This notice applies to all our clients, prospective clients and business contacts about whom we hold personal information.
References to we, our or us in this notice are to C&R Legal Limited of High Street, Lechlade, Gloucestershire, GL7 3AE and 62 Park Road, Faringdon, Oxfordshire, SN7 7BZ.
We are a “data controller" for the purpose of Data Protection Legislation. This means that we are responsible for deciding how we hold and use personal information about you. We are required under the Data Protection Legislation (GDPR) to make available to you the information contained in this notice. We are committed to respecting your privacy. This notice explains how we may use your personal information that we collect before, during and after your relationship with us has ended.
We may update this notice at any time.
Our contact details are set out in the “Contact us” paragraph at the end of this notice.
We control the process of special category data (racial or ethnic origin, biometric data, political opinions, religious or philosophical beliefs, trade union membership, genetic data, data concerning health, data concerning a natural person’s sex life or sexual orientation).
We may collect and process the following types of personal data:
- Identity data (e.g. passport, driving licence and other official identification details, information from a third party, anti-money laundering (AML) checks to include eCOS (electronic AML) and Companies House
- Contact data (e.g. address, email, telephone number)
- Financial data (e.g. bank details, payment history)
- Case-related data (e.g. documents, correspondence, court papers, estate planning information, details of assets and liabilities, information about executors, trustees and beneficiaries, marital and relationship status, information about children or dependents and in some cases – health information for capacity assessments)ate of the likely costs and expenses before you formally instruct us to act. Please do telephone to arrange such a meeting.
We collect data:
- Directly from you when you provide AML information, complete forms and documents that we send to you and when you contact us by letter, telephone, email or when you communicate with us directly is some other way.
- From third parties such as credit reference agencies, AML processors, Companies House, LinkedIn and other web platforms and your employer or the organisation you work for.
We process your data on the following legal bases:
- To perform our contract with you
- To comply with legal obligations
- For our legitimate interests (e.g. conflict checks, improving services)
- Where applicable, based on your consent
We use your data to:
- Identity and AML checks, Sanctions Screening and performing credit checks to include bankruptcy searches and to distribute funds to you in accordance with a deceased’s Will
- Provide legal advice and representation
- Manage our relationship with you
- Comply with legal and regulatory obligations
- Communicate with courts, tribunals, and third parties as required
We may disclose your data with third parties to include, but not limited to:
- Courts and tribunals- Opposing parties and their legal representatives
- Regulators, legal ombudsmen, police, law enforcement agencies and security services, the government, HMRC, land registry, investment advisors (authorised and regulated by the Financial Conduct Authority), insurance companies
- Our professional advisers and service providers (e.g. IT support, accountants).
We ensure all third parties respect the security of your data.
We require third parties to comply strictly with our instructions and data protection laws.
We do not typically transfer your data outside the UK/EEA. If we do, we will ensure appropriate safeguards are in place.
In the course of acting for our clients, we may process personal data relating to individuals who are not our direct clients such as sellers/buyers beneficial owners, guarantors, directors or other third parties connected to the matter. This may include conducting sanctions screening, anti-money laundering checks and other compliance due diligence. Direct notification to such third parties shall not apply under Article 14(5)(b) of GDPR if the provision of such information proves impossible or would involve a disproportionate effort.
We retain your data in accordance with our data retention policy, typically for 6–10 years after your matter concludes, unless a longer period is required by law.
You have the right to:
- Request access to the personal data we hold about you (a Data Subject Access Request or DSAR). In responding, we will carry out searches that are “reasonable and proportionate” under the Data (Use and Access) Act 2025. Please send DSARs by email to Rache Phillips at rachel@candrlegal.co.uk. Such request must be accompanied by your full name, contact details, description of the information you require, proof of your identity and if acting on behalf of someone else, written authority or Power of Attorney. This request is free of charge unless we regard the request to be manifestly unfounded or excessive. We will respond within one month of such DSAR.
- Have any inaccuracies in your data corrected.
- Request that we delete your personal data so it is erased from our records.
- Have the data we hold about you transferred to another organisation computer.
- Object to automated processing, including profiling.
- Object to certain types of processing such as direct marketing.
- Complain to the Information Commissioner’s Office (ICO).
For complex or multiple requests, we may extend this by up to two further monthsbut we will advise if this is necessary within the first month and explain the reasons for the extension.
In the event of a sale, merger, acquisition, insolvency or other change in ownership or control of the business or its assets, personal data, including special category data, may be transferred to a third party as part of that transaction. Any such transfer will only take place where it is necessary for the continuation of business operations and will be subject to appropriate safeguards, in full compliance with GDPR. We will take all reasonable steps to ensure your personal data is handled securely, lawfully, and in accordance with this Privacy Policy. Where legally required, we will notify you of the transfer and provide relevant details about the new data controller.
We have security measures in place to protect misuse of information under our control. We cannot however guarantee that these measures are or will remain adequate. We do however take data security very seriously and will use all reasonable endeavours to protect the information you have provided. Be advised however that the transmission of information over the internet is inherently insecure and we cannot guarantee the security of the data over the internet.
We take appropriate technical and organisational measures to safeguard your data, including secure servers and restricted access protocols.
We operate CCTV at our premises which may record you and your activities. We display notices to make it clear what areas are subject to surveillance. We will only release footage where there is a legal obligation, to protect the vital interests of the data subject or other person.
We use this information as necessary for our legitimate interests in administering your visit, ensuring site security and visitor safety.
We use:
- Measurement (ie analytics) via Google Analytics
- Required design items (google fonts, adobe fonts)
- Required functionality (google tag manager, webflow services/hosting)
For more information, visit our Cookie Policy.
In the event that you have any query or complaint in connection with the information we hold about you please email Rachel Phillips at rachel@candrlegal.co.uk or write to us: Rachel Phillips, C&R Legal Limited, High Street, Lechlade, Gloucestershire, GL7 3AE.
Dated - 24th September 2025
