This notice tells you what to expect when we collect personal information. Hepburn Delaney Ltd will respect your privacy and look after your personal data.

This Notice contains information about:

  • Who we are and Regulations we follow
  • What is personal data and special category data
  • Why we collect your personal information
  • How is your data collected
  • How we use your data
  • How long we keep information
  • How we keep information secure
  • Your rights
  • How we provide the information
  • Can you see all the information we hold about you
  • Information sharing and third parties
  • Information collected from third parties

1. Who we are and Regulations we follow

Hepburn Delaney Ltd is a Solicitors firm specialising in Family Law, Matrimonial Law, Wills and Probate, Estate Planning and Mediation.

Our services include:

Family Law & Mediation, Wills & Probate, Powers of Attorney, Children Law


Dissolution of Civil Partnership

Judicial Separation

Nullity • Mediation • Unmarried Couples – Separation • Financial Remedy • Wills • Trust Wills • Codicils • Inheritance Tax and Estate Planning, Declaration of Trust • Probate/Estate Administration, • Disputed Inheritance • Deed of Variation • Lasting Powers of Attorney • Deputyship Orders • Enduring Powers of Attorney • Child Arrangements • Specific Issues and Prohibited Steps Orders • Special Guardianship • Advice for Family Members • Child Protection

Our GDPR Owner and data protection representative can be contacted directly here: / 01442 218090

Hepburn Delaney Ltd is the “data controller” of the personal information we hold for the purposes of the UK General Data Protection Regulation (the UK GDPR) and the Data Protection Act 2018 (the Data Protection Act) which supplements UK GDPR and extends its application in the UK.

The Brexit transition period ended on 31 December 2020. Data we collected before the end of 2020 about people who were located outside the UK (EU/EEA) at the end of 2020 will be subject to the EU GDPR as it stood on 31 December 2020 (known as the ‘frozen GDPR’). As part of the new trade deal, the EU has on 28th June 2021 agreed an adequacy decision for the UK. The granting of an adequacy decision means that the personal data of EU/EEA data subjects can now be transferred from the EU/EEA to the UK without any further procedures in place such as Standard Contract Clauses (SCCs) or Binding Corporate Rules (BCRs). The EU Commission will further review this adequacy decision in 4 years.

What countries or territories are covered by adequacy regulations?

The UK has “adequacy regulations” in relation to the following countries and territories, which means it can transfer personal data between the UK and the following countries and territories, without any further procedures:

The European Economic Area (EEA) countries.

These are the EU member states and the EFTA States.

The EU member states are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.

The EFTA states are Iceland, Norway and Liechtenstein.

EU or EEA institutions, bodies, offices or agencies.

Countries, territories and sectors covered by the European Commission’s adequacy decisions (in force at 31 December 2020)

These include a full finding of adequacy about the following countries and territories:

Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.

In addition, the partial findings of adequacy about:

Japan – only covers private sector organisations.

Canada – only covers data that is subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

If, during the course of our business relationship with you and/or us processing personal data for and on your behalf, you travel outside the UK and to any of the above listed countries, then the onus is on you to let the firm know specifically which country, as we may have to implement additional safeguards, such as encryption of data/transfer restrictions for the transfer of any personal data from us to you in such countries that may not be covered by the UK adequacy decisions that are in place.

2. What is personal data and special category data

Personal data is defined in the UK GDPR as any information relating to an identified or identifiable natural person. It can include obvious data like your name but also identification numbers, online identifiers and/or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Special category data includes data revealing race or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data, data concerning health or data concerning a person’s sex life or sexual orientation.

3. Why we collect your personal information

This policy applies to information we collect about:

  • visitors to our website
  • employees
  • service providers
  • applicants to work at Hepburn Delaney Ltd
  • clients
  • people who make enquiries
  • others connected to our work

What type of information we may collect:

  • Normal personal data including your name, address, telephone number, date of birth, email address, geographical/location details, bank account details, employment details, National Insurance number, educational qualifications;
  • Personal financial data;
  • Personal identity – we retain copies of passports or identity documents to verify your identity;
  • Special categories of personal data – for example we may process data concerning your health if you give this to us;
  • CCTV images or photos when attending our meetings or events;
  • Recordings of virtual meetings only with your consent
  • Assisting you with the funding of your matter if it involves Legal Aid

As a legal services firm, most of the personal data we process is data relating to our contractual functions, powers and duties.

Data may also be processed because it is necessary for the pursuit of our legitimate interests and/or the legitimate interests of others.

There may be occasions where we process data to comply with legal obligations, particularly in the context of legal proceedings and/or compliance with requests by law enforcement agencies, for example; although, even in these cases, our regulatory functions will also generally be engaged.

We will not generally rely on consent as a basis for processing personal data. In the limited circumstances where we may rely upon consent, we will specifically obtain this in the course of collecting the data.

We may also use data to improve our level of service. Where we do this, we do it to help inform us how to improve the way we work since both we and those we deal with have an interest in us doing so. We may for instance, monitor and/or record calls for quality and accuracy purposes.

Smart Search – Anti Money Laundering and client identification and verification system

We use the services of Smart Search to provide secure digital identity verification and to share key documents as part of our client on-boarding process, in line with SRA regulations and our Anti Money Laundering professional obligations.

All information provided is securely processed by Smart Search using the highest security standards to encrypt your details and keep your personal data safe. You will receive a message to your smart phone or a link to your email address to start your client on-boarding by Smart Search.
The lawful basis that we will use for the processing of your personal data for this identification and verification purpose is to comply with “legal obligation”.

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. If you choose not to give us your consent for our mailing list, there will be no effect on your legal contract with us.

4. How your data is collected

We use different methods to collect data from and about you including:


You may give us your identity and contact details by filling in forms or by corresponding with us by post, phone, and email or otherwise. This includes personal data you provide when you:

  • Make an enquiry about our services or instruct us;
  • Through client feedback;
Automated technologies or interactions.

As you interact with our website, we may automatically collect technical data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, and other similar technologies. We may also receive technical data about you if you visit other websites employing our cookies. Please see our cookie policy for further details.

Third parties or publicly available sources.

We may receive personal data e.g. computer IP address, about you from various third parties and public sources as set out below:

  • Technical data from the following parties: analytics providers such as Google based outside the EU;
  • Contact, financial and transaction Data from providers of technical, payment and delivery services.
  • Identity and Contact Data from publicly available sources such as Companies House and the Electoral Register based inside the EU.
  • Referrals and opponents
  • Enquiries made electronically or over the telephone

The nature of our work means that we handle personal information about third parties who are, in some way, connected to the work we do. This category is broad and examples include experts including but not limited to barristers, pension advisors, mortgage brokers, private detectives, medical experts, counsellors, mediators and estate agents.

Some data is collected when people sign up to receive marketing or registering with us for events.

5. How we use your data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • To perform legal and other service;
  • Where we need to perform the contract we are about to enter into or have entered into with you;
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
  • Barristers once client confirms agreement to their instruction;
  • Family members if Hepburn Delaney have written and signed authority;
  • Office of the Public Guardian for registration of Lasting Power of Attorney. This is always with client consent;
  • Share Registrars – Capita, Equiniti, Computershare. Or sometimes directly to the company the deceased held shares with rather than the Registrars;
  • Where we need to comply with a legal or regulatory obligation;
  • To respond to enquiries/communication;
  • Marketing purposes:
    • Please note that opting out of marketing messages will not stop service communications and there will be no effect on your legal contract with us
    • We collect data for marketing emails.  The following information is collected:
      • First name
      • Last name
      • Email address
      • Content details
    •  How you collect the above information
      • Opt-in
      • Digitally / forms / client care letter
      • Face to face
    •  Legal basis for processing
      • Generally we do not rely on consent as a legal basis for processing your personal data other than in relation to sending direct marketing communications to you via email or by post. You have the right to withdraw consent to marketing at any time.  You can control the marketing communications by contacting Hepburn Delaney directly. You also have the following options:
      • Emails:  You can also click on the ‘unsubscribe’ link in any marketing email you receive, and this will take you to the Contact Preferences section of your account so you can unsubscribe from that method of communication.
  • To expand and maintain our list of contacts;
  • For Hepburn Delaney Ltd business purposes, including internal admin, data analysis, billing and responding to actual or potential fraud;
  • To advertise, provide and assess the effectiveness of our events, promotional campaigns, publications and services, including participating in any legal, chambers or similar ranking or award submissions and/or application process.

We may use your identity, contact, technical, usage and profile data to form a view on what we think you may want or need, or what may be of interest to you.

You will receive marketing communications from us if you have requested information from us or purchased services from us or if you provided us with your details when you entered a competition and, in each case, you have not opted out of receiving that marketing.

We will never sell your personal information.

6. How long we keep the information for?

Hepburn Delaney Ltd will process (collect, store and use) the information you provide in a manner compatible with the EU’s General Data Protection Regulation (GDPR). We will endeavour to keep your information accurate and up to date and not keep it for longer than is necessary. Hepburn Delaney Ltd is required to retain information in accordance with the law, such as information needed for income tax and audit purposes. How long certain kinds of personal data should be kept may also be governed by specific business-sector requirements and agreed practices the main ones detailed below. Personal data may be held in addition to these periods depending on individual business needs.

  • until the period that you could make a claim against us has elapsed, which is usually seven years after the matter concluded;
  • if we acted for a child under 18, when they reach their 25th birthday;
  • if we have acted in a matter in which you had suffered mental impairment, or a provisional award has been made, then the file can be kept up to 100 years from the data of birth;
    for the duration of a trust, plus six years;
  • wills and related documents can be kept for 75 years from date the will was signed;
  • probate matters where there is a surviving spouse or civil partner are retained until the survivor has died to deal with the transferable Inheritance Tax allowance;
  • deeds related to unregistered property are kept indefinitely as they evidence ownership;
  • comply with any client instructions to extend the retention period in relation to their documents.

When we receive job applications containing personal information we create or update the information we hold about that person on our systems and files. We use the personal information to process the application and to make a decision about the application itself. We will keep the information for a period of 1 year, after which it will be destroyed.
If you have opted-in to receive our marketing communications you can unsubscribe from our data at any time.

7. How we keep information secure

We are under a general duty to keep personal data and information confidential. Where we share information, we take all reasonable steps to keep it secure, use it fairly and ensure that data protection safeguards are in place. We use secure portals and encryption tools when necessary to ensure data in transit is protected.


You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our cookies policy below:

Cookie Policy of (

Hepburn Delaney Ltd uses technology to collect information about the use of the website and to distinguish you from other users in order to improve your experience when you browse the Hepburn Delaney Ltd website.

In order to collect the information this website uses cookies. A cookie is a small file of letters and numbers that is sent to your browser and stored on the hard drive of your computer (or internet enabled device) when you visit a website.

These cookies are used throughout the website. These cookies are used for reporting purposes helping us to collect information about how many people use our site, what parts are accessed and where visitors come from.

Our website may link through to third party websites which may also use cookies over which we have no control. We recommend that you check the relevant third party’s privacy notice for information about any cookies that may be used.

You can configure your web browser to refuse cookies, to delete cookies, or to be informed if a cookie is set. You can find out how to do this by clicking “help” on your browser menu.

To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit
You should note that by deleting or blocking cookies, the website may not function correctly and you may not be able to access certain areas.

8. Your rights

Depending on the information we hold about you, and the reason for us holding it, you have certain rights which are set out below.

The right to rectification

You are entitled to have your records amended if the personal data we hold is inaccurate or incomplete.

The right to erasure

You have a right to request your data is deleted in certain circumstances, i.e. where it is no longer needed for the purposes it was collected; the (rare) occasions where consent is relied upon as the lawful basis for processing, it is withdrawn and there is no other lawful basis for our continuing to process it; you object to the processing (see below) and there are no overriding legitimate grounds to continue; where the data has been unlawfully processed; or where it has to be erased for compliance with a legal obligation.

Withdrawal of consent

By consenting to this privacy notice you are giving us permission to process your personal data specifically for the purposes identified. Consent is required for Hepburn Delaney Ltd to process both types of personal data, but it must be explicitly given. Where we are asking you for sensitive personal data we will always tell you why and how the information will be used. You may withdraw consent at any time. Withdrawal of consent by the data subject means an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies withdrawal of consent to the processing of personal data relating to him or her. Withdrawal of consent shall be without effect to the lawfulness of processing based on consent before its withdrawal. Whereas consent covered all processing activities carried out for the same purpose or purposes, withdrawal of consent covers all processing activities carried out for the same purpose or purposes.

The right of access

You have the right to obtain a copy of personal data we hold about you, including the reasons why we hold it, who the data will be shared with as well as details of the period for which the data will be retained.

In most instances, we will provide the information to which you are entitled within one month of receipt of a valid request. Requests which are complex or numerous may however take up to three months.

Requests which are considered manifestly unfounded or excessive will be refused.

The right to restrict processing

You have the right to limit the way we use your personal data if you are concerned about the accuracy of the data or how it is being used. You can also stop us deleting your data.
The right to object to processing

You have the right to object to the processing of your personal data in certain circumstances. If the firm agrees to your objection, we must stop using your data for that purpose unless it can provide strong legitimate reasons to continue to use your data despite your objections.

You have an absolute right to object to the firm using your data for direct marketing and once you exercise this objection, the firm must stop using the data.

The right to data portability

You have the right to ask us to transfer the information you have given to us from one organisation to another or to give that information back to you.

This right will only be applicable if we are processing information based on your consent or under contract and the processing is automated.

The right not to be subject to decision making based on automated processing

You have the right not to be subject to a decision based solely on automated processing i.e. decisions made entirely by technological means, without human intervention.

This right includes profiling for example any form of automated processing for the purpose of evaluating you as an individual.

We confirm that we do not make decisions based on automated processing as all decisions are made by individual/individuals within the firm.

The right to lodge a complaint with a supervisory authority

The Supervisory authority is the Information Commissioner’s Office (ICO) whose contact details are as follows:

Information Commissioner’s Office
Wycliffe House
Water Lane
Helpline Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number. If you are calling from outside the UK, you may not be able to use the 03 number above, so please call +44 1625 545 700.

9. How we provide the information to you

We will send information by secure digital transfer which will be password protected. We can make other arrangements in some cases.

10. Can you see all the information we hold about you?

You may not be entitled to see all the information held about you if an exemption applies. Examples of exemptions include information that:

  • is about another person
  • is subject to legal privilege

If an exemption applies we will explain which exemption applies and we tell you if we have removed any information from the copy we send you.

11. Information Sharing and third parties

We use cloud-based providers who operate within the EU under suitable data protection arrangements and security controls in place in accordance with the requirements in UK GDPR.

We also share data with organisations who perform audit and assurance roles for us and those who provide professional advisory services. This includes legal, medical and other professional advisers; again, with whom we have arrangements to ensure their compliance with our requirements.

12. Information collected from third parties

As explained more particularly below, we also obtain data from third parties. Generally, when we do this, it is in the exercise of our regulatory functions, powers and duties, including:

Complainants, other regulatory bodies, law enforcement agencies and witnesses.

May 2023 updates to email marketing
To be reviewed May 2024