Privacy Policy

What this Privacy Policy covers

Carter Lemon Camerons LLP (“CLC”), a limited liability partnership with company number OC333252, is located at 3rd Floor, 20 King Street, London EC2V 8EG and we are providing this Privacy Policy to explain our data collection, use and storage of any personal data which we process.  We are registered with the Information Commissioner’s Office (“ICO”), registration number Z63322140.  Our VAT registration number is 244 6998 17.  CLC’s trading names and and Carter Camerons are also registered with the ICO.

CLC is committed to protecting your privacy.  This statement of privacy applies to our processing activities in general including the CLC website.  The conditions of processing of personal data and the purposes for which personal data may be collected, stored and used are described in this Privacy Policy.  By using the CLC website, you signify that you are happy with the data protection practices described in this statement.

New legislation

The UK General Data Protection Regulation (GDPR) effective from 25th May 2018 provides rights to individuals regarding the collection, storage and use of their personal data.  This Privacy Policy takes account of the requirements under GDPR and the Data Protection Act 2018.  Also covered in this Privacy Policy are the requirements of the Privacy and Electronic Communications Regulations 2003 updated 2004 and 2011 (PECR).

Who is the Data Controller?

Carter Lemon Camerons LLP

Data Controller contact details

Tel:  020 7406 1000


Responsible person

Ian West

What is personal data?

Personal data means any information about a living individual from which that person can be identified.  It does not include data where the identity has been removed (anonymous data).

What type of data do we collect?

We may collect from you:

  • your full name
  • your job title (if applicable)
  • your email address
  • your postal address
  • your landline telephone number
  • your mobile number
  • your national insurance number
  • your date of birth
  • your marital status
  • copies of your passport and/or driving licence with identifying numbers
  • bank account details

Rights under the UK General Data Protection Regulation

You have the following rights under the GDPR.

  • Access: Data Subject Access Request (DSAR). You have the right to access the personal information we may hold about you by making a DSAR.  On receipt of such a request we will endeavour to respond to you as soon as possible, but at least within one calendar month.  As a security measure, we ask you to provide us with two forms of personal identity to ensure that we do not disclose personal information to a person who has no right to receive it.
  • Rectification: You have the right to request that we amend any personal information that may be incorrect or require updating.
  • Erasure: You have the right to request that we delete any personal information pertaining to you.
  • Data Portability: Under GDPR there is a relatively recent right to data portability, primarily designed to make it easier for individuals to switch between service providers.  This is unlikely to be relevant to your relationship with CLC.
  • The right to restrict or suspend processing: Individuals have a right to ‘block’ or suppress processing of personal data.  If you decide to do this, we will continue to store the data, but process it no further until we have agreed a solution to the issue you have raised.
  • Data breach reporting: You have the right to be informed of a data breach if there is material damage which might affect you.  We have a process in place just in case this unlikely event happens.

Any questions about these rights may be sent to

Do we collect any special categories of personal data?

We may also collect information that is referred to as being in a special category of personal data

Special categories of data under Article 9 of the GDPR are:

“racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.

What about children’s data?

Children’s personal data requires additional protection because they may be less aware of the risks involved.  Where we process personal data of children under 16 (for example, in private client services or in matrimonial or family matters) we will follow the relevant regulations including, where appropriate, obtaining consent from the child.

Is data collected from third party or public domain sources?

We may collect your personal data from you, a member of staff, face to face, referrers, solicitors on the other side of a matter or transaction or from a public source.

How do we use your personal data/What are our grounds for lawful processing?

The basis on which we process your personal data is one or more of the following:

  • it is necessary for the performance of our contract with you (i.e. when providing our legal services to you)
  • it is necessary for us to comply with a legal obligation
  • it is in our legitimate interests to do so
  • you have given us your consent (this can be withdrawn at any time by advising us via the email

How to stop receiving marketing communications

CLC will not send marketing communications to individuals who have unsubscribed, opted-out or otherwise asked us to stop direct marketing.  Where we collect contact information from you which may be used for marketing purposes, we will let you know how to stop receiving such information if that’s what you prefer.

Surveys or marketing research

We may contact you from time to time to seek your views via a short survey to assist in planning or promoting our business and in maintaining the quality of our services.  You always have the choice about whether to take part in our research.

Is data processed outside of the UK? – If so how is it protected?

We do not hold personal data outside the UK.  However, to enable us to complete the work we do for you, it may be necessary to transfer your personal data outside the UK.  We will only do this if there is an adequacy regulation in respect of the relevant country, we have put in place appropriate measures to ensure consistency with UK data protection law, a derogation under GDPR applies or we obtain your explicit consent.  A common applicable derogation for us will be when the transfer of personal data is necessary for the provision of our legal services for you or when the transfer is necessary for the establishment, exercise, or defence of legal claims.

Is data shared with third parties and if so, who?

We do not share personal data with third parties for any purposes unless required to by law or we have received your consent to do so.  For example, we may need to share personal data in order to comply with our legal and professional obligations (including in connection with cyber security and to cooperate with professional bodies).

Disclosure to other organisations, e.g. authorities, data processor

We sometimes disclose personal data to our suppliers in order for them to process personal data on our behalf.  When we do so we have a contract in place compliant with the GDPR to ensure the security of any personal data that each processor or sub-processor processes.  We have an obligation to disclose data on legal and tax issues, where they apply, to the regulatory authorities.

Cookie policy

Our website uses cookies and/or other tracking devices.  Details of our cookie policy can be found on our website.

Data security – how we protect your data

We follow appropriate security procedures in the collection, storage and use of your information so as to prevent unauthorised access by third parties.

We process data at our offices at 3rd Floor, 20 King Street, London EC2V 8EG with access restrictions in place and at the sites of our data processors within the UK.  Our IT specialist provider retains our data at a different location equally protected behind the appropriate firewalls and other security devices.

However, the transmission of information via the internet is not completely secure. We cannot ensure the security of your information transmitted by you to us via the internet.  Any such transmission is at your own risk and you acknowledge and agree that we shall not be responsible for any unauthorised use, distribution, damage or destruction of your information, except to the extent we are required to accept such responsibility by the GDPR or the PECR.  Once we have received your information we will use security procedures and features to prevent unauthorised access to it.

External links not covered by this policy

Please remember that when you use a link to go from our website to another website or you request a service from a third party, our Privacy Policy no longer applies.  Your browsing and interaction on any other website or your dealings with any other third party service provider, is subject to that website’s or third party service provider’s own rules and policies.  We do not monitor, control, or endorse the information collection or privacy practices of any third parties.  We encourage you to become familiar with the privacy practices of every website you visit or third party service provider that you deal with and to contact them if you have any questions about their respective privacy policies and practices.  This Privacy Policy applies solely to information collected by us through our website or services and does not apply to these third party websites and third party service providers.

Data Retention Policy

This policy sets out how long we keep client data, including matter files, and when that data will be securely destroyed. All data will be reviewed before secure destruction to determine if there are special factors which should delay destruction.

A record of all such actions is kept for future audit purposes.

The firm’s approach to retaining client personal data is to ensure that it complies with the data protection principles and, in particular, to ensure that:

  • Records are reviewed at appropriate intervals to ensure that they remain adequate, relevant and limited to what is necessary to run the firm’s business of the provision of legal services to clients including compliance with legal or regulatory requirements.
  • Records are safely stored and are protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.
  • When records are destroyed, whether held as paper records or in electronic format, the firm will ensure that they are safely and permanently erased.

When determining the appropriate retention period for client personal data the firm has regard to the purpose for which that personal data was collected.  However, it also has regard to legal risk and may keep records for at least six years (and in some instances longer) after the relevant contractual relationship with us has ended.

The criteria that we may consider when deciding the appropriate retention period for client personal data may vary but will depend on the following (without limitation):

  • any instructions or rules emanating from our regulator the SRA
  • requirements and recommendations from our insurers
  • the purpose for which we hold the client personal data
  • the amount, nature and sensitivity of the client personal data
  • the potential risk of harm from unauthorised use or disclosure of such client personal data
  • the legal limitation periods for bringing claims and whether we need the client personal data to bring or defend any proceedings
  • any legal or regulatory requirements including accounting or reporting requirements
  • instructions from a data subject.

Generally, client files are marked for review for potential destruction between 80 months and 90 months after closure of the matter.  A longer retention period of up to 20 years may be specified depending on the nature of the matter e.g. will writing, creation of a trust.  However, the firm may depart from those guideline retention periods should there be a legitimate reason for doing so.

What to do if you have a concern

Please contact us at and we’ll be happy to help you.

The Regulator of the GDPR and the PECR is the ICO.  If you feel you wish to draw the Regulator’s attention to the way and the purposes for which we are processing personal data, you may contact the ICO by clicking here

Changes to this Privacy Policy

Amendments to this Privacy Policy are made every time something changes in the way or the purposes under which we process personal data.

When last updated?

November 2023

The partner responsible for this policy is Ian West