Our Commitment to GDPR Compliance
BMA Law (“we,” “our,” “us,” or the “Firm”) is firmly committed to ensuring the protection and privacy of personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”). We recognize the fundamental importance of data protection as a right of every individual and have implemented comprehensive policies, procedures, and technical measures to ensure that all personal data entrusted to us is processed lawfully, fairly, and transparently. This page outlines our approach to GDPR compliance and provides detailed information on how you, as a data subject, may exercise your rights under the Regulation.
For our full privacy practices, including information about the types of data we collect, how we use your data, and our policies on cookies, data retention, and security, please refer to our comprehensive Privacy Policy.
Your Rights as a Data Subject
Under the GDPR, you are entitled to the following rights with respect to your personal data. These rights are not absolute and may be subject to certain conditions and exemptions as set out in the Regulation:
Right of Access (Article 15): You have the right to obtain from us confirmation as to whether or not personal data concerning you is being processed and, where that is the case, access to the personal data together with information about the purposes of processing, the categories of data concerned, the recipients to whom the data has been or will be disclosed, the retention period, and the existence of your other rights. You are entitled to receive a copy of the personal data undergoing processing, free of charge for the first request.
Right to Rectification (Article 16): You have the right to obtain the rectification of inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to Erasure / Right to Be Forgotten (Article 17): You have the right to obtain the erasure of personal data concerning you without undue delay where one of the following grounds applies: the data is no longer necessary for the purposes for which it was collected; you withdraw your consent and there is no other legal basis for the processing; you object to the processing and there are no overriding legitimate grounds; the data has been unlawfully processed; or the data must be erased to comply with a legal obligation. Please note that this right is subject to exceptions, including where processing is necessary for compliance with a legal obligation, for the exercise or defense of legal claims, or for reasons of public interest.
Right to Restriction of Processing (Article 18): You have the right to obtain restriction of processing where you contest the accuracy of the data (for a period enabling us to verify accuracy), where the processing is unlawful and you oppose erasure, where we no longer need the data but you require it for legal claims, or where you have objected to processing pending verification of whether our legitimate grounds override yours. When processing is restricted, we will only store the data and will not further process it without your consent, except for the establishment, exercise, or defense of legal claims.
Right to Data Portability (Article 20): You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format (such as CSV or JSON). You also have the right to transmit that data to another controller without hindrance from us, where the processing is based on consent or a contract and is carried out by automated means.
Right to Object (Article 21): You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data which is based on our legitimate interests or on the performance of a task in the public interest. Upon receiving your objection, we shall no longer process your personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims. Where personal data is processed for direct marketing purposes, you have the right to object at any time, and we will cease processing for such purposes without exception.
How to Exercise Your Rights
To exercise any of the rights described above, please submit your request by email to our dedicated GDPR contact address:
When submitting a request, please include sufficient information to allow us to verify your identity and to identify the specific personal data to which your request relates. We may request additional information from you to confirm your identity before processing your request, particularly where we have reasonable doubts concerning the identity of the person making the request. This verification step is necessary to protect your personal data from unauthorized access or disclosure.
Data Protection Officer
BMA Law has designated a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy, ensuring compliance with the GDPR, and serving as the primary point of contact for data subjects and supervisory authorities on matters relating to data protection. The DPO can be contacted at:
Data Protection Officer
BMA Law
Email: [email protected]
The DPO is available to address any questions or concerns you may have regarding the processing of your personal data, to receive and coordinate responses to data subject requests, and to liaise with supervisory authorities as necessary.
Response Timeline
In accordance with Article 12(3) of the GDPR, we will provide information on action taken on a data subject request without undue delay and in any event within thirty (30) days of receipt of the request. This period may be extended by two further months where necessary, taking into account the complexity and number of requests received. We will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. Where we decide not to take action on a request, we will inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Legal Basis for Processing
We process personal data only where we have a valid legal basis under Article 6 of the GDPR. The legal bases upon which we rely include: your explicit consent; the necessity of processing for the performance of a contract to which you are a party (including our engagement letter and retainer agreement); compliance with a legal obligation to which we are subject; the protection of vital interests; and the pursuit of our legitimate interests, provided that such interests are not overridden by your fundamental rights and freedoms. Where we rely on legitimate interests, we conduct and document a legitimate interest assessment to ensure that the balance of interests favors processing. You may request a copy of our legitimate interest assessments by contacting us at [email protected].
International Data Transfers
Where we transfer personal data from the European Economic Area (EEA) or the United Kingdom to countries that have not received an adequacy decision from the European Commission, we ensure that appropriate safeguards are implemented to protect your personal data. These safeguards include the use of the European Commission’s Standard Contractual Clauses (SCCs) as approved under Commission Implementing Decision (EU) 2021/914, the UK International Data Transfer Agreement or Addendum, or other legally recognized transfer mechanisms. We conduct transfer impact assessments where required and implement supplementary measures as necessary to ensure that your personal data receives a level of protection essentially equivalent to that which it would receive within the EEA.
Complaints Process
If you are dissatisfied with our processing of your personal data or with our response to a data subject request, you have the right to lodge a complaint with the relevant supervisory authority in your country of residence, place of work, or place of the alleged infringement. A list of EU data protection supervisory authorities and their contact details can be found on the European Data Protection Board (EDPB) website at edpb.europa.eu. For the United Kingdom, the relevant supervisory authority is the Information Commissioner’s Office (ICO), which can be contacted at ico.org.uk.
We would, however, appreciate the opportunity to address your concerns before you approach a supervisory authority. If you have any complaints or concerns about our data processing practices, please contact us first at [email protected], and we will endeavor to resolve the matter promptly and to your satisfaction.
For our complete privacy practices, including information about data collection, cookies, data retention, security measures, and your rights under other privacy laws such as the CCPA, please review our Privacy Policy.