This policy applies between you, the user of this website and Hoyle Law the owner and provider of this website. This policy applies to our use of your data collected by us.

Policy scope

This policy applies only to the actions of Hoyle Law and users with respect to this website. It does not extend to any websites that can be accessed from this website including, but not limited to, any links we may provide to social media websites.


In order to operate as an employer and to provide legal advice and services we obtain, store, and use personal information about clients, staff and others.

In broad terms we hold information about our staff, unsuccessful job applicants, the staff of our business contractors and partners, clients, experts, counsel, Courts, government bodies and agencies, unconverted client enquiries, potential clients and other individuals connected to client case.  

Data collected of subjects under 18 (Minors)

We only collect data from under 18-year-old persons when necessary, and in 100% of cases will always deal with a responsible, directly related, litigation friend that must be an adult.

Data storage and security

Data security is of great importance to Hoyle Law and to protect your data we have put in place suitable procedures to safeguard and secure data collected via this website in accordance with the principles of the General Data Protection Regulation (GDPR) 2018.   

We store most of our information electronically, but this does not involve data being moved outside of the EEA.  Where this becomes necessary and for those countries which have not been specifically approved for such purposes under article 45 of the GDPR, we are nonetheless satisfied that appropriate safeguards are in place for ensuring the security of this data and for ensuring enforceable legal rights for accessing this data (article 46 of the GDPR). We inform our clients within our privacy notice of data transfers outside of the EU.      

Unfortunately, the sending of information via the internet is not totally secure and on occasion such information can be intercepted. We cannot guarantee the security of the data that you choose to send us electronically and sending such information is entirely at your own risk.

Data retention policy

Any personal data you submit will be retained by Hoyle Law for a maximum of 6 years, or until your policy with us has ended, unless we are obliged or permitted by law to do so.

The GDPR provides the following rights for individuals:

  1. Right to be informed

You have the right to be informed about how we use the information you have provide us with. This is covered within this Privacy Policy and is available to request

  1. Right of access

You have the right to access all personal data that we hold about you. To access such information, we request that you provide us with a Subject Access Request

  1. Right to rectification

You are entitled to have personal data rectified if it is inaccurate or incomplete. We will respond within one month

  1. Right to erasure

You have the right to erasure in certain circumstances:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
  • When you withdraw consent
  • When you object to the processing and there is no overriding legitimate interest for continuing the processing
  • Your personal data must be erased in order to comply with a legal obligation
  • We may refuse to comply with a request for erasure in rare circumstances such as in the event of exercise or defence of legal claims.
  1. Right to restrict processing

You have the right to block or suppress processing of your personal data. When processing is restricted, we are permitted to store your personal data but not further process it. We will retain just enough information about you to enable that the restriction, as directed by you, is respected in the future

  1. Right to data portability

have the right to request the movement, copy or transfer of your personal data easily from us to you or your requested destination, in a safe and secure manner

  1. Right to object

Processing based on legitimate interests or direct marketing

  1. Right to complain

You have the right to complain to us if you feel your data has been processed incorrectly, been misused or we have not met your data processing expectations. How to complain? Please see our complaints policy on this website.​​

Hoyle Law may, from time to time, employ the services of other parties for dealing with matters that may include, but are not limited to, payment processing, delivery of purchased items, search engine facilities, advertising and marketing. The providers of such services have access to certain personal data provided by users of this website.

​Any data used by such parties is used only to the extent required by them to perform the services that Hoyle Law requests. Any use for other purposes is strictly prohibited. Furthermore, any data that is processed by third parties shall be processed within the terms of this policy and in accordance with (new GDPR regulations).​

This website may, from time to time, provide links to other websites. Hoyle Law has no control over such websites and is in no way responsible for the content thereof. This policy does not extend to your use of such websites. Users are advised to read the Privacy Policy or statement of other websites prior to using them.​

In this policy the following terms shall have the following meanings:


means collectively all information that you submit to Hoyle Law via the website. This definition shall, where applicable, incorporate the definitions provided in the Data Protection Act 1998;


means a small text file placed on your computer by this website when you visit certain parts of the Website and/or when you use certain features of the website. Details of the cookies used by this website are set out in Clause 12;

“Hoyle Law”

means the company Hoyle Law authorised and regulated by the Solicitors Regulation Authority. Hoyle Law Ltd is registered in England and Wales, Company Registration number: 13289416. VAT Number: 419018214..

“UK and EU Cookie Law”

means the Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011.


means any third party that accesses the website and is not employed by Hoyle Law and acting during their employment.


means the website that you are currently using ( and any sub-domains of this site unless expressly excluded by their own terms and conditions.

Data protection and cyber security

We are committed to ensuring:

  • Efficient and effective use of the information which we hold
  • We handle information about clients and third parties fairly and responsibly, including in compliance with relevant legal requirements and the General Data Protection Rules and legislation (GDPR)
  • Our information is kept secure.

How we use personal data

In order to work with our clients and staff it is necessary to obtain their data, store and use their personal information.  This will include sharing it at certain points with other parties, for example, with opponents in the case of clients and tax officials in the case of employees.  It may also involve, in the case of working with clients, disclosing information where required to do so by law such as under anti-money laundering legislation and retaining a small amount of personal data after a file has been destroyed to comply with rules on conflicts of interest.

Upon receiving client enquiries, we may in the future contact those individuals via a newsletter or similar provided that we have a clear opt out option upon receipt of the communication.  We will provide the individual with clear information on how to opt out in the first of such communications at the latest (this is permitted under the GDPR Article 21.4).  

We do sometimes work with sensitive personal data (i.e. race or ethnicity, political opinions and trade union membership, religious beliefs, health, sex life and genetic or biometric data) which we hold.   When using this type of data, we are transparent with staff and clients about how such information is used and seek agreement to information being used in this way in the respective contracts.

For clients, working with this information will often be necessary in order to pursue or defend their legal matter.  In personal injury cases details of health must be processed for example. For staff this will typically be in order to comply with employment or equality legislation, namely around making reasonable adjustments and monitoring absences.  Using sensitive information to pursue legal claims or comply with employment legislation is permitted under GDPR.  

Risk assessment

In accordance with ICO guidance we have made an assessment of the risks posed to the information which we hold.  In particular, we have assessed our information’s sensitivity, financial value and what damage or distress could be caused if there was a security breach (e.g. if the information was destroyed, corrupted or improperly accessed by a third party).  We have also considered the nature of our business and our working environment.  Having done so, we have assessed the work across our firm as posing a moderate risk. The reasons for this are as follows:

  • As a law firm we recognise that our operations automatically carry a certain level of risk in that we will handle personal and business affairs on a confidential basis. Particularly hackers may be interested in obtaining client information and certainly banking information
  • We do not generally hold very sensitive information but will from time to time hold some sensitive personal data as defined in data protection rules 
  • We would not generally expect to hold especially sensitive information relative to other law firms such as information affecting national security
  • Our firm is led by senior experienced qualified lawyers with significant experience of protecting confidential information
  • We operate on a broadly paperless basis which we believe helps reduce the risk of an information breach
  • There is a low risk of fire, flood, electricity being cut off or another similar major incident and have a contingency plan in place in the unlikely event that such a situation arises
  • We rarely share personal information and in particular the more sensitive categories of information outside of our business
  • Personal information is not shared outside of the EU.

Our Information Officer (or Data Protection Officer) oversees GDPR compliance and best practice including:

  • Promoting good data protection knowledge and best practice in the business including ensuring that there is appropriate training
  • Monitoring compliance in practice including periodic audits
  • Providing advice on data protection impact assessments and monitor performance
  • Act as a point of contact for the ICO.

In terms of ensuring that our staff manage information safely and in accordance with the requirements of the GDPR, we have a policy on the standards expected when working with business information.  This includes:

  • Client confidentiality and data protection, including guidance on the data protection principles including use of information for specified purposes only and keeping information up-to-date and a procedure for processing subject access requests and the exercise of other rights under the GDPR
  • Information security and acceptable use policies, including standards on keeping information safe in the office, on the go and when working at home
  • Publicity policies, including a policy covering use of email, social media and adding content to our website
  • Bogus law firm and fraud risks, including the need to verify the identity of solicitors we work with and exercising great caution in the context of banking information
  • File retention and destruction
  • Training all staff on confidentiality, how to keep information safe and the requirements of the General Data Protection Regulation (GDPR) as far as this is relevant to their role.  There is induction training for all new staff and rolling refresher training every 2 years.

In addition, we work hard to make sure that our infrastructure and processes as a business maintain the security of our information. We have obtained expert input from our IT team in ensuring best practice in the following areas:

  1. Encryption of devices such as laptops
  1. Anti-virus and anti-malware software
  1. Firewalls
  1. Disaster recovery systems and backups
  1. Software updates / patching
  1. Secure remote connections i.e. a VPN (virtual private network).

Patches / software updates will be deployed without delay and if IT assets need to be disposed of we will make use of a reputable contractor for this purpose who are ISO27001 or equivalent certified.

Privacy notices

We are registered with the ICO and provide a privacy notice to every client within our standard terms and conditions to explain how we use their information including:

  • Who we are
  • The contact details for our information officer
  • How we propose to process the information we are gathering (including identifying the third parties with whom we typically will be sharing information)
  • Why we are proposing to use it in this way
  • What condition we are relying upon to use information in this way.  Where we rely upon consent, we will highlight the right to withdraw consent.  Where we need the information to comply with the law or to deliver the contract for services to the client, we will explain that we may not be able to act in the matter without receiving the necessary information.  For marketing which relies upon the ‘legitimate interests’ condition we specifically explain that we make use of established relationships to raise awareness of changes and services which we feel may be of interest
  • Whether information is to be transferred outside of the EU and, if so, upon what safeguards or other grounds we rely in order to do this 
  • How long their information will be stored for, including our right to retain papers in order to exercise a lien and to demonstrate a legally admissible record at a later date of the work we have performed should it be necessary to do so
  • A reminder of the rights to access information, have it rectified or erased and where applicable to have it delivered in a ‘portable’ format such as a CSV file
  • The right to lodge a complaint with the Information Commissioner’s Office (ICO) about how personal data has been handled
  • Details of any automated decision-making processes which we make use of (which we do not anticipate currently).

While we acknowledge that under the GDPR, privacy notices should also be given to individuals whose personal data we hold because it has been given to us by someone else, such information is held confidentially and is privileged.  For example, a client may give us information about other individuals connected to their legal matter, but this will typically be confidential and privileged.  As such we would not be required to provide such a privacy notice under the GDPR (Article 14.5(d)).  In other cases, we will however take steps to provide the necessary information about how we handle personal data to other individuals within a reasonable time period of receiving it and in any event within one month (Article 14.3).  

Our website

We take care to ensure that our website is secure, up-to-date, does not infringe copyright and is compliant with SRA requirements and applicable accessibility standards.  

Our website provides appropriate information to users on privacy and cookies.

Identity theft and bogus law firms 

Our COLP (Compliance Officer for Legal Practice) is responsible for considering SRA guidance on bogus law firms and fraud in the context of our business and staying up-to-date with scam alerts and trends.  In response to this, they have identified:

  • A requirement to verify the authenticity of unknown law firms which we work with (together with clear guidance on how to do so)
  • Guidance on the warning signs of bogus law firms; and
  • Set out a procedure of oversight where issues arise.

Trends or alerts which pose a particular risk to us will be shared by our COLP with colleagues in a particular department or throughout the firm as appropriate.

In order to minimise the risks of identity theft, a member of staff periodically:

  • Conducts internet searches against the name of our firm and our senior lawyers to check whether our identity is being misused; and
  • Checks our authorisation on the Law Society Find a Solicitor web service to ensure that the details remain accurate and up-to-date
  • Keeps a record of these checks.

Changes to this policy

Hoyle Law reserves the right to change this policy as we may deem necessary from time to time or as may be required by law. Any changes will be immediately posted on the website and you are deemed to have accepted the terms of the policy on your first use of the website following the alterations.

How to contact us regarding this policy

You can contact us via our web site contact us page, or via telephone or via post at our address.