1. Introduction
   FB Solicitors is committed to protecting the privacy and personal data of all individuals with whom we interact. This Privacy Policy explains how we collect, use, store, and share your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and any other applicable data protection legislation.

We act as a Data Controller in respect of the personal data we process in the course of providing legal services and operating our business.
This policy applies to clients and prospective clients; opposing parties and their representatives; witnesses; counterparties; visitors to our website; and employees, contractors and job applicants (subject to our separate Employee Privacy Notice).

2. Data Controller Details
   The Data Controller responsible for your personal data is:
   FB SOLICITORS
   SUITE E & F,
   THE CLOCK HOUSE
   BARKING
   IG11 8EQ
   Email: office@fbsolicitors.com
   Telephone: +44 (0)208 264 4800

Our Data Protection Officer (DPO) / Data Protection Lead can be contacted at the above address or email, marked for the attention of the Data Protection Officer.

3. What Personal Data We Collect
   3.1 Data You Provide to Us
   We may collect and process the following categories of personal data that you provide
   directly:

• Identity data: full name, date of birth, gender, national identity number, passport or driving licence details
  • Contact data: address, email address, telephone numbers
  • Financial data: bank account details, payment card details, billing information
• Legal matter data: details relevant to your legal matter including case facts, correspondence, evidence, and instructions
  • Immigration status data (where relevant): visa details, biometric information, nationality, immigration history
  • Family and relationship data (where relevant): details of family members, dependants, relationship history
  • Employment data (where relevant): employment history, earnings, employer details
  • Health and medical data: only where directly relevant to your legal matter and with your explicit consent
  • Criminal conviction and offence data: only where required for the provision of legal services and where lawfully permitted

3.2 Data We Collect Automatically
When you visit our website, we may automatically collect:
• Technical data: IP address, browser type and version, device identifiers, operating system
• Usage data: pages visited, links clicked, time spent on pages, referring URLs
• Cookie data: as described in our Cookie Policy

3.3 Data Received from Third Parties
We may receive personal data from the following third-party sources:
• Other solicitors, barristers, or legal professionals involved in your matter
• Courts, tribunals, and regulatory bodies (including the Home Office and UKVI)
• Medical professionals and expert witnesses
• Employers and public authorities
• Credit reference agencies and anti-money laundering screening providers
• Publicly available sources such as Companies House, the Electoral Register, and court records

4. Lawful Basis for Processing
   We process personal data only where we have a lawful basis to do so. The lawful bases we rely upon include:
   1. Performance of a contract (Article 6(1)(b) UK GDPR): processing necessary to perform the legal services contract between us, or to take steps at your request prior to entering into such a contract.
   2. Legal obligation (Article 6(1)(c) UK GDPR): processing required to comply withour legal and regulatory obligations, including anti-money laundering (AML) obligations under the Proceeds of Crime Act 2002 and Money Laundering Regulations 2017, obligations to the Solicitors Regulation Authority (SRA), and obligations to the courts.
   3. Legitimate interests (Article 6(1)(f) UK GDPR): processing necessary for our legitimate interests, including managing and improving our practice, preventing fraud, ensuring IT and network security, and maintaining business records, where such interests are not overridden by your rights and freedoms.
   4.  Vital interests (Article 6(1)(d) UK GDPR): in limited circumstances where processing is necessary to protect your vital interests or those of another person.
   5.  Explicit consent (Article 6(1)(a) / Article 9(2)(a) UK GDPR): where we have obtained your explicit consent, in particular for the processing of special category data.

For Special Category Data (Article 9 UK GDPR), which includes health data, racial or ethnic origin, religious beliefs, sexual orientation, and biometric data, we rely on one of the following additional conditions:
•  Explicit consent
• Processing necessary for the establishment, exercise, or defence of legal claims (Article 9(2)(f))
• Processing necessary for reasons of substantial public interest (Article 9(2)(g) and Schedule 1 DPA 2018)

For Criminal Conviction and Offence Data (Article 10 UK GDPR / s.10 DPA 2018), we rely on Schedule 1, Part 3 of the DPA 2018 (confidential counselling, advice, or
support), the administration of justice, and compliance with regulatory obligations.

5. How We Use Your Personal Data
   We use your personal data for the following purposes:
   • Providing legal advice and representation, including conducting legal research and preparing court documents
   • Managing your matter and maintaining our matter files and case management systems
   • Communicating with you about your matter and our services
   • Verifying your identity and conducting AML due diligence checks
   • Processing payments and managing billing and accounts
   •  Complying with our regulatory obligations to the SRA, the Legal Aid Agency (where applicable), courts and tribunals
   •  Detecting and preventing fraud, money laundering, and other criminal activity
   •  Administering and improving our website and IT systems
   •  Carrying out client satisfaction surveys (where consented)
   •  Defending legal claims and professional indemnity matters
   •  Meeting our professional conduct and ethical obligations
6. Sharing Your Personal Data
   We may share your personal data with the following third parties, only to the extent necessary and on a confidential basis:
   • Barristers, counsel, and other legal professionals instructed in your matter

• Courts, tribunals, and government bodies (including the Home Office, UKVI, andthe Ministry of Justice)
•  Expert witnesses, translators, and interpreters
•  Medical professionals and care providers (where relevant to your matter)
•  Opposing parties and their legal representatives, as required by law or court order
•  The Solicitors Regulation Authority, the Legal Ombudsman, and other regulatory or professional bodies
•  Our professional indemnity insurers and legal advisers
•  HM Revenue and Customs and other tax or governmental authorities
•  IT service providers, cloud storage providers, and case management software suppliers — all subject to appropriate data processing agreements
•  Approved legal aid bodies and the Legal Aid Agency (where applicable)

We do not sell, rent, or otherwise disclose your personal data to third parties for marketing purposes without your express consent.

7. International Transfers
   Your personal data is primarily held and processed within the United Kingdom and theEuropean Economic Area (EEA). Where we transfer personal data outside the UK or EEA, we ensure that appropriate safeguards are in place in accordance with Chapter V of the UK GDPR, including:
   Transfers to countries with adequacy decisions under UK GDPR
   •  Use of the International Data Transfer Agreement (IDTA) or Addendum to the EU Standard Contractual Clauses (SCCs) approved by the ICO
   •  Binding Corporate Rules, where applicable

You may request details of the specific safeguards applied to any international transfer of your personal data by contacting our Data Protection Officer.

8. Retention of Personal Data
   We retain personal data only for as long as necessary for the purposes for which it wascollected, or as required by law or regulation. Our retention periods are guided by:
   The SRA Code of Conduct and its associated guidance
   •  Limitation Act 1980: limitation periods for legal claims (generally six years for contract claims)
   •  HM Revenue and Customs requirements (generally six years for financial records)
   •  Legal aid requirements (where applicable)
   •  Archiving obligations for court-filed documents
   As a general guide:
   •  Client files and matter documents: retained for a minimum of six years from the conclusion of the matter, or longer where required by the nature of the matter (e.g., conveyancing files, wills, probate documents)

•  Anti-money laundering due diligence records: retained for a minimum of five years from the end of the business relationship
• Accounting and financial records: retained for six years
•  CCTV footage (if applicable): retained for a maximum of 30 days unless required for an ongoing investigation

After the applicable retention period, personal data is securely destroyed or anonymised in accordance with our Data Retention and Destruction Policy.

9. Your Rights Under UK GDPR
   Subject to certain exemptions (including legal professional privilege and the proper administration of justice), you have the following rights in relation to your personal data:
   Right of access (Subject Access Request — SAR): you have the right to request a copy of the personal data we hold about you and information about how we use it. We will respond within one calendar month (extendable by a further two months in complex cases).
   7. Right to rectification: you have the right to request correction of inaccurate or incomplete personal data.
   8.  Right to erasure (right to be forgotten): you have the right to request deletion of your personal data in certain circumstances, including where the data is no
   longer necessary for the purpose for which it was collected, and where no
   overriding legal obligation or legitimate interest applies.
   9.  Right to restriction of processing: you have the right to request that we restrict the processing of your data in certain circumstances, for example while the accuracy of your data is being verified.
   10.  Right to data portability: where we process your data by automated means on the basis of your consent or a contract, you have the right to receive your data in a structured, commonly used, and machine-readable format.
   11. Right to object: you have the right to object to processing based on legitimate interests or for direct marketing purposes. We will cease such processing unless we can demonstrate compelling legitimate grounds which override your interests, rights, and freedoms.
   12. Rights in relation to automated decision-making: you have the right not to be subject to a decision based solely on automated processing, including profiling,
   which produces legal or similarly significant effects. We do not currently carry out such processing.
   13. Right to withdraw consent: where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact our Data Protection Officer in writing at office@fbsolicitors.com or at our principal address above. We may require you to verify your identity before processing your request.

10. Automated Decision-Making and Profiling
    We do not use automated decision-making processes or profiling that produce legal or
    similarly significant effects on individuals. Where any automated tools are used in the
    provision of our services (for example, document review software), these remain subjectto meaningful human oversight.
11. Data Security
    We implement appropriate technical and organisational measures to protect your
    personal data against unauthorised access, loss, destruction, alteration, or disclosure.
    These measures include:
    Password protection and multi-factor authentication for all systems containing personal data
    •  Encryption of personal data in transit and at rest where appropriate
    •  Restricted access to personal data on a need-to-know basis
    •  Regular staff training on data protection and information security
    •  Documented incident response procedures for personal data breaches
    •  Physical security controls at our premises
    •  Regular review of our information security policies and procedures

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware and, where required, will notify affected individuals without undue delay.

12. Cookies
    Our website uses cookies and similar tracking technologies. By using our website, youconsent to our use of cookies in accordance with our Cookie Policy, which is available on our website. You can control your cookie preferences through your browser settings or through our cookie consent tool.
13. Children’s Data
    Our services are generally directed at adults. Where we process the personal data of children (persons under 18) in the context of a legal matter, we do so only to the extent necessary and in accordance with UK GDPR and the DPA 2018. We take particular care to ensure that any processing of children’s data is fair, transparent, and
14. Legal Professional Privilege
    Certain data protection rights (including the right of access) may be restricted where personal data is subject to legal professional privilege. We will assess each request individually and advise you of any applicable restrictions. Privileged material will not bedisclosed without your consent or as required by law.
15. Third-Party Websites
    Our website may contain links to third-party websites. We are not responsible for the privacy practices or content of those websites and encourage you to review their respective privacy policies.
16. Complaints
    If you have any concerns about how we handle your personal data, please contact our
    Data Protection Officer in the first instance. We will endeavour to address your concernspromptly and fairly.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection:

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113 | Website: www.ico.org.uk

17. Changes to This Policy
    We may update this Privacy Policy from time to time to reflect changes in the law, our data processing practices, or the nature of our services. Where changes are material, we will notify affected individuals by email or by a prominent notice on our website. The version date at the top of this document indicates when the policy was last updated.