General Privacy Notice for Clients
We are committed to protecting your privacy when you use our services and we ask that you read this Privacy Notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and on how to contact us and supervisory authorities in the event you have a complaint.
This Privacy Notice was last updated and published on 1 June 2026. We may change this Privacy Notice from time to time without notice to you. You should check this notice occasionally to ensure you are aware of the most recent version.
Who are we?
Ellisons Legal LLP (‘Ellisons’) is a Limited Liability Partnership (LLP) registered in England and Wales under partnership number OC441111 authorised and regulated by the Solicitors Regulation Authority, SRA number: 8001031. We are a ‘controller’ of personal information under the UK General Data Protection Regulation (“UK GDPR”) and other relevant UK and EU legislation. Ellisons Legal LLP’s ICO registration number is: Z5427063.
We comply with the Data Protection Act 2018, the UK GDPR and the Data (Use and Access) Act 2025, together with other applicable data protection laws (“Data Protection Laws”).
We are subject to strict duties of confidentiality and legal professional privilege. This means that information you provide to us in connection with legal advice is protected in accordance with our professional obligations in addition to Data Protection Laws.
What information will we collect from you?
We will only collect information from you that is relevant to the matter that we are dealing with. In particular, we may collect the following information from you which is defined as ‘personal data’:
In relation to Personal Injury and Medical Negligence services, we may also collect information relating to injuries and losses suffered and apply to obtain police records, rehabilitation records, expert medical reports, insurer correspondence, and any other details relating to liability and/or quantum.
We may obtain accident or incident-related personal data from medical experts, police forces, hospitals and medical treatment providers, employers, insurers, witnesses, case managers, and rehabilitation providers.
If you do not provide personal data where it is required as part of our engagement, we may not be able to act for you or may need to cease acting.
We may also collect information that is referred to as being in a ‘special category’. This could include:
In the context of the legal services that we provide, this may include medical records, criminal offence data and other sensitive personal data required to advise on, or pursue, legal claims.
How do we obtain your personal data?
We may obtain your personal data from:
How will we use your information?
We will mainly use your information for the provision of legal advice, and this is necessary for the performance of the contract between us. We may also use it for:
In relation to Personal Injury and Medical Negligence litigation, we will also use your information for investigating liability, assessing damages, obtaining expert evidence, pursuing litigation, securing interim payments, and negotiating settlement.
We may anonymise personal data so that it can no longer be linked to you and use this information for our own business purposes.
We will only send marketing communications where permitted by law, including where you have provided consent or where we are permitted to do so in a business-to-business context. You can opt out at any time.
We do not carry out automated decision making or profiling which produces legal or similarly significant effects on you.
On what basis will we process your data?
We process your personal data and rely on the following legal bases depending on the nature of the services we provide:
We will process your ‘special category’ data on the following additional conditions:
How do we keep your personal information secure?
Ellisons is committed to ensuring that your information is secure. We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. These measures include access controls, encryption where appropriate and regular review of our security practices. We limit access to your personal information to those who have a genuine business need to know it
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Who will we share your information with?
Under the SRA Code of Conduct, there are very strict rules about who we can share your information with, and this will normally be limited to other people who will assist with your matter. This may include:
Third party service providers who assist us in securely screening and/or processing documents, including the use of artificial intelligence (AI) based tools for tasks such as document review, organisation, indexing or pagination. These providers act strictly as our data processors and only process personal data on our instructions, under contract, and in compliance with Data Protection Laws. They are required to maintain confidentiality and implement appropriate technical and organisational security measures. We ensure that any use of artificial intelligence or automated tools is subject to appropriate human oversight. We do not use such tools to make decisions that have a legal or similarly significant effect on you.
Where you authorise, we may also disclose your information to your family, associates or representative. We may also disclose your information to debt collection agencies if you do not pay our bills.
In certain circumstances we may need to disclose personal information about you to relevant authorities, if there is a legal obligation to do so. For further details on this, please refer to our Terms and Conditions .
We may sometimes also need to make a disclosure for the purpose of our business (this includes our auditors, external assessors and our insurers and when we outsource legal activities or any operational functions. We will always seek a confidentiality agreement with these outsourced providers and ensure that they are compliant with Data Protection Laws.
How long will we keep your information for?
We retain personal data in accordance with legal, regulatory and professional obligations. This will typically include:
We may retain personal data for longer where necessary to defend legal claims or comply with regulatory obligations.
Transfers outside the EEA
We may transfer your personal data outside the United Kingdom or the European Economic Area where necessary for your matter or our business operations.
Where we do so, we ensure appropriate safeguards are in place, including:
What rights do you have?
You have the following rights:
To exercise your rights, please contact our Data Protection Officer.
In relation to the right to see the information that we hold about you, you need to provide a request in writing to our Data Protection Officer together with proof of identity. We will usually process your request free of charge and within 30 days, however, we reserve the right to charge a reasonable administration fee and to extend the period of time by a further two months if the request is manifestly unfounded or vexatious and/or is very complex.
Who can you complain to?
If you have concerns about how we use your personal data, please contact us in the first instance.
We are committed to handling complaints in a clear and accessible way.
We will:
You can submit a complaint using our electronic complaints form at www.ellisons.com or at Annex A of this Privacy Notice.
You should raise your complaint with us before contacting a supervisory authority, such as the Information Commissioner’s Office.
If you are not satisfied with our response, you have the right to make a complaint at any time with a supervisory authority, in particular in the EU (or EEA) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the ICO who can be contacted at via their website at www.ico.org.uk or by telephone on 0303 123 1113.
| Data Protection Officer | |
| Name: | Ryan Cracknell (Partner) |
| Email: | dataprotection@ellisons.com |
| Postal Address: | The Bath House, Le Cateau Rd, Colchester, Essex, CO2 7NA |
Ellisons is a trading name of Ellisons Legal LLP. Ellisons Legal LLP is authorised and regulated by the Solicitors Regulation Authority (SRA Number 8001031) | © Ellisons