Client privacy notice

In the course of our legal and commercial activities, we may obtain a range of personal data about you. This data may be received from you directly, or it may be received from a third party such as another professional advisor, witness, opponent, court, counterparty. We also contract with third party telephone answering services, who may process your personal data on our behalf to direct your call or query. Your personal data may also be obtained from public sources, including public registers, and social, internet and print media.

The types of personal data that we hold will depend upon our relationship with you and the relevant legal or commercial activity. We may also generate personal data about you in connection with our legal and commercial activities, or as part of marketing our services, events and engagements. 

The types of personal data that we hold might include:

• Contact details, including names, addresses (including historic) and telephone numbers. 
• Other personal details, such as your date of birth, previous names, or marital status. 
• "Know your Client" and identification documents including reports by identify verification services, NI numbers, passport and visa details.
• Detail of your education, qualifications, employment, languages, colleagues, business endeavours, current and previous engagement with the legal system, behaviour (including criminal offences and activity) and similar information about you, in connection with relevant legal matters or commercial activity.
• Detail of your family, personal and financial situation, including details of medical issues and disabilities, in connection with relevant legal matters or commercial activity. 
• Other biographical information about you, your background, interests, health (including dietary requirements, allergies and health conditions) and personal life.
• Records of meetings and decisions relating to you.
• Details about services you have purchased from us, or which we have purchased from you. 
• Communications with you, including emails, SMS, letters and other correspondence, as well as social media content, and your responses to surveys and feedback requests.
• Expressions of opinion by, involving or relating to you.
• Financial information (including invoicing information, credit searches, bank account, card and tax details).
• Records regarding compliments, accolades, complaints or investigations prompted by, involving or relating to you.
• Computing and email information relating to usage of our IT systems, IP address(es), domain names, devices used, browser types and versions, time zone settings, operating systems and other technologies on the devices that you use, equipment allocated to you (where relevant), and records of network access.
• Website user information (including user journeys and cookie tracking). To understand how such data is processed, please refer to our website privacy policy.
• Images captured by CCTV cameras at our offices (including indoor and outdoor spaces).
• Information relating to access to our offices and facilities, including Health and Safety records, visitor logs and access card records.
• Recordings of voice calls, events and meetings.
• Photographs and video recordings, provided to or taken by us for identification purposes and, in the case of attendees at events that we host or sponsor, for display on the Mills & Reeve LLP’s website and/or use for marketing purposes.
• Records relating to sponsorship.
• Marketing information and preferences (eg, decisions as to which of our services are relevant/potentially relevant to you, invitations received and made (including your response to them), your preferred location for attending events at our offices, sectors and services that you are interested in, and attendance at events).

Our services are not intended for or directed at children. We may process children’s personal data in the course of providing our services, and will do so only where necessary. 

Contract: To the extent that we have a contract with you (or one is in prospect), the primary legal basis for processing your personal data is that the processing is necessary for the performance of a contract with you, or to take steps at your request prior to entering into a contract. This includes processing linked with matter opening and administration, ongoing matter management, and communicating with you and others to fulfil the contract with you.

Legal obligation: Processing of your personal data may be necessary for compliance with our legal and professional obligations to clients, customers, beneficial owners and third parties, as well as obligations to the courts, regulators and law enforcement authorities. This includes compliance with Solicitors Regulation Authority expectations, our compliance with data protection laws, and our duties under law to report suspected money laundering to the National Crime Agency.

Legitimate interests: We may process your personal data in pursuit of our legitimate interests. Our legitimate interests include:

• Maintaining our relationships and communicating with clients, customers, suppliers and third parties.
• Undertaking identity checks and other verification.
• Protecting the safety and wellbeing of everyone while on our premises, and of our staff when engaged in work for the firm regardless of location.
• Maintaining the security of the systems, premises, equipment and information to prevent cyber or physical incidents.
• Recording activities for evidentiary purposes in the case of suspected or actual security or other incidents affecting Mills & Reeve.
• Recording relevant activities for evidentiary purposes in formal Mills & Reeve processes arising from breaches in policies and/or employment terms and conditions.
• Delivering an appropriate level of service to clients.
• Responding to prospect and client tenders and requests;
• Seeking confidential legal advice when necessary and/or establishing or defending legal claims.
• Complying with our wider legal and professional obligations.
• Developing new systems, undertaking training and sharing know-how internally with relevant lawyers.
• Conducting market research on issues that we believe that you have an interest in or could offer useful insights on, to inform commercial decisions, and to assist in product development.
• Processing your data for marketing purposes, in marketing our services, including providing information about our services which are or may be of interest to you, and building our relationships with existing and prospective clients and customers, beneficial owners and third parties.

Public task: We may process your data in furtherance or support of specific tasks that are in the public interest. Examples include disclosures needed by government, state and enforcement entities in order for them to fulfil their roles.

Vital interests: We may also use your personal information, typically in an emergency or where we have significant cause for concern, where this is necessary to protect your vital interests, or someone else’s vital interests.

Consent: In a small number of cases, and only where other lawful bases do not apply, we may process your data on the basis of your consent. At present, we do not use consent as our basis for processing in relation to legal and commercial services that we provide. Consent is relevant to our marketing activity (see below).

The tables below set out our main uses for personal data and connects them to our usual legal bases for doing so. The tables should not be viewed as definitive, as the precise legal basis will depend on the circumstances and context within which the data is processed.


Regarding our clients, customers, and third parties involved in our matters.

Regarding our suppliers and similar third parties.

Regarding marketing

We use your details to provide you with information about our work, activities and matters such as invitations to events and seminars that we think you will find of interest. We may use the information we collect about your interactions with our website to tailor our marketing communications to those areas that we consider are most likely to interest you (“profiling”). We may send you general updates by email or post, including notification of upcoming events and updates or alerts containing relevant legal news.

From time to time we may invite you to events that we run jointly with other organisations. If you register for such an event, then we may share your contact details with that organisation. The invitation to such an event will provide links to the privacy notice of the other organisation so that you can understand how they will process your data.

If the event will be recorded, the recording will be shared with other delegates and may be shared on social media. By joining a recorded meeting you acknowledge that your image, name and any contribution you make to the event may be made available to third parties. We record events for professional, business and regulatory purposes. Where appropriate, the recording may also be edited to highlight relevant content, to reasonably protect the privacy of participants, or to remove unlawful or inappropriate content. Further information regarding our use of recorded material is contained within our privacy notice for recorded events, meetings and calls.

We do not otherwise share your data for marketing purposes.

When you access the Mills & Reeve website, further relevant privacy information and details of the data we collect and process is set out in our website privacy policy and our cookies policy.

You can manage your preferences for marketing communications by signing up here and updating your preferences. Unsubscribe links are also provided within our marketing communications.

Certain personal data is subject to additional safeguards under data protection legislation. Such information includes details of

• Your racial or ethnic origin.
• Your political opinions.
• Your religious beliefs or other beliefs of a similar nature.
• Whether you are a member of a trade union.
• Your physical or mental health or condition.
• Your sexual life.
• The commission or alleged commission by you of any offence.
• Any proceedings for any offence committed or alleged to have been committed by you, the disposal of such proceedings or the sentence of any court in such proceedings.

It may be necessary for us to process some special category or criminal offence personal data in the course of providing our services to clients and customers, to comply with legal or regulatory obligations (including making reasonable adjustments for individuals with disabilities), and to fulfil our obligations to the Solicitors Regulation Authority and the Legal Complaints Service). We may also need to process such data to seek confidential legal advice or establish or defend legal claims.

Special category and/or criminal offence data relating to you may also need to be processed in the course of investigative, disciplinary, grievance, redundancy and other internal processes within the firm. Such data may also need to be shared with law enforcement authorities or regulators, either due to a legal requirement or where it is in the public interest to do so voluntarily, such as where a solicitor is under investigation. We will process such data where it is necessary for, connected to and/or or relates to legal claims including for the purposes of assisting with legal proceedings, obtaining legal advice and/or establishing, exercising or defending legal rights.

Legal bases for processing special category and criminal offence personal data depend on the context of the processing. We have considered the risks and impact associated with the processing of special category and criminal offence data, not least with regard to data minimisation, security and transparency. If you wish to understand more about the legal basis for processing your specific personal data, please contact [email protected].

We do not base our processing of special category data on your consent, save where there are no alternative legal bases. If you voluntarily send us your sensitive personal data, in the absence of another legal basis, we shall treat that as your explicit consent for us to hold and process that data. If data is processed by us on the basis of your explicit consent, you may withdraw your consent at any time: this will not affect the lawfulness of any processing before you withdrew it.

If you decide not to supply personal data that we have requested and as a result we are unable to comply with our professional, legal or regulatory obligations, then we may have to cease acting for or providing a service to you, may be unable to use your services, or may be unable to enter or remain in a relevant contract with you.

Your personal data will be seen and used by our partners and staff (whether lawyers or support staff) in the course of their duties or others lawfully working with us in the ordinary course of our business (for example, former staff or partners working with us on a consultancy basis).

We may need to share your data with relevant third parties for example:

• Credit search agencies, such credit searches using agencies (eg, Equifax, TransUnion, Creditsafe and GlobalX).
• Counterparties, counsel, witnesses, courts and tribunals.
• Professional advisers and consultants, insurers, accountants and auditors.
• Suppliers, including market research, secretarial, marketing, courier, translation, IT or telephone answering services (eg Moneypenny).
• Any person or entity to whom we are required or requested to make disclosure by a court, governmental or taxation authority (for example HMRC), law enforcement agencies or similar bodies.
• Any financial institution providing (or to provide) finance to us.
• Service providers who support our technology and systems administration.
• External auditors who carry out checks as part of our accreditations.
• We may also need to process your data to meet our contractual obligations to the Legal Aid Agency where you receive legal aid to fund your case or advice.

Where we outsource support services or engage consultants and others to support us, relevant personal data is provided to and processed by the provider of such services in accordance with the terms of our contract with them and to the extent appropriate for the performance of that contract.

Please be aware that where information is disclosed to a credit reference agency, the agency may keep a record of that information and disclose it (and the fact that a search was made) to its other customers, including for the purposes of assessing the risk of giving credit and occasionally to prevent fraud, money laundering and to trace debtors.

We might also need to share or transfer your data confidentially with relevant parties and/or their professional advisers if there is a merger, acquisition, change of control, joint venture or other similar arrangement involving Mills & Reeve LLP.

In the course of carrying out the activities referred to above we may transfer your data to other countries, which may not have the same legal protections for your data as the UK. Data may need to be transferred where matters involve clients, customers, suppliers, regulators or other third parties located overseas, or there is an international aspect to a service or matter.

Where data is being transferred outside of the European Economic Area, we will take steps to ensure that your data is adequately protected in accordance with UK legal requirements. Where we are in a contractual relationship with the recipient, such protection will normally consist at minimum of appropriate contractual protections agreed between us and the recipient.

Otherwise for example we may transfer your data if it is necessary for performance of our contractual duties to you, or because we have other legal obligations to transfer the data, or it is necessary for important reasons of public interest. If you require further detail about the protections in connection with any particular relevant transfer, matter or jurisdiction please ask us.

We expect to retain your personal data in accordance with our retention policies. This policy is reviewed periodically and the periods for storage specified in it may alter depending on the requirements of law and regulation, client requirements, best practice and insurance.

We may be obliged to suspend any planned destruction or deletion under our retention policy where legal or regulatory proceedings require it or where proceedings are underway such as require the data to be retained until those proceedings have finished. For example, under current legislation we must hold certain information relating to some trusts until at least 5 years have passed following the final distribution from the trust.

You have the right to request copies of the personal data we hold about you.  If you wish to obtain a copy of your personal data, you may contact us by emailing [email protected].

You also have the right to ask for inaccuracies in your data to be corrected, and in certain circumstances for us to stop processing your data or for your data to be erased.  Some of these rights are not automatic, and we reserve the right to discuss with you why we might not comply with a request from you to exercise them.

If you have any questions about this privacy statement, the practices of this web site or your dealings with this web site, please use the following contact point: [email protected].

If you believe that we have not complied with any of our obligations under data protection laws in the UK, please let us know.  You have the right to lodge a complaint with the Information Commissioner’s Office.