Located directly opposite CHARING CROSS TRAIN STATION: Room 102, Golden Cross House, 8 Duncannon Street, Westminster, London, WC2N 4JF

The Data Protection Principles

The Business must comply with the nine Data Protection Principles whenever it processes personal data.
Each principle supports fairness, transparency, and accountability under UK data-protection law.


1. Fairness and Transparency

The Business processes personal data fairly and transparently.
Every client, member of Personnel, and Supplier receives a privacy notice explaining how and why their personal data is processed.
This notice includes:

  • Identity of the Business as the data controller

  • Purpose of the processing and its legal basis

  • Legitimate interests pursued by the Business or a third party, when applicable

  • Recipients or categories of recipients

  • International transfers and safeguards that apply

  • Retention period or criteria used to determine it

  • Rights of access, rectification, erasure, restriction, objection, and data portability

  • Right to withdraw consent at any time, if consent is the legal basis

  • Right to complain to a supervisory authority

  • Whether providing data is required by law or contract and possible consequences of not providing it

  • Existence of automated decisions, including profiling, with information about logic and possible effects

By providing this information clearly, the Business ensures that individuals understand how and why their personal data is used.


2. Lawful Processing

The Business processes personal data only when it has a valid legal basis.
Personal data is processed lawfully when one or more of the following apply:

  • Processing is necessary for the performance of a contract, such as an engagement letter

  • Processing is required to fulfil the legitimate interests of a client or the Business, except where overridden by individual rights

  • Processing is required to meet a legal obligation

  • The data subject’s consent has been obtained

No personal data is processed without a lawful ground.


3. Purpose Limitation

Personal data is collected only for specific, explicit, and legitimate purposes.
Any further use must be compatible with those original purposes unless new consent or another lawful basis is obtained.

In practice, the Business processes:

  • Client data to provide professional services and manage client relationships

  • Personnel data for administrative purposes

  • Supplier data for contract management

  • Data required to meet legal or regulatory obligations

The Business does not conduct unsolicited electronic marketing without first ensuring compliance with the law.


4. Data Minimisation

The Business collects and processes only the minimum personal data necessary.
Clients must ensure that data provided is limited to what is relevant for the requested service.

If excessive data is received, the Business returns it and requests an appropriate record containing only necessary information.


5. Data Accuracy

The Business takes reasonable steps to keep personal data accurate, complete, and up-to-date.
Clients are contractually required to supply accurate and current information.
The Business maintains accurate records of data relating to clients and Personnel, updating them as needed.


6. Individual Rights

Individuals may exercise their legal rights regarding their personal data.
These rights include access, rectification, erasure, restriction, objection, and data portability.
The Business identifies and responds to all individual-rights requests promptly and in line with statutory time limits, subject to any lawful exemptions.


7. Storage Limitation

Personal data is retained only as long as necessary for the purpose collected or a further lawful purpose.

Records are kept:

  • For periods required by law or professional rules

  • Permanently for notarial acts in public form (as required by the Notaries Practice Rules 2014)

  • For at least 12 years for acts not in public form

Except where a legal obligation requires longer retention, personal data is deleted once it is no longer needed.


8. Data Security

The Business applies physical, organisational, and technical security measures to protect all personal data, including that processed by third parties on its behalf.

Physical Measures

  • Locked offices and secure premises

  • Documents stored in locked cabinets

  • Restricted access for authorised Personnel only

  • Secure disposal using confidential bins or shredders

Organisational Measures

  • Vetting of Personnel and Suppliers

  • Non-disclosure agreements before contracts

  • Regular data-protection training

  • Strict prohibition on using personal email for work

Technical Measures

  • Properly configured firewalls and current software

  • Patch management and OS updates

  • Real-time antivirus and anti-malware protection

  • User-access controls applying the least-privilege principle

  • Complex, unique passwords with scheduled expiry

  • Encryption of portable devices and protected keys

  • Regular data backups

The Business also follows its Policy: Appointing Suppliers whenever third parties handle data.


9. Accountability

The Business demonstrates compliance with all Data Protection Principles through effective governance and documentation.
Appropriate policies, training, and reviews confirm that the Business acts responsibly at every stage of processing.


Governance Processes

To maintain full compliance, the Business implements the following governance processes.


A. Documented Policies

To uphold Principle 9 (Accountability), the Business maintains this Policy and any supporting data-protection policies required by law.
These documents establish the internal framework for data-protection compliance.


B. Assurance

The Business ensures that Personnel understand and apply data-protection obligations through training and ongoing guidance.
Every member of Personnel and each Supplier must comply with this Policy and any related contractual terms, including data-processing agreements where appropriate.
Policies are reviewed periodically to confirm ongoing compliance.


C. Advice

Whenever necessary, the Business seeks specialist legal or professional advice to ensure that its processing activities meet all applicable data-protection requirements.


D. Third Parties

The Business follows the Policy: Appointing Suppliers when engaging contractors or service providers that process personal data on its behalf.
Each third party must satisfy data-protection standards equivalent to those of the Business.


E. Data Protection Impact Assessments (DPIAs)

Processing activities likely to present a high risk to individuals’ rights and freedoms undergo a documented DPIA.
This assessment identifies potential risks and the safeguards needed to mitigate them.
A record of every DPIA is maintained for accountability.


F. Record-Keeping

The Business keeps an up-to-date record of processing activities, either within the Notary Register or another secure system.
Each record includes:

| Requirement | Typical Record |
|---|---|
| Purpose of processing | Delivering client services |
| Categories of data and subjects | Legal documents and client identification records |
| Recipients / Transfers outside EEA | Clients or authorised third parties, possibly located outside the EEA |
| Retention period | In line with Notaries Practice Rules |
| Security measures | As listed under Principle 8 (Data Security) |

When the Business acts as a data processor, it also records:

  • Its identity and contact details

  • Categories of processing carried out for third parties

  • Any transfers outside the EEA

  • A general description of security measures in place


G. Privacy by Design

When developing new tools or processes involving personal data, the Business ensures that privacy and compliance are built in from the start.
All systems and procedures must support the Data Protection Principles by default.


H. Complaint Handling

The Business maintains a clear process for receiving and managing enquiries or complaints from individuals and supervisory authorities.
All concerns are handled promptly, and responses are issued within any statutory deadlines.


 

APPENDIX: GLOSSARY

 

Anonymous data: Data which does not relate to an identified or identifiable individual, or personal data which has been rendered permanently anonymous in such a way that the individual is no longer identifiable (even if the data was combined with other data held by the Business Company).

Automated Decision: A decision which produces legal effects, or similarly significantly affects an individual, and which is based solely on the automated processing (including profiling) of their personal data.

Business: The business of providing notarial services.

Controller: A party which determines the purposes and means of the data processing.

Data: Any information which is recorded electronically or, where recorded in a manual format (e.g. on paper), is organised by reference to an individual.

data subject: The individual to whom the personal data relates.

Individual Rights Request: A request from a data subject in respect of their personal data, e.g. to access, erase, or rectify their personal data, or object to its processing.

personal data: Any data relating to an identified or identifiable natural person. This can include (but is not limited to) names, addresses, email addresses, positions held, photographs, job applications, personnel files, occupational health records, opinions, and correspondence to and from an individual.

Personnel: All employees of the Business at all levels, including directors, officers, agency workers, seconded workers, volunteers, interns, agents, contractors and external consultants.

processing: Any operation performed on personal data, such as collection, recording, storage, retrieval, use, combining it with other data, transmission, disclosure or deletion.

Processor: A party processing personal data on behalf of a controller, under the controller’s instructions.

pseudonymised data: Personal data which can only be attributed to a specific individual by combining it with additional information (such as a key or other identifier), where the additional information is kept technically and logically separate from the pseudonymised data to avoid the individual being identified. Pseudonymised data remains personal data.

Sensitive or special categories personal data: Personal data revealing a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; biometric (e.g. fingerprints or facial recognition) or genetic information; or information about a person’s health, sex life or sexual orientation, or relating to criminal convictions or offences (including allegations).

Supplier: Any external vendor, supplier, consultant or similar third party engaged to provide

 

 
