GDPR Policy.
How we process personal data on your behalf when we work on your matters, as your processor, not your controller.
Last updated: 29 June 2026 · Applies to data we process on behalf of client law firms
1. Our role: processor, not controller
When we carry out paralegal work for your firm, whether litigation support, drafting, disclosure review or any other engaged service, we process personal data strictly on your instructions. Your firm remains the data controller for that data; we act as a data processor (or sub-processor, where you are processing on behalf of your own client).
2. Our commitments as a processor
- We process personal data only on your documented instructions, and only for the purposes you’ve authorised.
- Every paralegal who works on your matters signs a confidentiality undertaking before access is granted.
- We apply appropriate technical and organisational measures to protect the data in our care.
- We will assist you in responding to data subject requests relating to data we hold on your behalf.
- We will assist you in meeting your breach notification obligations, including notifying you without undue delay if we become aware of a breach.
- We delete or return all personal data at the end of an engagement, at your instruction, unless we’re required by law to retain it.
- We do not transfer client data outside the UK without your prior written authorisation.
- We allow you, or an auditor you appoint, to audit our compliance with these commitments on reasonable notice.
3. Data Processing Agreement
We enter into a written Data Processing Agreement (DPA) with every client firm before any matter work begins, setting out the detail of the above in a form that satisfies Article 28 UK GDPR. A copy of our standard DPA is available on request.
4. Sub-processors
We do not use sub-processors to handle client data without the client’s prior written consent. Where a sub-processor is engaged for a specific matter, this is agreed with the client in advance.
5. Security measures
- Access to client matters is limited to the paralegal(s) assigned, on a need-to-know basis.
- Data in transit is encrypted; devices used to access client systems are secured and managed.
- All staff complete data protection training before working on client matters.
6. Breach notification
If we become aware of a personal data breach affecting your data, we will notify you within 72 hours of becoming aware, with enough information to allow you to meet your own notification obligations to the ICO and affected individuals.
7. Retention & deletion
We retain personal data processed on your behalf only for the duration of the engagement, and delete or return it within 30 days of the engagement ending, unless you instruct otherwise or we’re required by law to retain it for longer.
8. International transfers
Where personal data is processed outside the UK, we put appropriate safeguards in place in line with UK GDPR requirements, and remain accountable for that data throughout. Details of these arrangements form part of our DPA and are available on request.
9. Requesting our DPA or asking questions
To request a copy of our Data Processing Agreement, or to ask any question about how we handle data on your behalf, contact info@paralegaloutsourcing.co.uk.
Find out what a dedicated paralegal could take off your plate.
A short, no-obligation call. We’ll map the work slowing your practice down and show you exactly how we’d take it on, confidentially and on your terms.
Confidential · No obligation · Typically a 20-minute call