Data Protection Frequently Asked Questions

What is GDPR?

GDPR is the EU General Data Protection Regulation which comes into effect from 25 May 2018. It sets out a series of new EU laws concerning how data is processed and used. The objective of the regulation is to strengthen and standardise data protection laws for all EU citizens. These regulations will apply to any organisation that controls and/or processes data on behalf of an individual or group of individuals. Those responsible for adhering to these regulations include employees of the organisation, contractors, consultants, agents and third parties who have access to data either directly or indirectly.

What does this mean for Wilson Nesbitt?

We have always appreciated your trust in us to collect, process and protect your information. As a data controller and processor of your personal data, we will continue to:

  • develop on our strong risk culture by acting responsibly and putting your security at the front of our priorities;
  • manage our controls, processes and systems to improve our level of client service while providing you with the assurance that your information is safe and secure; and
  • conduct our business in a fair and transparent way and ensure we minimise the risk of unfair outcomes for our clients and the effect on their data rights and freedoms.

Our Data Protection Notice and the additional information on our website, explains how we collect personal information about you, how we use it and how you can interact with us about it.

Who we are

When we talk about ‘we’, ‘us’ and ‘our’ we are referring to Wilson Nesbitt Solicitors. Wilson Nesbitt Solicitors trade as both a partnership and as an unlimited company registration number NI614839, whose registered office is situated at 33 Hamilton Road, Bangor BT204LF, which is regulated by the Law Society of Northern Ireland ( Under GDPR we are a data controller for the personal data that we hold and process.

We share your information to colleagues within Wilson Nesbitt to help us provide our services, comply with regulatory and legal requirements and improve our service levels.

Data Protection Officer

Our Data Protection Officer oversees how we collect, use, share and protect your information to ensure your rights are fulfilled. You can contact our Data Protection Officer by clicking here or by writing to: Data Protection Officer, Wilson Nesbitt, 33 Hamilton Road, Bangor BT20 4LF.

How we collect information about you?

We collect personal information from you, for example when you:

  • Instruct us for a legal service;
  • Ask us to transfer money into your bank account;
  • use your credit or debit card to pay us;
  • complete transactions; or
  • look for advice.

We also collect information through our website, apps, social media, discussion forums, market research and our CCTV footage. Further information on how we collect information online is detailed on our website Privacy Statement. 

We record all phone conversations for lawful business purposes including confirmation of and clarity of your instructions to us and for training of our staff.

Our websites use ‘cookie’ technology. A cookie is a little piece of text that our server places on your device when you visit any of our websites or apps. They help us make the sites work better for you.

When you, or a partner or colleague on your behalf, instruct us to provide a legal service, and during the time you are availing of our services, we carry out information searches and verify your identity. We do this by sending and receiving information about you to and from third parties including reference and fraud prevention agencies. We and these agencies registers may keep records of our searches whether or not the legal service goes ahead.

What information do we collect about you?

This is some of the information we collect and hold about you when applying for and using our legal services:

Personal Descriptors Financial Information

Full name/Signature
Home/Business Address
Email address
Phone number
Marital status
Date of birth
Proof of identity and proof of address including; driving license,    
passport, utility bills, Bank statements etc.
National Insurance Number
Mother’s maiden name
Educational details or history
Call recordings
Location data
IP Address
Profession/ Job
CCTV images
Partner and dependents

Personal bank account details
Statement of net worth
Income and expenditure
Credit card account
Investment account
Debit and credit card numbers
Revenue documents e.g. P45 and P60
Payment instructions
Matter positions and history
Credit records, worthiness, standing or capacity
Expected turnover
Origin/source of funds
Purpose of your matter


Special categories of data

Under GDPR, there are special categories that require additional safeguards for processing. In some instances, we will require this information for processing or it may be volunteered by you. These data types and the reason we collect them are:

Special categories of data Do Wilson Nesbitt process this information?
Biometric data – Fingerprints, Facial and voice recognition No – At present we do not collect information to identify you through voice, facial or fingerprint recognition technology.
Health data

Yes - We may collect health data from you or your doctor or medical adviser when providing certain our legal services (accident, medical negligence or injury claims) or to support you in times of marital or family difficulty, dementia or bereavement.

If health data is requested by us, we will ask for your consent or the consent of your attorney

Racial or ethnic origin No - We do not request you to provide details of racial or ethnic origin to provide our legal services.
Political opinions No - We do not request you to provide political opinions to provide our legal services.
Religious or philosophical beliefs No - We do not request you to provide religious or philosophical beliefs to provide our legal services.
Trade union membership No - We do not request you to provide trade union membership to provide our legal services.
Genetic data No - We do not request you to provide genetic data to provide our legal services.
Sexual orientation No - We do not request you to provide sexual orientation to provide our legal services.


How we use your information

We use information about you to:

  • provide relevant legal services;
  • identify ways we can improve our legal services;
  • maintain and monitor your legal services;
  • protect both your & our interests, and the interests of others; and
  • decide and recommend how our legal services might be suitable for you.

To provide our legal services under the terms and conditions we agree between us, we need to collect and use personal information about you. If you do not provide this personal information, we may not be able to provide you with our legal services.

We analyse the information that we collect on you through your use of our legal services and on our social media, apps and websites. This helps us understand, how we interact with you and our position in the market place. Examples of how we use this information include helping protect you from financial crime, offering you legal services and personalising your experience.

We may report trends we see to third parties. These trend reports may include information such as the efficiency and speed of our services and the average time taken for particular legal matters. When we prepare these reports, we group clientsâ information and remove any names. We do not share information in these reports that can identify you as a client, such as your name, or matter details.

All of our processing must be supported by a lawful basis, as discussed in the 'Meeting our legal and regulatory obligations' section below.

Lawful basis for processing

To use your information lawfully, we rely on one or more of the following legal bases:

  • performance of a contract;
  • legal obligation;
  • our legitimate interests;
  • your consent;
  • protecting the vital interests of you or others; and
  • public interest.

To help you better understand where these lawful bases may apply, these are some examples for each lawful basis. In some cases, the same information is processed under more than one lawful basis:

Performance of a contract – Processing your information is necessary for us to provide your legal services.

Providing relevant legal services

We provide our banking, corporate & commercial clients with property Conveyancing, debt & repossession recovery, business mergers, acquisitions and sales, regulation compliance, dispute resolution, litigation recovery and other services.

We provide our private clients with legal services such as property Conveyancing, Wills, Trusts, Enduring Powers of Attorney, Tax Returns, separation, divorce, children and other family law services, medical negligence, personal injury claims, dispute resolution mediation, litigation and other services.

We process your information to identify and authenticate you to use our legal services.

Maintaining and monitoring your legal services
We must continually monitor and update information to ensure your data is safe, accurate and up to date. This ensures we keep your personal details and legal services secure and give you the best client service. To do this we may share information with third parties such as  reference and fraud prevention agencies.

Collecting money owed to us
As part of our legal service services we have the right to collect money owed to us.  In some instances, we will use third parties to help us obtain additional information and collect the debts owed to us.


Legal obligation – We must process this information to comply with our legal obligations.

Identify and authenticate our clients
We process your personal information to identify and authenticate our clients by carrying out Anti-Money Laundering and Fraud Prevention checks.

We share your information with third parties when performing these checks.


Our legitimate interests –Legitimate interest means the interests of Wilson Nesbitt in conducting and managing our business when providing legal services. The core legitimate interests of Wilson Nesbitt are to provide the best client service, introduce innovative legal services, and to protect our clients, employees and shareholders.

We will always assess whether the legitimate interest of Wilson Nesbitt will adversely impact the rights and freedoms of the data subject prior to processing. We implement safeguards to ensure that the processing remains fair and balanced.

Our risk assessments help us understand what information we need, our business requirements, the impact on our clients and employees, alternative options for processing and how long we hold the information for. 

Manage and understand risk
As a regulated legal services provider we must manage and understand our risk exposure to ensure our clients are protected and maintain a stable financial infrastructure.

We produce internal management information and models to understand risk across our business, ensure necessary safeguards are in place and assess the design and effectiveness of these safeguards. We report this on an ongoing basis to regulatory agencies.

We may share information with reference and fraud prevention agencies for these checks.

Manage our relationship with you
We keep our records up to date to ensure your personal information is safe, to contact you when required, and provide the best client service.

Analyse information and research your experiences dealing with us
We want to continually improve and better understand our clients. By collecting and analysing data from multiple sources, we can better understand the requirements of our clients and how we can improve legal services and service offerings.

This analysis also helps us run our business more efficiently and effectively.

We may report trends we see to third parties. These trend reports may include information such as the efficiency & speed of our services and the average time taken for types of legal matters. When we prepare these reports, we group clients’ information and remove any names. We do not share information in these reports that can identify you as a client, such as your name, or matter details.

Identify ways we can improve our legal services
We are always working to develop new legal services and innovative ways of bringing these to you.

We analyse the market and our client base to better understand what people like and what people want from their solicitor. We do this by collecting data on your legal transactions and by using client surveys. We use this information to provide a more personalised service to our clients and improve their experience using our legal services.

Prevent financial crime and cyber attacks
We continually monitor and analyse transactions, financial behaviour and electronic devices to detect and prevent fraud and cyber-attacks. This enables us to protect and secure our clients information, our networks and our financial interests.

We share information with third parties to prevent financial crime, report fraud, manage our risks and protect both our interests.

Sell whole or part of our business
On any proposed sale of our business or part of it we will share the necessary information required by the purchaser to assess valuations, perform due diligence and continue processing of the data.

This may include transferring your personal information to the purchaser.

Internal management information
We produce internal management information to run our business and better understand client needs. This information enables us to make informed decisions and develop our strategy.


Your consent – We require your consent for processing certain information such as special category data.

We ensure your consent is obtained under the following principles:

  • Positive Action - Clear affirmative action is required such as you continuing to instruct us. We do not imply or assume consent in the event of no positive action from you.
  • Free will – Your consent must be freely given and not influenced by external factors.
  • Specific – We will be clear on what exactly we are asking your consent for.
  • Recorded – We will keep a record of your consent and how we got it.
  • Can be withdrawn at any time – We will stop data processing that requires your consent at any time you make a valid request. You can withdraw your consent at any time.

Special Categories of Personal Data is information relating to:

a) Racial or ethical origin, political opinions or religious or philosophical beliefs                                                        
b) Trade union membership
c) Biometric data (we may collect voice, facial or fingerprint information to identify data subjects)
d) Genetic data
e) Physical or mental health
f) Sexual orientation
g) Commission or alleged commission of any offence by the data subject or
h) Any proceedings for any offence committed or alleged


Directly contact you about new legal services

With your consent, we will let you know what legal services or services you might like. You can select how you prefer to be contacted when instructing us or by contacting us.

You can withdraw your consent at any time.

Processing special category data
We require your consent when processing special category data, such as those listed.

In some instances, clients may provide us with special categories of data, such as health data. Given that this is a special category of data, we may have to obtain your consent before accepting this information for processing.


Protecting the vital interests of you or others

Sharing information to protect you
In some instances where we are concerned about your health and safety, we may share information with third parties to protect you and others.

This may include where we suspect that you, or others, may become a victim of financial crime.


Public interest

Prevention of fraud
We may share personal data under the public interest basis in relation to prevention of fraud. We may share information with third parties to reduce fraud risk and protect the public from financial loss.


Meeting our legal and regulatory obligations

To meet our regulatory and legal obligations, we collect some of your personal information, verify it, keep it up to date through regular checks, and delete it once we no longer have to keep it. We may also gather information about you from third parties to help us meet our obligations.

Personal searches and references agencies

In order to process your legal matter, we will perform identity checks on you with one or more reference agencies.

To do this, we will supply your personal information to the reference agency and they will give us information about you.   The reference agency will supply to us public information (including the electoral register) and fraud prevention information.

 We will use this information to:

  • Verify the accuracy of the data you have provided to us;
  • Prevent criminal activity, fraud and money laundering;
  • Trace and recover debts; and

If you are referred to us by another client or business contact, or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before giving us this information.

The identities of the reference agencies, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights are explained in more detail at each of the below websites:

Callcredit :

Fraud Prevention Agencies

Before we provide legal services to you, we undertake checks for the purposes of preventing fraud and money laundering and to verify your identity. These checks require us to process personal data about you.    Our contact details can be found in the ‘Contact us’ section of our website.

 What we process and share

The personal data you have provided, we have collected from you, or we have received from third parties may include your:

  • name
  • date of birth
  • residential address and address history
  • contact details such as email address and telephone numbers 
  • financial information
  • employment details 
  • identifiers assigned to your computer or other internet connected device including your Internet Protocol (IP) address
  • vehicle details

When we and fraud prevention agencies process your personal data, we do so on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the legal services you have requested.

We, and fraud prevention agencies, may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.

Consequences of processing

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the legal services you have requested, or to employ you, or we may stop providing existing services to you.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services or employment to you. If you have any questions about this, please contact us on the details above.

Your rights

Your personal data is protected by legal rights, which include your rights to:

  • object to our processing of your personal data;
  • request that your personal data is erased or corrected;
  • request access to your personal data.

For more information or to exercise your data protection rights please, please contact us using the contact details above.

If you are unhappy about how your personal data has been used please refer to our complaints policy.

You also have a right to complain to the Information Commissioner's Office at which regulates the processing of personal data.


Sometimes we need your consent to use your personal information. For example, when we use sensitive personal information (known as 'special category information' under GDPR) about you, we ask for your explicit consent. We have controls to ensure that you are informed when making your decision and that you are aware that you can remove your consent at any time by contacting us. Our consent requests are built on the following principles:

  • Positive Action - Clear affirmative action is required such as you continuing to instruct us. We will not imply or assume consent in the event of no positive action from you.
  • Free will - Your consent must be freely given and not influenced by external factors.
  • Specific - We will be clear on what exactly we are asking your consent for.
  • Recorded - We will keep a record of your consent and how it was obtained.
  • Can be withdrawn at any time - We will stop data processing requiring your consent at any time you make valid request.

How we keep your information safe

We protect your information with security measures under the laws that apply and we meet international standards. We keep our computers, files and buildings secure.

In addition to our technical controls, our Data Protection Officer oversees how we collect, use, share and protect your information to ensure your rights are protected and fulfilled. Our Data Protection Officer advises on how we can best understand risks to your data rights and freedoms, implements processes to protect these and has responsibility to report to the Data Protection Authorities if we are not meeting our obligations.

When you contact us to ask about your information, we may ask you to identify yourself. This is to help us protect your information.

How long we keep your personal information for

To meet our legal, regulatory and business requirements, we hold your information while you are a client and for a period of time after that. Please note that our retention periods are subject to external considerations. We must meet minimum retention standards for our legal obligations and regulatory requirements. We must do this to protect both of our interests. We continuously assess and delete data to ensure it is not held for longer than necessary.

Your information and third parties

Sometimes we share your information with third parties.  For example to:

  • provide legal services, services and information;
  • analyse information;
  • research your experiences dealing with us;
  • collect debts;
  • sell whole or part of our business;
  • prevent financial crime;
  • help trace, investigate and recover funds on your behalf;
  • trace information; and
  • protect both our interests.

Third parties we may share information with can include:

  • Lenders, estate agencies, financial advisers & mortgage brokers
  • reference agencies
  • Fraud prevention agencies
  • Company search databases
  • Regulatory bodies; including the Law Society of Northern Ireland, the Financial Conduct Authority and the Information Commissioner’s Office
  • Legal providers in other jurisdictions we have a joint venture or agreement to work with
  • Insurance companies
  • Government bodies including HM Revenue & Customs
  • Businesses that introduce you to us or we introduce you to
  • Cards/transaction processing
  • Market research companies
  • Financial advisors
  • Debt collection agencies
  • External consultancy firms including Accountancy, Compliance and other Professional Services including solicitors acting for other parties
  • Any entity you request your data to be shared with

We require that these third parties provide sufficient guarantees that the necessary safeguards and controls have been implemented to ensure there is no impact on your data rights and freedoms.

We also have to share information with third parties to meet any applicable law, regulation or lawful request. When we believe we have been given false or misleading information, or we suspect criminal activity we must record this and tell law enforcement agencies, which may be either in or outside the UK.

International transfers of data

We may transfer your personal information outside of the European Economic Area (EEA). If, for example, you are purchasing property from a USA company that is subject to USA stock exchange or other regulation we must pass information verifying your identity to the sellers’ solicitor who will pass it on to their USA client. We expect the same standard of data protection to be applied outside of the EEA to any such transfers and the use of the information to ensure your rights are protected.

Your personal information rights

You can exercise your rights by writing to us, emailing us, using our social media channels or calling into one of our offices.

Whenever you contact us to ask about your information, we may ask you to identify yourself. This is to help protect your information.

Your right to obtain information cannot adversely affect the tights and freedoms of others. Therefore we cannot provide information on other people without consent. We generally do not charge you when you contact us to ask about your information. If requests are deemed excessive or manifestly unfounded, we may charge a reasonable fee to cover the additional administrative costs or choose to refuse the request.

The following section details your information rights and how we can help ensure that you are aware of these rights, how you can exercise these rights and how we intend to deliver on your requests.

Accessing your personal information

You can ask us for a copy of the personal information we hold and further details about how we collect, share and use your personal information. You can also request the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • where the personal data are not collected from the data subject, any available information as to their source.

Updating and correcting your personal details

You can ask us to update or correct any of your personal details at any time.

Removing consent

You can change your mind wherever you have given us your consent, and you can request that we no longer process data we require your consent for, such as for direct marketing or processing your sensitive information, such as medical data.

Restriction and objection

You may have the right to restrict or object to us processing your personal information. We will require your consent to further process this information once restricted. You can request restriction of processing where;

  • The personal data is inaccurate and you request restriction while we verify the accuracy;
  • The processing of your personal data is unlawful;
  • You oppose the erasure of the data, requesting restriction of processing instead;
  • You require the data for the establishment, exercise or defence of legal claims but we no longer require the data for processing;
  • You disagree with the legitimate interest legal basis and processing is restricted until the legitimate basis is verified.

Deleting your information (Right to be forgotten)

You may ask us to delete your personal information or we may delete your personal information under the following conditions:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  • you withdraw your consent where there is no other legal ground for the processing;
  • you withdraw your consent for marketing purposes;
  • you withdraw your consent for processing a child’s data;
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation.

Moving your information (your right to Portability)

Where possible we can share a digital copy of your information directly with you or another organisation. We will provide this information in a structured, commonly used and machine-readable format. Please note; we can only share this information where it has been processed automatically (hard copy documents are excluded for portability) and was processed under your consent or performance of a contract (further details on this are available in our 'lawful basis' section).

We do not provide portability of information processed under legal obligation or our legitimate interest, in line with GDPR guidance.

The right to lodge a complaint with a Supervisory Authority

If you have a complaint about the use of your personal information, please let a member of staff in our offices know, giving them the opportunity to put things right as quickly as possible. If you wish to make a complaint you may do so in person, by phone, in writing and by email. We will fully investigate all the complaints we receive. You may complain through our contact centre, our branches, our website, by phone, by email or in person at our offices. We ask that you supply as much information as possible to help us resolve your complaint quickly.

You can also contact the Information Commissioner’s Office (ICO) at the below details:

  • Visit their website at
  • Email by clicking here
  • Phone on: 0303 123 1113
  • Write to: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Updates to our Data Protection Notice

We will make changes to our Data Protection Notice from time to time, particularly when we change how we use your information, and change our technology and legal services. You can always find an up-to-date version of our Notice on this website or you can ask us for a copy.