Data Protection and Privacy Policy


Mackay Carter Shaw LLP is committed to safeguarding your privacy.  This policy sets out our approach to data protection and data privacy, explaining why and how we may process your personal information where we are the data controller of that information (also referred to here as “personal data”), and your rights in relation to that information.

Except where this policy explains otherwise, we are the controller in relation to the personal data processed in accordance with this policy.


1.    Information we collect about you

2.    How we use your information

3.    Our updates and communications

4.    Who we give your information to

5.    Where do we store your information?

6.    How we protect your information

7.    How long we keep your information

8.    Your rights

9.    Changes to this policy

10.  Contact Information

11.  Glossary


1. Information we collect about you

1.1. We may process your personal data (which we have either obtained directly from you or from somewhere else) if:
(a) you are a client, supplier or prospective client of ours;
(b) you otherwise use our services;
(c) you work for a client or a supplier of ours, or for someone who otherwise uses our services; or
(d) you are someone (or you work for someone) to whom we want to advertise or market our services or our events.

1.2. Personal data which is not collected directly from you may be collected from:
(a) your employer (or other companies within the same group as your employer) in connection with your job and how it relates to us;
(b) third parties we work closely with, including but not limited to family members, trustees, business partners, sub-contractors in technical, payment and delivery services, analytics providers, and search information providers;
(c) governmental bodies, regulators, institutions, courts or any other similar establishments; or
(d) any websites or applications (“Apps”) operated by us which you use.

1.3. Personal data collection methods we may use include:
(a) communication in person;
(b) communication by phone, email, fax, SMS or any other electronic communication method;
(c) communication by letters, notices, information sheets or any other paper-based communication methods;
(d) using our website, social media channels, Apps or other technologies; or
(e) visiting us (for example, if you are recorded on CCTV while visiting us).

1.4. Personal data relating to you that we may process includes:
(a) Identity Data including first name, maiden name, last name, username or similar identifier, marital status, title, date of birth, gender, your job function, your employer or department;
(b) Contact Data including billing address, postal address, email address and telephone numbers (these details may relate to your work or to you personally, depending on the nature of our relationship with you or the company that you work for);
(c) Financial Data including bank account and other payment method details;
(d) Transaction Data including details about payments to and from you and other details of services you have received from us;
(e) Profile Data including your username and password, your interests, preferences, feedback and survey responses.  It also includes information you give us or that we obtain when you use our website, obtain or subscribe to our services, supply us with goods or services, enquire about a service, place a service request, enter a survey, or contact us to report a problem, or do any of these things on behalf of the person that you work for;
(f) Client Data including information about how you use our services, website, and applications, as well as personal data which can include Identity, Contact, Financial, Transaction and Profile Data of you and/or your family members, beneficiaries, employees or employers, or other third persons about whom we need to collect personal data by law, or under the terms of a contract we have with you;
(g) Sensitive Personal Data: Client Data may include sensitive personal data where it is relevant to the legal services that we provide;
(h) Marketing and Communications Data including your preferences in receiving marketing from us and your communication preferences; and
(i) Technical Data including:
The Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;

Information about your visit to our website/Apps, such as the full Uniform Resource Locators (URL), clickstream to, through and from our website (including date and time), services viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from a page, any phone number used to call us, and direct dials or social media handles used to connect with our fee earners or other employees; and

Location data which we may collect through our website/Apps and which provides your real-time location in order to provide location services (where requested or agreed to by you) to deliver content or other services that are dependent on knowing where you are.  This information may also be collected in combination with an identifier associated with your device to enable us to recognise your mobile browser or device when you return to the website/App.

2. How we use your information

2.1 The below table sets out the purposes for which we obtain your personal data, alongside the lawful basis for our processing such data:

Purpose/Activity: To register you as a new client and complete Client Due Diligence (“CDD”) and conflict checks
Type of data: Identity
Lawful basis for processing including basis of legitimate interest: Performance of a contract with you; Legal and regulatory requirement

Purpose/Activity: To process and deliver your legal service including but not limited to: Entering into contracts; Manage payments, fees and charges; Collect and recover money owed to us
Type of data: Sensitive Personal Data
Lawful basis for processing including basis of legitimate interest: Performance of a contract with you; Necessary for our legitimate interests (for example: to recover debts due to us)

Purpose/Activity: To manage our relationship with you which will include: Notifying you about changes to our terms or policies
Type of data: Marketing and Communications
Lawful basis for processing including basis of legitimate interest: Performance of a contract with you; Necessary to comply with a legal obligation; Necessary for our legitimate interests (for example: to keep our records updated)

Purpose/Activity: To administer and protect our business and our website and Apps
Type of data: Identity
Lawful basis for processing including basis of legitimate interest: Necessary for our legitimate interests (for example: for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise); Necessary to comply with a legal obligation

Purpose/Activity: To provide you with information and communications which relate to your interests
Type of data: Identity; Marketing and Communications
Lawful basis for processing including basis of legitimate interest: Your consent

3. Our updates and communications

3.1 Where permitted in our legitimate interest or with your prior consent where required by law, we will use your personal information to provide you with information and our services by email, letter, telephone or using our website or Apps.

3.2 You can object to receiving further marketing at any time by updating your contact details within your account, or selecting the “unsubscribe” link at the end of our marketing communications to you.

4. Who we give your information to

4.1 We may share your personal data with:
(a) Any affiliates, who support our processing of personal data under this policy.
(b) Appropriate third parties including:

(i) our business partners, suppliers and sub-contractors for the performance of any contract we enter into or other dealings we have in the normal course of business with you;
(ii) our auditors, legal advisers and other professional advisers or service providers;
(iii) credit reference agencies for the purpose of assessing your credit score where this is in the context of us entering into a contract with you or the person that you work for; and
(iv) company data providers and similar information providers for the purpose of carrying out our client and matter acceptance checks (including client due diligence) in accordance with our legal and regulatory obligations.

(c) In relation to information obtained via our website:

(i) analytics and search engine providers that assist us in the improvement and optimisation of our website, subject to the cookie section of this policy.

4.2 We may disclose your personal information to appropriate third parties:
(a) in the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets, subject to the terms of this privacy policy;
(b) if Mackay Carter Shaw LLP or substantially all of its assets are acquired by a third party, in which case personal data it holds about its clients will be one of the transferred assets;
(c) if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our contractual terms or other agreements with you; or
(d) to protect the rights, property, or safety of Mackay Carter Shaw LLP, our clients, or others.  This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction and to prevent cybercrime.

5. Where do we store your information?

5.1 The data that we process in relation to you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”) that may not be subject to equivalent data protection laws.  It may also be processed by staff situated outside the EEA who work for us or for one of our suppliers.

5.2 We may transfer your personal information outside the EEA in order to:
(a) store it;
(b) enable us to provide products or services to (and fulfil our contract with) you.  This includes order fulfilment, processing of payment details, and the provision of support services;
(c) facilitate the operation of our business, where it is in our legitimate interests and we have concluded these are not overridden by your rights; or
(d) meet any legal requirement to transfer such information outside the EEA.

5.3 Where your information is transferred outside the EEA, we will take all steps reasonably necessary to ensure that your data is subject to appropriate safeguards, such as relying on recognised jurisdictions that provide the same level of protection as EEA countries, and to ensure that your data is treated securely and in accordance with this privacy policy.

6. How we protect your information

6.1 We have appropriate security measures to prevent your personal data from being accidentally lost, used, altered, disclosed or accessed in an unauthorised way.

6.2 In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to access your data.  They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

6.3 We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

6.4 Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website or our Apps, you are responsible for keeping this password confidential.  We ask you not to share your password with anyone.

6.5 The transmission of information via the internet is never completely secure.  Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website or Apps; any transmission is at your own risk.  Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

6.6 Our website may, from time to time, contain links to external sites.  We are not responsible for the privacy policies or the content of such sites.

7. How long we keep your information

7.1 We will only retain your personal data for as long as necessary to fulfil the purpose we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

7.2 To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

7.3 Details of retention periods for different aspects of your personal data can be requested from us using our contact details.

7.4 In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without notifying you.

8. Your rights

8.1 You have the right under certain circumstances to:
(a) be provided with a copy of your personal data held by us;
(b) request the rectification or erasure of your personal data held by us;
(c) request that we restrict the processing of your personal data (while we verify or investigate your concerns with this information, for example);
(d) object to the further processing of your personal data, including the right to object to marketing as mentioned in the ‘Our updates and communications’ section of this document; and
(e) request that your provided personal data be moved to a third party.

8.2 Your right to withdraw consent:
Where the processing of your personal information by us is based on consent, you have the right to withdraw that consent without detriment at any time by contacting us at the contact details at the end of this policy.

8.3 How to exercise your rights:
You can also exercise the rights listed above at any time by contacting us at

8.4 What we may need from you:
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights).  This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.  We may also contact you to ask you for further information in relation to your request to speed up our response.

8.5 Time limit to respond:
We try to respond to all legitimate requests within one month.  Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests.  In this case, we will notify you and keep you updated.

8.6 If your request or concern is not satisfactorily resolved by us, you may approach the Information Commissioner’s Office which is the supervisory authority in the UK.  They can provide further information about your rights and our obligations in relation to your personal data, as well as deal with any complaints that you have about our processing of your personal data.

9. Changes to this policy
We may from time to time make changes to this policy.  Any changes will be published on our privacy notices at (and in the case of substantive changes, will be notified to you by email) and will be effective as of the date of publication (which will also be noted on our website).  This policy was last updated in September 2018.

10. Contact Information
Mackay Carter Shaw LLP
Lorton Toys Hill
TN16 1QG

Data Privacy Manager – Tom Mackay (

Mackay Carter Shaw LLP is registered with the UK Information Commissioner’s Office under the following ICO registration number: 23360098

11. Glossary

11.1 Lawful Basis
(a) Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience.  We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests.  We do not use your personal data for activities where our interests are overridden by the impact on your rights (unless we have your consent to do so or are otherwise required or permitted to by law).
(b) Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party.
(c) Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.

11.2 Your legal rights
(a) Request access to your personal data (commonly known as a “data subject access request”).  This entitles you to receive a copy of the personal data we hold about you and to check that we are processing it lawfully.
(b) Request correction of the personal data that we hold about you.  This enables you to have any incomplete or inaccurate data we hold about you corrected, although we may need to verify the accuracy of the new data you provide to us.
(c) Request erasure of your personal data.  This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it.  You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law.  Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
(d) Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.  You also have the right to object where we are processing your personal data for direct marketing purposes.
(e) Request restriction of processing of your personal data.  This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
(f) Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.  Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
(g) Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.  If you withdraw your consent, we may not be able to provide certain products or services to you.