Privacy Policy

About us

Veitch Penny Solicitors, part of Gilbert Stephens LLP, is committed to protecting and respecting your personal information and privacy. This privacy and cookie policy relates to our use of any personal information we collect from you from any of our services. Whenever you provide personal data, we are legally obliged to use your information in accordance with all applicable laws concerning the protection of such information; including the Data Protection Act 1998 and 2018 (DPA), and The General Data Protection Regulation 2016 (GDPR) together, and with other subsequent laws passed to bring the GDPR in to effect in England and Wales after 31 December 2020 (“Data Protection Law”)

Veitch Penny is a trading name of Gilbert Stephens LLP.

For the purpose of the Data Protection Law, the data controller is Gilbert Stephens LLP, registered number OC352723. You can contact us:-

  • By mail at our registered office which is at is at 15-17 Southernhay East, Exeter EX1 1QE
  • By telephone 01392 424242 (ask for the Data Protection Officer)
  • By mail [email protected]

Whose data do we hold?

We may hold data about the following people:

  • Clients
  • Employees
  • Suppliers and service providers
  • Advisers, consultants and other professional experts
  • Complainants
  • Prospective clients

What data will we collect?

We will only collect information from you that is relevant to the matter that we are dealing with. In particular, we may collect the following information from you, which is defined as “personal data”:

  • Personal details
  • Family lifestyle and social circumstances
  • Financial details
  • Business activities of the person whose details we are processing

Special Categories

We may also collect sensitive information that is referred to as being in a “special category”. This could include:

  • Race or ethnic origin
  • Religious beliefs or other beliefs of a similar nature
  • Criminal convictions
  • Sexual orientation
  • Physical or mental health details

Basis for processing

The basis on which we process your personal data is one or more of the following:

  • It is necessary for the performance of our contract with you
  • It is necessary for us to comply with a legal obligation
  • It is in our legitimate interests to do so
  • You have given us your consent (this can be withdrawn at any time by advising our Data Protection Manager)

How will we use your data

We may use your information for the following purposes:

  • Provision of legal services, including advising and acting on behalf of clients
  • Promotion of our services
  • Provision of education and training to clients and employees
  • Maintaining accounts and records
  • Supporting managing staff

Who will we share your information with?

Under our Code of Conduct, there are very strict rules about who we can share your information with and this will normally be limited to other people who will assist with your matter. These may include:

  • Barristers
  • Medical experts
  • Health Care Professionals
  • Social and Welfare organisations
  • Courts and Tribunals
  • Private Investigators
  • Credit Reference Agencies

Sometimes we use third party service providers (data processors) to supply and support our services to you. We have contracts in place with our data processors which ensure that they cannot do anything with your personal information unless we have instructed them to do so. They will not share your personal information with any organisation apart from us and will hold it securely and retain it only for the period we instruct.

Where you authorise us to do so, we may also disclose your information to family, associates or representatives and may also disclose your information to debt collection agencies if you do not pay our bills.

How long will we keep your information for?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

When it is no longer necessary to retain your personal information, we will delete or anonymise it. In some circumstances we may anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of it, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal or regulatory requirements.

Contacting you

If you were an existing client as at 1st May 2018, and have been receiving information about our legal services (marketing) from us, we will continue to contact you by postal and electronic means (e-mail) with information about our legal services, unless you ask us not to do so by contacting [email protected]
If you become a client after 1st May 2018, we will contact you by post or electronic means with information about our legal services, but only if you have consented to this. You can choose to not receive these types of communication by contacting [email protected]
Transfers to third countries

Your data is stored by us and our processors in the UK, EEA or in a country where an adequacy decision has been made by the European Data Protection Board (EDPB). We may from time to time transfer your data to a country outside of the European Economic Area. Normally this would be necessary for the performance of your contract with us, or for the exercise or defence of a legal claim on your behalf. Sometimes we may transfer data for other reasons and we will ensure that the safeguards required by Data Protection Law are in place at all times.

Security arrangements

We will ensure that all of the information you provide us with is kept secure using appropriate technical and organisational measures. We hold the Law Society Lexcel Practice Management Standard. In the event of a personal data breach we have in place procedures to ensure the effects of such a breach are minimised and will liaise with the Information Commissioner’s Office and with you as appropriate. More information is available from the Data Protection Manager.

What rights do you have?

You have the following rights under Data Protection Law :-

  • A right to be informed about how we process your data
  • A right of access – you are entitled to find out what information we hold about you and why- see below
  • A right to rectification so that we must correct or update your details
  • A right to erasure – see below
  • A right to restrict processing
  • A right to data portability enabling you to obtain and re-use the personal data you have given to us
  • A right to object to us processing your data for marketing or profiling purposes
  • Rights concerning automated decision making and profiling

Right of access

You have a right to see the information we hold about you. To access this you need to provide a request in writing to our Data Protection Manager, together with proof of identity. We will usually process your request free of charge and within 30 days. However, we reserve the right to charge a reasonable administration fee and to extend the period of time by a further 2 months if the request is manifestly unfounded or vexatious and/or is very complex. Further details are available in our Data Subject Access Policy which is available on request from the Data Protection Manager

Right to erasure

You have a right to ask us to erase your personal data in certain cases. We will deal with your request free of charge and within 30 days, but reserve the right to refuse to erase information that we are required to retain by the law or regulation or that is required to exercise or defend legal claims. To exercise your right to erasure please contact our Data Protection Manager.

Who you can complain to

If you are unhappy about how we are using your information or how we respond to your request then initially you should contact the Data Protection Manager. If your complaint remains unresolved then you can contact the Information Commissioner’s Office, contact details are available at

Further information

To find out more information about the DPA and the way in which it is administered contact the Information Commissioner’s Office or online at