Privacy Notice


This Notice details how CJCH Solicitors process and keep personal data secure on behalf of clients and others who use our services and websites.

In this policy, “we”, “us” and “our”, refers to CJCH Solicitors. This policy applies where we are acting as a data controller, in other words, where we ‘determine the means and purposes of processing’ of personal data in relation to our services and websites.

The websites covered in the Notice are: “”, “,”, “” and does not apply to any websites that may otherwise be linked to our own.

  • Cookies Policy: You can access our website without giving us your personal information. However, you may choose to provide us with your personal information on some pages of the website, for instance by completing the contact us form.
  • Although we will not collect your personal data unless you provide this to us, we do store a session cookie on your computer for the duration of your visit. This records your IP address, the pages you navigate between and the time and duration of your visit. This helps us to monitor overall traffic to the website. We do not use cookies to monitor your particular use of our website. You may disable the use of cookies in your Internet browser.

Website traffic

We use Google Analytics to understand who is visiting our website and using our online services. This information is general demographic information and is processed in a way that doesn’t identify individuals. Where we wish to collect personally identifiable information using our website, we will be clear and transparent about doing so.

We also recommend that existing clients of the firm refer to the general Terms & Conditions which have sections relating to your rights, confidentiality, storage of documents and outsourcing of work.


The data controller is CJCH Solicitors, Williams House, 11-15 Columbus Walk, CF10 4BY.

CJCH Solicitors is registered with the Information Commissioner’s Office under the Data Protection Act and our registration reference is Z8452468. We are authorised and regulated by the Solicitors Regulation Authority.

The Data Protection Officer is Acuity DPO Limited, 3 Assembly Square Britannia Quay, Cardiff Bay, Cardiff, United Kingdom, CF10 4PL.

Personal data

Precise information required will vary depending on your matter, which department you are dealing with and what we are contracted to do for you. This Notice is required for clients and prospective clients only. There is a separate notice for those making applications for employment and employees.

Categories of personal data held

We will always attempt to minimise the personal data we require to carry out your work.

In the majority of cases, this will be restricted to basic information such as identifying, bank account and contact information.

Some work may require the collection of additional, special category information. This information may also be shared with us as part of legal procedure. Collection, sharing and overall processing of this information may be required by court order. This may include:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious beliefs or philosophical beliefs;
  • Trade union membership;
  • Physical or mental health or condition;
  • Sex life and sexual orientation;
  • Genetic data; or
  • Biometric data used to uniquely identify an individual

Even if we are required by law to share this information, this is only done where there are safeguards in place to ensure that the information remains confidential and secure.

Legal basis for processing

We may process your file data. This may include basic information such as your name, date of birth, address, national insurance number, proof of address and identity. This information is used to verify your identity and checks we must make to comply with professional obligations. The legal basis for processing is compliance with various legal obligations to which we are subject.

We may process contact data. This may include address, telephone number and e-mail address. This may be processed in order to contact you, to keep you informed about your matter and for record keeping purposes. The legal basis for this processing is it is necessary for the performance of a contract or steps taken in order to enter into a contract. You may inform us at any time of the methods of contact you wish to use and we will abide by these instructions.

We may process matter data. This may include any information relevant to the matter for which you instruct us. We may process any of your personal data included in this policy where it is necessary for the establishment, exercise or defence of legal claims, whether this relates to administrative matters or court proceedings. The legal basis for this processing is legitimate interests, to protect and enforce the legal rights of you, others and ourselves. In some instances, we are obliged to share this information and the legal basis for processing is compliance with a legal obligation.

Sources of information

We may obtain information about you from a number of sources.

  • You may give us this information yourself and could be done verbally, in writing (by letter, e-mail, SMS, social media, or fax) or input through our websites. You must have authority to disclose personal data if it relates to someone else and all data disclosed should be complete, accurate and up to date.
  • Information may be passed on to us by third parties in order that we can carry out legal work on your behalf. Typically, these organisations include:
    • Courts and Tribunals;
    • Other professional legal service providers such as barristers and law firms we are in partnership with;
    • Other professional service firms such as accountants or independent financial advisors;
    • Independent Mental Capacity advocates;
    • Medical professionals;
    • Government departments such as local authorities and health boards;
    • Defence call centre;
    • Estate agents;

Use of your personal data

The main reason we ask you for your personal data is for the provision of legal services on your behalf, as instructed by you.

Your information may be used for:

  • Verifying your identity and to establish the funding of any transaction you have asked us to carry out on your behalf. In some cases, where funding is being provided by a family member of third party, we may need to ask you to obtain information from them and personal information provided will also be subject to the terms of this Privacy Notice;
  • The detection of fraud;
  • To comply with any professional standards regulation such as Anti-Money Laundering or checks made under the SRA Code of Conduct;
  • Communication with you for the duration of the matter;
  • Providing you with advice, to carry out legal work on your behalf or an organisation you represent, prepare documents or to complete transactions on your or your organisation’s behalf;
  • Keeping financial records of your transactions and the transactions, we make on your behalf. We do not store payment card information and all transactions are made over the phone;
  • Seeking advice from third parties in connection with your matter
  • Assisting you with the funding of your matter if it involves Legal Aid;
  • Responding to any complaints or allegations of negligence against us;
  • Internal management and planning, which includes:
    • Resource management;
    • Planning of tasks or meetings;
    • Keeping records of sources of work and new enquiries; and
    • Storage and archiving of files and documents.
  • Providing you with information about further legal work or services that could benefit you, whilst we are carrying out the work.

Disclosure of data

We do not share personal information with third parties unless we need to so. Data may be shared to complete legal work, and where it is required by law.

During the course of carrying out your legal work we are likely to need to disclose some information to parties outside CJCH Solicitors, but these disclosures are only made when required by your work. These may include:

  • HM Land Registry
  • HM Revenue and Customs;
  • The solicitors acting on the other side of the matter;
  • The bank, building society or other lender providing mortgage finance;
  • The Office of the Public Guardian;
  • The Probate Registry;
  • The Department for Work and Pensions;
  • Courts or Tribunals;
  • Independent Mental Capacity Advocates;
  • Medical professionals, predominantly instructed as expert witnesses;
  • Legal counsel such as barristers;
  • Crown Prosecution Service;
  • Legal Aid Agency;
  • Agents who work on our behalf but are not necessarily employed by CJCH;
  • Social workers;
  • ACAS;
  • Government organisations such as local authorities and health boards;
  • Lexcel Consultants, Paul Jones of 21st Century Professional Management;
  • Costs draftsmen;
  • Auditors/Accountant;
  • Any disclosure required by law in particular in relation to the prevention of financial crime and terrorism.

We will never sell your personal information to third parties.

List of processors

  • File archiving
  • Lexcel Consultants
  • Case management system

Retention of your information

Information may be held in electronically or manual files. We only retain the information for as long as it is necessary to:

  • Carry out the work on your behalf;
  • As is required to be kept by law;
  • Until the period that you could make a claim against us has elapsed, which is usually seven years after the matter concluded or, if acting for a child under 18, when they reach their 25th birthday;
  • For the duration of a trust, plus six years;
  • Wills and related documents can be kept for 75 years from the date the will was signed;
  • Probate matters where there is a surviving spouse or civil partner, are retained until the survivor has died in order to deal with the transferable Inheritance Tax allowance;
  • Deeds related to unregistered property are kept indefinitely as they evidence ownership; and;
  • Comply with any client instructions to extend the retention period in relation to their documents;

Information obtained from prospective clients is kept for up to____ for the purpose of providing quotations and any subsequent follow up.

In some cases, it is not possible to specify in advance the periods for which personal data will be retained. In such circumstances, the retention period will be determined by the following criteria:

Once your matter has been concluded, your file will be archived with our storage provider for at least six years. You will be advised by the relevant department if your file is to be archived for longer than six years.


Confidentiality and security

We have technological and organisational security policies and procedures in place to protect your data from loss, misuse, alteration and unintentional destruction. Our personnel are all trained to respect confidentiality and to safeguard the data in our possession.

We are Cyber Essentials certified and are working towards Cyber Essentials Plus.

Individual rights

This section is intended as a summary of the rights you possess under the GDPR. It isn’t possible to include all detail and this section should be considered alongside relevant legislation and that rights may depend on specific circumstances. They include:

  • the right to access;
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to object to processing;
  • the right to data portability;
  • the right to complain to a supervisory authority; and
  • the right to withdraw consent.

Inaccurate information

If you think any information we hold about you is incorrect or incomplete or has been changed since you first told us, please inform us as soon as possible so that we can update our records.

Access to your personal information

You are entitled to request a copy of your personal data. If you wish to make a subject access request, please contact our Data Compliance Liaison, Myles Thomas (, 02920 483181 or write to CJCH Solicitors, Williams House, 11 – 15 Columbus Walk, Cardiff, CF10 4BY, or contact the person responsible for dealing with your matter.

You may request us to confirm whether or not we process your personal data and in instances that we do, access to that personal data. This will be provided with other information which includes the purpose for processing, categories of personal data and any recipients of the data.

A subject access request entitles you to a copy of the personal data we hold that relates to you, and it must be made by you, in writing, with proof of identity shown. Please be aware, that this does not entitle you to the entire case file, as the focus relates to legal work and not personal information.

We also only share information provided the rights and freedoms of others are not affected.

Circumstances where you don’t want us to process your personal data

As solicitors, we only work at the request of our clients and where we are required to do so by law. Where you are no longer happy with us acting for you and no longer wish for your personal data to be processed we will attempt to comply with this request to the fullest extent possible. Please be aware that this may mean we are unable to continue to act for you and work on your file. We would attempt to stop working for you at the earliest point possible but you would still be liable for the fees and disbursements incurred up to that point.


You have the right to object to the processing of your personal data depending on the grounds relating to your particular situation but only insofar as the legal basis for the processing is necessary for the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by us or a third party. Where an objection is made, we will stop processing the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.

Where we process personal data for direct marketing purposes, which are limited, you may at any time object and the personal data shall no longer be processed for such purposes.


Some circumstances allow for your personal data to be erased without undue delay. These include the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; you withdraw consent to consent-based processing; you object to the processing under certain rules of applicable data protection law; the processing is for direct marketing purposes; and the personal data have been unlawfully processed.

There are exclusions that are applicable however. The relevant exclusions for CJCH are where the processing is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims.


In certain situations, you may be able to ask for restrictions to be placed on the processing of your data or to exercise your right to be forgotten. These circumstances are where you contest the accuracy of the personal data; processing is unlawful but you oppose erasure; we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise or defence of legal claims and you have objected to processing, pending the verification of that objection.

If processing has been restricted then this results in the data being ‘frozen’, so it would still be stored but we would not be able to proceed without your consent or where it is required for the establishment, exercise or defence of legal claims.

Complaints about the use of your personal data

Please contact our Data Compliance Liaison, or the person responsible for your matter if you have any complaint or concern over how your data will be used. They will acknowledge your complaint and reply to your concerns.

If you are not satisfied with the response, the UK regulator on data protection issues is the Information Commissioner’s Office. Their website is and their telephone is 0303 123 1113. You may also do so in the EU member state of your habitual residence, place of work or the place of the alleged infringement.


The current data privacy notice will always be available on our website and we may update this policy from time to time by publishing a new version.

Any material changes will be advised to you.

Jurisdiction and applicable law

The courts of England and Wales will have exclusive jurisdiction over any claim arising from or related to a visit to our Websites or a data breach.

However, we retain the right to bring proceedings against you for breach of these Website conditions in your country of residence or any other relevant country. The law of England and Wales governs these terms.