Data Protection Policy
Last reviewed: 17 June 2026 · Version 1.0
MID Legal Limited takes the protection of personal data seriously. This Data Protection Policy sets out our approach to handling personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It complements, and should be read with, our Privacy Policy.
Data Controller
MID Legal Limited is the data controller for the personal data we process in the course of providing legal services. We are a company registered in England and Wales (Company No. 16969538) with our registered office at 41 Bernard Grove, Bolton, Lancashire, BL1 3LE. For any data protection matter, you can contact us at info@midlegal.uk.
Our Data Protection Principles
We are committed to processing personal data in accordance with the principles set out in UK GDPR. Personal data must be:
- Processed lawfully, fairly and in a transparent manner.
- Collected for specified, explicit and legitimate purposes.
- Adequate, relevant and limited to what is necessary.
- Accurate and, where necessary, kept up to date.
- Kept in a form that permits identification of individuals for no longer than is necessary.
- Processed in a manner that ensures appropriate security.
Lawful Bases for Processing
We process personal data only where we have a lawful basis to do so. The bases we most commonly rely on are the performance of a contract with you, compliance with a legal or regulatory obligation, our legitimate interests in running our practice, and, where appropriate, your consent. Where we process special category data, such as information about health or criminal matters, we do so only where an additional condition under UK GDPR applies, typically because it is necessary for the establishment, exercise or defence of legal claims.
Data Security
We maintain appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. These measures include access controls, secure storage, staff training and confidentiality obligations. In the event of a personal data breach that is likely to result in a risk to individuals, we will notify the Information Commissioner’s Office (ICO) without undue delay and, where required, the individuals affected.
Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected and to meet our legal, regulatory and insurance obligations. Files are generally retained for at least six years after the conclusion of a matter, after which they are securely destroyed unless a longer period is required.
Your Rights
Under UK GDPR you have the right to be informed about how your data is used, to access your data, to have inaccurate data corrected, to request erasure, to restrict or object to processing, and to data portability. To make a request, please contact our Data Protection Officer at info@midlegal.uk or call 07448 478847. We will respond within one month, although this period may be extended for complex requests.
Complaints to the ICO
If you are unhappy with how we have handled your personal data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK’s independent supervisory authority, at ico.org.uk. We would welcome the chance to resolve your concerns directly before you contact the ICO.
Review
This policy is reviewed regularly and updated to reflect changes in the law and our practices.