Privacy Policy

Prepared by: Mrs Verity Grigg – Lead on Data Protection Compliance


Mercian Law respects your privacy and is committed to protecting your personal data.

When you become a client of Mercian Law Limited (ML), make an enquiry or subscribe to our blog ‘The Debt Recovery Expert’, ML obtains information about you.  This statement explains how we look after that information and what we do with it.

  • We do not buy contact lists and we have never sold, or ever intend to sell, any of the information we hold about you to third parties
  • Mercian Law does not provide services to children, and we do not collect data relating to children
  • We do not transfer our data outside the European Economic Area (EEA)


The purpose of this policy is to enable ML to:

  • Comply with the law in respect of the data it holds about individuals
  • Follow good practice
  • Protect ML’s clients, staff and other individuals
  • Protect the firm from the consequences of a breach of its responsibilities

Processing personal data is fundamental to our work as a solicitors practice. The General Data Protection Regulations (GDPR) regulates the processing of information relating to individuals. As solicitors, we must comply with the GDPR.

The processing of personal data without notifying the ICO is an offence which may result in a fine.

ML recognises that the aim of GDPR is primarily to give control to individuals over their personal data and to protect them from data and privacy breaches, and to simplify the regulatory environment in the modern digital landscape. 

The Regulations set out six data protection principles with which we must comply.


ML will never process data regarding:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data
  • Data concerning health
  • Sexual orientation
  • Criminal convictions or offences


Our contact details are:

Registered Office: Ventura House, Ventura Park Road, Tamworth, Staffordshire, B78 3HL
Correspondence Address: PO Box 15245, Tamworth, B77 9HE
Telephone: 01827 215679
Company Number: 6837515

As a solicitors practice, we are obliged to be registered with the Information Commissioners Office.  The link below is to our registration entry:

Our lead on data protection compliance is Mrs Verity Grigg who is:

  • Fully familiar with GDPR & data protection responsibilities
  • She has registered ML with the Information Commissioner, and keeps the registration up to date and renewed on 22nd June of each year
  • She has written and reviews (every three years) this data protection & privacy policy
  • She ensures that data subject access and other data requests are handled in a timely manner


The lawful basis for processing under GDPR. 

Upon signing a retainer for our services, you give consent for our processing of your personal data to enable us to provide our services to you.  If you do not provide the information we request, we cannot provide our professional services to you and will cease to act.

The purposes for which we intend to process personal data are either:

  • To enable us to supply professional legal services to you as our client
  • To fulfil our legal obligations
  • To comply with professional obligations to which we are subject as a member of The Law Society and regulated by The Solicitors Regulation Authority
  • To use in the investigation and/or defence of complaints, disciplinary and legal proceedings
  • To enable us to invoice you for our services and address any fee enquiries that may arise
  • To contact you about blog articles if you have subscribed to blog ‘The Debt Recovery Expert’

We will only use your personal data for the purpose for which we collected it.


Personal data, or personal information, means any information about you from which you can be identified.

Normally the only information we hold comes directly from you.  Whenever we collect information from you, we will make it clear which information is required to provide you with the service you need.  We store your information securely on our secure computer system.  The data we collect includes:

  • Clients contact information, paperwork and correspondence for casework
  • Information supplied by those making an enquiry, either by telephone, e-mail or JivoChat
  • Blog subscribers – contact information for those wishing to receive blog articles

From July 2018 ML created a new blog, our historical database of contacts has been deleted.  You have to ‘opt-in’ to be included on our blog mailing list, this way ML ensures we meet the GDPR standards on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn at any time without detriment.

ML holds your data on its:

  • Network drives (password protected and kept in office)
  • Hard copy (in a locked filing cabinet)
  • Back up (in the cloud & encrypted)
  • Mobile Phone (contact information only, e-mails are encrypted and deleted once read)


When someone visits we use Google Analytics (based outside the EU) to collect standard internet log information and details of visitor behaviour patterns.  This is called aggregated data and is not personal data as it doesn’t reveal your identity.  It is of interest for us to ascertain the number of visitors to our site and the pages visited.  We do not make, and do not allow Google to make any attempt to find the identities of those visiting our website.  Such use of data helps us to keep our website updated and relevant, which is a legitimate business interest.

Our website includes links to third party websites.  Clicking on those links may allow third parties to collect or share data about you.  ML does not control these third-party websites and are not responsible for their privacy statements.  When you leave our web site, we encourage you to read the privacy notice of every website you visit.


ML uses a third-party service, to publish our blog.  The blog is hosted by  ML collects anonymous information about users viewing posts on the blog to help in the monitoring and improvement of the blog.  WordPress requires visitors that want to post a comment to enter a name and e-mail address.  Please see WordPress privacy policy on how they process data.


When you call ML, you may be transferred to a telephone answering service if we are engaged on another call.  Your message is e-mailed to ML and stored on ML’s account.


ML uses Microsoft Office 365.  We will also monitor any e-mails sent to us, including file attachments, for viruses or malicious software.  Please be aware that you have a responsibility to ensure that any e-mail you send is within the bounds of the law.  Remember standard e-mail is not a secure method of communication and confidential information shouldn’t be sent by e-mail.


ML uses a third-party provider, JivoChat, to supply and support our live chat service, which we use to handle enquiries in real time.

If you use the live chat service ML will collect your name, e-mail address and the contents of the live chat session.  This information will be retained for 6 years and will not be shared with any other organisations.

JivoChat’s privacy policy can be viewed here.


If we receive a complaint, ML opens a file containing the details of the complaint.  This will detail the identity of all involved in the complaint.  We will only use the personal information we collect to process the complaint.  We do compile statistics, but not in a form which identifies anyone.  Complaint files are retained for 6 years.

ML tries to meet the highest standards when collecting and using personal information.  We take any complaints seriously.  We encourage you to bring it to our attention if you think that our collection or use of information is unfair, misleading or inappropriate.  We would also welcome your suggestions for improving our procedures.


Our use of your personal data is subject to your instructions, the GDPR and our duty of confidentiality. Please note that our work for you may require us to give information to third parties such as expert witnesses, other professional advisers, the court service, mediators, IT consultant, professional indemnity insurance providers etc – data processors. Apart from these agreed third parties, we will not share your information with anyone else.  We require all third parties to respect the security of your data and to treat it in accordance with the law.  We do not allow third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.


ML has identified the following potential key risks, which this policy is designed to address:

  • Breach of confidentiality (information being given out inappropriately)
  • Insufficient clarity about the range of uses to which data will be put — leading to Data Subjects being insufficiently informed
  • Breach of security by allowing unauthorised access
  • Harm to individuals if personal data is not up to date
  • Information attached to an e-mail could go astray or be misdirected
  • Those with access to personal information could misuse it
  • Royal Mail losing post
  • IT system being compromised


We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. 

ML’s IT security includes anti-virus software, e-mail encryption protocols, cloud-based data storage.  ML also has professional indemnity insurance covering loss of client data.


The GDPR defines a personal data breach as: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

ML uses the services of an IT consultant and has implemented recommendations to attempt to mitigate the risks associated to a solicitors firm.  This has included Advanced Threat Protection and cloud-based data storage (as opposed to data back-up held within the office).

ML must notify the ICO without undue delay (within 72 hours) once a breach has been detected that is likely to result in a risk to your rights and freedoms.  For example, the breach could result in loss of confidentiality, your economic disadvantage.  ML will also notify you directly.

ML will act in a reasonable and proportionate manner in complying with our obligations.


We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

The Solicitors Regulation Authority (SRA) does not have any specific rules on the length of time we should keep your file.  We are required to establish good processes for orderly file closure, which is central to running an efficient practice, managing risk (chapter 7 of the SRA Code) and fulfilling our client care obligations (Chapter 1 of the SRA Code).  There are no requirements relating to retention of files in the SRA’s Minimum Terms for Professional Indemnity Insurance.  However, in the event of a complaint we keep data for the following periods:

  • Clients paper files are shredded, and electronic files are deleted after 6 years, being the limitation period for a dispute to be raised.
  • Contact details will remain in ML’s Outlook contacts list until we haven’t received instructions for 6 years, or until ML receives a request to delete the contact.
  • Blog subscribers will remain on the subscriber list indefinitely or until an unsubscribe request is received.
  • Notes taken when an enquiry is received, either by telephone, e-mail or JivoChat will be retained for 6 years.


Under GDPR you have 8 rights:

It is important that the personal data we hold about you is accurate and current.  Please keep us informed if your personal data changes during your relationship with us.

You have the right, free of charge, to a copy of all the information we hold about you in a structured commonly used and machine-readable form (apart from a very few things which we may be obliged to withhold because they concern other people as well as you).  To obtain a copy, either write to the lead for data protection compliance – Mrs Verity Grigg at Mercian Law Limited or alternatively e-mail us:

To help us provide the information you require and deal with your request swiftly, please provide the following information to enable us to verify your identity and locate the information:

  • Your date of birth.
  • Previous or other names you may have used.
  • Your previous address in the past 6 years.
  • Your file reference number.
  • What information you want.

You can ask someone else to request information on your behalf, for example, a solicitor, friend or relative.  We must have your authority to respond to a subject access request on your behalf.  Please provide a signed letter stating that you authorise us to send the information to the person concerned.

We aim to reply as promptly as we can and, in any case, within the legal maximum of 1 month or 40 days if the request is complex. 

If ML believes your requests are manifestly unfounded or excessive, we reserve the right to refuse your request or charge you a reasonable fee for our time in dealing with the request.

If you disagree with our decision you can complain to the ICO, the UK supervisory authority for data protection issues.

If you have a concern about ML’s information rights practices, we would appreciate if you raise it with Mrs Verity Grigg at ML in the first instance using the contact information above.