Burness Paull LLP is committed to protecting the privacy and security of the personal data of its clients, suppliers, website visitors and business contacts.

This privacy policy describes how we and our subsidiaries collect and use personal information about you during and after your working relationship with us.

Data protection principles

We will comply with data protection law and the fundamental data protection principles, which state that the personal information we hold about you must be:

  • used lawfully, fairly and in a transparent way;
  • collected only for valid purposes that we have clearly explained to you, and not used in any way that is incompatible with those purposes;
  • relevant to the purposes we have told you about and limited only to those purposes;
  • accurate and kept up to date;
  • kept only as long as necessary for the purposes we have told you about; and
  • kept securely.
Information we collect and use

Personal data, or personal information, means any information about an individual from which that person can be identified.  It does not include anonymised data.

We may collect, store, and use your personal information in the course of our business and this may include:

  • personal contact details such as name, title, address, telephone number, email address, job title and name of employer;
  • information relating to the matter in respect of which you are seeking our legal advice or in which you are involved;
  • information to enable us to carry legal and regulatory checks, such as anti money laundering checks;
  • business information necessary for our business relationship with you, including financial,  banking and payment details;
  • information collected from publicly available sources such as Companies House, Registers of Scotland, the Land Registry, Linkedin and professional directories as well as from credit agencies;
  • information in respect of any relevant investigations or proceedings;
  • information provided by you for the purpose of attending meetings and events, including records of your attendance at our offices held for security purposes;
  • when you subscribe on our website, information on your preferences; and
  • where you or your organisation is a supplier to Burness Paull, contact and other information relative to those services.

We may also collect, store and use the following “special categories” of more sensitive personal information:

  • information such as dietary, disability or similar requirements relevant to your attendance at meetings and events; and
  • information about criminal convictions and offences where it is appropriate to do so and permitted by law.
How is your personal information collected?

We collect most personal information from you, in a variety of ways:

  • during the provision of legal services to you or where you are involved in a legal matter;
  • during our business relationship with you;
  • when you sign up for information via our website; and
  • when you attend meetings and events at our offices or hosted by us.

We may sometimes collect additional information from publicly available information including Companies House, Registers of Scotland, the Land Registry as well as third parties such as credit reference agencies, government agencies or other third party organisations that you have had or have a relationship with.

How we use your personal data

We use your personal data for the following purposes:

  • to provide you with the legal advice and services you require;
  • to manage the legal matter in which you may be involved;
  • to manage our business relationship with you, including keeping business records about services, payments and business contacts and ensuring our records are kept up to date;
  • to comply with our professional, legal and regulatory obligations as a law firm;
  • to send emails, newsletters and other messages to keep you informed of legal developments, market insights and of our services, where you have opted to receive these from us;
  • to invite you to events;
  • to seek your feedback, to help us improve our services and relationship with you and to address any concerns which may arise;
  • to monitor the use of our website and our other technology services for malware and other security threats and also to ensure that they are being used appropriately and are not being targeted for unauthorised access or usage; and
  • to provide security to our offices and other premises and ensure our compliance with health and safety requirements.

We do not envisage using your data to make automated decisions about you.

The basis on which we use your personal data

We can only use your personal data if we have a proper reason for doing so. There are a number of  reasons, including:

  • the performance of our contract with you;
  • it is necessary to comply with our legal or regulatory obligations;
  • it is necessary to deal with legal claims;
  • where you have given consent for us to do so; or
  • processing is necessary for our legitimate business or commercial interests or those of a third party, provided that these interests do not  override your own personal interests and rights

We may process sensitive personal data, such as your racial or ethnic origin, religious beliefs or health data or data about criminal convictions where:

  • you have given your express consent for the particular processing;
  • it is necessary to protect your vital interests or those of another person:
  • it is necessary to deal with legal claims, for example, involving court proceedings; or
  • it is necessary for substantial public interest,  for example to prevent or detect unlawful acts;
Our legitimate interests

In some circumstances, we use your personal data because it is in our legitimate business interests or those of a third party to do so. These interests include a number of business operations, including:

  • providing legal services;
  • managing and developing our business relationship with you and your organisation, including understanding our client demands, responding to requests and feedback and improving our services and offerings:
  • understanding how our clients and contacts use our services and website;
  • for credit control purposes and to enforce our terms of engagement and contracts;
  • ensuring our systems and premises are safe and secure;
  • managing our supply chain;
  • developing relationships with business partners and contacts; and
  • sharing data in connection with any acquisition or disposal of our business.
With whom do we share your data?

We routinely share your information where required by law, where it is necessary to manage our working relationship with you or where we have another legitimate interest in doing so. This includes sharing data with:

  • our subsidiaries, as required in order to provide you with the legal services you require;
  • other professional advisors instructed on your behalf, or in respect of the legal matter in which you may be involved, including solicitors, accountants, law accountants, tax advisors, experts, insolvency practitioners, arbitrators, adjudicators and mediators, local agent solicitors, foreign law firms and barristers (https://www.barcouncil.org.uk) advocates (http://www.advocates.org.uk/)  and healthcare professionals, social and welfare organisations;
  • third parties where necessary in respect of the legal services being provided to you, including your lender, Companies House, Registers of Scotland, the Land Registry, the Home Office, and Sheriff Officers;
  • our clients, where you are providing information in respect of a client matter;
  • our suppliers who provide us with their services, including IT and communication suppliers, screening service providers, outsourced business support, marketing and advertising agencies and translation companies;
  • law enforcement bodies, the courts, our regulators and other competent authorities in accordance with legal or regulatory requirements or good practice;
  • our insurers, brokers, external auditors, banks and other third parties who provide services to us;
  • third parties involved in the hosting or arranging of events to which you have been invited; and
  • third parties in the context of the acquisition or transfer of any part of our business or a business reorganisation.

edures in place to ensure that third parties have given us the necessary information and assurances about their processes.  All our third party service providers are required to take appropriate security measures to protect your personal information in line with our policies.  We do not allow our third party service providers to use your personal data for their own purposes.  We only permit them to process your personal data for specified purposes and in accordance with our instructions.  You can therefore expect a similar degree of protection in respect of your personal information.

To deliver services to our clients, it is sometimes necessary for us to share your personal data outside the EEA e.g:

  • Where we instruct foreign lawyers in connection with the services we are providing to clients;
  • Where your, or our, service providers are located outside the EEA;
  • If you are based outside the EEA.

Transfers outside the EEA are subject to special rules under European and UK data protection law.

We will, however, implement appropriate safeguards to ensure the transfer complies with European and UK data protection law and all personal data will be secure.

Personal data about others

If you provide us with the personal data of other people (such as your directors, shareholders, beneficial owners, clients or customers), you must ensure that you are entitled to provide this information to us. We will assume that you have done so and we shall then collect, use and share that data in accordance with this privacy policy.

If you fail to provide personal information

If you fail to provide certain information when requested, we may not be able to provide you with the legal advice required or perform the contract we have entered into with you, or we may be prevented from complying with our legal obligations.

Data security

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.  In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know.

All information you provide to us is stored on secure servers with industry standard anti-virus and firewall protection in place.

Unfortunately, the transmission of information via the internet is not completely secure.  Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted online or through the website.  Any transmission is at your own risk.

Data retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, subject to satisfying legal, regulatory, accounting, and reporting requirements. We have a data retention policy which has different retention periods depending on the type of information we hold. In accordance with guidelines issued by the Law Society of Scotland, we retain client files for a minimum period of 10 years from the date of completion of your matter.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Your rights of access, correction, erasure, and restriction

It is important that the personal information we hold about you is accurate and current.  Please keep us informed if your personal information changes during your working relationship with us.

Under certain circumstances, by law you have the right to:

  • request access to your personal information. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;
  • request correction of the personal information that we hold about you.  This enables you to have any incomplete or inaccurate information we hold about you corrected;
  • request erasure of your personal information.  This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.  You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing;
  • object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground;
  • withdraw your consent  to processing, where we are processing on this basis of your prior consent;
  • request the restriction of processing of your personal information.  This enables you to ask us to suspend the processing of personal information about you, for example, if you want us to establish its accuracy or the reason for processing it; and
  • request the transfer of your personal information to another party.

If you wish to exercise any of these rights, please email us at dataprotection@burnesspaull.com.

You will not have to pay a fee to access your personal information or to exercise any of the other rights.  However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive.  Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights).  This is an appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

You have the right to complain at any time to the Information Commissioner’s Office, the UK supervisory authority for data protection issues. https://ico.org.uk/.

Subscribing to our website

You can subscribe on our website to receive information from us, including legal updates, event and seminar details or news.  You can unsubscribe at any time by clicking on the “click here to unsubscribe” link provided in our emails or by contacting us direct at dataprotection@burnesspaull.com.


This website uses cookies to store information on your device. Some are necessary to make the site work. Others are optional, and help us understand how people interact with our website and content so that we can make them better. When you start to use the website, you will be asked whether you agree to the use of cookies. Using this tool will set a cookie to remember your preferences. For more information on the cookies we use and how to disable them, please see our cookies policy.

Changes to this privacy policy

We reserve the right to update this privacy policy at any time.  This policy was lasted updated in August 2021.

About us

Burness Paull LLP is registered in Scotland with number SO300380. References in this privacy policy to Burness Paull include our subsidiaries:

Burness Paull Pension Trustees Limited (SC239975), Burness Paull (Directors) Limited (SC133590), Burness Paull (Nominees) Limited (SC103840), Burness Paull (Trustees) Edinburgh Limited (SC180268), Burness Paull (Directors Aberdeen) Limited (SC210957), Burness Paull (Trustees Aberdeen) 2017 Limited (SC560425) and Burness Paull (Trustees) Limited (SC062553).

© Burness Paull 2021