GDPR Compliance

Last Updated: March 2026

Our Core Commitment: BMA Law does not sell, share, rent, lease, or disclose customer data to any third party, for any reason, under any circumstances. Your data stays with us. Period.

Our Commitment to GDPR Compliance

BMA Law ("we," "our," "us") is committed to ensuring the protection and privacy of personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). We recognize data protection as a fundamental right and have implemented comprehensive policies, procedures, and technical measures to ensure all personal data is processed lawfully, fairly, and transparently.

For our full privacy practices, see our Privacy Policy. For information about our AI systems, see our EU AI Act Transparency Policy.

Your Rights as a Data Subject

Under the GDPR, you are entitled to the following rights:

Right of Access (Article 15)

You have the right to obtain confirmation as to whether personal data concerning you is being processed and, where applicable, access to that data together with information about purposes, categories, recipients, retention periods, and the existence of your other rights.

Right to Rectification (Article 16)

You have the right to obtain rectification of inaccurate personal data without undue delay, and to have incomplete data completed.

Right to Erasure (Article 17)

You have the right to obtain erasure of personal data where: it is no longer necessary for its original purpose; you withdraw consent; you object and there are no overriding legitimate grounds; the data was unlawfully processed; or erasure is required by law. This right is subject to exceptions for legal compliance and defense of legal claims.

Right to Restriction of Processing (Article 18)

You have the right to restrict processing where: you contest accuracy (pending verification); processing is unlawful and you oppose erasure; we no longer need the data but you require it for legal claims; or you have objected pending verification of legitimate grounds.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format (CSV or JSON) and to transmit it to another controller, where processing is based on consent or contract and carried out by automated means.

Right to Object (Article 21)

You have the right to object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds. For direct marketing, you can object at any time and we will stop without exception.

Rights Related to AI Processing (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal effects. We do not engage in automated decision-making that produces legal effects on individuals. For details on our AI systems, see our EU AI Act Transparency Policy.

How to Exercise Your Rights

To exercise any right described above, email: [email protected]

Include sufficient information to verify your identity and identify the specific data your request relates to. We may request additional verification to protect your data from unauthorized access.

Data Protection Officer

BMA Law has designated a Data Protection Officer (DPO) responsible for overseeing data protection strategy and compliance. The DPO can be contacted at: [email protected]

Response Timeline

We will respond to data subject requests within thirty (30) days, extendable by two months for complex requests. We will inform you of any extension within one month, with reasons. If we decline a request, we will inform you within one month with reasons and your right to lodge a complaint.

Legal Basis for Processing

We process personal data under Article 6 of the GDPR on the following bases: your explicit consent; performance of a contract; compliance with legal obligations; protection of vital interests; and legitimate interests (where not overridden by your rights). You may request copies of our legitimate interest assessments at [email protected].

No Data Sharing

We do not share your data with anyone. BMA Law does not sell, rent, lease, trade, or otherwise disclose your personal data to any third party for any purpose. Your data is processed solely to provide the services you have requested from us. This applies to all data, including data processed by our AI systems.

International Data Transfers

Where we transfer data outside the EEA or UK, we use Standard Contractual Clauses (SCCs) as approved by the European Commission, the UK International Data Transfer Agreement, or other legally recognized mechanisms. We conduct transfer impact assessments and implement supplementary measures as necessary. Your data is never shared with third parties during transfer.

Complaints

If you are dissatisfied with our processing or our response to a request, you may lodge a complaint with your local supervisory authority. EU authorities are listed at edpb.europa.eu. For the UK, contact the Information Commissioner's Office (ICO).

We appreciate the opportunity to address concerns before you approach a supervisory authority. Please contact us first at [email protected].

Contact

BMA Law
General: [email protected]
GDPR/Data Protection: [email protected]
Website: bmalaw.com