General Data Protection Regulation (GDPR)

This notice explains when and why I (Data Controller) collect personal information about you; how I use it, the conditions under which I may disclose it to others and how I keep it secure.

For my clients, you should read this notice alongside my general terms and conditions which provide further information on confidentiality, data privacy etc.

I am Harjit Sarang, the Data Protection Officer and I can be contacted at / 07980 917882 / 01727 884688 – SURROGACY LAWYERS, Fountain Court, 2 Victoria Square, Victoria Street, St Albans AL1 3TF 

Who am I

I am the sole Director of Surrogacy Lawyers providing advice, assistance and representation to adults in relation to all matters concerning fertility, donor conception and surrogacy in the UK and abroad.   I do not advise children because they are represented by guardians or their parents.

What I need

Before I represent you, I will need to identify you; therefore I will need identification information such as your passport and a utility bill. The rest of the information that I need will depend on what I am instructed to do for you. In most cases that I work on, very sensitive information will be required from you and processed, including e-mail / correspondence between us during your case.

If I have your personal data as a result of you being involved in a case with my client(s), I need to process your data to provide a service to my client(s).

If you phone or email me I will process your name, contact details and a very general description of your case.

Sources of information

Information about you may be gathered from a number of sources, including from you and third parties that you authorise. You may provide me with information from organisations such as financial organisations, schools, healthcare providers, police, social services, fertility clinics and surrogacy agencies, hospitals and other relevant agencies. You may also instruct agents and lawyers outside of England and Wales to send me your data. You should check the data protection laws and procedures of the countries concerned.

Why I need it

The primary reason for asking you to provide me with your personal data is to allow me to represent you, which also includes business management and administration.

The following are some examples, although not exhaustive, of what I may use your information for:

  • Verifying your identity.
  • Verifying and accounting for your source of funds and payments to me.
  • Communicating with you.
  • Providing you with advice, assistance, representation and preparing evidence to the court.
  • Keeping financial records of your transactions and the transactions I make on your behalf.
  • Seeking advice from third parties; such as legal and non-legal experts.
  • Responding to any complaint or allegation of negligence against me. 

Who has access to it

At the start of your case, you create a Google Drive or Dropbox file to allow me access to your data rather than e-mailing documents to me. You may then delete the folder at the end of your case and have complete control of who has access to it.

I have a data protection regime in place to oversee the effective and secure processing of your personal data. I will not sell or rent your information to third parties. I will not share your information with third parties for marketing purposes.   I make use of portable devices that remain with me including when I am abroad.  This is to improve my ability to communicate with you.  

Your information is encrypted on all devices both at rest and in transit. I use the following services and devices: Office 365, Google Drive, Gmail, Dropbox, Bundledocs, Insight Legal Software, Skype, Zoom, Acrobat Pro, Apple ix, MacBook Pro and iPad Pro.

There may be circumstances, in carrying out your legal work, where I may need to disclose some information to third parties; for example:

  • Court or Tribunal.
  • Solicitors acting on the other side.
  • Asking an independent Barrister or Counsel for advice; or to represent you.
  • Non-legal experts to obtain advice or assistance.
  • Translation Agencies.
  • External auditors, accountants or our Regulator; e.g. Lexcel, SRA, ICO etc.
  • Providers of identity verification.
  • Any disclosure required by law or regulation; such as the prevention of financial crime and terrorism.
  • If there is an emergency and I think you or others are at risk.
  • Insight legal accounting software will record all financial transactions between us including invoices delivered, disbursements and payments received.  
  • My accountants Gary Cansick & Co. to audit and prepare accounts.
  • If you do not pay my invoices, I might disclose information about your identity, assets and amounts owed to a third-party recovery agency.

In the event any of your information is shared with the aforementioned third parties, I ensure that they comply, strictly and confidentially, with my instructions and they do not use your personal information for their own purposes unless you have explicitly consented to them doing so.

There may be some uses of personal data that may require your specific consent. If this is the case, I will contact you separately to ask for your consent which you are free to withdraw at any time.

How do I protect your personal data?

Occasionally I will require original documents from you to file with the court.  I recognise that your information is valuable, and I take all reasonable measures to protect it whilst it is in my care.  Your file with me will only be electronic on the cloud services listed above.  Pleadings are filed with the court after which hard copies are not retained by me.  You will be the controller of your own drive/dropbox and may delete my permissions at the end of your case.  

At the end of your case, our e-mail files are deleted and transferred to an external hard drive where they will be retained for 6 years.

I use computer safeguards such as firewalls and ensure encryption at rest and in transit.

How long will I keep it for?

Your personal information will be retained, usually in electronic files, only for as long as necessary to fulfil the purposes for which the information was collected; or as required by law; or as long as is set out in any relevant contract you may hold with me. For example:

  • As long as necessary to carry out your legal work.
  • For a minimum of 6 years from the conclusion or closure of your legal work; in case you, or I, need to re-open your case for the purpose of defending complaints or claims against me.
  • I will not retain your data longer than is necessary.
  • I will retain some basic data such as your name, address and very general case description details for conflict check purposes. I will need to retain this for longer than 6 years.
  • I will retain basic contact details unless you ask me to delete them.
  • You can find details of how long the court retains your data at the following link: -

What are your rights?

Under GDPR, you are entitled to access your personal data (otherwise known as a ‘right to access’). If you wish to make a request, please do so in writing.

A request for access to your personal data means you are entitled to a copy of the data I hold on you – such as your name, address, contact details, date of birth, information regarding your health etc. – but it does not mean you are entitled to the documents that contain this data.

Under certain circumstances, in addition to the entitlement to ‘access your data’, you have the following rights:

  1. The right to be informed: which is fulfilled by way of this privacy notice and our transparent explanation as to how I use your personal data
  2. The right to rectification: you are entitled to have personal data rectified if it is inaccurate or incomplete
  3. The right to erasure / ‘right to be forgotten’: you have the right to request the deletion or removal of your personal data where there is no compelling reason for its continued processing. This right only applies in the following specific circumstances:
    • Where the personal data is no longer necessary in regard to the purpose for which it was originally collected
    • Where consent is relied upon as the lawful basis for holding your data and you withdraw your consent
    • Where you object to the processing and there is no overriding legitimate interest for continuing the processing
    • The personal data was unlawfully processed
    • Where you object to the processing for direct marketing purposes
  4. The right to object: you have the right to object to processing based on legitimate interests; and direct marketing. This right only applies in the following circumstances:
    • An objection to stop processing personal data for direct marketing purposes is absolute – there are no exemptions or grounds to refuse – I must stop processing in this context
    • You must have an objection on grounds relating to your particular situation
    • I must stop processing your personal data unless:
      • I can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms; or
      • The processing is for the establishment, exercise or defence of legal claims.
  5. The right to restrict processing: you have the right to request the restriction or suppression of your data. When processing is restricted, I can store the data but not use it. This right only applies in the following circumstances:
    • Where you contest the accuracy of the personal data – I should restrict the processing until I have verified the accuracy of that data.
    • Where you object to the processing (where it was necessary for the performance of a public interest or purpose of legitimate interests), and I am considering whether my organisation’s legitimate grounds override your right.
    • Where processing is unlawful, and you request restriction.
    • If I no longer need the personal data but you require the data to establish, exercise or defend a legal claim.

Complaints about the use of personal data

If you wish to raise a complaint on how I have handled your personal data, you can contact me and I will investigate further.

If you are not satisfied with my response or believe I am not processing your personal data in accordance with the law, you can complain to the Information Commissioner’s Office (ICO).

Marketing data

I will never contact you for the purpose of direct marketing.

I will never send marketing communications via SMS or call you without your specific consent; nor do I ever pass on or sell your details to a third party.

How I collect personal data

The following are examples, although not exhaustive, of how I collect your personal information:

  • Submitting an online enquiry
  • Following/liking/subscribing to social media channels
  • Asking a question or submitting any queries or concerns you have via email or on social media channels
  • Posting information to the website or social media channels, for example when I offer the option for you to comment on, or join, discussions
  • When you leave a review about me on Google Reviews or any other social media platform

How I protect your personal information

Sensitive information or specific details will never be used to target marketing communications.

Any questions or requests regarding this notice and our privacy practices should be sent by email to me, the Data Controller, at any time.

Legal professional privilege

The listed GDPR provisions do not apply to personal data that consists of—

(a) information in respect of which a claim to legal professional privilege or, in Scotland, confidentiality of communications, could be maintained in legal proceedings, or

(b) information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser.

Information required to be disclosed by law etc or in connection with legal proceedings

The listed GDPR provisions do not apply to personal data consisting of information that the controller is obliged by an enactment to make available to the public, to the extent that the application of those provisions would prevent the controller from complying with that obligation.

  • The listed GDPR provisions do not apply to personal data where disclosure of the data is required by an enactment, a rule of law or an order of a court or tribunal, to the extent that the application of those provisions would prevent the controller from making the disclosure.
  • The listed GDPR provisions do not apply to personal data where disclosure of the data—
    • (a) is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings),
    • (b) is necessary for the purpose of obtaining legal advice, or
    • (c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights,

to the extent that the application of those provisions would prevent the controller from making the disclosure.