This Privacy Notice (“Notice”) describes how PFM UK collects and uses your Personal Data under the EU General Data Protection Regulation (“GDPR”) and UK data protection legislation. It tells you what Personal Data PFM UK collects, why we need it, how we use it and what protections are in place to keep it secure.

Key Terms

PFM UK”, “we”, “us” and “our” mean Phi Finney McDonald UK Ltd.

PFM UK Personnel” means PFM UK’s prospective, present and past partners, employees, consultants and agency staff, and people connected to such persons.

PFM AU” means Phi Finney McDonald Pty Ltd, PFM UK’s affiliate in Australia.

Personal Data” means information about individuals (including you), and from which such individuals could be identified.

You” means individuals whose Personal Data we process including, but not limited to PFM UK clients, PFM UK client personnel, counter-parties, counter-party personnel, other solicitors/advisors, witnesses, suppliers, supplier personnel, job applicants and individuals to whom we send marketing communications.

Data Controller

PFM UK is the Data Controller in relation to your Personal Data and is committed to protecting the privacy rights of individuals, including your rights. Our data protection registration number is ZA786307.

Data Protection Manager

PFM UK has not appointed a Data Protection Officer. Instead, we have appointed a Data Protection Manager (“DPM”) who oversees PFM UK’s compliance with the GDPR and any other applicable data protection legislation and regulation.

You can contact the DPM at

How does PFM UK obtain your Personal Data?

We will usually obtain your Personal Data from you directly, such as where:

  • You communicate with us in writing;
  • You speak to us in person or remotely by telephone or video conference;
  • You complete a form on our website; and
  • You use our website.

We may also obtain your Personal Data from a third-party source. For example, we may collect information from: our clients and our clients’ personnel, agents and advisers; third-party identity check providers; other law firms/advisers which represent you; the company for whom you work; other organisations/persons with whom you have dealings; government agencies; credit reporting agencies; recruitment agencies; information or service providers; and publicly available records (such as from Companies House).

What Personal Data does PFM UK collect from and about you?

We collect and use different types of Personal Data about you, which will vary in type and detail and purpose of processing. Please consider the following illustrative and non-exhaustive examples:

  • Personal Data about you: name, address, date of birth, marital status, nationality, gender, preferred language, job title, work-life and restrictions and required accommodations, possibly about your family life (see further below for how we deal with sensitive/special category data);
  • Personal Data to contact you at work or home: name, address, telephone, and email addresses;
  • Personal Data which may identify you: photographs and video, passport and driving license details, electronic signatures; and
  • Personal Data to process any payment we might need to make to you: bank account details, HMRC numbers and references (where applicable).

What about Personal Data about other people which you provide to PFM UK?

If you provide information to us about someone else (such as one of your associates, directors or employees, or someone with whom you have business dealings), please ensure that you are entitled to disclose that information to us and that, without our taking any further steps, we may process that information under this Notice.

Why do we need to collect and use your Personal Data?

We need to collect and use your Personal Data for several reasons. The primary purpose is to provide legal advice and services to our clients. This may involve the use of your Personal Data in the following (non-exhaustive) ways:

  • to contact you if you are involved in a client’s matter, whether in your professional or personal capacity;
  • to carry out investigations, risk assessments and client due diligence, identity, credit, fraud, money laundering and other regulatory checks. For example, we may use a third-party identity check provider;
  • to review, draft and disclose correspondence and other documents, including court documents;
  • to instruct third parties on behalf of our clients; and
  • for comparison/analytical purposes and to formulate legal opinions and provide advice.

We may also process your Personal Data for effective business management purposes which may involve the use of your Personal Data in the following (non-exhaustive) ways:

  • to engage and contact suppliers;
  • to carry out internal reviews, investigations, audits;
  • to conduct business reporting and analytics;
  • to advertise and market the services we provide;
  • to help measure performance and improve our services;
  • for recruitment;
  • for regulatory and legislative compliance and related reporting;
  • for considering and exercising our legal rights; and
  • for the prevention and detection of crime.

What is PFM UK’s legal basis for processing your Personal Data?

Under the GDPR, PFM UK must identify a lawful basis for processing your Personal Data which may vary according to the Personal Data processed and the individual to whom it relates.

  • Performance of a contract with you (where applicable):

PFM UK may process the Personal Data it requires to fulfil its obligations under its contract with you. This will be the relevant legal basis if you are an individual client, supplier or another individual with a direct contractual relationship with PFM UK.

  • Legitimate interests of PFM UK or a third party:

PFM UK processes some of your Personal Data because it is in its legitimate interests and/or the legitimate interests of a third party to do so. This will primarily concern the processing of Personal Data that is necessary for us to provide legal advice and services to our clients. PFM UK’s legitimate business interest in such instances is the proper performance of its function as an authorised and regulated provider of legal services. PFM UK’s clients also have a legitimate interest (and more general right in law) in obtaining legal advice and services.

PFM UK’s broad interest in the provision of legal services as a basis for processing your Personal Data, and our clients’ corollary interest in receiving such services, can be broken down into more discrete categories which may include, but are not limited, to:

  • the interest in contacting individuals relevant to PFM UK’s work and our clients’ matters, which may involve the use of your Personal Data;
  • the interest in reviewing documents and correspondence disclosed to PFM UK, PFM UK clients and third parties which may contain your Personal Data;
  • the interest in reviewing and analysing all evidence available to PFM UK and its clients, which may contain your Personal Data;
  • the interest in adducing legal arguments, creating documents and correspondence, which may contain your Personal Data;
  • the interest in disclosing documents and correspondence, which may contain your Personal Data, to various parties to further PFM UK’s clients’ objectives;
  • the interest in instructing third parties on behalf of PFM UK clients;
  • the interest in receiving payment from PFM UK clients and third parties, and to facilitate payments to and from PFM UK clients and third parties; and
  • to allow for all of the above, the secure management and storage of your Personal Data, within our IT environment and hard-copy filing systems.

PFM UK may also process your Personal Data because it is necessary for its legitimate business interests in the effective management and running of PFM UK which may include, but is not limited to: engaging suppliers and supplier personnel; ensuring that its systems and premises are secure and running efficiently; for regulatory and legislative compliance, and related auditing and reporting; for insurance purposes; for recruitment/hiring purposes; for marketing purposes; and to facilitate, make and receive payments.

PFM UK does not consider that the processing of your Personal Data, on the basis that it is within PFM UK’s legitimate interests (whatever such interests might be), is unwarranted because of any prejudicial effect on your rights and freedoms or your legitimate interests.

  • Compliance with a legal obligation to which PFM UK is subject:


In certain circumstances, PFM UK must process your Personal Data to comply with its legal obligations. This might include, but is not limited to, Personal Data required: for tax and accounting purposes; for conflict checking purposes as required by the common law and PFM UK’s regulators; and for PFM UK to fulfil its compliance and other obligations under relevant legislation/regulation.


More information relating to legal bases for processing Personal Data can be found on the Information Commissioner’s website (see details below) or by contacting us.

Special category and criminal records Personal Data


If PFM UK processes your criminal records Personal Data or special category Personal Data relating to your racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, health data, biometric data or sexual orientation, we will obtain your explicit consent to that processing unless this is not required by law (because, for example, it is processed to exercise our rights or defend legal claims) or the information is required to protect your health in an emergency. Where we are processing Personal Data based on your consent, you may withdraw that consent at any time.

Direct Marketing

We may use your contact details to send you marketing materials, provided we are permitted to do so by law. You always have the right to unsubscribe from any marketing. You can do so by contacting us.

Who receives your Personal Data?

We may disclose your Personal Data to third parties (outside of PFM UK and PFM UK Personnel) if, but only when, we have a legal basis to do. Such recipients include but are not limited to: PFM AU; co-counsel, other solicitors/barristers/experts/foreign law firms whom we instruct on your behalf; PFM UK’s insurance brokers and underwriters; PFM UK’s bank, auditors and accountants; PFM UK’s outsourced IT providers and other suppliers; HMRC; the Solicitors Regulation Authority; the Law Society; the Home Office and Passport Services; the other side/other parties on any given matter (lay and solicitor).

How do we protect your Personal Data?

We have security arrangements in place to guard against unauthorised access, improper use, alteration, destruction or accidental loss of your Personal Data. We take appropriate organisational and technical security measures and have rules and procedures in place to ensure that any Personal Data we hold is not accessed by anyone unauthorised to access it. We have in place, and abide by, a specific information security policy about the security standards used to protect your Personal Data.

When we use third-party organisations to process your Personal Data on our behalf, they must also have appropriate security arrangements, must comply with our contractual requirements and instructions, and must ensure compliance with the GDPR and any other relevant data protection legislation.

Is your Personal Data transferred to “third countries” and, if so, what safeguards are in place?

Under this Notice and the GDPR, we may transfer your Personal Data to organisations, including PFM AU, in “third countries” outside of the EEA. In addition to the security arrangements mentioned above regarding our engagement of third-party organisations, where such transfers are required, we will ensure that your Personal Data is adequately protected. For example, we will use a contract for the transfer that contains specific data protection provisions adopted by the European Commission or a relevant data protection authority. If applicable, you can request a copy of these contracts from us.

How long will your Personal Data be retained by PFM UK?

We will retain your Personal Data for the time required for the specific purposes for which it is processed by PFM UK and which are set out in this Notice. However, we may have to keep your Personal Data for a longer period, for example, where required by our legal and regulatory obligations or to ensure we have effective back-up systems. In such cases, we will ensure that your Personal Data will continue to be treated in accordance with this Notice, restrict access to any archived Personal Data and ensure that all Personal Data is held securely and kept confidential.

What are your rights?

The GDPR generally affords individuals a right to access their Personal Data, to object to the processing of their Personal Data, to rectify, to erase, to restrict and to port their Personal Data.

We have specific procedures in place regarding Subject Access Requests (“SARs”) that you may make. A SAR is a request made by you which requires us to provide you with details of your Personal Data which we hold and process and a description of how we process it. You should put any questions or requests to us in writing.

There are exceptions to the rights of individuals regarding their Personal Data, and your rights may be limited, particularly when we are processing your Personal Data to provide legal advice to our clients. We will, at all times, respect your Personal Data and seek to be transparent, but sometimes we may be restricted from even acknowledging that we process or have processed your Personal Data.

How to make a complaint

If you are unhappy with the information provided in this Notice or have concerns about how PFM UK processes your Personal Data you may contact us. If you remain dissatisfied, then you may apply to the Information Commissioner for a decision. You can contact the Information Commissioner at:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF