Please read the following information carefully. This privacy notice contains information about what data we collect and store about you and why. It also tells you who we share this information with, the security mechanisms we have put in place to protect your data and how to contact us if you have a complaint.

Who are we?

Heckford Norton Solicitors collects, uses and is responsible for personal information about you. When we do this, we are the ‘controller’ of this information for the purposes of the UK General Data Protection Regulation (UK GDPR) and other applicable data protection laws.

Our Data Protection Officer

Name: Alex Graham

Address: Tudor House, 2 Letchmore Road, Stevenage, Hertfordshire, SG1 3HU

Phone Number: 01438 312 211


What do we do with your information?

Information collected by us

When carrying out our legal services, we may collect the following personal information that you provide to us (list is not exhaustive):

  • Name
  • Address
  • Date of Birth
  • National Insurance Number


How we use your personal information

We use your personal information for the following purposes:

  • To complete the contract for which you have instructed us to act on your behalf
  • To update and enhance our client records
  • To assist with legal and regulatory compliance requirements


Whether information has to be provided by you, and why?

This personal information must be provided by you to us, to enable us to comply with our contractual lawful basis with your consent (Article 6). When we collect information from you, we will inform you whether you are required to provide this information to us.


If you send us personal data about anyone other than yourself you will ensure you have any appropriate consents and notices in place to enable you to transfer that personal data to us, and so that we may use it for the purposes for which you provide it to us.

Legal reasons we collect and use your personal information

We rely on Consent and Contract as the main legal basis for processing your information.

Who will we share your personal information with?

Our work for you may require us to pass on such information to third parties such as expert witnesses, those who organise expert witnesses for the firm and other professional advisers, including sometimes advisers appointed by another party to your matter. We may also give such information to others who perform services for us, such as typing or photocopying. Our practice may be audited or checked by our accountants or our regulator, or by other organisations.

We will share personal information with law enforcement agencies if required by applicable law.

Data Protection in Respect of Money Laundering Checks

We may receive personal data from you for the purposes of our money laundering checks, such as a copy of your passport. These will be processed only for the purposes of preventing money laundering and terrorist financing, or as otherwise permitted by law or with your express consent. 

We will not share your personal information with any other third parties without your consent.

Transfer of your information to countries within the European Economic Area (EEA)

It may be necessary to transfer your personal information to countries within the EEA. These countries are subject to the General Data Protection Regulation (GDPR) which provides effectively identical data protection as the UK GDPR.

Transfer of your information to countries that are outside the EEA

It may be necessary to transfer your personal information to countries that are outside of the EEA or to an international organisation in order to complete the contractual matter you have instructed us to complete on your behalf.

These countries have been deemed by the European Commission to offer adequate protection of personal data. Any transfer will be subject to the international data transfer agreement or the international data transfer addendum to the European Commission’s standard contractual clauses for international data permitted under section 119A of the DPA 2018. These safeguards are designed to protect your privacy rights and provide you with remedies in the unlikely event that your personal information is misused.

If you would like any further information, please contact our Data Protection Officer.

Where will we store your personal data and how long for?

The information is securely stored within each of our office premises and our IT System.  

We keep personal data for 6 years unless otherwise agreed with you or required by law. We will then securely dispose of your information.


We are relying on your explicit consent to complete the legal services you have instructed us on. You provided this consent by signing our terms of business or by virtue of your continued instructions in your matter.


We are relying on you entering into a contract with us as part of the legal services provided to you or because you have asked us to take specific steps before entering into such a contract. By signing our terms of business or by virtue of your continued instructions in your matter you agreed to the continued processing of your information in this way.

You have the right to withdraw this consent at any time, but this will not affect the lawfulness of any processing activity we have carried out prior to you withdrawing your consent. You can opt-out by contacting the Fee Earner responsible for your matter or our Data Protection Officer.

Your data protection rights

Under the UK GDPR, you have a number of important rights that you can exercise free of charge. In summary, these rights are:

  • Access to your personal information and other supplementary information;
  • Rectification – require us to correct any mistakes or complete missing information we hold on you;
  • Erasure – require us to erase your personal information in certain circumstances;
  • Receive a copy of the personal information you have provided to us or have this information sent to a third party; this will be provided to you or the third party in a structured, commonly used and machine-readable format;
  • Object at any time to processing of your personal information for direct marketing;
  • Object in certain other situations to the continued processing of your personal information;
  • Restriction – Restrict our processing of your personal information in certain circumstances;
  • Data portability – ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
  • Request not to be subject to automated decision making which produces legal effects that concern you or affect you in a significantly similar way.


If you want more information about your rights under the UK GDPR, please see the guidance from the Information Commissioner’s Office on individuals’ rights under the UK GDPR.

If you want to exercise any of these rights, please contact our Data Protection Officer.

How to make a complaint

The UK GDPR also gives you the right to lodge a complaint with the Information Commissioner’s Office. Their contact details are:

Information Commissioner’s Office

Wycliffe House

Water Lane



SK9 5AF      

Helpline number: 0303 123 1113

Future processing

We do not intend to process your personal information for any reason other than stated within this privacy notice. If this changes, we will inform you in writing.

Changes to this privacy notice

We constantly review our internal privacy practices and may change this policy from time to time.

You can find a copy of our privacy notice on our website.

Get in touch

If you have any questions about this privacy notice or the information we hold about you, please contact the Fee Earner responsible for your matter in the first instance and then, in the alternative, the Data Protection Officer.

Alternative formats

If it would be helpful to have this notice provided in another format please contact us (see ‘Get in touch’ above).