Skip to content

Privacy Notice – General Data Protection Regulation (“GDPR”)

Kent Traffic Law encourages you to read the following information carefully.

  1. This privacy notice contains information about the personal data collected, stored and otherwise processed about you and the reasons for the processing. It also tells you who I, Sunil Rupasinha, share this information with, the security mechanisms I have put in place to protect your data and how to contact me in the event you need further information.


  1. Under Art. 4 of the General Data Protection Regulations, hereinafter referred to as GDPR, the following definitions can be found which relate to this privacy notice.

s1: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

s7: ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

s8: ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

s11: ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

s12: ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Who am I? -Data Controller

  1. Sunil Rupasinha collects, uses and is responsible for personal information about you.  When I do this I am the ‘controller’ of this information for the purposes of the GDPR  and the Data Protection Act 2018.
  2. If you need to contact me about your data or the processing carried out you can use  the contact details at the end of this document.

What do I do with your information? 

  1. Information collected:

When carrying out the provision of legal services or providing a reference I may collect  some or all of the following personal information that you provide:

  1. personal details
  2. family details
  3. lifestyle and social circumstances
  4. goods and services
  5. financial details
  6. education, training and employment details
  7. physical or mental health details
  8. racial or ethnic origin
  9. political opinions
  10. religious, philosophical or other beliefs
  11. trade union membership
  12. sex life or sexual orientation
  13. genetic data
  14. biometric data for the purpose of uniquely identifying a natural person
  15. criminal proceedings, outcomes and sentences, and related security measures p. other personal data relevant to instructions to provide legal services,  including data specific to the instructions in question.

Information collected from other sources. 

  1. The same categories of information may also be obtained from third parties, such as other legal professionals or experts, members of the public, your family and friends,  witnesses, courts and other tribunals, investigators, government departments,  regulators, current, past or prospective employers, education and examining bodies, public records and registers. This will likely rarely be the case as most of the reliable personal data will come directly from the data subject (Art. 13 of the GDPR)

How I use your personal information: Purposes  

  1. I may use your personal information for the following purposes:
  2. to provide legal services to my clients, including the provision of legal advice  and representation in courts, tribunals, arbitrations, and mediations
  3. to keep accounting records and carry out office administration
  • to take or defend legal or regulatory proceedings or to exercise a lien
  1. to respond to potential complaints or make complaints
  2. to check for potential conflicts of interest in relation to future potential cases
  3. to carry out anti-money laundering and terrorist financing checks
  • when procuring goods and services
  • as required or permitted by law.

Whether information has to be provided by you, and why 

  1. If I have been instructed by you or on your behalf on a case or if you have asked for a  reference, your personal information has to be provided, to enable me to provide you  with advice or representation or the reference, and to enable me to comply with my professional obligations, and to keep accounting records.

The legal basis for processing your personal information  

  1. Under Art. 6 of the GDPR, data controllers and processors must have a lawful basis for the processing of the personal data that is collected. I rely on the following as the lawful bases on which a client’s personal information is collected and used:
  • If you have consented to the processing of your personal information, then I  may process your information for the Purposes set out above to the extent to  which you have consented to me doing so.
  • If you are a client, processing is necessary for the performance of a contract  for legal services or in order to take steps at your request prior to entering into  a contract.
  • In relation to information which is in categories

(g) to (o) above (these being  categories which are considered to include particularly sensitive information  and which include information about criminal convictions or proceedings) I  rely on your consent for any processing for the purposes set out in purposes (i-viii) above. I need your consent to carry out processing  of this data for these purposes. However, if you do not consent to processing  for purposes (i-viii) above, I will be unable to take your case

  • In relation to information in categories (g) to (o) above (these being categories  which are considered to be particularly sensitive information and include  information about criminal convictions or proceedings), I am entitled by law  to process the information where the processing is necessary for legal  proceedings, legal advice, or otherwise for establishing, exercising or  defending legal rights.
  • In relation to information which is not in categories (g) to (o) above, I rely on  my legitimate interest and/or the legitimate interests of a third party in  carrying out the processing for the Purposes set out above.
  • In certain circumstances processing may be necessary in order that I can  comply with a legal obligation to which I am subject (including carrying out  anti-money laundering or terrorist financing checks).
  • The processing is necessary to publish judgments or other decisions of courts  or tribunals.

Who will I share your personal information with? 

  1. If you are a client, some of the information you provide will be protected by legal  professional privilege unless and until the information becomes public in the course  of any proceedings or otherwise. As a barrister I have an obligation to keep your  information confidential, except where it otherwise becomes public or is disclosed as  part of the case or proceedings.
  2. It may be necessary to share your information with the following:
  • data processors, such as my Chambers staff, IT support staff, email providers,  data storage providers
  • other legal professionals
  • experts and other witnesses
  • prosecution authorities
  • courts and tribunals
  • the staff in my chambers
  • lay clients
  • family and associates of the person whose personal information I am  processing
  • in the event of complaints, the Head of Chambers, other members of  Chambers who deal with complaints, the Bar Standards Board, and the Legal  Ombudsman
  • other regulatory authorities
  • current, past or prospective employers
  • education and examining bodies
  • business associates, professional advisers and trade bodies, e.g. the Bar  Council
  • the intended recipient, where you have asked me to provide a reference.
  1. I may be required to provide your information to regulators, such as the Bar  Standards Board, the Financial Conduct Authority or the Information  Commissioner’s Office. In the case of the Information Commissioner’s Office, there is  a risk that your information may lawfully be disclosed by them for the purpose of  any other civil or criminal proceedings, without my consent or yours, which  includes privileged information.
  2. I may also be required to disclose your information to the police or intelligence  services, where required or permitted by law.

Sources of information 

  1. In relation to Art 14 of the GDPR which relates to personal data not directly taken from the data subject; the personal information I obtain may include information which has been obtained  from:
  • other legal professionals
  • experts and other witnesses
  • prosecution authorities
  • courts and tribunals
  • trainee barristers
  • lay clients
  • family and associates of the person whose personal information I am  processing
  • in the event of complaints, the Head of Chambers, other members of  Chambers who deal with complaints, the Bar Standards Board, and the Legal  Ombudsman
  • other regulatory authorities
  • current, past or prospective employers
  • education and examining bodies
  • business associates, professional advisers and trade bodies, e.g. the Bar  Council
  • the intended recipient, where you have asked me to provide a reference.
  • data processors, such as my Chambers staff, IT support staff, email providers,  data storage providers
  • public sources, such as the press, public registers and law reports.

Transfer of your information outside the European Economic Area (EEA) 

  1. This privacy notice is of general application and as such it is not possible to state  whether it will be necessary to transfer your information out of the EEA in any  particular case or for a reference. However, if you reside outside the EEA or your  case or the role for which you require a reference involves persons or organisations  or courts and tribunals outside the EEA then it may be necessary to transfer some of  your data to that country outside of the EEA for that purpose. If you are in a country outside the EEA or if the instructions you provide come from outside the EEA then it  is inevitable that information will be transferred to those countries. If this applies to  you and you wish additional precautions to be taken in respect of your information  please indicate this when providing initial instructions.
  2. Some countries and organisations outside the EEA have been assessed by the  European Commission and their data protection laws and procedures found to show adequate protection. The list can be found here. Most do not. If your information has  to be transferred outside the EEA, then it may not have the same protections and  you may not have the same rights as you would within the EEA.
  3. I may transfer your personal information to the following which are located outside  the European Economic Area (EEA):
  • cloud data storage services based in the USA who have agreed to comply with  the EU-U.S. Privacy Shield, in order to enable me to store your data and/or  backup copies of your data so that I may access your data when they need to.  The USA does not have the same data protection laws as the EU but the EU U.S. Privacy Shield has been recognised by the European Commission as  providing adequate protection. To obtain further details of that protection see eu/eu-us-privacy-shield_en.
  • cloud data storage services based in Switzerland, in order to enable me to store  your data and/or backup copies of your data so that I may access your data  when I need to. Switzerland does not have the same data protection laws as the  EU but has been recognised by the European Commission as providing  adequate protection; see protection/data-transfers-outside-eu/adequacy-protection-personal-data-non eu-countries_en.
  1. I will not transfer personal information outside the EEA except as  necessary for providing legal services or for any legal proceedings.
  2. If you would like any further information please use the contact details at the end of  this document.

Data Retention

  1. Kent Traffic Law will normally store all your information until at least 1 year after the expiry of any relevant limitation period (which  will usually be 6 years, but may be 12 years, or longer where the case includes information relating to a minor), from the date of the last item of work carried  out, the date of the last payment received or the date on which all outstanding  payments are written off, whichever is the latest.
  2. This is because it may be needed for potential legal proceedings, regulatory concerns, or complaints. At this point any further retention will be reviewed and the  data will be marked for deletion or marked for retention for a further period.  The latter retention period is likely to occur only where the information is  needed for legal proceedings, regulatory matters or active complaints. Deletion  will be carried out (without further notice to you) as soon as reasonably  practicable after the data is marked for deletion.
  • Conflict Checks – I will store some of your information which I need to carry out conflict checks  for the rest of my career. However, this is likely to be limited to your name and  contact details/ the name of the case/anything else. This will not include any  information within categories (g) to (o) above.
  • Direct Access – I will normally store client instructions, case material and files which will be maintained for 7 years unless there are reasons to retain the papers longer. E.g should a case involve a minor, the information will be retained for 6 years after the 18th birthday of the minor.
  • Anti-money laundering – I will store information related to anti-money laundering checks will be retained until five  years after the completion of the transaction or the end of the business  relationship, whichever is the later;]


  1. Kent Traffic Law will adhere to the retention periods as indicated above. However, Kent Traffic law has a legal responsibility to dispose of any data and equipment containing personal data in a secure manner.
  2. A vast majority of Kent Traffic Law’s hard copy information is contained and used by the sole practitioner Sunil Rupasinha. Electronic and physical data which are taken to court are secured en route to and from courts or clients. Appropriate security measures are placed at the physical site location of any hard copy documents. These security measures are not disclosed on this privacy notice so as to not compromise their integrity.

Destruction of paper records

  1. Upon review that a document has exceeded the retention period, if the information has been retained by Kent Traffic Law, the physical hard copy records shall be destroyed in a manner that is compliant with GDPR and ICO guidelines. This is intended to avoid any breach of confidence or personal data.

Destruction of electronic records

  1. Any equipment that is made redundant shall be wiped and disposed of with the use of a specialist depending on the nature of the equipment. Equipment can range from hard drives, disks, CPU’s, and laptops that may become obsolete. The appropriate devices will also be reset to factory settings.


  1. As explained above, I am relying on your explicit consent to process your  information in categories (g) to (o) above. You provided this consent when you  agreed that I would provide legal services..
  2. You have the right to withdraw this consent at any time, but this will not affect the  lawfulness of any processing activity I have carried out prior to you withdrawing  your consent. However, where I also rely on other bases for processing your  information, you may not be able to prevent processing of your data. For example, if  you have asked me to work for you and I have spent time on your case, you may owe me money which I will be entitled to claim.
  3. If there is an issue with the processing of your information, please contact me or my clerks  using the contact details below.

Your Rights  

  1. Under the GDPR, you have a number of rights that you can exercise in certain  circumstances. These are free of charge. In summary, you may have the right to:
  • Ask for access to your personal information and other supplementary  information;
  • Ask for correction of mistakes in your data or to complete missing  information I hold on you;
  • Ask for your personal information to be erased, in certain circumstances;
  • Receive a copy of the personal information you have provided to me or have  this information sent to a third party. This will be provided to you or the third  party in a structured, commonly used and machine-readable format, e.g. a  Word file;
  • Object at any time to processing of your personal information for direct  marketing;
  • Object in certain other situations to the continued processing of your personal  information;
  • Restrict my processing of your personal information in certain circumstances;
  • Request not to be the subject to automated decision-making which produces  legal effects that concern you or affects you in a significant way.
  1. If you want more information about your rights under the GDPR please see the  Guidance from the Information Commissioners Office on Individual’s rights under the GDPR.
  2. If you want to exercise any of these rights, please:
  • Use the contact details at the end of this document;
  • I may need to ask you to provide other information so that you can be  identified;
  • Please provide a contact address so that you can be contacted to request  further information to verify your identity;
  • Provide proof of your identity and address;
  • State the right or rights that you wish to exercise.
  1. I will respond to you within one month from when I receive your request.

How to make a complaint?  

  1. The GDPR also gives you the right to lodge a complaint with the Information  Commissioners’ Office if you are in the UK, or with the supervisory authority of the  Member State where you work, normally live or where the alleged infringement of  data protection laws occurred. The Information Commissioner’s Office can be  contacted at

Future Processing 

  1. I do not intend to process your personal information except for the reasons stated  within this privacy notice. If this changes, this privacy notice will be amended and posted on Kent Traffic Law’s website

Changes to this privacy notice 

  1. This privacy notice was published on 1.1.20 and last updated on 18.3.21

I continually review my privacy practices and may change this policy from time to  time. All amendments will be posted on the above-mentioned website.

Contact Details 

  1. If you have any questions about this privacy notice or the information I hold about  you, please contact me or my clerks.

The best way to contact me is to write to me the address below or contact:

Sunil Rupasinha, B3, The Business Terrace,
Maidstone House, King Street,
Maidstone, ME15 6AW