Privacy Notice

Privacy Notice to Client Firms and Individual Customers

Effective 31st December 2020  –   V5 – 1st July 2024

Cpm21 (21st Century Professional Management) is a Trading Name of PXJ Consulting Ltd

Valley View

38 Lletty Dafydd,


SA11 4BG

Telephone No:  01443 742895

E-Mail Address:


UK Data Privacy/Data Protection Law changed significantly on 25th May 2018.

The General Data Protection Regulation (or GDPR for short) was a positive step towards individuals having more control over how their data is used and how they are contacted.

At 11pm on 31st December 2020, EU GDPR will no longer apply to personal data held or processed within the UK. Instead, “UK GDPR” will apply to such data. The provisions of UK GDPR are essentially the same as EU GDPR and therefore the following rights continue to apply.

We use Stripe for payment, analytics, and other business services. Stripe collects and processes personal data, including identifying information about the devices that connect to its services. Stripe uses this information to operate and improve the services it provides to us, including for fraud detection and prevention. You can learn more about Stripe and its processing activities via privacy policy at:

Individuals have the right under the UK GDPR:

  • To be informed
  • To access their personal data
  • To rectification where that data is inaccurate or out-of-date
  • To erasure in some cases
  • To restrict processing
  • To data portability
  • To object
  • To ask for automated decision-making and profiling to be reviewed by a person

The changes will also help to better protect Personal Data. We have therefore updated our privacy notice to reflect these changes.

When providing consultancy support and guidance we usually enter into a contract with a “client firm” (e.g. solicitors or other professional services firms) and will provide services under the current version of cpm21 Terms and Conditions of Business in force at that time. Our updated Terms and Conditions of Business now address our obligations as “data processors” under GDPR in line with ICO guidance. We rely on the client firm to obtain any necessary consents from staff, clients etc when sharing their personal data with us or our Associates.

When we receive data from an “individual customer” we will hold and process it as a Data Controller e.g. where an individual books onto a training course. Please note that if a firm books a course on behalf of an individual then their name and details will be shared with the firm e.g. the delegate’s name will appear on our invoice.

We will only use personal data to help us provide an excellent service.

We will respect the privacy of individuals and client firms and work hard to ensure we meet strict regulatory requirements.

We will not sell personal data to third parties.

We will hold, and process data based on contract (with an individual customer), legal obligation, and legitimate interest.

Where the client firm or their staff or third parties provide us with sensitive or special category data we will rely on the client firm to obtain the necessary explicit consents e.g.  in relation to medical data or diversity data.

We will provide individuals with easy ways to manage and review their marketing choices if they receive direct marketing communications from us. Please note that our CPD/CPC course sign-in sheets currently invite delegates to share personal data and ask you whether you wish to OPT-IN to future marketing and updates. However, from 25th May 2018, we will generally no longer use sign-in sheets for either in-house or external courses. For in-house courses, it will be for the hosting firm to arrange their own record of attendees. We will generally, no longer issue training certificates.  However, we will for Legal Aid Supervision Courses continue to invite delegates to sign in and will issue training certificates to those that sign in and successfully complete their course. We have minimised the personal data we collect on these forms, but delegates should be aware that their personal data may be seen by other delegates.

Please note that when a delegate is booked on a course, we will record their details and the details of their firm on a current Course Booking Register.

As we work principally in the legal sector, and are Law Society Approved LEXCEL consultants, confidentiality is already part of the fabric and culture of our company to keep your information private and secure.

We would ask you to help us keep your data secure by carefully following any guidance and instructions we give e.g. by password protecting any documentation you send to us electronically such as an Excel or Word document.

Lawful Bases for Processing your Data

The new law states that we are allowed to use personal information only if we have a proper and lawful reason to do so. This includes sharing it with others outside the company e.g. an auditor of a relevant Quality Standard, the Law Society and Associate Consultants, Tutors and Administrators.

The GDPR says we must have one or more of these reasons:

  • Contract: the processing is necessary for a contract we have with an individual, or because they have asked us to take specific steps before entering into a contract e.g. an individual being booked on to a CPD/CPC training course
  • Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
  • Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
  • Consent: the individual has given clear consent for us to process their personal data for a specific purpose.

A legitimate interest is when we have a business or commercial reason to use your information.

Here is a list of the ways that we may use your personal data, and which of the reasons we rely on to do so.


Use of your

Personal Data


Our reason/justification for processing



Legitimate Business Interest

Opening, progressing, closing, archiving and storing a client firm folder.


Updating our Course Booking Registers

·        Contract

·        Legitimate Interest

·        Legal Obligation

Fulfilling a client firm’s instructions and providing services and training to individual customers


Complying with regulations and the law


Direct marketing to you ·        Legitimate Interest Keeping our records and database up-to-date, working out which of our products and services may interest you and telling you about them

Providing news articles and information on changes in the law and regulation and inviting you to contact us for support

• To make and manage payments.
• To manage fees and charges• To collect and recover money that is owed to us.
·        Contract

·        Legitimate Interest

·        Legal Obligation

Keeping our accounts systems up-to-date

Effective and efficient management of a sustainable business

• To manage risk for us and our client firms.
• To comply with laws and regulations that apply to us.
• To respond to complaints and seek to resolve them.
·        Contract

·        Legitimate Interest

·        Legal Obligation

Complying with regulations that apply to us.

Being efficient about how we fulfil our legal and contractual duties.

To run our business in an efficient and proper way. This includes managing our financial stability, business capability, planning, communications, corporate governance, and audit. ·        Legitimate Interest

·        Legal Obligation


Complying with regulations that apply to us


Being effective and efficient about how we run our business


To allow Associate Consultants, Tutors, Administrators and Auditors to inspect a client firm’s client files and other personal data e.g. staff records such as appraisals


To exercise our rights and comply with obligations set out in agreements or contracts ·        Legitimate Interest

·        Legal Obligation


Complying with contractual requirements e.g. our obligations as A Law Society Approved LEXCEL Consultants


Types of Personal Data we process



Type of Personal Information




Financial Your Bank account details and your financial status and information
Contact Information How to contact you
Socio-Demographic This includes details about your work or profession, nationality etc.
Transactional Details about payments to and from your bank accounts
Contractual Details about the products or services we provide to you
Behavioural Details about how you use our services
Communications What we learn about you from letters, emails, and conversations between us
Social Relationships Family friends and other relationship e.g. via Facebook, Linked-in etc.
Open Data and Public Records Details about you that are in public records such as the Law Society and SRA records.
Documentary Data Details about you that are stored in documents in different formats, or copies of them.  This could include things like Annual Accounts, Audit Reports, Management and Accounts Reports etc.
Special types of data The Law and other regulations treat some types of personal information as a special category. We will only collect and use these types of data if the law allows or requires us to do so:


·        Racial or ethnic origin

·        Religious or philosophical beliefs

·        Trade union membership

·        Genetic and bio-metric data

·        Health data including gender

·        Criminal convictions and offences


Consents Any permissions, consents or preferences that you give us.  This includes things like how you want us to contact you.
National Identifier A number or code given to you by a government department to identify who a person is, such as a National Insurance Number
Legal Aid Application and Bill Information required to submit an application for public funding and to claim fees under any legal aid certificate
HR Records Curriculum Vitae Staff Lists, Performance Appraisals, Induction and Recruitment Records
File Review Records Information on the performance of a fee earner/caseworker and details of the client’s case or matter


Sources of Data

We collect personal data from various sources:








Data you give us when you instruct us to advise/support/train you Client Firm/Individual Customer To enable us to decide whether to accept your instructions and assist you
Data you give us by letter/phone/email and other documents Client Firm/Individual Customer To enable us to decide whether to accept your instructions and assist you
Data you give us when you visit our website, via a messaging service or social media You To enable us to deal with your query or request and to contact you if appropriate
Data given to us during interviews/meetings etc. Client Firm/ Client Firm Staff Member/Individual Customer To enable us to assist You/Member of your Firm
Data you give us in client surveys Client Firm/Individual Customer To enable us to improve our services and respond to any expressions of dissatisfaction
Data provided to us by referrers and introducers Referrers To enable us to contact you
Audit preparation and audit report documents Audit Body or Auditor To enable us to assist and support you
Public Bodies Law Society / SRA To enable us to assist and support you
The Legal Aid Agency Reports e.g. Peer Review You/Your Firm To enable us to assist and support you


Who we share your Data with

We may share your personal data with (and sub-contract processing of that data to):

  • Associate Consultants
  • Associate Tutors
  • Associate Administrators
  • Audit Bodies
  • Auditors
  • Referrers
  • Organisations that we introduce you to
  • HM Revenue and Customs
  • The government both Central and Devolved
  • The SRA and other regulators
  • The Law Society

Automated Decision-Making

We do not use automated decision-making systems.

Personal Data we use

We typically will use the following types of personal data:

  • Your Name
  • Date of Birth
  • Work/Home address
  • Contact details such as phone numbers and email addresses
  • Bank details and account information
  • Medical information (where applicable) e.g. medical report in support of additional time requests for exams
  • Employment details
  • Your Social Media Profile
  • Financial and Management Data

Sending Data outside the European Economic Area (EEA) and the UK

We will store the bulk of your documents and information on Dropbox for Business which is therefore outside the EEA, namely in the USA.

On 1 August 2016 the European Commission issued its formal decision that the EU-US Privacy Shield provided adequate protection to allow personal data to be transferred to the United States. However, this no longer provides adequate protection following the Schrems II Judgement in July 2020 (ruling the United States Privacy Shield was no longer a valid safeguard under EU GDPR and Data Protection Rules). We anticipate that the same will apply for the time being to UK GDPR.

We have therefore, a Data Processing Agreement with Dropbox which contains EU Standard Contractual Clauses as required by EU GDPR.  These will be reviewed and updated as UK GDPR develops but for the time being should satisfy UK GDPR.

Likewise, we use several software packages within Microsoft (Office) 365 (such as WORD and EXCEL) to process data and, where possible, use passwords for individual documents. However, Microsoft has also included EU Standard Contractual Clauses within its Privacy agreements.

Following a risk assessment, we are in direct contact with Intuit QuickBooks (which also stores data in the USA) and which we use to process accounts data, to ensure they have similar safeguards in place.

You or a member of your firm’s refusal to provide Personal Data requested

If you or they refuse to provide the information requested, then it may cause delay and we may be unable to continue to assist and support you as requested.

Marketing Information

We may from time to time send you letters or emails about changes in the law/regulations and make suggestions about actions that you might consider taking in the light of that information e.g. updating your policies and procedures. We will send you this marketing information either because you have consented to receive it or because we have a “legitimate interest”.

You have the right to object and to ask us to stop sending you marketing information by contacting us at any time. You can of course change your mind and ask us to send the information again.

How long we keep your personal information

We are legally obliged to keep certain information for at least 6 years e.g. accounts data and typically store your documents for 18 months from when we last assisted you.

We will keep your name and personal contact details on our database until you tell us that you would like them to be removed.

How to get a copy of your Personal Information

If you wish to access your personal data, then write to:


Mr Paul Jones

Data Protection Manager

Cpm21 (21st Century Professional Management)

Valley View

38 Lletty Park,


SA11 4BG


Telling us if your Personal Information is incorrect (The right to rectification)

If you think any information we have about you is incomplete or wrong, then you have the right to ask us to correct it.  Please contact us as above.

Other Rights

As mentioned above you also have other rights, namely

  • The right to erasure
  • The right to restrict processing
  • The right to data portability

You have the right to ask us to delete (erase) or stop us using your data if there is no longer any need for us to keep it (e.g. under a legal obligation).

In terms of data portability, if your file is in electronic format we will take reasonable steps to export the file to a “portable format” where possible.


GDPR in some cases requires us to obtain your explicit consent i.e.

(a) The racial or ethnic origin of the data subject,

(b) Their political opinions,

(c) Their religious beliefs or other beliefs of a similar nature,

(d) Their membership of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) Their physical or mental health or condition,

(f) Their sexual life,

(g) The commission or alleged commission by them of any offence, or

(h) Any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.

Where assisting and supporting a client firm involves us processing such data we will seek confirmation from the firm that they have the explicit consent of the individual. If we are dealing with the personal data of an individual customer e.g. when we plan to obtain their medical records, we will ask for explicit consent.

The individual has the right to withdraw their consent by contacting us as stated above.


How to Complain

If you are unhappy about how we are using your Personal Data then you can complain to us using the contact information above.

You also have the right to complain to the Information Commissioner’s Office (ICO). Further details on how to raise a concern with the ICO can be found on the ICO’s website:


Our current Cookie Policy can be found here.

Updating this Notice

We will, from time to time, update this Privacy Notice to reflect emerging ICO and Working Party 29 guidance, requirements of the new Data Protection Act 2018 and any other relevant changes in the law or regulations. We will also seek to learn from any published cases of Data Protection breaches.