Privacy notice

This privacy notice provides information on how we collect, use and share your personal data and your related rights pursuant to the UK General Data Protection Regulation (“UK GDPR”) and EU General Data Protection Regulation (“EU GDPR”), as applicable. 

Introduction

Macfarlanes LLP is a law firm authorised and regulated by the Solicitors Regulation Authority (SRA number: 486980). For further details please see our legal and regulatory page.  

This privacy notice sets out how Macfarlanes LLP and its related entities (including Macfarlanes Services Limited and Embleton Trust Corporation Limited) (together herein referred to as “Macfarlanes”, “we”, “us” or “our”) collect, use and share your personal data. It also explains your rights in relation to your personal data and what to do if you have a complaint. We may provide you with additional privacy notices where we believe that it is appropriate to do so. Those additional notices supplement, and should be read together with, this privacy notice. This privacy notice does not apply to any third party websites that may have links to our own website, nor to any third party websites to which our website links.

We take your privacy very seriously. We are committed to processing personal data in compliance with applicable data protection legislation, including the UK GDPR and EU GDPR. Please read this privacy notice carefully alongside any applicable terms and conditions. 

1. Your personal data

Personal data is any information that can be used to identify a natural person. We collect and process the following personal data in the course of providing legal and professional services and running our business, including (but not limited to):

  • identity, contact, biographical and background information such as your full name, address, telephone number, email address, gender, date of birth, nationality, residency, passport details, financial information including bank account details, and application and screening information (such as CVs, qualifications, right to work information, background checks and references);
  • special category data (such as data concerning your health (for example dietary requirements), racial or ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data) or data relating to a criminal record or alleged criminal activity;
  • personal data which may be contained in documents and correspondence as part of a matter on which we are instructed;
  • technical information, such as the number and frequency of visits you make to our website or portals, your geographic location, your operating system and browser type and the search terms you use, which we receive via our technology tools;
  • marketing information such as your marketing preferences; and
  • CCTV images of you when you visit our premises for example when attending meetings or events or making deliveries.

We collect and process personal data about you if you are, for example, a:

  • current, former or prospective client (if an individual), or an employee, officer, representative or ultimate beneficial owner of a current, former or prospective client;
  • beneficiary, trustee or settlor of any trusts in respect of which we act;
  • other third party involved in client matters such as a counterparty (or its personnel) or any witness, expert, intermediary or professional adviser;
  • supplier or a supplier’s personnel or contractor;
  • visitor to our premises; or
  • applicant for a role or work experience opportunity, open day or insight event with us.

We obtain personal data directly from you, your organisation or representatives, from our clients and their advisers, counterparties and their advisers, courts, authorities, public sources and registers, publication databases, our service providers, via our IT systems (including email, CCTV, videoconferencing tools such as Microsoft Teams or Zoom, e-disclosure and collaboration platforms) and, in connection with recruitment applications, from sources including virtual assessment centres and screening providers.

2. Processing your personal data

We determine the purposes for which we process personal data and will therefore, in most circumstances, be the data controller in relation to the processing activities described in this privacy notice.

We process your personal data for different purposes, relying on one or more lawful bases under UK GDPR or EU GDPR, as applicable, including:

  • to provide legal, trustee and trust administration services or related services (such as e-disclosure) to our relevant clients, which, if you are not a client, may involve our handling your personal data on behalf of our clients, and for the administration of our business. This may include the use of technologies, including AI-enabled tools, to support this. 

    Lawful bases: contract; legitimate interests; or where needed, consent. Special category/criminal data condition: establishment, exercise or defence of legal claims; or where needed, explicit consent.

  • to comply with our legal and regulatory (including anti-financial crime legislation which involves conducting customer due diligence (CDD) checks and sanctions screening. We carry out CDD background checks through third party suppliers, including Refinitiv, whose privacy  statement can be found on its website

    Lawful bases: legal obligation; legitimate interests. Special category/criminal data conditions: establishment, exercise or defence of legal claims; substantial public interest (for example, regulatory requirements; preventing fraud or unlawful acts; suspicion of terrorist financing or money laundering).

  • to manage and administer our relationships with our clients, their personnel and intermediaries and our other business, supplier and professional contacts.
     
    Lawful bases: legitimate interests.

  • to establish, exercise or defend our legal rights (including for the prevention, detection, investigation or prosecution of crimes, recovery of monies owed to us, or dealing with queries, complaints or claims and notifying our insurers).

    Lawful bases: legal obligation; legitimate interests. Special category/criminal data conditions: establishment, exercise or defence of legal claims.

  • for recruitment purposes including application management, interviews and assessments, background checks and right to work verification. 

    Lawful bases: contract; legal obligation; legitimate interests; consent where appropriate. Special category/criminal data conditions (as applicable): employment; establishment, exercise or defence of legal claims; explicit consent.

  • to promote our legal services, including sending you and your personnel newsletters, legal updates, marketing communications and other information that may be of interest and inviting you to events. 

    Lawful bases: legitimate interests; consent where required (for example, when subscribing to receive marketing communications for us).

  • for managing events, hospitality and travel arrangements, where applicable. 

    Lawful bases: legitimate interests; consent. Special category conditions: Explicit consent (for example where we need to collect dietary requirements).

  • to record and monitor your visits to our website or portal and your use of our technology tools and to make and retain recordings and transcriptions of meetings and telephone or video calls (where applicable).

    Lawful bases: legitimate interests.

We do not use your personal data for solely automated decision-making or profiling.

3. Sharing your personal data

We may share your personal data with trusted third parties, both within and outside the United Kingdom or the European Economic Area (‘EEA’) including, as appropriate to the activity, with:

  • clients and their representatives;
  • third parties involved in client matters such as counterparties (or their personnel) or any witness, expert, intermediary or professional advisers (such as barristers, overseas law firms accountants) surveyors, notaries, paying agents, trustees and trust counterparties, family offices and other intermediaries;
  • regulatory authorities (for example, SRA, FCA/PRA), government agencies (for example, HMRC), law enforcement agencies (for example, the NCA), courts, tribunals, public registrars (for example Companies House, Land Registry etc.) and other official bodies;
  • our bank and insurers, and our auditors, brokers and other advisers;
  • suppliers to whom we outsource certain support services such as translation and interpreting, photocopying, e-disclosure, data room provision and document review, document management and collaboration platforms, trial/hearing bundle providers, litigation support providers;
  • other suppliers of goods and services (including IT services), including hosting providers of our IT infrastructure, service-desk and security providers, email and collaboration platforms, finance and billing systems, marketing systems and website service providers; and
  • third parties involved in organising events or seminars.

Where we share personal data with such third parties, we do so pursuant to contractual arrangements (that include required data protection terms) or regulatory obligations. 

4. International transfers

Where third parties with whom we share your personal data process it outside the United Kingdom, EEA or an adequate country, we will use appropriate safeguards in accordance with UK or EU data protection law, such as the UK Addendum to the EU Standard Contractual Clauses, the International Data Transfer Agreement, or other recognised transfer mechanisms, to ensure that your personal data remains protected and secure in accordance with applicable data protection laws.

5. Information security and data retention   

We ensure that the personal data we hold is secured by appropriate technical and organisational security measures that are appropriate to the nature, scope, context and purpose of the processing and the risks posed to the rights and freedoms of individuals. Our information security measures are in line with globally recognised information security standards.

We have trained all our personnel on our data protection obligations and have put in place procedures to address any data breaches. We will notify you and any applicable regulator of a data breach where we are legally required to do so.

We retain personal data only for as long as necessary for the purposes for which it was collected, including to satisfy legal, regulatory, accounting or reporting requirements or for our own legitimate interests including for professional liability reasons. Retention periods vary depending on the category of data and processing context. By way of illustration:

  • Client matter files are typically retained for at least 12 years after matter closure. Certain files may be kept longer or indefinitely where appropriate (for example, trust files; wills and probate records with surviving spouse/partner considerations etc.).
  • Transcriptions in Microsoft Teams or Zoom will be deleted after 30 days.
  • CCTV footage is typically retained for around 30 days.
  • Personal data of unsuccessful candidates is typically retained for 2 years.

6. Cookies and similar technologies

We use cookies on our website to ensure it functions properly and, where you choose, to help us improve how it performs. We use the following types of cookies, which perform different functions as explained below and as further detailed in the Cookiebot.

We use the following types of cookies:

  • Strictly necessary cookies – these cookies are essential for the operation of our website, including page navigation, security, fraud prevention and remembering your cookie preferences. They are always on and do not require your consent.
  • Statistics cookies – these cookies help us understand how visitors use our website by collecting information in an aggregated and anonymised form. They are only used if you choose to allow them.
  • Third-party service cookies – some cookies are set by trusted third-party services that support the website, such as services used for security, video content, interactive content and consent management.

If you reject non-essential cookies, the website will still work, but some features (such as embedded content) may not display as intended.

More information on cookies is available at allaboutcookies.org.

7. Your rights

Under certain circumstances, by law you may have the right to:

  • request access to your personal data and information about how we process it;
  • request rectification or deletion of the personal data that we hold about you;
  • request the restriction of processing of your personal data;
  • request the transfer of your personal data to another party in a machine-readable, commonly used and structured format;
  • object to processing of your personal data where we are relying on a legitimate interest (or that of a third party); or
  • withdraw your consent at any time, where we use consent as our lawful basis.

If you want to exercise any of these rights, please contact us at [email protected].  

The above rights are not absolute, and each is subject to exceptions and qualifications, including for example to protect legal privilege, the rights of others, and to comply with legal and regulatory obligations. We will aim to respond to your request without undue delay and within one month of its receipt. In some cases, for example, if the request is complex, we may not be able to fulfil your request before this date and may need to extend the timeframe. Where we do so, we will let you know about this in our initial reply to your request, or as soon as we become aware that an extension is required.

You also have the right to ask us not to not send you marketing messages by post, telephone or email or any combination of these at any time. You can do this:

  • by replying directly to our marketing message;
  • by unsubscribing from all marketing by clicking the appropriate link in any marketing message you receive from us; or
  • at any time by contacting us at [email protected].

8. Changes to this Privacy Notice 

We may update this privacy notice at any time without notice. The date of the most recent update appears below. Your continued use of this website or our services, interaction with us, (for example, on client matters), application for roles with us or provision of services to us, following the posting of changes to these terms, will mean you accept these changes.

9. Contacting us

If you have any questions about this privacy notice, wish to request further information about any of the above rights, or have any queries or concerns about our use of your personal data, please contact us at [email protected]. We will acknowledge your email within 30 days and take appropriate steps to investigate and respond to you without undue delay. 

If you are not satisfied with our response to your complaint or believe our processing of your information does not comply with data protection law, you can make a complaint to the Information Commissioner’s Office at ico.org.uk/global/contact-us or call on 0303 123 1113.

_
Last updated: 12 January 2026