
Hextalls Ltd t/a Hextalls Law is committed to the protection and safeguarding of personal data (by which we mean personal data as defined in Article 4 of the General Data Protection Regulation EU 2016/679). We understand the importance of data protection. We respect the privacy of individuals whose personal data we process and we will always ensure that it is only used for specific and lawful purposes in accordance with applicable UK data protection legislation.


This policy explains the types of data we will collect and how we may collect, store and use it. It also sets out the basis upon which we may collect data and your rights in relation to this.


We are a regulated law firm. We are regulated by the Solicitors Regulation Authority and are registered with the Information Commissioner. We work on dispute resolution and contentious claims as well as providing advice to clients on business law, employment law and other issues that arise in the conduct of their business. We also act for individuals on particular matters.


This policy applies to personal data collected by us in connection with the services we offer, and includes any information you provide when you sign up to our newsletter or for any of our events.


We are a data controller and are responsible for the lawful use of your data under the General Data Protection Regulation and the Data Protection Act 2018. We do not require a Data Protection Officer but have appointed a Data Protection Manager and if you have any queries or complaints you should direct these to him in the first instance at Hextalls Law, Charrington’s House, The Causeway, Bishop’s Stortford, Hertfordshire, CM23 2ER.


You can also complain to the Information Commissioner’s Office (ICO) if you have any concerns. The ICO’s details are:

Wycliffe House
Water Lane
Cheshire SK9 5AF
United Kingdom

Telephone: +44 (0) 303 123 1113


The data we collect

In the course of our business we will have to collect personal data, which means personal information about an individual who can be identified from that data. We may need to do this for a number of reasons.


If you are a client we will need to collect your personal data which may include your name, position, address, contact details and business details. We may also collect data on your industry and your business interests. By law we must collect (and copy) information to allow us to verify your identity, such as your passport details and evidence of your home address. This is to satisfy the requirements of the relevant money laundering and anti-terrorism legislation in the UK.


More generally we may have to collect, use, store and transfer the following categories of personal data about certain individuals:

  • Identification details – including name, title, date of birth, passport or other identifying document details, national insurance or tax numbers, driving licence number and other similar information;

  • Individual details – including name, address, gender, marital status, place of work, place of birth, date of birth, nationality, employer and employment history, email address and telephone numbers;

  • Financial information – including bank account and payment card details, income and expenditure, tax history, credit history and other financial information;

  • Marketing information – including contact details and preferences for marketing communications;

  • Claims information – including information about any claims you are making or have previously made and information from government departments including the DWP and HMRC as well as possibly surveillance reports and reports of your online activities;

  • Sensitive personal data which could include details about your race and ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, medical information about your health and genetic and biometric data. We may also need to collect information about criminal convictions and offences.

  • Generally, we will obtain this personal data directly from you. Sometimes, we may obtain personal data about you from third parties (for example, a medical expert may provide a report about your health) or public sources (for example, Companies House). Sometimes we may obtain it without your consent, as in certain situations we do not need your consent to obtain it, but we will always do so in a lawful manner that is compliant with data protection legislation.

Whose personal data do we process?

  • We process personal information about a wide range of individuals including:

  • clients

  • other lawyers and their colleagues

  • claimants, their families and associates

  • witnesses

  • advisers, consultants, professional experts

  • suppliers and service providers

  • our employees

  • potential clients and people who make enquiries of us

Who do we share personal data with?

  • Sometimes we have to share personal data with other people outside our company. This is only ever done on a lawful basis and for legitimate purposes. The types of people we may need to share information with are set out below:

  • clients

  • claimants and their families

  • claimants’ representatives

  • government departments, for example the Department for Work and Pensions or HMRC

  • current, past or prospective employers

  • healthcare professionals

  • suppliers and service providers

  • employment and recruitment agencies

  • regulatory authorities including ombudsmen

  • private investigators and process servers

  • other law firms

  • barristers and their employees

  • courts and tribunals

  • credit reference agencies

  • debt collection agencies

  • tracing agencies

  • law enforcement agencies

  • When we have to share personal data we take appropriate care to ensure we do so through the most secure and appropriate means possible to safeguard it against accidental loss or disclosure.

The basis upon which we use personal data

  • We will only ever process personal data where we have a genuine need and lawful basis to do so. The lawful processing conditions we generally rely on to process personal data are set out below.

Personal Data

  • explicit consent of the data subject to the processing of his or her personal data for one or more specific purposes;

  • the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

  • the processing is necessary for compliance with a legal obligation;

  • the processing is necessary for the purposes of our legitimate interests or those of our clients (except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child)

Special Category Data

  • the data subject has given explicit consent to the processing of his or her personal data for one or more specific purposes;

  • the processing relates to personal data which are manifestly made public by the data subject;

  • processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.

  • Sometimes we might process data and rely on different lawful processing conditions to those set out above. If so, we will inform the data subject of this (if we have to do so).

Data Retention

  • We only keep your data for as long as is necessary and where we have a legitimate reason to do so (for example a legal, accounting or reporting requirement). We have a records management policy to ensure that we do not keep data for longer than is required. We have considered retention periods for particular types of data and the periods we apply are determined based upon the type of data that we are holding and the purposes for which it was collected.

  • We have in place a proactive approach to retention and disposal of personal information, which means it is retained for the minimum period necessary and only where there is a legitimate reason or lawful basis to do so. We have a Records Management Policy that sets out the processes we follow to manage retention and disposal of personal information and which defines the periods for which personal data is retained.

  • We tell our clients for how long we will keep their data in our terms and conditions.

Data Security

  • We have precautions and procedures in place to ensure that personal data is kept secure. All our staff must adhere to these policies and procedures. Data is kept at our office locations and also in archives within the United Kingdom as well as with our IT service providers.

  • We have in place appropriate and up-to-date storage and security measures and techniques to protect personal data from unauthorised access, improper use or disclosure, unauthorised modification, unlawful destruction or accidental loss. We also limit access to personal data to those employees, agents, contractors and other third parties who need it. We require all third parties with whom we deal to have in place their own confidentiality and security procedures.

  • We have procedures in place to deal with any suspected personal data breach, and will notify the data subject and any applicable regulator of a breach where we are legally required to do so.

International Transfers

  • We may occasionally need to transfer personal data to countries outside of the European Economic Area. If we have to do this we will only do so where there is a lawful basis for the transfer. Where we transfer data overseas we will do so securely and we will seek to ensure that the recipients have in place appropriate data protection policies to safeguard the data that has been transferred.

Your Rights

  • Depending on the reason(s) we have collected your data, you may have the following rights. These apply in most but not all cases.


The Right of Access: You can ask us for a copy of the personal data we hold about you.


The Right of Rectification: This allows you to ask us to correct any inaccuracies in the data that we hold, though we may need to verify the accuracy of the new data you provide to us.


The Right to Request Erasure (the Right to be Forgotten): You can ask us to delete or remove personal data where there is no good reason for us to continue holding/processing it. We may not always be able to comply with this request as there may be good reasons (legal etc…) why we cannot do so.

The Right to Restriction of Processing: You can object to us processing your personal data where we are relying on a legitimate interest (or those of a third party) to do so but there is something about your situation which means you consider us processing that data impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. You can also ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

The Right to Data Portability: This allows you to have your personal information transferred to another organisation in a reusable electronic format. This right does not generally apply to the processing that we undertake but where we have the capability to provide personal data in an electronic, structured and commonly used machine readable format we will try to do so if you ask us to.

We try to respond to all legitimate requests within a month. Sometimes it may take us longer if your request is complex or you have made a number of requests. In this case, we will tell you that it will take longer and keep you updated.



We use cookies on our website. Cookies are text files containing small amounts of information which are downloaded to your device when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user’s device. You can find more information about cookies at: and for a video about cookies.


What if I do not want cookies on my computer?

You can prevent cookies being stored on your computer by changing your browser’s settings. For further guidance on how to do this please visit the website of the browser you use to visit this site, for instance Internet Explorer, Google Chrome, Firefox.

Please be advised that if you do not consent to and allow cookies from this site, parts of it may not work correctly and you are likely to experience longer loading times.

