This notice tells you what to expect when Kingsley Napley uses your personal data as a ‘controller’ of personal data for the purposes of the Data Protection Act 2018 and the UK General Data Protection Regulation. When we use personal data, we are required to do so in accordance with applicable data protection legislation.
When we say ‘we’, ‘our’ or ‘Kingsley Napley’, we are referring to Kingsley Napley LLP, Kingsley Napley Trust Corporation Limited or affiliated entities.
- If you need further information or have any questions or complaints about our privacy notice or privacy practices please contact our Data Protection Officer using the details below:
- This notice describes:
- The personal data that we collect
- How we obtain personal data
- How we use personal data
- The basis upon which we use personal data
- How long we keep personal data
- Who we share personal data with
- Safeguards for transferring personal data internationally
- How we protect personal data
- The legal rights of individuals whose personal data we process
The personal data that we collect
- Personal data means any information relating to an identified or identifiable individual.
- Because of the wide-ranging nature of our work, and the different reasons why we need to use personal data, what we collect is very varied and includes:
- Identity and contact data – including name, date of birth, email address, postal address, telephone number, passport details, and any other information provided or collected as part of our client take on or employee recruitment processes and as a result of individuals’ interactions with us in the course of our business
- Financial and transaction data – including bank account details, payment card details and details of payments from and to individuals
- Technical and usage data – including information about how individuals use our website
- Marketing data – including communications with individuals for marketing purposes, individuals’ preferences in receiving marketing from us and information provided to us for the purpose of attending events such as dietary information and accessibility requirements
- Information used to provide our services – including information provided to us by or on behalf of our clients or otherwise provided to us or generated by us in the course of providing services to our clients
- In order to provide our services, we may collect special category data and personal data relating to criminal convictions and offences. Special category data includes personal data which reveals racial or ethnic origin, religious or philosophical beliefs, trade union membership, data concerning health and data concerning a person’s sex life or sexual orientation.
How we obtain personal data
- We obtain personal data in different ways, including through:
- Direct contact – individuals may give us their personal data by corresponding with us by post, email or telephone or otherwise.
- Clients – our clients may give us personal data of individuals (for example a client’s employees) to enable us to provide our services.
- Third parties or publicly available sources – we may receive personal data of individuals from third parties (for example disclosure by the police or CPS in connection with a prosecution or information provided by a witness) in connection with the provision of services by us to our clients. We may also receive information from business contact databases or enrichment services which use publicly available information to improve the accuracy and detail of data. We may also receive information from sources such as Companies House, HM Land Registry, credit reference agencies and suppliers of information that enables us to comply with our anti money laundering, sanctions and other due diligence obligations.
- Our website – we use cookies to help us to provide users with a good experience when browsing the website and allow us to improve the site. Details of the cookies we use, the information we gather and how cookies can be blocked can be found in our Cookie Policy on our website and in our Legal Notices.
How we use personal data
- We use personal data in a variety of ways including:
- To provide our services to our clients
- To continually improve the quality and efficiency of the services we provide
- To recruit employees and members (who we call partners) of Kingsley Napley LLP
- To manage and supervise our employees and partners
- To promote our services and to manage our relationships with clients, prospective clients and business contacts
- For the purposes of business intelligence to inform the management and development of our services
- For internal training and development purposes
- To meet our legal and regulatory obligations
- To meet our audit and insurance obligations
- In our work, we may, where appropriate, use artificial intelligence (AI) tools to enhance the quality and efficiency of the advice and services we provide. AI tools may be used when, for example, drafting documents, conducting legal research and analysing data. Additionally, we may utilise AI tools for internal-facing functions, such as administrative organisation and optimising our processes. They may either be AI tools obtained by collaboration with third-party providers or bespoke tools we have built and developed. Where we develop our own AI tools, we may use personal data to train and improve these tools.
- We use AI-based tools in accordance with our regulatory and legal obligations and, where personal or confidential data is processed, where we have assessed that the information will remain confidential and secure. We do not carry out any automated decision-making using AI. We are committed to principles of fair and responsible use of AI within our business.
The basis upon which we use personal data
- We will only use personal data (including special category data and data relating to criminal convictions and offences) when the law allows us to. Most commonly, we will use personal data in the following circumstances:
- Where it is necessary for our legitimate interests (or those of a third party such as one of our clients) and the interests and fundamental rights of the individual whose personal data we are using do not override those interests – for example where we act for a client in bringing regulatory proceedings
- Where we need to do so to perform a contract we are about to enter into or have entered into – for example a contract of employment
- Where it is necessary to comply with a legal or regulatory obligation
- When we use special category data and data relating to criminal convictions and offences it will normally be when this is necessary for the establishment, exercise or defence of legal claims or where we need to do so as an employer.
- Generally, we do not rely on consent as a legal basis for processing personal data other than in relation to sending direct marketing communications where you have opted in to receive marketing from us. Consent to receiving direct marketing communications can be withdrawn at any time by contacting us using the contact address above.
How long we keep personal data
- We will keep personal data in accordance with our data retention practices, which apply appropriate retention periods for each category of personal data. In setting retention periods we take account of the purposes for which the personal data was collected, legal and regulatory obligations on us to retain information, limitation periods for legal action and our business purposes. If you want to learn more about our specific retention periods for your personal data established in our retention policy you may contact our DPO at the address given above.
Who we share personal data with
- We may share personal data with third parties including:
- When undertaking necessary enquiries to comply with our anti money laundering, sanctions and other due diligence obligations in connection with employment and provision of client services – for example when verifying identity documents
- In the course of providing services to our clients – for example when instructing a medical expert to produce a report or counsel to provide advice
- When we outsource certain support services – for example reception, administrative or photocopying services
- With suppliers of IT storage, infrastructure and related tools and services for core business purposes
- Our professional advisers – for example our auditors, bankers and insurers
- To regulatory authorities, courts, tribunals and law enforcement agencies – for example our regulator, the Solicitors Regulatory Authority
- Third parties to whom we transfer personal data are required to respect the security of the data and treat it in accordance with the law. We do not sell personal data to third parties.
Which countries we transfer personal data to
- In the course of providing services to our clients we may need to transfer personal data outside the UK.
- Whenever we transfer personal data outside the UK, we ensure it is compliant with the law by ensuring:
- One of the exceptions in the UK GDPR applies allowing us to make a transfer without any further safeguards
- We are transferring the personal data to a country covered by an adequacy decision from the UK Secretary of State
- We put in place one of the ‘appropriate safeguards’ referred to in the UK GDPR such as the UK International Data Transfer Agreement
How we protect personal data
- We have put in place appropriate security measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We have put in place appropriate measures to inform our staff about how we collect, handle and keep data secure.
- We have put in place measures to deal with any suspected personal data breach and will notify relevant individuals and the Information Commissioner of a breach when we are legally required to do so.
The legal rights of individuals whose personal data we process
- Individuals have the rights set out below. If you wish to exercise any of these rights please contact our Data Protection Officer using the contact details given above.
- Request access to their personal data (commonly known as a "data subject access request"). This enables individuals to request a copy of the personal data we hold about them and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about them. This enables individuals to request to have any incomplete or inaccurate data we hold corrected, though we will need to verify the accuracy of the new data provided to us.
- Request erasure of their personal data. This enables individuals to ask us to delete or remove their personal data where there is lawful basis for us continuing to process it. Individuals also have the right to ask us to delete or remove their personal data where they have successfully exercised their right to object to processing (see below), where we may have processed their data unlawfully or where we are required to erase their personal data to comply with local law. Note, however, that we may not always be able to comply with a request of erasure for specific legal reasons which will be notified to the individual, if applicable, at the time of their request.
- Object to processing of personal data where we are relying on a legitimate interest (or that of a third party) and there is something about the individual’s particular situation which makes them want to object to processing on this ground as they feel it impacts on their fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process the data which overrides those rights and freedoms. Individuals also have the right to object where we are processing their personal data for direct marketing purposes.
- Request restriction of processing of their personal data. This enables individuals to ask us to suspend the processing of their personal data in the following scenarios: (a) if the individual wants us to establish the data's accuracy; (b) where our use of the data is unlawful but an individual does not want us to erase it; (c) where the individual needs us to hold the data even if we no longer require it as she/he needs it to establish, exercise or defend legal claims; or (d) the individual has objected to our use of their data but we need to verify whether we have overriding legitimate grounds to use it.
- Withdraw consent at any time where we are relying on consent to process the personal data. However, this will not affect the lawfulness of any processing carried out before consent is withdrawn.
We may need you to provide further information so that we can verify your identity before we can handle your request – we will inform you at the time if we require further information.
Complaints
- You have the right to make a complaint to us about how we handle your personal data. If you would like to make a complaint, please contact us using the contact details given above. We have procedures in place for reviewing and handling complaints. We will acknowledge your complaint within 30 days and will respond to it without undue delay to inform you of the outcome of your complaint. We may need you to provide further information so that we can verify your identity before we can handle your complaint – we will inform you at the time if we require further information.
- Individuals have a right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.co.uk). We would, however, appreciate the chance to deal with any complaints before the ICO is approached so please contact our Data Protection Officer, using the contact details given above, in the first instance.
Changes to this privacy notice
We keep our privacy notice under regular review. This privacy notice was last updated in May 2026.