Data Protection

Privacy Policy.

Sarfraz & Naydenov Solicitors takes your privacy, and the security of your personal data, very seriously. This policy explains how we collect, use, store, share, and protect your personal data, and sets out your rights under data protection law.

Approved: 24 June 2023  ·  Valid from: 1 August 2023  ·  Last updated: 3 July 2026

1. Introduction

Sarfraz & Naydenov Solicitors Limited — regulated by the Solicitors Regulation Authority (SRA No. 8004238), Company No. 14754939, registered office 109 Church Street, Wolverton, Milton Keynes, MK12 5LD — takes privacy, and the security of your personal data, very seriously. The directors are committed to ensuring that we safeguard your personal data at all times and in the best way possible.

This privacy policy contains important information for you. It explains:

  • who we are;
  • what personal information we collect about you;
  • how, when and why we collect, store, use and share your personal data;
  • how we keep your personal data secure;
  • for how long we keep your personal data;
  • your rights in relation to your personal data; and
  • how to contact us, or the relevant supervisory authorities, should you have a complaint.

So that we can provide legal services to you, or take your instructions, we need to collect, use and process certain personal information about you (your personal data). When we do so, we are subject to the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any national implementing laws, regulations and secondary legislation, as revised, amended or updated from time to time. We are the ‘controller’ of that personal information for the purposes of those laws — in other words, we are primarily responsible for that personal data, and we determine the purposes and means of its processing.

If you have any questions about the use to which we put your data, please email us at office@sn-solicitors.com, or write to Muhammad Sarfraz, Director, at our registered office address given above.

This policy applies in all circumstances, but in particular where you (or someone, or an organisation, on your behalf):

  • instruct us to act on your behalf and/or to provide you with advice or information;
  • enquire about instructing us;
  • visit our website;
  • submit an enquiry, make contact with us, or sign up to receive our newsletter;
  • request information from us or provide information to us; and
  • attend events or seminars hosted by us.

This policy will also apply where we:

  • conduct searches about you on public sources in connection with our marketing or business acceptance processes;
  • agree to provide legal services to you or to the organisation for whom you work; or
  • add you to a mailing or marketing list.

In other words, this policy applies where we are acting as a data controller in relation to your personal data, and where we have a supervisory role in relation to how personal data is collected, stored, used and shared.

In general, the services we provide are not principally aimed at children, as children are generally represented by their parent(s) or guardian(s). If you are a child and require further advice or explanation about how we will use your data, or if you represent the interests of a child, please contact us using the details set out above.

We use cookies on our website. This policy should therefore be read in conjunction with our cookie policy.

We are committed to preserving the privacy of your data so that we can:

  • deliver services of a high quality to all our clients;
  • at all times comply with the law and the various regulations to which we are subject;
  • preserve the confidentiality of your personal data in compliance with the SRA Standards and Regulations;
  • meet the expectations of clients, employees and third parties; and
  • protect our reputation.

In this policy, please note the use of the following terms:

Personal data — has the meaning given to it by the UK GDPR, and means any information relating to an identified or identifiable individual (known as a ‘data subject’).

Processing — means any operation or action performed on personal data; for example, collection, recording, organisation, structuring, storing, altering, deleting or otherwise using personal data.

We, us and our — refers to Sarfraz & Naydenov Solicitors.

You and your — refers to the person whose data is processed.

2. Your personal data

We may collect, store, use and share personal data relating to you in the course of acting for, or advising, you. The data we need to collect from you in order to be able to act for, or advise, you may include the following:

  • your name and contact details, including address, telephone number, mobile telephone number, and email address;
  • information about your gender, where it is relevant and you choose to provide it;
  • where you are located, where it is relevant and you choose to provide it;
  • information about your online presence (for example, LinkedIn or Twitter), and whether you have linked to us or our social media pages, where relevant and you choose to provide it;
  • professional or trade-related information, where relevant and you choose to provide it;
  • information required to check and verify your identity (for example, for anti-money laundering purposes or to help prevent fraud), which may include passport details, driving licence details, date of birth, and other information as appropriate;
  • information as to the matter in which we are acting or advising you;
  • information required to carry out a financial or credit check;
  • financial details relating to you, including bank account details (where money is or may need to be sent to you), billing information and credit card details;
  • the source of any funds supplied by you in relation to any transaction that involves a purchase;
  • your National Insurance number and/or tax details;
  • details of your spouse/partner and dependants or other family members (for example, where you have instructed us on a family matter, or in connection with a will, trust or similar arrangement);
  • details of your employment status and related details, including salary and benefits, records relating to sickness and attendance, performance, disciplinary action, conduct and grievances (including relevant special category personal data), where relevant to your matter;
  • details of your racial or ethnic origin, gender and sexual orientation, and religious or similar beliefs (for example, where you instruct us in relation to a discrimination or similar claim);
  • details of your nationality and immigration status, and information from related documents such as your passport (for example, where you instruct us on an immigration matter);
  • details of your pension arrangements (for example, where you instruct us on a pension matter or on financial arrangements following the breakdown of a relationship);
  • details of your trade union membership (for example, where you instruct us on a discrimination claim, or your matter is funded by a trade union);
  • details of your medical records and of any injuries, and other personal, physical, mental or medical details (for example, where we are acting for you in a personal injury claim);
  • marketing and communications data, including your preferences in relation to receiving marketing and communications from us;
  • transaction data, including details about any payments to and from you;
  • technical data, including internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technical data relating to your use of our website; and
  • details of your visits to our offices, and CCTV footage.

Failure to provide the personal data we request may prevent us from acting for you, or may delay the provision of services.

In most cases we will collect data about you directly from you — by letter, by email, using a secure portal on our website, by phone, or at a meeting with you. However, we may also need to acquire information about you:

  • from publicly available sources, such as HM Land Registry, Companies House, and professional or membership records;
  • from third-party services, such as screening suppliers, credit reference agencies, and due diligence suppliers;
  • from third parties with whom you have a relationship, including banks, building societies, financial institutions, other professionals and advisers, employers, professional bodies, doctors, and trade unions; and
  • through information-technology-related methods, including the use of cookies on websites, CCTV, messaging systems, access control systems, email, and instant messaging services.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

We may also obtain personal data about you in relation to your use of our website. This may include your computer’s IP address and the operating system and web browser you use to access our website. It enables us to identify who has visited our website, to produce statistical data on its use, and to help us enhance the user experience in the future.

3. The purposes for which your information is used

Data protection law requires that we only use your personal data for the purposes for which it was acquired, or where we have a proper reason for using it. Those reasons may include:

  • where you have given consent to the use of your personal data for one or more specific purposes;
  • where the use is necessary for the performance of a contract to which you are a party, or in order to take steps at your request before entering into a contract;
  • where the use is necessary for compliance with a legal obligation to which we are subject;
  • where the use is necessary to protect your vital interests or those of another person;
  • where the use is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us; and
  • where the use is necessary for the purposes of our legitimate interests or those of a third party, except where those interests are overridden by your interests or fundamental rights and freedoms, in particular where you or the relevant person is a child.

The specific position in relation to your personal data is that we may use it for the following purposes:

  • to provide you with legal services, advice or representation, so that we can comply with our contract with you and/or take any steps necessary before entering into a contract with you;
  • to prevent or detect fraud, either against you or against any other person involved in a matter in which you are involved;
  • to carry out identity checks and undertake information gathering and audits as required by the Solicitors Regulation Authority or other regulatory bodies, to comply with legal and/or regulatory obligations to which you or we are subject;
  • to carry out anti-money laundering checks;
  • to undertake financial, embargo/sanction-list and other security checks, and such other processing as is required for legal and regulatory compliance;
  • to gather and provide any information required by, or relating to, audits, enquiries or investigations by your, or our, regulator(s);
  • to preserve the confidentiality of commercially sensitive information, and for the protection of our, or another’s, intellectual property and other commercially valuable information;
  • to comply with our legal and regulatory obligations;
  • to comply with our internal business policies, and for operational reasons such as security, confidentiality, competency and efficiency control, training and client care;
  • for audits and external quality reviews in relation to standards adopted by us (for example, Lexcel, the Conveyancing Quality Standard, and ISO standards);
  • for statistical analysis, to enable us better to manage our business (for example, in relation to our financial performance, client base, and range of services);
  • for maintaining and updating records to ensure accuracy of processing, preventing unauthorised access and modification, and preventing and detecting criminal activity;
  • to make information returns to regulators and legally constituted bodies;
  • to ensure safe working practices, and for staff administration and assessment;
  • for marketing our services to existing and former clients and to third parties; and
  • for credit control and credit reference checks in relation to the services we perform.

The purposes set out above do not apply to ‘special category personal information’ — this includes personal information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, together with genetic and biometric data capable of identifying you, and data concerning health, sex life or sexual orientation. We will only ever process information of that nature with your explicit consent.

4. Contacting you

In addition to the matters dealt with above, we may also need to send you updates concerning legal and other relevant developments in relation to you, the matter on which we are instructed, your personal, business or family interests, or other related matters which might concern or interest you. This may be by post, telephone, email or text, and may include information about the legal and other services we offer and any changes to those services.

We regard ourselves as having a legitimate interest in processing your personal data for these purposes, and take the view that we do not require your consent to do so. From time to time we undertake ‘legitimate interest assessments’ in order to balance our interests in contacting you against your interests in relation to your data. Where we believe consent is required, we will contact you specifically for it, in a clear and transparent manner.

Please be assured that we treat your personal data with the utmost respect and will never share it with others for marketing or promotional purposes. You have, at all times, the right to request that we do not contact you for any purpose other than carrying out the matter on which we are instructed. We may, however, ask you to confirm your marketing preferences from time to time, so that we can be sure your views remain the same, especially in relation to legal and regulatory updates.

5. Sharing your data with others

Notwithstanding that we will not share your personal data for marketing purposes, it may be necessary for us to share it with others in order to:

  • carry out our legal services for you;
  • provide advice, assistance and representation to you;
  • comply with our contractual obligations to you; or
  • comply with any legal or regulatory obligations to which you or we are subject.

Those with whom we may share your personal data include:

  • professional advisers used in connection with your matter — for example, solicitors, barristers or other lawyers, accountants, advisers, experts, medical professionals, and search agents;
  • third parties involved in your matter — for example, financial services providers, banks, building societies, insurers and registrars;
  • government and similar organisations, such as HM Land Registry, Companies House, and HM Revenue & Customs;
  • others within our business;
  • your, or our, regulator(s);
  • credit reference agencies, in connection with our contract with you;
  • our bank, insurers and insurance brokers;
  • external auditors, in relation to the audits and external quality reviews referred to above; and
  • suppliers of services required in relation to your matter.

When sharing your personal data, we will ensure at all times that those with whom it is shared process it appropriately and take all necessary measures to protect it. We impose contractual obligations on all providers of services to ensure that your personal data is kept secure, and we will only allow others to handle it where we are satisfied that their protective measures are satisfactory.

From time to time, we may be required to disclose personal data and exchange information about you with government, law enforcement and regulatory bodies and agencies, in order to comply with our own legal and regulatory obligations.

During the course of, and sometimes following the conclusion of, our instructions, we may need to share your personal data with other third parties — for example, those involved in a relevant or related transaction. We will only share information which it is necessary and relevant to share.

We may also need to share some personal information with other parties, such as potential buyers of some or all of our business, or during a restructuring. Usually, information will be anonymised, but this may not always be possible; the recipient will be bound by confidentiality obligations.

From time to time it may be necessary to share data for statistical purposes, for example with our regulatory body. We will always take steps to ensure that information shared is anonymised, and where this is not possible we will require the recipient to keep it confidential at all times. Other than as set out above, we will not share your personal data with any other third party.

6. How your personal data is kept

Your personal data will be kept secure at all times. It may be held at our office, at third-party agencies and service providers, and by our representatives and the agents used by us.

Some of your data may be held within the legal software we use, named Clio. Clio has its own policy to safeguard data stored on its platform. Where this takes place outside the UK/EEA, the provisions set out in section 7 below will apply.

We operate various security measures to prevent loss of, or unauthorised access to, your personal data. We restrict access to your personal data to those with a genuine business need, and we have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so. In addition, we only use authentic, licensed software packages, such as Outlook for email.

Personal data processed by us will not be retained for any longer than is necessary for that processing, or for purposes relating to or arising from it. Where your personal data is retained after we have finished providing our services to you, or after the contract with you has ended, this will generally be for one of the following reasons:

  • so that we can respond to any questions, complaints or claims made by you or on your behalf;
  • so that we are able to demonstrate that your matter was dealt with adequately and that you were treated fairly; or
  • in order to comply with legal and regulatory requirements.

In general, we will retain your data only for so long as is necessary for the objectives and purposes contained in this policy. Different retention periods will apply depending on the type of data and the purpose of its retention. In particular, we will retain:

  • contact details — so that we can inform you of updates concerning our services and of relevant developments in relation to you, the matter on which you instructed us, or other related matters which might concern or interest you; and
  • accounts data and money laundering checks data and documents — for such period as they continue to be required in order to conclude all of your matters adequately, and for such time as is necessary for compliance with a legal obligation to which we are subject, or to protect your vital interests or those of another person.

We will delete and/or anonymise any personal data which it is no longer necessary for us to retain.

7. Transferring your data out of the UK and EEA

In order for us to provide you with the services on which we have been instructed, it may be necessary for us to share your personal data with those who are outside the UK/EEA — where, for example, they have offices or are based outside the UK/EEA, where electronic services and resources are based outside the UK/EEA, or where there is an international element to your instructions. Where this is the case, special rules apply to the protection of your data.

It may be necessary during the course of your matter for us to transfer personal data relating to you to one or more countries which have been assessed by the Secretary of State (or, where the EU GDPR applies, by the European Commission) as providing an adequate level of protection for personal data, including all EU and EEA countries.

We may also need to transfer your personal data to countries that have not been assessed as providing adequate protection. In such cases, we will always take steps to ensure that, wherever possible, the transfer complies with data protection law and that your personal data will be secure. We use standard data protection contract clauses approved by the Secretary of State or the European Commission in such circumstances.

For further information, please contact us, or Muhammad Sarfraz (our Data Manager).

8. Your rights in relation to your data

Data protection legislation gives you, the data subject, various rights in relation to the personal data that we hold and process. These rights are exercisable without charge, and we are subject to specific time limits for responding to you. They are, in the main, set out in Articles 12–23 of the UK/EU GDPR, and are as follows:

  • Right of access — the right to obtain confirmation as to whether or not personal data concerning you is being processed and, where it is, access to that personal data and various other information, including the purpose of the processing, with whom the data is shared, how long it will be retained, and the existence of your other rights.
  • Right to rectification — the right to obtain, without undue delay, the correction of inaccurate personal data concerning you.
  • Right to erasure — sometimes referred to as the ‘right to be forgotten’, this is the right to request that, in certain circumstances, we delete data relating to you.
  • Right to restrict processing — the right to request that, in certain circumstances, we restrict the processing of your data.
  • Right to data portability — the right, in certain circumstances, to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and to have that data transmitted to another controller.
  • Right to object — the right, in certain circumstances, to object to your personal data being processed by us, in relation to direct marketing, or in relation to processing supported by the argument of legitimate interest.
  • Right not to be subject to automated decision making — the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

Full details of these rights can be found in the UK/EU GDPR, or by reference to guidance produced by the Information Commissioner’s Office. If you wish to exercise any of these rights, you may do so:

  • by contacting us using any medium you wish, including in writing, by telephone, by text, electronically, or using such social media as we employ for communication purposes;
  • by completing a form which we can supply to you for this purpose; or
  • through a third party whom you have authorised for this purpose.

Please bear in mind that there are some restrictions on your ability to exercise the rights set out above, and that, in some cases, if you choose to exercise those rights we will be unable to perform the instructions you have given us. If that is the case, we may need to cease to act for you.

9. Keeping your data secure

To ensure that data is kept secure, and to prevent any breach of confidentiality, we have put in place security measures intended to prevent your personal data from being accidentally lost, or used or accessed unlawfully. Access to your personal data is restricted to those with a need to access it, and regard will be had to the need for confidentiality when it is processed.

Our systems are subject to rigorous testing, meaning that we observe industry standards for information security.

In the event of a suspected data security breach, you will be notified. Where relevant, we will also inform the appropriate regulator (including the Information Commissioner’s Office) where we are legally required, or have a regulatory obligation, to do so.

Please note that the transmission of information via the internet is not completely secure. Although we will do our best to protect personal data, we cannot guarantee the security of any data transmitted to us via our website, or to or from us via email; any such transmission is at your own risk. Once we have received your information, we will apply procedures and security features, such as encrypted email, to try to prevent unauthorised access.

We also take appropriate steps to keep your personal data safe from unauthorised access, improper use or disclosure, unauthorised modification, and unlawful destruction or accidental loss, consistent with applicable law. This applies to both electronic and physical data: our premises are access-controlled, and electronic data requires users to authenticate with a login and password.

Our directors, staff and third-party service providers who have access to your personal data are subject to confidentiality obligations.

10. Making a complaint

If you have any queries as to the acquisition, use, storage or disposal of any personal data relating to you, please contact us, or Muhammad Sarfraz (our Data Manager), at muhammad.sarfraz@sn-solicitors.com.

Notwithstanding our best efforts, sometimes things do go wrong. If you are unhappy with any aspect of the use and/or protection of your personal data, you have the right to make a complaint to the Information Commissioner’s Office:

Information Commissioner’s Office (ICO)

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: 0303 123 1113

Website: www.ico.org.uk

11. This policy

This privacy policy was published on 8 September 2023 and last updated on 3 July 2026. Its terms and provisions may be changed, updated and amended from time to time. If we do so while we are providing you with services, we will inform you of those changes.

If you would like this policy supplied to you in another format — for example, audio, large print or Braille — please contact us at the email address given in section 10 above.

Questions About Your Data?

We're happy to explain how we handle your information.

If you have any questions about this policy or wish to exercise your data protection rights, contact our Data Manager, Muhammad Sarfraz.