General Data Protection Regulations

In acting for you on your matter we will be holding personal data about you.  We are sending you this notice to explain how and why your personal data will be used and how long it will usually be retained for.  It provides you with certain information that must be provided by us under the General Data Protection Regulation (EU 2016/679), also known as GDPR.

Data Protection Principles

We comply with Data Protection law and principles, which means that your data will be:


  • Used lawfully, fairly and in a transparent way;
  • Collected only for the purposes explained in this notice and not used in any way that is incompatible with those purposes;
  • Relevant to the purposes we have told you about and limited to what is necessary to achieve those purposes;
  • So far as possible, kept up to date and accurate;

Kept for no longer than is necessary for the purposes we have told you about and in a manner that ensures appropriate security.

Why are we holding personal data about you, and what will we do with it?

We will only use the information we collect to satisfy our contractual and legal obligations and our obligations to comply with the legal obligation imposed upon is and if also acting for the lender, the obligations imposed upon us by that lender and in defending any matter consequential to those obligations.

What sort of data do we hold and where does it come from?

While progressing your matter, we will collect, hold and use the following categories of information about you:

  • Information provided by Lenders if you are in receipt of a mortgage
  • Information you provide to satisfy our source of funds requirements
  • Information from the bankruptcy search provider
  • Information from the Anti Money Laundering search provider
  • Information from your identity documents
  • Bank Account information in order to effect transfer of funds

Sensitive Personal Information:

We may collect, store and use sensitive personal information to help us sufficiently progress your matter and to enable us to identify and protect your rights as a client.

Who will we share your data with?

 We will only share your data with third parties in so far as necessary to properly progress your matter.

We require third-party service providers to take appropriate security measures to protect your personal data.  However, we only allow them to use the data for specified purposes in accordance with our instructions.

We do not permit them to use your personal data for their own purposes.

Might my data be transmitted outside the EEA?

It is unlikely that a need will arise to transmit your data outside the EEA.  If it does the following would have to apply:


  • The European Commission has issued a decision confirming that the country to which we are transferring the personal data ensures an adequate level of protection for the data subjects’ rights and freedoms.
  • Appropriate safeguards are in place such as binding corporate rules, standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism.
  • You have provided explicit written consent to the proposed transfer after being informed of any and all potential risks.

The transfer is necessary for one of the other reasons set out in the GDPR including the performance of a contract between us, reasons of public interest, to establish, exercise or defend legal claims or to protect your vital interests where you are physically or legally incapable of giving consent.

How long will you keep my personal data for?

We have to keep all information relating to your matter for as long as there may be scope for legal challenges to the way in which the matter was dealt with.  After the expiry of that period, we will securely destroy the data in accordance with the Statutory Requirements.

Security of data

We have put appropriate security measures in place to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way.


  • We limit access to your personal data and information to those agents and third-party service providers who need it to assist in the administration of the Estate. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

We have put procedures in place to deal with any suspected data security breach and will notify you, and any applicable regulator, of any suspected breach where we are legally required to do so.

Your rights

You have the following rights:

  • Request access – Commonly known as a Data Subject Access Request. It allows you to obtain a copy of personal data we are holding about you.
  • Request rectification – You can require inaccurate personal data to be corrected and any incomplete personal data to be completed.
  • Request erasure – You can require us to delete or remove personal data 1. Which are no longer necessary in relation to the purpose for which they were collected or otherwise processed; or
  1. Where the processing is unlawful; or 3. Where you are exercising your right to object.
  • Request restriction – You can require us to stop processing your personal data for a period:
    1. While we verify the accuracy of personal data which you contest
    2. Where the processing is unlawful
    3. Where we no longer need the personal data on a completed matter, but you require the data for the establishment, exercise or defence of legal claims.
  • Right to object – You have the right to object to the storage and use of your personal data in two circumstances:
    1. If we base the reason we are holding your data on the ground that it is necessary for our legitimate interests or those of a third party, and there is something relating to your particular situation which makes you want to object
    2. If we are using your personal data for direct marketing purposes.

Right to complain – You can complain to the Information Commissioners Office, the UK supervisory authority for data protection issues (


If you have any queries or would like any further information please contact:

  • Jabeer Miah or Sajid Nazir
  • Shepherd & Co. 184 Watling Street East, Towcester NN12 6DB.

If you wish to review, verify, correct or request erasure of your personal information, or object to the processing of your personal data please contact us in writing at:-

Shepherd & Co. 184 Watling Street East, Towcester NN12 6DB.

ICO Number: ZA792695