GDPR privacy notice

Important information about your privacy

Any personal information we collect from you is processed in line with applicable data protection laws including the EU General Data Protection Regulation (GDPR) and this notice. When you use our website, our Privacy Policy located on our website applies.

Withers LLP (“we”, “us” and “our”) is the ‘data controller’ for the personal information you share with us.

If you have any specific concerns around the privacy of your personal information or require further information about how we manage your personal information, please get in touch with us directly:

By post

GDPR Office, Withers LLP, 20 Old Bailey, London, EC4M 7AN

By phone

+44 (0) 20 7597 6303

By email


How we collect data

If you are a Withers LLP client, we collect personal information about you in connection with our legal products and services in the following ways:

  • from your application for a Withers LLP product or service (either for yourself or for our client whom you represent)
  • through analysis of your transactions and activities with us
  • publicly available sources, such as Companies House
  • as part of our new business intake procedures in the course of providing you with legal services
  • your personal interactions with us, such as face to face meetings, telephone calls, correspondence, various forms of electronic communications and your use of our website
  • analysis of your dealings and transactions with us
  • by consulting third parties, such as credit reference agencies, market research, surveys, social networking sites, fraud prevention agencies, government and law enforcement agencies
  • reviewing information about you and third parties from sources which are publicly available, such as Companies House.

Information we collect

Personal information we collect may include:

  • basic data such as your name, surname, title, date of birth and gender and your relationship to other persons
  • contact data such as postal address, email address and telephone numbers
  • financial data such as your bank account details, and payments made to and received from you
  • new business intake data such as the numbers of your identity documents and other data provided by you or collected by us as part of our new business intake and client due diligence procedures
  • marketing and communications data such as your preferences in receiving marketing from us and our third parties and your communication preferences
  • matter-related data such as personal data provided to us by or on behalf of our clients or generated by us in the course of providing services to them, which may include special categories of data such as your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data and criminal convictions and offences
  • business administration and administrative purposes.

How the law protects you

We are allowed to use personal information only if we have a suitable legal basis to do so. We will only process your personal data on one of the following legal bases:

  • to fulfil a contract we have with you
  • when it is our legal duty
  • when it is in our legitimate interest and is not overridden by your interests, rights and freedoms
  • when you consent to it.

A legitimate interest is when we have a business or commercial reason to use your information, including but not limited to internal administrative purposes, product development and enhancement, preventing fraud and ensuring network and information security. However, this is only where our legitimate interests are not overridden by your interests, rights and freedoms.

How we use your personal information

We may use your personal information for the following purposes:

  1. to create and administer your client account and administer your account to help tailor our services to you (legal basis: performance of the engagement agreement)
  2. to communicate with you, and provide information on specific products and/or services when you request it (legal basis: performance of the engagement agreement)
  3. to help us prevent, detect and investigate fraud and other financial crimes (legal basis: fulfilment of legal obligations to which we are subject or our legitimate interest, for example preventing fraud before it takes place)
  4. in order to meet our legal obligations, such as conducting Anti-Money Laundering and Know Your Customer checks (legal basis: fulfilment of legal obligations to which we are subject or our legitimate interest, for example conducting enhanced due diligence in accordance with firm policy)
  5. to maintain the security of our services, as well as to detect and investigate activities that may be illegal or prohibited (legal basis: fulfilment of legal obligations to which we are subject or our legitimate interest, which is to ensure the security of our services)
  6. to send you marketing information or legal updates, to invite you to our events or to ask you to participate in customer satisfaction surveys and market research. We will process your data for our legitimate interest, which is to promote our services to existing clients. We will seek your consent when required to do so by law. You can object to this processing or withdraw your consent at any time by clicking the ‘Unsubscribe’ option in any of our marketing electronic communications or by emailing unsubscribe@withersworldwide.com. Please be aware that this will not affect the lawfulness of any past activities we have undertaken based on your previous consent. It can take a short time for any updates to be applied to our systems, so you may still receive marketing messages while this is happening. We will continue to use your contact details for the purposes referred to in points 1–5 above.
  7. to personalise our service offerings and related communications (legal basis: your consent).

The processing of personal data about you for the purposes of carrying out the activities referred to in points 1–5 above is strictly necessary. The refusal to provide some of these data could render us unable to perform the tasks related to your matter. The provision of personal information for the purposes referred to in points 6 and 7 is optional. The refusal to provide these data for these purposes will have no consequence for you.

Sharing your personal information

We may share your personal information with:

  • our service providers and third parties who provide services on our behalf
  • agents and administrators who we use to help run your accounts
  • credit referencing agencies
  • fraud prevention and law enforcement agencies
  • regulators, governments, courts, dispute resolution bodies, auditors.

We do this to:

  • prevent fraud and other financial crimes
  • respond to enquiries and complaints
  • undertake transactional analysis
  • evaluate the effectiveness of marketing and for market research and training
  • support the provision of services
  • comply with legal obligations, court orders, laws or regulations.

Where your personal information will be sent

Your data may be transferred outside of the European Union or the UK from time to time to members or businesses within the Withers LLP group of companies or to trusted service providers and third parties.

In all cases, the transfer will be on the basis of a European Commission adequacy decision or we will implement adequate safeguards to protect your personal information, such as the European Commission approved Standard Contractual Clauses. To obtain further information on the data transfer mechanism on which we rely, please contact us as set out below.

In some countries the law may require us to share certain information, for example with tax authorities. In these cases, we will only share the data with people who have the legal right to see it.


We take all reasonable precautions to keep your personal information secure, including safeguards against unauthorised access, use, or data loss. This includes ensuring our staff, partners and any third parties who perform work on our behalf comply with security standards as part of their contractual obligations.

Retaining your information

We will retain your personal information for as long as is necessary for the purposes described above. Typically, we will retain your data to fulfil our business purposes, to comply with legal and regulatory requirements, or for any legal claims. We may keep your data for longer where this is necessary for statistical and historical research purposes. However, we will ensure all personally identifiable information is removed at the appropriate time.

What rights and options do you have?

As well as our obligations, and commitment, to respect the privacy of your information, you also have certain rights relating to the personal information we hold about you, which are outlined below. None of these is absolute, and all are subject to various exceptions and limitations.

You can exercise these rights at any time by contacting us using the contact details above.

You may have some or all of the following rights in respect of the information about you that we process:

  • request us to give you access to it
  • request us to rectify and update it
  • request us to restrict our using it, in certain circumstances
  • request us to erase it, in certain circumstances
  • object to our using it, in certain circumstances
  • withdraw your consent to our using it
  • data portability, in certain circumstances
  • request us not to use it for direct marketing.

How we respond to your rights

You can exercise these rights at any time by contacting us using the contact details provided.

  • we may need to validate your identity before we can respond to your request
  • if we are unable to confirm your identity, or have strong reasons to believe that your request is unreasonably excessive or unfounded, we may deny it
  • once we have validated your identity, we aim to respond to your requests within 30 days and no later than three months from receipt of complex requests. We will let you know if we need additional time to complete your request
  • we will always let you know whether we accept, or refuse, your request.

Making a data protection complaint

If you have any concerns about the use of your personal data, or the way we handle your requests relating to your rights, you can raise a complaint directly with us using the contact details provided.

If you are not satisfied with the way we handle your complaint, you are entitled to raise a complaint directly with a relevant Supervisory Authority:

  • the UK Information Commissioner’s Office via the details available on their website
  • the Italian Garante per la Protezione dei Dati Personali via the details available on their website

Changes to this fair processing notice

We may update this notice (and any supplemental privacy notice) from time to time. We will notify you of the changes where required by law to do so. This notice was last modified on the date noted at the top of this page.

Allan Campbell, Chief Information Security Officer

Should you have any doubt about the authenticity of a communication purportedly coming from Withers please get in touch with Allan.

+44 20 7597 6303