Sterling Law Group plc

Data Protection notice to clients


This policy explains how we use any personal information we collect about you. Here at Sterling & Law Independent Financial Consultants we are committed to protecting your information when you use our services or apply for a product.

Sterling & Law Independent Financial Consultants is the trading name of Sterling & Law Group plc. To find out more about Sterling & Law Group plc look at the ‘About Us’ section of our website at

For the purposes of the Data Protection Act 1998 and GDPR provisions, Sterling & Law Independent Financial Consultants is the registered Data Controller.  The trading address of Sterling & Law Independent Financial Consultants is No 1 Harley Street, London W1G 9QD.

This policy explains how we use any personal information we collect about you when you use our websites or get in touch. If you have any questions, please contact us and we will be happy to help. 020 7291 4567 or


Your information

Personal data

We, and the product providers and companies we use, collect your information to provide you with independent financial advice. We use this information to help us select and apply for the products or services you purchase from or through us. This includes the information you give us and the information we may acquire from third parties.

We also collect information about your personal circumstances and your financial situation to find out which products are best suited to your circumstances.  We may need to check your identity so may ask you to send us documents which prove who you are and where you live, such as your passport or utility bills.

The personal data we gather may include contact details, financial information, marital status, ID, nationality, and employment information.


Sensitive personal data

We may need to ask you for sensitive personal data, for example, your physical or mental health or condition, criminal offences, or related proceedings. We would ask for your express permission before using any sensitive personal data. Any use of sensitive personal data would be strictly controlled in accordance with this policy.


Business Purposes

The purposes for which personal data may be used by us:

  • Compliance with our legal, regulatory and corporate governance obligations and good practice;
  • Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests;
  • Ensuring business policies are adhered to (such as policies covering email and internet use);
  • Operational reasons, such as knowing our customers through factfinding, recording transactions, training and quality control;
  • Investigating complaints;
  • Marketing our business;
  • Through third parties such as lenders, security vetting, credit scoring and checking.


This policy supplements our other policies relating to internet and email use. We may supplement or amend this policy with additional procedures and guidelines from time to time. Any new or modified policy will be circulated via updates on our website.

Who is responsible for this policy?

Our Data Protection Officers have overall responsibility for the day-to-day implementation of this policy. They can be contacted by email at or in writing to: The DPO, Sterling & Law Group plc, St James Office, No 1 Harley Street, London W1G 9QD. By telephone: 020 7291 4567.

Our procedures

Fair and lawful processing

We aim to process data fairly and lawfully in accordance with your rights. This means that we would only process your personal data with your consent.

The Data Protection Officer’s responsibilities:

  • Keeping the board updated about data protection responsibilities, risks and issues;
  • Reviewing all data protection procedures and policies on a regular basis;
  • Arranging data protection training and advice for all staff members;
  • Answering questions on data protection from clients, staff, board members and other stakeholders;
  • Responding to individuals such as clients and employees who wish to know which data we hold on them;
  • Ensuring all systems, services, software and equipment meet acceptable security standards;
  • Checking and scanning security hardware and software regularly to ensure that it is functioning properly;
  • Researching third-party services, such as cloud services the company uses to store or process data.

Sensitive personal data

In most cases where we process sensitive personal data we will require your explicit consent to do this unless exceptional circumstances apply. Any such consent would need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.

A typical example would be information about your health when making an application for a life insurance policy.

Accuracy and relevance

We will ensure that any personal data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless you have agreed to this or would otherwise reasonably expect this.

You may ask that we correct inaccurate personal data relating to you. If you believe that information is inaccurate you should inform us.

Your personal data

We would ask you to help us ensure that personal data we hold about you is accurate and updated. For example, if your personal circumstances change, please inform us so that we can update our records about you.

Data security

We endeavour to keep personal data secure against loss or misuse.

Storing data securely

  • In cases when data is stored on printed paper, it will be kept in a secure place where unauthorised personnel cannot access it;
  • Printed data will be shredded when it is no longer needed;
  • Data stored on a computer will be protected by strong passwords that are changed regularly. We encourage all staff to use a password manager to create and store their passwords;
  • Data stored on CDs or memory sticks will be locked away securely when they are not being used;
  • The DPO will approve any cloud used to store data;
  • Data will be regularly backed up in line with the company’s backup procedures;
  • Data will never be saved directly to mobile devices such as tablets or smartphones;
  • All servers containing sensitive data will be protected by security software and a strong firewall.

Data retention

We will retain personal data for no longer than is necessary. What is necessary will depend upon the circumstances of each case, considering the reasons that the personal data was obtained. This will be determined in a manner consistent with our data retention guidelines.

Transferring data internationally

There are restrictions on international transfers of personal data. We will not transfer your personal data anywhere outside of the UK without your express permission.

Subject access requests

You are entitled, subject to certain exceptions, to request access to information held about you. If we receive a subject access request from you, we will refer that request immediately to the DPO. Your information will be delivered to you in a timely manner.

  • We will abide by any request from you not to use your personal data for direct marketing purposes.

GDPR provisions

Where not specified previously in this policy, the following provisions will be in effect on or before 25 May 2018.

Privacy Notice – transparency of data protection

Being transparent and providing accessible information to you about how we will use your personal data is important for our organisation. The following are details on how we collect data and what we will do with it:

Conditions for processing

We will ensure that any use of your personal data is justified. The conditions for processing will be available to you in the form of a privacy notice.


The data that we collect is subject to your consent, which can be revoked at any time.

Data portability

You have the right to receive a copy of your data in a structured format. If you request a copy of your data, this would normally be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. You may also request that your data is transferred directly to another system. This will be done for free, as long as the system is compatible with ours.

Your right to be forgotten

You may request that any information held on you is deleted or removed. Any third parties who process or use that data must also comply with such a request.

IPO Registration details

Data controller name: Sterling & Law Group plc
Registration number: Z8912287
Security number: 10568141
FCA registration number: 216784