Data and Privacy Notice

This Notice applies to those who instruct us to provide professional services or engage with us in relation to our services, as well as others who use or access our DG Legal Website and/or the Compliance Caddy, the software platform owned and operated by DG Legal (collectively referred to in this Notice as ‘our Websites and Platforms’). We maintain and will provide separate privacy notices in relation to the collection and use of personal information about our staff and employees, including potential employees, during and after their working relationship with us.

We are DG Legal Limited, a company registered in England & Wales. Our company number is 7934502 and our registered office address is 39 The Rushes, Loughborough LE11 5BG. ‘DG Legal’ and ‘Compliance Caddy’ are registered trademarks belonging to DG Legal Ltd.

In accordance with the Data Protection Act 2018 and the General Data Protection Regulation as incorporated into the law of the United Kingdom by virtue of the European Union (Withdrawal) Act 2018 (UK GDPR), this Privacy Notice explains, in detail, the types of personal data we may collect about you when you interact with us. It also explains how we'll store and handle that data and keep it safe. Unless otherwise indicated, references in this Data and Privacy Notice to the GDPR refer to the UK GDPR.

The terms ‘Personal Data’, ‘Data Controller’, ‘Data Processor’ and ‘Data Subject’ are as defined in the Data Protection Act 2018 and GDPR.

We are committed to ensuring that your privacy is respected and that Personal Data or other confidential data is protected.

This notice explains how we use and protect any information that is provided to us including information stored on the Compliance Caddy. In particular, it sets out what personal information we collect, the legal basis for using it, how long we keep it and the procedures that we have in place to secure that data and safeguard your privacy.

We know that there's a lot of information here, but we want you to be fully informed about your rights, and how our firm uses your data. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.  We hope the following sections will answer any questions you have but if not, please do get in touch with us (for further information on how to do this, please see below).

When we collect Personal Data

We collect your Personal Data when you provide it to us. You may give us your Personal Data through the submission of an enquiry through our Websites and Platforms; by subscribing to our updates; through the storage of data on our online Compliance Caddy software; or you may provide Personal Data to us during the course of instructing us to provide services to you. This may be provided by you over the internet; telephone; face to face; by email or by post.

We may also collect Personal Data automatically with regard to each of your visits to any of our Websites and Platforms including technical information.

Data Processing

Training and Consultancy instructions

Whilst undertaking training and consultancy work for our clients, we may have access to materials in any medium that contain, refer to or relate to confidential information. There may be occasions where we are instructed to process Personal Data on behalf of our clients (such as an instruction to review casefiles for compliance). Where we process Personal Data given to us by our clients under their instruction in the course of providing services to them, we are a Data Processor for the purposes of the GDPR and other applicable data protection laws, including the Data Protection Act 2018. This accounts for most of our processing activity.  As part of our acceptance of those instructions, we provide contractual undertakings in respect of such data.

Compliance Caddy

Through the Compliance Caddy software, we collect, use and are responsible for certain categories of your personal information which may include Personal Data.

Compliance Caddy users will typically act as the ‘Data Controller’ for any Personal Data they upload to Compliance Caddy. The data controller determines the purposes and means of processing Personal Data, while the Data Processor processes data on behalf of the Data Controller. DG Legal (as the operator of Compliance Caddy) is a ‘Data Processor’ and processes personal data on behalf of the Data Controller when it uses the Compliance Caddy platform.

Data Controllers and Data Processors are responsible for implementing appropriate technical and organisational measures to ensure and demonstrate that any data processing is performed in compliance with the GDPR. Their obligations arise from the data protection principles which require lawfulness, fairness and transparency, purpose limitation, data minimisation, and accuracy, as well as fulfilling Data Subjects’ rights with respect to their Personal data.

To the extent that any Personal Data may be transferred by you to DG Legal via the Compliance Caddy and we undertake any processing of that data (as defined by the GDPR and any other relevant data protection legislation), we confirm that we will:

  • only use the data for the purpose(s) for which you have provided it to us and for no other purposes
  • operate in accordance with this data and privacy notice
  • keep the data securely and confidentially and in accordance with the current data protection legislation
  • notify you immediately of any data loss or other security breach so that you can decide what action to take to protect your clients’ interests
  • not pass this data to any third party or subcontractor without your prior written agreement (or unless otherwise required by law)
  • return the data to you or securely delete it on request (unless we have another lawful basis for holding it)

Website enquiries

Our Websites and Platforms do not automatically capture or store personal information other than details of visits made to the site or platform including, but not limited to, traffic data, location data, logs (including, where available, the IP address and location of the device connecting to the online services and other technical information and identifiers about the device and the nature of the visit) and other communication data, and the resources that you use.  For information on cookies, see below.

When you use our Websites and Platforms to contact us or provide personal information, we may collect the following:

  • information you provide to us by completing contact forms (this includes information you give us when subscribing to a service, submitting data or requesting a call back or further services)
  • information you provide to us if you contact us, for example to report a problem with the site or to raise a query or make an online comment

For the purposes of data protection legislation, we are the Data Controller and sole owner of the Personal Data collected automatically on our Websites and Platforms.

Subscribing to our Updates

We only collect certain data about you, as detailed above. Any email updates we send are sent through an email marketing service (EMS) provider. An EMS is a third-party service provider of software / applications that allows companies to send out email campaigns to a list of users.

Email updates that we send may contain tracking beacons or similar server technologies in order to track subscriber activity within email messages (such as which pages of our Websites and Platforms are being accessed). Where used, such messages may record a range of data such as: times, dates, IP addresses, opens, clicks, forwards, geographic and demographic data. Such data, within its limitations, will show the activity of each subscriber for that email campaign.

Any email updates we send are in accordance with the GDPR and the Privacy & Electronic Communications Regulations. We provide you with an easy method to withdraw your consent (unsubscribe) or manage your preferences / the information we hold about you at any time. All email updates will include instructions on how to unsubscribe or manage your preferences.

Our EMS providers are Constant Contact and Mailchimp. We hold the following information about you within our EMS system:

  • name
  • email address
  • subscription time & date

Conditions for processing data

We are only entitled to hold and process your data where the law allows us to. The current law on data protection sets out a number of different reasons for which we may collect and process your personal data.

These include:

Contractual obligations

The main purpose for our holding your data is subject to an agreement we have with you to provide you with training, consultancy or other professional services and/or, where relevant, to provide you with access to and use of our Compliance Caddy software.

This agreement is a contract between us and the law allows us to process your data for the purposes of performing a contract (or for the steps necessary to enter into a contract).

The areas where we are processing data to enter into, or fulfil a contract are:

  • delivering services to you under contract
  • keeping you updated with changes or information relating to those services
  • processing information from you to arrange a contract between us, such as when you give us your details to enter into an agreement for services with us
  • performance of any legal contract as a supplier or customer

Legitimate Interests

In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests.

We may process your Personal Data in order to improve our Websites and Platforms including the Compliance Caddy software with the primary aim of providing you with a more personal and interactive experience. In particular, we may use your personal data to tailor our Websites and Platforms so as to ensure they are displayed in the most effective way for the device you are using. We may also process your personal data for the purposes of making our Websites and Platforms more secure, for development of additional and enhanced functions and for internal technical operations such as for testing, statistical and other administrative or compliance purposes.

We rely on legitimate interests in some cases to invite you to certain events such as webinars and seminars. Our legitimate interest is to provide information to our clients that will support their use of our services and that could be of benefit to them.

We rely on legitimate interest to train our staff so that they can provide an exceptional service to all of our clients. There may be matters relating to a staff member’s engagement with you which we review with them as part of their personal training and development.

We also use various third-party cookies to help us improve our Websites and Platforms (for further details on Cookies, please see below).

If our business is subsequently sold or we merge with another entity, to ensure our business can be continued and in order that services can continue to be provided to you, we will transfer your personal data to a third party or that data will be one of the assets transferred to a purchasing entity.

Legal compliance

If the law requires us to, we may need to collect and process your Personal Data.

We will rely on our legal obligations to process information for the following purposes:

  • complying with our responsibilities to regulators and under applicable legislation
  • complying with our legal obligations as an employer
  • complying with obligations to HMRC regarding records keeping of our financial activity, including information relating to transactions, billing and payments
  • defending a legal claim or upholding the rule of law - for example, we can pass on details of people involved in fraud or other criminal activity


In some situations, we may collect and process your Personal Data with your consent. For instance, where you have opted in to receive marketing communications from us, we will process your Personal Data in such a way as to provide you with marketing communications and effect any transfer of your Personal Data to third parties in line with the preferences you have provided.  For instance, we use the consent lawful basis for anyone subscribing to our email updates.

Another activity where we rely on your consent would be the processing of job applications. You can withdraw consent at any time, however, please be aware we will be unable to process your application if you do so.

You always have the right to withdraw your consent at any time (see below about contacting us).

Information collected by us

We may collect Personal Data as follows:

  • name and contact details (including address, email and phone numbers)
  • information about the firm that a person works at and their role there
  • information about an individual’s regulatory status such as any registration details held by them or their business (e.g. SRA, BSB, CILEx)
  • information contained in training and development records and plans
  • information provided to us about a firm’s clients or cases/matters including complaints history and results of file reviews undertaken
  • personal information that may be included in communications with us or in connection with services that we provide to or receive, or that we are arranging to provide or receive
  • payment information and financial information that relates to a contractual relationship including bank details

We do not envisage that any data we hold would be classified as ‘Special Categories’ under the GDPR. If we need to start processing this type of data, or if we are acting as a Data Processor for this data then we will explain this to you.


Should you ever visit our office in Loughborough, it is important to let you know that we have installed CCTV systems inside the office and on the outside of the building, and personal data in the form of images or CCTV footage may be recorded.

We operate CCTV in accordance with the ICO CCTV Code of Practice and are processing Personal Data obtained via CCTV in order to pursue our legitimate interests of:

  • promoting a safe working environment and monitoring health and safety at our premises
  • monitoring the safety and security of our premises
  • deterring and assisting in the prevention, investigation and detection of crime and/or serious breaches of policies and procedures, and
  • assisting with the identification and prosecution of offenders, including use of images as evidence in criminal proceedings

CCTV is never used for any automated decision taking.

Signs are displayed notifying individuals that CCTV is in operation. Images captured by CCTV will not be kept for longer than is necessary and ordinarily, will not be retained for more than 30 days. However, on occasions, there may be a need to keep images for longer such as where a crime is being investigated.

We will only disclose images and audio to other authorised bodies such as the police or other law enforcement agencies for the purposes set out above.

Telephone call recording

We record most incoming and outgoing telephone calls and your personal data may be collected as a result.  Please see our Privacy notice for more information.

We record conversations for the following reasons:

  • to allow us to be able to properly assess the needs of our clients (including potential clients) and third parties in order that we can provide them with a better service and resolve their queries
  • to identify training and development needs
  • to identify and evaluate any expressions of dissatisfaction and/or complaints
  • to enable us to review call quality
  • to protect the wellbeing and safety of our staff by identifying any threatening behaviour which can then be evidenced and acted upon where necessary.

Call recordings are destroyed in accordance with the retention information in this Notice. If the recording is available, you can request a copy of your call by making a data subject access request to our DPO (as set out below).

Information collected from others

We may also collect the same categories of information from third parties such as:

  • an individual’s employer or authorised individuals in a business they work for or own
  • public bodies such as the SRA, Bar Standards Board, CILEx, FCA, Companies House and the Law Society
  • accountants and other professional advisers
  • information on public record, including professional networking sites
  • names and details of other suppliers of goods or services

Even if we have not had direct contact with you and are processing data given to us by a third party for a purpose and with a legal basis outlined above, the contents of this data and privacy notice will still be in effect. We look after all personal data in the same way, regardless of where it has come from and whether we are acting as a Data Controller or a Data Processor.

How we use your personal information

We use your Personal Data or other information for the following purposes:

  • providing you with training and consultancy services, advice and assistance and for reasons directly associated with those services
  • to notify you of our other services or services provided by selected third parties but only where we have your express consent to do so
  • to arrange the provision of training and consultancy services to clients
  • to provide our Websites and Platforms. In particular, we may use the data for operating our service, administration, monitoring, statistical analysis, performance measurement, business development and marketing. We may from time to time collate information and statistics for the purposes of monitoring usage of our Websites and Platforms in order to help us develop our Websites and Platforms and our services
  • to monitor the quality of services we provide and to manage any queries or complaints about the services we provide
  • to comply with our legal responsibilities to regulatory bodies
  • to promote and market our services (but only where we have your consent to do so)
  • to manage matters relating to our payroll and employment, including our legal responsibilities as an employer (including training of our staff) and our obligations to HMRC
  • to engage with individuals who want to work with us as employees or consultants and with other partners or service providers that supply us with goods and services
  • to comply with legal obligations to act in the public interest and uphold the rule of law

We do not use information provided in order to contact you for marketing purposes unless you have consented to this.

Who will we share your personal information with?

We take client confidentiality very seriously and will not share any Personal Data provided to us or entered into our Websites and Platforms, in particular, our Compliance Caddy software, unless required to do so by law. If required by law, we will share Personal Data with official bodies including the SRA, ICO, the police, law enforcement and intelligence agencies.

We do not share any information collected about you with any third parties except where:

  • you have consented to us sharing your personal information in this way
  • we are under a legal, regulatory or professional obligation to do so (for example, we may be obliged to share information with regulatory bodies and public bodies including the Police or National Crime Agency) or in order to enforce or apply our Terms of Use (or other client terms) or to protect the rights and interests, property, or safety of our firm, our clients or others, although we would only do so in accordance with relevant data protection legislation
  • all, or substantially all the assets of our firm are merged with or acquired by a third party, or we expand or re-organise our business, in which case your personal information may form part of the transferred or merged assets or we may need to transfer your information to new entities or third parties through which our business will be carried out
  • we provide anonymous statistical information about users of our websites and related usage information to reputable third parties, including analytics and search engine providers
  • we use a third party service provider to provide services that involve data processing, for example storage and archival, auditing, professional advisory (including legal, accounting, financial and business consulting) and security services

Other information we process we may share with:

  • employees and professional advisers and consultants that help us to manage our Websites and Platforms
  • our accountants and solicitors that are engaged by us to provide services required by law, such as filing financial information with HMRC
  • other data processors, such as software providers, in the course of running the business including CRM providers, email communication platforms and social media platforms
  • third party hosting providers to provision and host our Websites and Platforms
  • storage and archiving providers to ensure your information is protected securely and backed up

Any partners, suppliers or third parties we share data with will be bound by strict agreements that meet the requirements of GDPR and will be monitored for performance with those agreements.

Transfer of data outside the UK

We may transfer Personal Data overseas. For instance, we use cloud IT and similar data storage facilities and so we may store, process and transmit data in locations outside the UK.

In the course of advising clients based outside of the UK, we may be required to share Personal Data with them. Where this is the case we will only share the minimal amount of personal data necessary for the purpose of processing and, where possible, we will share the personal data in an anonymised form.

Data on the Compliance Caddy is stored and processed within the UK. Users should not access the Compliance Caddy system from outside of the UK. If they do and we are acting as a Data Processor, the means and purposes of processing (including transfer outside of the UK) are decided entirely by the user as Data Controller, but we will treat that Personal Data in accordance with this Data and Privacy Notice and UK data privacy law.

Whenever we transfer any data out of the UK, we ensure that it is afforded a similar degree of protection and is treated with the same security measures regardless of location, and in accordance with our internal processes and policies as well as regulatory and legal obligations. In particular, we ensure that at least one of the following safeguards is implemented:

  • we will only transfer Personal Data to countries that have been deemed to provide an adequate level of protection for personal data by the UK by means of an adequacy decision or similar in accordance with UK adequacy regulations or otherwise comply with EU GDPR transfer restrictions, as applicable;
  • where we use certain service providers, we may use specific contractual provisions which give Personal Data the same protection it has within the UK and ensure a similar level of protection to the personal data as if it was processed within the UK, as applicable; and/or
  • we will require that any overseas third party to which we disclose Personal Data: (a) only use that Personal Data for the purposes for which it was disclosed; (b) use all technical and organisational measures which are reasonable in the circumstances to secure that personal data; (c) delete that personal data when it is no longer required; and (d) treat that personal data in accordance with this Data and Privacy Notice and the appropriate data privacy law.

How long we will store your Personal Data

We only keep Personal Data for as long as is necessary for the purpose(s) for which it was provided.

We use the following retention periods and review these periodically to make sure we are only keeping personal data and other data for as long as is needed:

  • information about clients for a period of 7 years after our contract with the client ends unless we have another legal basis to process that information
  • information relating to client advice we have given for a period of 10 years after the date of the advice
  • information entered into our Compliance Caddy software platform will be kept for a maximum of 9 months after the contract ends. For most of this time, the information will be kept in secure encrypted backups that are deleted at the end of that period
  • financial information and any financial transactions will be kept for a period of 7 years to comply with HMRC requirements
  • data submitted using our contact us web forms on our websites for 12 months
  • CCTV data for 30 days unless we have another legal basis to process that information
  • call recordings are stored for six months

Where we have processed your Personal Data to provide you with marketing communications with your consent, we may contact you periodically to ensure you are happy to continue receiving such communications. Where you inform us that you no longer wish to receive such communications, your personal data will be kept for 30 days once consent has been withdrawn and then deleted.

How we protect your information

We will treat your Personal Data with the utmost care and take all appropriate steps to protect it. We have clear data protection and information security policies and procedures in place (along with regulatory and other legal obligations to keep your data safe) and these are regularly assessed as part of our compliance processes.

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.  We use up-to-date industry procedures to keep personal information as safe and secure as possible and to protect against loss, unauthorised disclosure or access. We protect our IT systems from Cyber Attack. All information you provide to us is stored on secure servers.

Access to your Personal Data is secured. Where we have given you (or where you have generated) a password which enables you to access parts of our Websites and Platforms and to access Personal Data, you are responsible for keeping this password confidential. You must not share your password with anyone. In addition, anyone accessing the Compliance Caddy must adhere to the password protocol and other obligations as set out in the Software Terms and Conditions on that site.

We regularly monitor our systems for possible vulnerabilities and attacks and we carry out penetration testing to identify ways to further strengthen security.

Transmissions to our Websites and Platforms

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your Personal Data, we cannot guarantee the security of your data during its transmission to our Websites and Platforms; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.


A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site.

You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of our DG Legal Website.

By law, we may not place cookies on your computer without your consent, unless they are strictly necessary to the operation of the service that we provide on our Websites and Platforms.

We use Google Analytics to monitor how our DG Legal Website is being used so we can make improvements. Our use of Google Analytics requires us to pass to Google your IP address (but no other information) – Google uses this information to prepare site usage reports for us, but Google may also share this information with other Google services.

The analytical cookies are operated by Google Analytics and they store data including information about your visit(s) to the website including pages visited and time spent on each page; interaction with site-specific widgets; downloads; clicks on links/videos and flash version, JavaScript support, screen resolution, and screen colour processing ability.  Google may also use the data collected to contextualize and personalise the ads of its own advertising network.

If you already have Google Analytics cookies, they will be updated with the latest information about your visit to our DG Legal Website. We cannot access these cookies and are not the data controller for information held by Google Analytics.

For further information on how Google accesses and stores your data, please go to:

We have set out below the particular cookies that are used on our DG Legal Website and their purposes.

| Source | Cookie | Purpose | Type | Expiry | Further Information |
|---|---|---|---|---|---|
| Google Doubleclick.net | Test_cookie | Used to check if browser supports cookies (necessary) | HTTP | 1 day | This is a necessary cookie to make the website useable. The website cannot function properly without this cookie. |
| Google Analytics | _ga | Registers a unique ID used to generate statistical data on how visitors use the website | HTTP | 2 years | This is a statistical cookie to help us understand how visitors interact with the website |
| Google Analytics | _gat | Used to throttle request rate | HTTP | 1 day | This is a statistical cookie to help us understand how visitors interact with the website |
| Google Analytics | _gid | Registers a unique ID used to generate statistical data on how visitors use the website | HTTP | 1 day | This is a statistical cookie to help us understand how visitors interact with the website |
| Google Adsense | _gcl_au | For evaluating advertisement efficiency | HTTP | 3 months | This is a marketing cookie to help track visitors across websites |
| Google Doubleclick.net | IDE | For registering and reporting the visitor’s actions after viewing one of our adverts | HTTP | 1 year | This is a marketing cookie to help track visitors across websites |
| | | For tracking where users have shown interest in events across websites and for detecting how the user navigates across websites | Pixel | Session | This is a marketing cookie to help track visitors across websites |

Accepting or rejecting cookies

There are a number of different ways in which you can accept or reject some or all cookies. However, please be aware that doing so may impair our websites and their functionality or may even render some or all of the websites unusable. You should also be aware that clearing all cookies from your browser will also delete any cookies that are storing your preferences, for example, whether you have accepted cookies on a website or any cookies that are blocking other cookies.

You can find more detailed information about cookies and adjusting your browser settings by visiting

You can accept or reject some or all cookies by adjusting your browser settings. For more information about how to change your browser settings for some of the most commonly used web browsers, please see:

If you have any queries about the cookies that we use, or would like more information, please contact us.

Links to other websites

Our Websites and Platforms may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this policy. You should exercise caution and look at the privacy statement or policy applicable to the website in question.

Your rights

You have rights under the GDPR and these include the right to be informed what information we hold about you. In particular, you have the right to request:

  • access to the personal data we hold about you, free of charge in most cases
  • the correction of your personal data when incorrect, out of date or incomplete
  • for example, when you withdraw consent, or object and we have no legitimate overriding interest, or once the purpose for which we hold the data has come to an end
  • that we stop any consent-based processing of your personal data after you withdraw that consent

You have the right to request a copy of any information about you that we hold at any time, and also to have that information corrected if it is inaccurate.

If we choose not to action your request, we will explain to you the reasons for our refusal.

Your right to withdraw consent

Whenever you have given us your consent to use your Personal Data, you have the right to change your mind at any time and withdraw that consent.

Where we rely on our legitimate interest

In cases where we are processing your Personal Data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.

Contacting us

For information on how your information is used, how we maintain the security of our information, and to exercise your rights to access information we hold on you, please contact us. Similarly, if you believe that the information we hold is wrong or out of date, please let us know and we will update it.

The person in this firm responsible for data protection is our Data Protection Officer, Melanie O’Brien, and enquiries and requests can be sent to her by telephone on 01509 214999, by emailing or in writing to DG Legal, 39 The Rushes, Loughborough, LE11 5BG.

Our ICO registration number is: ZA400801

The Regulator

For further details about your rights as a Data Subject, we would invite you to access the information provided on the Information Commissioner’s Office website:

If you feel that your Personal Data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your Personal Data, you have the right to lodge a complaint with the Information Commissioner's Office. You can contact them by calling 0303 123 1113 or go online to

Changes to this policy

We do not intend to process your Personal Data for any reason other than stated within this Data and Privacy Notice. If this changes, we will update this Notice on our Websites and Platforms including the Compliance Caddy and in any documentation we will send to you, if applicable. However, internet and data privacy best practice and acceptable standards are developing. We therefore reserve the right to revise this Notice at any time. If this Notice changes in any way, we will place an updated version on the DG Legal Website, our Compliance Caddy homepage and/or will provide a copy directly.  Continued instructions to us as well as continued use of our Websites and Platforms including our Compliance Caddy platform will signify that you agree to any such changes.

Version: 4.0 January 2022