Data protection and privacy notice

This data protection and privacy notice provides information on how OBEP (also referred to in this notice as “we” or “us”) uses personal data relating to:

  • visitors to our website;
  • enquirers and other people who contact us;
  • clients and potential clients; and
  • suppliers, referrers and other business contacts,

(also referred to in this notice as “you”).

It also contains information on marketing communications.

It has been prepared in consideration of the requirements of the EU General Data Protection Regulation and the Data Protection Act 2018 (which have applied since 25 May 2018) and the Privacy and Electronic Communications Regulations 2013 (in relation to direct marketing and cookies).

1. Who is OBEP?

OBEP is an English law firm with a sole principal, Olivia Whitcroft. It is authorised and regulated by the Solicitors Regulation Authority, registration number 563704. The rules of the SRA can be found at:

OBEP is registered as a data controller with the Information Commissioner’s Office, registration number: Z2818829 (although registration requirements have changed as from 25 May 2018).

You can contact OBEP using the contact details set out here: Contact Details

2. What personal data will OBEP collect and why?

2.1. Visiting our website

OBEP does not collect personal data when you visit our website, unless you contact us using the contact details and/or links provided on the website – see section 2.2 below.

We do not use cookies on our website, though the page with the SRA digital badge uses a cookie placed by a third party (see section 2.6 below). We collect IP addresses and store them temporarily in order to monitor flow of traffic to the website. We do not seek to identify anyone from these IP addresses.

2.2. Contacting us

If you contact us (via email, telephone, post or otherwise), we may collect and retain your contact details and the contents of your communication in hard and/or electronic copy. We shall use such details for the purpose of handling your query and keeping records of communications. See also section 2.5 below.

2.3. Clients and potential clients

OBEP collects and processes information about clients and potential clients in order to provide you with legal services and related information, to communicate with you in relation to legal and business issues, for billing and finance purposes, and to manage OBEP’s relationship with you. The data includes your name and contact details, communications with you, and information relevant to legal services being provided or business issues being discussed. It may include personal data of your staff, customers, suppliers and other contacts, where relevant to such services and issues – see section 5 below.

Certain information about you and your business or personal circumstances will also be required to carry out client acceptance and risk management procedures. This includes financial details, and information confirming your identity and those of your directors and shareholders.

See also section 2.5 below.

2.4. Suppliers, referrers and other business contacts

OBEP collects and processes information about suppliers, referrers of clients, and other business contacts in order to manage our relationship with you, and to communicate with you in relation to matters relevant to the service you provide, or the circumstances of our relationship with you. The data may include your name and contact details, communications with you, and finance and billing details (where relevant). See also section 2.5 below.

2.5. Other use of your personal data

OBEP may also collect and process personal data (including in all of the above categories) in order to:

  • manage and maintain records of business communications, services and finances;
  • comply with regulatory and other legal obligations, including those of the Solicitors Regulation Authority and under anti-money laundering legislation;
  • prevent or detect fraud or other illegal activities;
  • ensure and monitor equality and diversity;
  • investigate complaints, or protect or enforce OBEP’s legal rights; and
  • manage actual or potential business transactions (e.g. in the case of an acquisition of OBEP’s business).

As well as communicating with you using OBEP’s communications systems (such as email), we may also connect with you or follow you on social media, in order to keep up to date with your activities and business issues of interest.

2.6. SRA Digital Badge

This website may have a page containing the SRA Digital Badge, which demonstrates that OBEP is a law firm regulated by the Solicitors Regulation Authority (SRA). The SRA Digital Badge is managed by Yoshki, which uses Google Analytics to power their reporting functionality, and shares some information with the SRA. Yoshki also uses a cookie when a visitor visits the page containing the SRA Digital Badge. OBEP does not use or control the information collected by the SRA and Yoshki, nor the Google Analytics service or cookies which they use.

For privacy information about the badge, see the Yoshki data and privacy policy which (as at January 2019) is available at (link to third party website): As at January 2019, Yoshki indicates as follows:

  • through the reporting functionality, Yoshki and the SRA have access to information about how many times the SRA Digital Badge has been clicked – this is to help manage system performance and to gain insight into usage;
  • Yoshki does not record or store any additional data such as IP addresses, page navigation behaviour, etc., and only tracks user interaction up to the point of click; and
  • of the information it does access, it is shared between the SRA and Yoshki, to facilitate the Digital Badge service.

3. Sensitive personal data

OBEP does not collect or process sensitive personal data unless relevant or incidental to the provision of legal services or one of the above purposes and categories of data, for example where:

  • the legal services you require involve the disclosure of sensitive personal data to OBEP by you;
  • documentation confirming your identity reveals racial or ethnic origin;
  • actions taken to prevent or detect illegal activities give rise to the processing of actual or alleged offences; or
  • steps taken to ensure equality and diversity involve the use of sensitive personal data.

4. Marketing communications

OBEP may send you marketing materials by email or post, or contact you by telephone for marketing purposes. OBEP will only do this if relevant to specific issues or queries raised by you (including other legal services OBEP has provided to you), or otherwise with your consent.

5. How do we collect your personal data?

We collect the majority of your personal data directly from you, but may also receive information from other people within your business or your business contacts. Where you have been referred to OBEP by a third party, we may collect background information from that third party.

We may also collect information from publicly available sources, such as Companies House, the press, your website, LinkedIn, Twitter and other providers of business and financial information.

Where we collect personal data from you relating to other individuals (e.g. your staff, customers, suppliers, directors, shareholders or other business contacts), it is up to you to ensure such individuals are aware that their details are being disclosed to and processed by OBEP (unless this is not required in accordance with the requirements of the Data Protection Act 2018 and the EU General Data Protection Regulation).

6. To whom may we disclose your personal data?

OBEP may disclose personal data for the purposes outlined at section 2 above to:

  • our service providers and professional advisers. In particular, other parties help us with our technology, including helping to run our email accounts, store emails and provide our cloud-based accounting system (though OBEP seeks to minimise personal data stored in the accounting system);
  • our clients (and our clients’ other advisors), where relevant and appropriate to the legal services being provided;
  • regulatory and governmental bodies (including the Solicitors Regulation Authority and HMRC) and law enforcement authorities;
  • any purchaser or (on terms of confidentiality) likely purchaser of OBEP’s business; and
  • other third parties where required or permitted by law, or with your consent.

7. Legal bases for processing of personal data

The legal bases for OBEP’s collection, use and disclosure of personal data (as described above) are as follows:

  • processing necessary for OBEP’s legitimate interests as a business and a provider of legal services, for example, to provide legal services, to handle queries and complaints, to maintain appropriate records of communications, and otherwise to manage our relationship with you;
  • processing necessary for performance of a contract with you, for example use of your information in order to provide you with requested legal services, or to process invoices and payments;
  • processing necessary to comply with a legal obligation, for example anti-money laundering legislation, or requirements of the Solicitors Regulation Authority or HMRC;
  • processing necessary for the legitimate interests of another party, for example our clients who are receiving legal services from us; and
  • other processing of personal data with your consent.

8. Security and retention of your personal data

OBEP takes steps to protect your personal data from misuse or damage. This includes electronic and physical security measures.

Please note that given the nature of the internet, data transmitted over email is not completely secure from unauthorised access or misuse.

OBEP’s standard retention period for client data is eight years following closure of the relevant matter.

If you would like further information about the security measures implemented by OBEP or options for more secure transmission of information to and from OBEP, or about retention practices, please contact OBEP using the contact details set out here: Contact Details

9. International data transfers

OBEP does not generally store or otherwise transfer your personal data outside the UK, other than as follows.

One of OBEP’s accounting systems is provided by a third party cloud provider, whose terms allow for sub-processors and data centres outside the UK and the EEA. OBEP seeks to minimise personal data stored in this accounting system and will not generally use client names. As at the date of this policy, OBEP uses FreeAgent as its provider, which has indicated that its current data centres are in the UK, with only an encrypted back-up outside the EU. However, full detail of its potential sub-processors and data transfers can be found here (as at January 2019, link to third party website):

Relevant personal data may also be transferred outside the UK where appropriate to specific legal services or communications. For example:

  • where you ask OBEP to liaise with other providers of business services in other countries; or
  • where you (or your colleagues or associates), or your communications systems are located outside the UK.

10. Access to your details and other rights

If you would like to access a copy of any personal data which we hold about you, please send a request by email to Olivia Whitcroft: You also have rights, in certain circumstances, to object to OBEP processing your personal data or to request that your personal data is corrected or erased. Please also contact Olivia Whitcroft about these rights.

You also have the right to complain to the Information Commissioner’s Office if you are unhappy about our use of your personal data. See

11. Queries

If you have any queries in relation to the processing of your personal data by OBEP, please contact us using the contact details set out here: Contact Details