Privacy Policy

Last updated on: 10 June 2026

1. Introduction

1.1 Burges Salmon LLP, its subsidiaries and all affiliated entities (“we”, “us”, or “our”) are committed to respecting and protecting your privacy.

1.2 This Privacy Policy (the “Policy”) explains how we will collect, store and use any personal data you provide via our website, email or networking with our people and when you, or third parties who hold your data, otherwise communicate with us (including in the course of the legal services we provide or the running of our business).

1.3 Our details are as follows:

• Data controller: Burges Salmon LLP, One Glass Wharf, Bristol BS2 0ZX.
• Our EU/EEA branch: Burges Salmon IP Ireland Limited, a wholly owned subsidiary of Burges Salmon LLP, acts as our EU/EEA representative under Article 27 of the EU GDPR. It is registered in Ireland under company number 680701 and its registered office is at The Greenway, 112-114 St Stephen’s Green, Dublin 2.

1.4 This Policy may change from time to time and, if it does, the up-to-date version will always be available on our website and becomes effective immediately.

1.5 Please take the time to read this Policy, which contains important information about the way in which we process personal data.

1.6 For the purposes of this Policy, “Data Protection Legislation” means the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (as amended from time to time), the Data (Use and Access) Act 2025, Regulation (EU) 2016/679 (the “EU GDPR”) to the extent applicable, and any other law applicable to us relating to data protection.

2. Information we may collect about you

2.1 We may collect and process information about you and your personnel through various means, including:

• in the course of carrying out work for you (or your business); as noted above, we will almost always act as a data controller in this capacity but there might be very limited circumstances in which we will act as a data processor. Where we are acting as a data processor, we will separately let you know and ensure that appropriate contract terms are in place
• via our website (e.g. on our ‘Contact Us’ page or our news and insight subscription form, submitting a job application etc.) or when using one of our apps or digital services
• by email or other electronic correspondence (including technical monitoring tools and other tracking technologies). When you interact with our marketing emails, event invitations or other direct mailings, we may collect information about your engagement, including whether you open emails (by downloading images or clicking links), click on web links (which generates tracking codes to log activity), use ‘view as web page’ links, or respond to event RSVP buttons. We use this information to personalise future communications and to help us manage events. If you unsubscribe from any direct marketing or alerts, we will retain your details on a suppression list to record your preference
• from third party sources including publicly available sources and service providers, your representatives, and regulatory bodies
• by telephone, video conferencing or collaboration software
• networking (e.g. at law fairs, client events and/or other meetings or events both in person or virtual either hosted or attended by us)
• through the extranet or other document storage, management or review sites or platforms that we make available in the context of the services we provide
• through our guest WiFi service or other facility at our premises that may require log in details
• through an online or emailed form, questionnaire, survey or similar format
• by operating security policies and procedures in our offices (e.g. by virtue of our access to CCTV footage recorded by our buildings’ landlord and other CCTV footage we collect in our offices)
• otherwise through providing our legal services or operating our business.

2.2 The personal data you give to us may include:

• your name, title and contact information, including telephone number, postal address and email address
• information relating to your location, preferences and / or interests
• the MAC address of the device you use when logging in to our guest WiFi service (only held for 24 hours)
• information collected in-app or through one of our digital services, such as GPS or other location tracking
• employment and job application details, e.g. date of birth, employment history, qualifications, equality monitoring information
• photographic identification and video footage
• in certain circumstances, your and others’ signature(s), National Insurance number(s), financial details such as bank account details and details of any relevant sanctions or similar restrictions
• in certain circumstances, data relating to health (including disabilities), ethnicity, race, religious beliefs, trade union membership and other ‘special category personal data’
• in certain circumstances, current health information where required for specific purposes such as accessibility requirements or emergency contact information
• the content of any enquiry submitted over our website, during an online event or via any of our social media accounts
• where you have subscribed or responded to our marketing mailings, your communication preferences and, if required, any dietary requirements
• survey responses and feedback
• any other personal data we collect (such as the client reference number which may be assigned to you) in the context of our work for our clients or in the course of operating our business.

2.3 Each time you visit our website or use one of our apps or digital services, we may automatically collect the following information:

• Web or app usage information (e.g. IP address), your login information, browser type and version, time zone setting, operating system and platform.
• Information about your visit, including the full Uniform Resource Locators (URLs) clickstream to, through and from our website (including date and time); time on page, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs).
• Location, device and demographic information (Google Analytics provides age range and gender information. Find out more about how Google collects demographic data).

2.4 We may ask you for information when you report a problem with our website, apps or other digital services.

2.5 If you contact us, we may keep a record of that correspondence.

2.6 The personal data described above may relate to any of the following categories of person:

• our clients and clients’ personnel
• our prospective employees, secondees, work experience students or other job applicants
• our current and former employees, partners, consultants and any other person employed by us
• our alumni, Bright Sparks or other programme or initiative that you may have been invited to join
• emergency contacts or referees whose details have been provided to us by our people
• third parties with whom we have contact by virtue of providing legal services (e.g. third party payers of invoices, counterparties on a client’s matter and users of, or other individuals identified on, the extranet or other document storage, management or review sites or platforms that we make available in the context of the services we provide)
• our contacts at our ‘Preferred Firms’ or referrers, professional advisors or others with whom we work in the context of our legal services
• our prospective target clients
• our contractors and suppliers
• those with whom we work in the context of our Corporate Responsibility initiatives
• attendees and/or participants at events hosted by us either virtually or in person or held at our offices
• those who submit enquiries through our website or whose details are otherwise entered into our client relationship management system
• any other visitor to our offices.

The list above is not exhaustive.

3. Cookie Policy

3.1 Our website, apps and other digital services use cookies to distinguish you from other users, to improve your experience on our website, apps and other digital services and where applicable, to recommend content that may be of interest to you. For full details on how we use cookies, please see our Cookie Policy.

4. How we use your information

4.1 We may use your information for the following purposes:

• to respond to any query that you may submit to us
• to manage our relationship with you (and/or your business), including by maintaining our database of clients and other third parties for administration, and accounting and relationship management purposes
• to complete our contractual obligations to you, or otherwise taking steps as described in our engagement terms and/or our Terms of Business (including any associated administration)
• to carry out any relevant conflict checks, anti-money laundering and sanctions checks and fulfilling our obligations under any relevant anti-money laundering law or regulation (including under The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017)
• to verify your identity using electronic verification from time to time. Any personal data received from you for the specific purpose of proving your identity will be processed only for the purposes of preventing money laundering or terrorist financing (as detailed above), unless any additional use is permitted by law or you consent to us using it for a different purpose
• to send you or email or post any relevant information on our services and to invite you to events and networking opportunities that may be of interest to you (such as our email briefings, podcasts and other news) using the email and/or postal address which you have provided, but only if you have given us your consent to do so or we are otherwise able to do so in accordance with applicable Data Protection Legislation
• to manage and administer any events (either virtual or in person) hosted or sponsored by us, including managing your communication preferences, for example, if you opt out from our mailings, to operate suppression lists to ensure that you do not receive marketing communications from us
• to process any job application you (or your representative) has submitted
• to administer our corporate responsibility initiatives
• to manage and administer our supplier and other third-party relationships and to comply with our contractual and legal obligations pursuant to those relationships
• to ensure that our website, apps and digital service’s content is presented in the most effective manner for you and your device
• to customise our website, apps and other digital services according to your interests
• to administer our website, apps and other digital services and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey responses;
• to allow you to participate in interactive features on our website, apps and other digital services when you choose to do so
• as part of our efforts to keep our website, apps and other digital services safe and secure
• to measure or understand the effectiveness of advertising we send to you and others, and to deliver relevant advertising to you
• to ensure we appropriately administer any attendance/visits to our offices
• in respect of health data collected from anyone attending our premises (such as accessibility requirements or emergency contact information), we will use that data to ensure we can appropriately accommodate your visit. We will process health data only where we have a lawful basis to do so, such as your explicit consent or where necessary for reasons of substantial public interest
• we may disclose health data on a confidential basis to relevant authorities where required to do so by law
• to comply with any other professional, legal and regulatory obligations which apply to us or policies or procedures that we have in place (including procedures by which we use software tools to review and access information stored on our system in order to assess, verify or otherwise process the personal data we hold)
• where we reasonably consider it necessary to prevent illegal activity or to protect our legitimate interests

4.2 We do not process your personal data for the purposes of making any decision about you, which produces a legal or similarly significant effect, and which is based solely on automated processing (and without any meaningful human involvement).

5. Legal grounds for processing your information

5.1 We will rely on the following legal bases under Data Protection Legislation for processing your personal data:

• performance of, or entry into, a contract. The personal data that we are required to collect in order to comply with any other professional, legal and regulatory obligations which apply to us must be provided to us in order for us to perform this contract – we would not be able to act for you without this personal data
• compliance with a legal obligation to which we are subject (including if we are under a statutory or equivalent obligation to disclose contact details to public health authorities)
• we have a legitimate interest in doing so as a legal services provider (and where our legitimate interests are not overridden by your (or the relevant individual’s) own interests or fundamental rights or freedoms). These legitimate interests include managing our relationship with our people, clients, prospective clients, suppliers and their contact personnel, administering visitors to and maintaining the security of our offices and our IT systems and network, administering events hosted by us, ascertaining achievement of proper standards and compliance with policies, practices or procedures, direct marketing undertaken in accordance with applicable laws, and intra-group transmission of personal data for internal administrative purposes
• where our processing is necessary for the purposes of a recognised legitimate interest as defined under Data Protection Legislation
• where processing of ‘special category data’ is necessary in the context of the establishment, exercise or defence of legal claims or where another legal ground other than explicit consent is available to us under Data Protection Legislation; or
• in certain circumstances, such as those described in paragraph 4.1(e) above or where we need to process ‘special category data’ in the context of our legal work but outside the scope of paragraph 5.1(d) above, where we have obtained your express / explicit consent to do so. As we will explain at the time we collect your consent, you may withdraw it at any time in accordance with the information we provide to you at that time

6. Sharing your information

6.1 We may share your details with carefully selected third parties. These may include service providers, support services, joint event hosts and organisations that help us to market our services and third parties instructed to enable us to fulfil our contractual obligations to you and/or our clients in the course of business.

6.2 We may share personal data internally between our subsidiaries and affiliated entities when providing services or as necessary to fulfil our obligations under Data Protection Legislation.

6.3 If we share your information with third parties they will process your information as either a data controller or as our data processor and this will depend on the purposes of our sharing your personal data. We will only share your personal data in compliance with Data Protection Legislation.

6.4 We may disclose your information to third parties when:

• you specifically request this or it is necessary to provide our legal services to you (e.g. when we need to instruct lawyers in another jurisdiction to provide advice which you have requested)
• we feel other companies’ products and services may interest you
• in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets
• if our website apps or other digital services or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets
• it is necessary to administer and manage any events that you are invited to and/or attend and/or participate in that is either hosted at one of our offices, virtually or elsewhere; or
• if we are under a duty to disclose or share your personal data in order to comply with any legal obligation or to protect the rights, property or safety of our website, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

6.5 The third parties include:

• Burges Salmon subsidiaries and affiliated entities, as above 
• our bank (including as permitted by The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 which, for the purposes of preventing money laundering or terrorist financing, may require us to disclose your personal data on request to our bank from time to time where we hold monies in our pooled Client Account on your behalf)
• our insurers
• our auditors, including external accreditation bodies
• other professional advisors or third parties (including counsel, overseas lawyers, accountants, mediators, arbitrators, consultants, expert witnesses, costs draftsmen or other service providers who process personal data on our behalf) with whom we engage as part of our work for our clients or who our clients separately engage in the same context
• our regulator, the Solicitors Regulation Authority
• law enforcement and governmental (e.g. public health) authorities, the courts and other regulatory bodies as may be permitted or required by applicable law (in which case we will notify you, unless we are prohibited from doing so or it is not possible or reasonable to do so)
• our data processors providing goods and services to us including, catering, security, email security, data governance, archiving and other IT and business support services
• our email marketing provider, our website provider(s), our app platform provider and any other digital service platform provider that we use
• other attendees or participants on communication or collaboration software used by us and/or you on which you attend and where it is not possible to hide your identity or contact details (e.g. Microsoft Teams and other video conferencing software, direct messaging apps etc.)
• other attendees or participants at events hosted by us (either virtual or in person) that you attend and where it is not possible to hide your identity or contact details (e.g. Microsoft Teams and other video conferencing software, apps and other digital services and/or when name badges are used)
• selected partner digital agencies, online job application provider(s) and our recruitment portal
• analytics and search engine providers that assist us in the improvement and optimisation of our website, apps and other digital services
• any third party you ask us to share your data with

The list above is not exhaustive.

6.6 Our website may, from time to time, contain links to and from the websites of advertisers and partners. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

6.7 Our app platforms, may from time to time, create and store certain data. The apps may be made available via Apple’s appstore and the Google Playstore, both of which may make analytics data available to us. These providers will have their own terms of use and privacy policies.  Google and Apple will only share information with us that complies with their policies. We do not accept any responsibility or liability for these policies.  Please check these policies before you submit any personal data. 

6.8 We will not rent or sell our users’ or other contacts’ details to any other organisation or individual.

7. Storage and retention of your personal data

 7.1 We follow strict security procedures as to how your personal information is stored and used, and who sees it, to help stop any unauthorised person getting hold of it. We have implemented appropriate technical, physical and organisational security measures, and hold ISO27001 and CyberEssentials+ certification as well as maintain a wide range of information security and data protection-focused policies and processes. All personal information you register on our website, app or other digital service will be located behind a firewall. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. Unfortunately, the transmission of information via the internet is not completely secure and although we do our best to protect your personal data, we cannot absolutely guarantee the security of your data. 

7.2 We will keep your information stored on our systems for as long as it takes to provide the services to you and in accordance with our Terms of Business.  Any data collected via one of our apps or other digital services will be stored in accordance with the Terms of that platform.  We may keep your data for longer than our stated retention period if we cannot delete it for legal, regulatory or technical reasons.  We may also keep it for research and development, preventing conflicts of interests or statistical purposes.  If we do, we will ensure that appropriate safeguards are in place to protect your privacy and only used for those purposes.

7.3 Any contact details stored on our client relationship management database will be removed from our mailing lists if they do not interact with our emails (i.e. open emails or click on links within them) or are not involved in any meetings or events for a certain period following which they will be moved to an archive folder before being deleted permanently.

7.4 The third parties we engage to provide services on our behalf will keep your data stored on their systems for as long as is necessary to provide the services to you. 

7.5 We will, subject to paragraph 7.2, not store your information for longer than is reasonably necessary or as required by law or by our regulator, or to assert or defend against legal claims. 

7.6 We will retain health data only for as long as is necessary for the purposes for which it was collected, or as required by law.

8. Sending your information overseas

8.1 From time to time, we may need to transfer your personal data to Burges Salmon entities outside the United Kingdom for the purpose of our internal business processes (such as administration and billing) and for the purpose of providing legal advice and services. Where we transfer personal data between any Burges Salmon entity, we will comply with any transfer requirements applicable under Data Protection Legislation.

8.2 If we need to share your personal data with any other recipient outside the United Kingdom (e.g. a professional advisor or third party engaged by us or you as part of our work under an engagement letter) we will ensure we do so in compliance with Data Protection Legislation, including, where applicable, by ensuring that the transfer is necessary to perform a contract in place with you or a contract entered into in your interests.  As part of this, we will ensure we have a set of approved UK standard contractual clauses (or other approved protection mechanism) in place with that third party.  All EU/EEA member states benefit from UK adequacy regulations, meaning that transfers of personal data to the EU/EEA are permitted without the need for additional safeguards. 

8.3 Some of the technology providers we use operate data centres located in the EU/EEA. As a result, your personal data may be processed in the EU/EEA as well as in the UK.

8.4 We have put in place appropriate contractual clauses with our practice management system provider (located in the US and New Zealand) and with our email security, service continuity and archiving service provider’s affiliates in South Africa, the US and Australia. New Zealand also benefits from a UK adequacy decision. If these transfers affect you, you may contact us to obtain more precise information and a copy of relevant documentation.

8.5 Our people may access our systems remotely when working within or outside of the UK. Where they do so, they are required to use our systems and access any personal data in accordance with all applicable policies and procedures.

9. Use of AI

9.1 As part of our commitment to providing efficient and innovative legal services, we are exploring the use of generative artificial intelligence technologies (“AI”). These tools can assist us in various aspects of legal work, including assisting with the drafting of documents and notes, summarising information, document review and analysing data. Our adoption of generative AI aims to enhance client service delivery and to meet the evolving requirements of our clients.

9.2 We use AI to help protect our business and the parties with whom we engage. For example, we use services that deploy AI to help identify or detect unusual activity, potential fraud, or threats to our IT infrastructure and information security.

9.3 We may use personal information as part of the development and internal training or testing of an AI solution or other technology, where it is not possible to use anonymised data.

9.4 We ensure that any AI tools processing your information meet our security, confidentiality, and data protection requirements. We do not allow any client information to be used to train open-access AI models or to be shared outside secure environments. For more information about our AI tools and our use of AI, please see our Responsible AI webpage.

9.5 We rely on legitimate interest as our lawful basis should we process any personal data, either directly or incidentally, through our use of AI. We will discuss with you the use of any new AI tools on your matter outside of those noted on our Responsible AI webpage.

9.6 We commit periodically to reviewing our generative AI practices to ensure these (and any emerging) risks are monitored.

10. Withdrawal of consent

10.1 Where we process your personal data on the basis of your consent (for example, for certain direct marketing activities or for processing special category data in specific circumstances described in this Policy), you may withdraw that consent at any time by contacting us at [email protected] or via the web form on our Contact Us page.

10.2 If you do withdraw your consent, we may still be able to process some of the data that you have provided to us on other grounds and will notify you of these at such time.

11. Your information rights

11.1 Data Protection Legislation gives you the right to access information held about you. You are entitled to be told by us whether we or someone else on our behalf is processing your personal information; what personal information we hold; details of the purposes for the processing of your personal information; and details of any third party with whom your personal information has been shared. We may reasonably request further information in order to identify the information or activities to which your request relates.  Please note that you are only entitled to information which we are able to provide based on a reasonable and proportionate search.

11.2 You can access the personal information we hold on you by writing to us at: FAO: Data Protection Officer, One Glass Wharf, Bristol, BS2 0ZX or by contacting [email protected] or by completing our web form via our Contact Us page.

11.3 We may ask you to provide certified copy proof of identity before we show you your personal information – this is so we can prevent unauthorised access. 

11.4 You will not usually have to pay a fee to access your personal information (or to exercise any of the other rights). However, in the event that an access request is unfounded, excessive or especially repetitive, we may charge a ‘reasonable fee’ for meeting that request. Alternatively, we may refuse to comply with your request in such circumstances. Similarly, we may charge a reasonable fee to comply with requests for further copies of the same information. (That fee will be based upon the administrative costs of providing the information).  

11.5 You have the additional rights to request rectification and erasure of your personal data and to request restriction of, and to otherwise object to, our processing of your personal data and you can exercise these rights at any time by contacting [email protected] or by completing our web form via our Contact Us page.

11.6 You are also entitled to receive the personal data that you have provided to us in a structured, commonly used and machine-readable format, and to transmit that data to another data controller. You can exercise this by contacting us at [email protected] or by completing our web form via our Contact Us page.

11.7 You have the right to object to the processing of your personal data for direct marketing purposes at any time. If you exercise this right, we will stop processing your data for such purposes. You can do so by clicking the ‘unsubscribe’ link in any marketing email, by contacting [email protected], or by completing our web form via our Contact Us page.

11.8 Whilst we do not currently carry out any automated decision-making, if we do make any decision about you based solely on automated processing (including profiling) that produces legal effects or similarly significant effects concerning you, you have the right to request human review of that decision, to express your point of view, and to contest the decision. To exercise this right, please contact us using the details in Section 13.

12. Complaints

12.1 If at any time you consider that we have not processed your personal data in accordance with this Policy or applicable Data Protection Legislation, please contact us straight away to let us know.

12.2 In addition, you have a statutory right to make a complaint to us if you consider that our processing of your personal data infringes your rights.  To do so, please contact us as directed in Section 13 below.

12.3 You have the right to make a complaint to the UK’s data protection regulator, the Information Commissioner’s Office (ICO).  For more details please visit https://ico.org.uk/concerns/handling/. Alternatively, if you are located in the EU or EEA you may contact the Irish Data Protection Commissioner (DPC) via their website: https://dataprotection.ie/docs/complaints/1592.htm

12.4 With effect from 1 January 2021, the DPC is our lead supervisory authority within the EU/EEA, in addition to the ICO within the UK.