all reasonable steps to preserve and protect that privilege. Personnel shall exercise particular care when communicating with clients, third parties, courts, regulators and other professionals to ensure that privileged or confidential information is not disclosed inadvertently.

Confidential information shall not be discussed in public places, disclosed through unsecured communication channels, or shared with unauthorised individuals. Personnel working remotely shall ensure that confidential information remains protected at all times and that appropriate security measures are maintained when accessing or processing client information outside the firm’s office.

Any actual or suspected unauthorised disclosure, loss or compromise of confidential information shall be reported immediately to the Compliance Manager, investigated without undue delay, and managed in accordance with the firm’s Data Breach Management procedures. Where required, appropriate notifications shall be made to affected individuals, the Information Commissioner’s Office (ICO), CILEx Regulation or any other competent authority.

The firm shall periodically review its confidentiality arrangements, information security controls and working practices to ensure that client confidentiality remains protected and that the firm continues to comply with its legal, regulatory and professional obligations.

Data Collection

AIO Legal Services shall collect personal data only where it is necessary for the provision of legal services, the administration of the firm’s business, compliance with legal or regulatory obligations, or another lawful purpose identified under the UK General Data Protection Regulation (UK GDPR).

The firm shall ensure that all personal data is collected lawfully, fairly and transparently, and that individuals are informed of how their information will be used through the firm’s Privacy Notice or other appropriate communications.

Personal data may be collected directly from the individual or, where lawful and appropriate, from third parties, including:

  • clients and prospective clients;
  • authorised representatives;
  • employers or professional advisers;
  • courts and tribunals;
  • government departments and public authorities;
  • law enforcement agencies;
  • financial institutions;
  • regulatory bodies;
  • counterparties and their legal representatives;
  • witnesses and experts;
  • publicly available sources;
  • credit reference or identity verification agencies;
  • anti-money laundering and sanctions screening providers; and
  • other third parties where permitted or required by law.

The firm shall collect only the personal data that is adequate, relevant and limited to what is necessary for the specific purpose for which it is processed. Unnecessary or excessive personal information shall not be requested or retained.

Where personal data is collected directly from an individual, the firm shall, where required by law:

  • identify itself as the data controller;
  • explain the purpose for which the data is being collected;
  • identify the lawful basis for processing;
  • explain any intended disclosures to third parties;
  • inform individuals of their rights under data protection legislation; and
  • provide access to the firm’s Privacy Notice.

Where personal data is obtained from sources other than the individual concerned, the firm shall provide the information required by Articles 13 and 14 of the UK GDPR within the applicable statutory timescales, unless a lawful exemption applies.

The firm shall implement appropriate procedures to verify the accuracy of personal data collected and shall take reasonable steps to ensure that inaccurate or incomplete information is corrected without undue delay.

All personal data collected shall be handled securely from the point of collection and shall be protected against unauthorised access, alteration, disclosure, loss or destruction through appropriate technical and organisational measures. The Compliance Manager shall periodically review the firm’s data collection practices to ensure that they remain lawful, proportionate, transparent and consistent with this Policy and applicable data protection legislation.

Privacy Notices

AIO Legal Services is committed to processing personal data in a transparent and accountable manner. The firm shall provide clear, accurate and easily accessible Privacy Notices informing individuals how their personal data is collected, used, stored, shared and protected, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Privacy Notices shall be provided at the time personal data is collected or, where personal data is obtained from another source, within the timescales prescribed by applicable data protection legislation, unless a lawful exemption applies.

The firm’s Privacy Notices shall be concise, transparent and written in clear and plain language. They shall include, where applicable:

  • the identity and contact details of AIO Legal Services;
  • the categories of personal data collected;
  • the purposes for which personal data is processed;
  • the lawful basis relied upon for processing;
  • where applicable, the conditions relied upon for processing special category or criminal offence data;
  • the categories of recipients with whom personal data may be shared;
  • details of any international transfers of personal data and the safeguards applied;
  • the period for which personal data will be retained, or the criteria used to determine that period;
  • the rights available to data subjects under applicable data protection legislation;
  • the right to withdraw consent where processing is based on consent;
  • the right to lodge a complaint with the Information Commissioner’s Office (ICO);
  • whether the provision of personal data is a statutory or contractual requirement;
  • the consequences of failing to provide requested information, where applicable; and
  • details of any automated decision-making or profiling, where relevant.

The firm shall review its Privacy Notices periodically to ensure that they remain accurate, complete and consistent with current legislation, regulatory guidance and the firm’s processing activities. Where material changes occur, updated Privacy Notices shall be issued promptly to affected individuals where required.

Privacy Notices shall be made readily available through appropriate channels, including the firm’s website, client engagement documentation, recruitment materials and other communications where personal data is collected.

The Compliance Manager shall oversee the preparation, maintenance and periodic review of all Privacy Notices to ensure that they accurately reflect the firm’s data processing activities and continue to satisfy the transparency requirements of the UK GDPR and the Data Protection Act 2018.

Data Minimisation, Storage Limitation and Retention

AIO Legal Services shall ensure that personal data is collected, processed and retained only to the extent necessary for the lawful purposes for which it was obtained. The firm is committed to complying with the principles of data minimisation and storage limitation under the UK General Data Protection Regulation (UK GDPR) by ensuring that personal data remains adequate, relevant, accurate and limited to what is necessary throughout its lifecycle.

The firm shall collect and process only the minimum amount of personal data required to provide legal services, comply with legal or regulatory obligations, administer its business operations, or fulfil another identified lawful purpose. Personal data that is excessive, irrelevant or no longer required shall not be collected or retained.

Before collecting personal data, personnel shall consider whether the information requested is necessary and proportionate for the intended purpose. Where the purpose can reasonably be achieved using less personal data, unnecessary information shall not be requested or processed.

Personal data shall be retained only for as long as necessary to:

  • provide legal services to clients;
  • comply with statutory, regulatory or professional obligations;
  • establish, exercise or defend legal claims;
  • comply with court orders or regulatory investigations;
  • satisfy taxation, accounting and record-keeping requirements; or
  • fulfil any other lawful business purpose.

The firm shall maintain a documented Records Retention Schedule specifying the retention periods applicable to different categories of personal data and business records. Retention periods shall be determined by reference to applicable legislation, regulatory requirements, limitation periods, contractual obligations and the operational needs of the firm.

The Compliance Manager shall periodically review retained personal data to identify information that is no longer required. Where retention is no longer justified, personal data shall be securely deleted, anonymised or destroyed using methods appropriate to the nature and sensitivity of the information.

Electronic records shall be permanently deleted using secure deletion procedures where appropriate, while paper records shall be disposed of through confidential shredding or other secure destruction methods. The firm shall ensure that personal data cannot be reconstructed or accessed following disposal.

Where personal data is required to be retained beyond the normal retention period due to ongoing litigation, regulatory investigations, legal proceedings or other lawful reasons, the information shall be retained only for the period reasonably necessary to fulfil those purposes and shall continue to be protected in accordance with this Policy.

The Compliance Manager shall monitor compliance with the firm’s retention procedures through periodic reviews and audits to ensure that personal data is not retained longer than necessary and that the firm continues to comply with the UK GDPR, the Data Protection Act 2018, CILEx Regulation requirements and all other applicable legal and regulatory obligations.

Data Subject Rights and Subject Access Requests

AIO Legal Services is committed to respecting and protecting the rights of individuals under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The firm shall ensure that all requests relating to personal data are handled promptly, fairly and in accordance with applicable legal requirements.

Subject to any applicable legal exemptions, individuals whose personal data is processed by the firm may exercise the following rights:

  • the right to be informed about how their personal data is processed;
  • the right of access to their personal data;
  • the right to request rectification of inaccurate or incomplete personal data;
  • the right to request erasure of personal data in circumstances permitted by law;
  • the right to request restriction of processing;
  • the right to data portability where applicable;
  • the right to object to certain processing activities;
  • rights relating to automated decision-making and profiling, where applicable; and
  • the right to lodge a complaint with the Information Commissioner’s Office (ICO).

The firm shall maintain procedures to ensure that requests made by data subjects are identified, recorded, acknowledged and responded to within the statutory time limits prescribed by the UK GDPR.

A request by an individual to obtain confirmation of whether the firm processes their personal data, or to obtain a copy of that data, shall be treated as a Subject Access Request (SAR). Subject Access Requests may be made verbally or in writing and shall be referred promptly to the Compliance Manager upon receipt.

Before responding to a Subject Access Request, the firm may take reasonable steps to verify the identity of the requester where there is any doubt as to their identity. Where additional information is reasonably required to identify the data requested or confirm the requester’s identity, the statutory response period may commence once the necessary information has been received.

The firm shall respond to Subject Access Requests without undue delay and, in any event, within one month of receiving the request or, where applicable, within such extended period as permitted by law. Where an extension is necessary due to the complexity or number of requests, the individual shall be informed of the extension and the reasons for it within the initial one-month period.

Where permitted by law, the firm may refuse a request or withhold information where a statutory exemption applies, including circumstances involving legal professional privilege, confidential references, the rights and freedoms of other individuals, ongoing legal proceedings or any other exemption recognised under the UK GDPR or the Data Protection Act 2018. Any refusal shall be communicated to the requester together with the reasons for the decision and information regarding their right to complain to the Information Commissioner’s Office (ICO) or seek a judicial remedy.

The Compliance Manager shall maintain a Data Subject Request Register recording all requests received, actions taken, correspondence, response dates, outcomes and any reliance upon statutory exemptions. Records shall be retained as part of the firm’s compliance documentation to demonstrate accountability and compliance with applicable data protection legislation.

The firm shall periodically review its procedures for handling Data Subject Rights and Subject Access Requests to ensure continued compliance with the UK GDPR, the Data Protection Act 2018, guidance issued by the Information Commissioner’s Office, and the firm’s commitment to transparency, accountability and the protection of personal data.

Rectification, Erasure and Restriction

AIO Legal Services is committed to ensuring that personal data is accurate, complete and processed in accordance with the rights afforded to individuals under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The firm shall maintain appropriate procedures for considering and responding to requests for the rectification, erasure or restriction of personal data.

Right to Rectification

Individuals have the right to request the correction of personal data that is inaccurate or incomplete. Upon receiving such a request, the firm shall assess the information provided and, where appropriate, rectify or update the personal data without undue delay.

Where personal data has been disclosed to third parties, the firm shall, where reasonably practicable and required by law, notify those recipients of the rectification unless doing so proves impossible or involves disproportionate effort.

Right to Erasure

Individuals may request the erasure of their personal data in circumstances permitted by the UK GDPR, including where:

  • the personal data is no longer necessary for the purpose for which it was collected;
  • consent is withdrawn and no other lawful basis for processing exists;
  • the individual successfully objects to the processing;
  • the personal data has been processed unlawfully; or
  • erasure is required to comply with a legal obligation.

The right to erasure is not absolute. AIO Legal Services may refuse a request where the continued processing or retention of personal data is necessary, including for:

  • compliance with legal or regulatory obligations;
  • the establishment, exercise or defence of legal claims;
  • the administration of justice;
  • the exercise of legal professional privilege;
  • the performance of a task carried out in the public interest; or
  • any other exemption recognised under the UK GDPR or the Data Protection Act 2018.

Right to Restriction of Processing

Individuals may request that the firm restrict the processing of their personal data in circumstances permitted by law, including where:

  • the accuracy of the personal data is contested;
  • the processing is alleged to be unlawful and the individual opposes erasure;
  • the firm no longer requires the personal data, but the individual requires it for the establishment, exercise or defence of legal claims; or
  • the individual has objected to the processing pending verification of whether the firm’s legitimate grounds override those of the individual.

Where processing has been restricted, the firm shall continue to store the personal data but shall not otherwise process it unless permitted by law or with the individual’s consent.

All requests for rectification, erasure or restriction shall be referred promptly to the Compliance Manager, who shall assess the request, verify the identity of the requester where appropriate, and ensure that a response is provided within the statutory timescales prescribed by the UK GDPR.

The Compliance Manager shall maintain appropriate records of all requests received, decisions made, actions taken and any reliance upon statutory exemptions. Where a request is refused, the individual shall be informed of the reasons for the decision together with their right to complain to the Information Commissioner’s Office (ICO) and to seek a judicial remedy.

The firm shall periodically review its procedures relating to rectification, erasure and restriction of processing to ensure continued compliance with applicable data protection legislation and regulatory guidance.