Privacy Policy


‘AA Thornton’ (the “firm”, “us”, “we” or “our”), is committed to ensuring that any personal data collected via the firm’s website,, in respect of any natural person(s), including but not limited to, clients, suppliers, foreign associates, and employees (including prospective employees) is appropriately protected in accordance with the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”).

This Privacy Policy outlines the type of personal data that the firm collects via our website, how we use that information and how we protect it. This Privacy Policy tells you how we will seek your consent to acquire and process any personal data that you provide to us via the firm’s website, what to do if you do not want your personal data to be collected or processed by us, and how you can change any personal data that you have given to us previously.

Where appropriate, this Privacy Policy should be read in conjunction with our Terms of Business, which apply to all work done by us for our clients, and which contain additional provisions concerning data protection.

Personal data – what information do we collect about you via our website?

In this Privacy Policy, “personal data” means any information relating to an identified or identifiable natural person in accordance with Article 4, GDPR. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Examples of personal data identifiers that we may collect via our website include, but are not limited to, the following: your name, job title, postal address, email address and/or telephone number.

How is this information collected via our website?

We may ask you to provide personal data via our website in a number of circumstances, including, but not limited to: when you ask us to contact you via our website, for example, to provide you with legal advice, to provide you with information about the firm or any events hosted by the firm; when you access an on-line client portal available via our website; when you sign up to receive any information from us including, but not limited to: legal updates, social media posts, and any other marketing information; or when you apply for or accept employment with the firm.

When we request you to provide us with personal data via our website, we shall seek your formal consent to use that information in accordance with the terms of this Privacy Policy. Where the personal data obtained via our website may be used by us for more than one purpose, this will be clearly explained, and you shall be given the opportunity to consent to the use of your personal data for of some or all of those purposes identified.

If you have supplied us with personal data via our website previously but have not previously given formal consent for us to store, process or use that information, we will ask for your formal consent, and in the absence of such consent being given, delete the information from all of our records within sixty calendar days from the date on which we sought your consent.

Why is personal data collected via our website?

We collect personal data via our website in a number of circumstances, which may include:

  • In the case of a request for legal advice from you, to ensure that your request is assigned to an appropriate professional having regard for the nature of your enquiry;
  • In the case of a request for information relating to one or more of the firm’s services from you, to ensure that we only send you information that is relevant to your request;
  • In the case of an online application for employment from you, to ensure that we are able to process your application appropriately;
  • In the case that you request to receive marketing communications from us, to share with you news, publications, and social media posts from the firm and to send you invitations to our events; and
  • In the case of client portals accessible via our website, to ensure the prevention of unauthorised access to any confidential personal and/or commercial data that is in our possession.

We will only process your personal data to the extent that the law allows us to do so. Under the GDPR, we rely on the following legal bases for processing:

  • where you have given us consent to the processing;
  • where it is necessary to perform a contract we have entered into, or are about to enter into with you (whether as a client, supplier, foreign associate, employee or otherwise); and/or
  • where it is necessary for the purposes of our legitimate interests (or those of a third party) and your interests or fundamental rights and freedoms do not override those legitimate interests.

In any circumstances in which we request or obtain personal data from you via our website, our reason(s) for collecting that data, the intended use of the data by us, and the extent to which, if any, the data will be processed by us, shall be made clear to you. If you do not provide us with the information requested by us from time to time, we may not be able to provide services to you or otherwise fulfil the purpose for which we have requested this information; in these circumstances, we shall inform you accordingly where we have your contact information.


The firm’s website uses cookies. A cookie is a piece of data stored on a user’s hard drive containing information about the user. The information below explains the cookies we use on our website and why we use them:

  • Google Analytics cookies: we use these cookies to collect information about how visitors use our website, including details of the site where the visitor has come from and the total number of times a visitor has been to our website. We use the information to improve our website and enhance the experience of its visitors.
  • Local Shared Objects (Flash cookies): we use Adobe Flash Player to deliver certain content. Local Shared Objects, otherwise known as Flash cookies, are used for this in order to check if your browser supports Flash.

You can enable or disable cookies by modifying the settings in your browser. You can find out more information on cookies, at:

You can also find out how to disable Flash cookies at – see for details.

Retaining personal information submitted via our website

When we obtain personal data from you via our website we shall keep that information for no longer than 6 months, should we not engage with your further.

If you do not wish for us to keep your personal data for the period that we have specified, upon request from you, we shall undertake to remove the data from our records or reduce the period in question, as appropriate, within thirty working days of receipt of your request.

Keeping personal data submitted via our website safe

We take the safety of personal data received via our website very seriously. Appropriate precautions will be taken by us to ensure that any personal data we receive is kept confidential and secure in accordance with our internal procedures. Further details regarding these procedures may be made available upon request. Personal data that we receive via our website may be stored by us either in hard or soft copy.

The transmission of information via the internet is not completely secure. When we correspond with you via the internet, although we will do our best to protect your personal data, we cannot guarantee its security. Any transmission of information by you is at your own risk.

Sharing personal data submitted via our website

You agree that we have the right to share your personal data with selected third parties including our business partners, suppliers and sub-contractors for the performance of any contract we enter into with them which relates to you or the services which we are going to provide to you.

We will also disclose personal data to third parties:

  • in the event that we buy or sell any business or assets, in which case we may disclose personal data to the prospective buyer or seller of such business or assets;
  • if AA Thornton or substantially all of its assets are acquired by a third party, in which case personal data held by it will be one of the transferred assets; or
  • if we are under a duty to disclose or share your personal data in order to comply with any legal or regulatory obligation, or in order to enforce or apply our Terms of Business or other agreements, or to protect the rights, property or safety of AA Thornton & Co., our clients, or others.

Sharing personal data outside of the EEA

In order to provide our services to you, we may be required to share your personal data with organisations outside of the European Economic Area. We will only do so if we have ensured that there are appropriate safeguards in place, if we have your explicit consent to do so, or if it is necessary for the performance of a contract between you and us, or the implementation of pre-contractual measures taken at your request.

Further detail can be found in our Terms of Business.

Your Rights

Under the GDPR, in certain circumstances you have the right to:

  • Request access to your personal data. You may receive a copy of the personal data we hold about you, together with information about how and why we hold it.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data corrected.
  • Request erasure of your personal data. You may ask us to delete or remove your personal data in certain circumstances.
  • Object to the processing of your personal data, where we are relying on a legitimate interest (or those of a third party) or where we are processing only for direct marketing purposes.
  • Request the restriction of processing of your personal data. You may ask us to suspend the processing of your personal data, for example if you want to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal data to another party.
  • Lodge a complaint with the Information Commissioner’s Office. If you have any complaints about the way we process your personal data, please do contact us. Alternatively you may lodge a complaint with the Information Commissioner’s Office (
  • Withdraw consent. If we are relying on your consent to process your personal data, you have the right to withdraw your consent at any time. Please note that, if you do withdraw your consent, we may not be able to provide you with the relevant information or services.

If you want to exercise any of these rights, please contact us using the details below.

Unsubscribing from our marketing emails

If you no longer wish to receive our marketing emails, you can unsubscribe by selecting the option at the bottom of those emails. You will have the option to opt out of just that particular type of email, or opt out of all of our marketing emails in general. Once you have opted out we will not contact you again for marketing purposes unless you re-subscribe through our website.

Changes to our Privacy Policy

If we change this Privacy Policy we will post the changes on our website so that you are aware of the information we collect and how we use it at all times. Any changes will take effect as soon as they are posted on our website.

Contacting us about your personal data

If you wish to contact us or have any questions relating to this policy please email

This Privacy Policy was last updated in August 2018.