The right to object to any automated profiling without consent.

Data subjects may make data access requests as described in the our subject access request procedure this procedure also describes how the firm will ensure that its response to access request complies with the requirements of the Regulation.


Data Subjects who wish to complain to the firm about how their personal information has been processed may lodge their complaint directly with the Data Protection Officer. The data protection section of you client facing material will need to be modified to include a GDPR complaints section.

If operating a website the firm will need create a form, usually on the “Contact Us” section of the website, into which data subjects can enter the details of their complaint They will need to be shown the Fair Processing Notice at this point.
Data subjects may also complain directly to the ICO and the DPO in writing.
Where data subjects wish to complain about how their complaint has been handled, or appeal against any decision made following a complaint, they may lodge a further complaint to the Data Protection Officer. The right to do this will be included in the GDPR section of our complaints procedure.


The firm understands “consent” to mean that it has been explicitly and freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she by statement, or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. The consent of the data subject can be withdrawn at any time
The firm understands “consent” to mean that the data subject has been fully informed of the intended processing and has signified their agreement, while in a fit state of mind to do so and without pressure being exerted upon them. Consent obtained under duress or on the basis of misleading information will not be a valid basis for processing. There must be some active communication between the parties, which demonstrate active consent.

Consent cannot be inferred from non-response to a communication. For sensitive data, explicit written consent of data subjects must be obtained unless an alternative legitimate basis for processing exists.

In most instances, consent to process personal and sensitive data is obtained routinely by the firm using standard consent documents.

Where the firm provides online services to children, parental, or custodial authorisation must be obtained. This requirement applies to children under the age of 16, unless the Member State has made provision for a lower age limit – which may be no lower than 13.

Our offices

We are based in Rhiwbina in Cardiff, you can find us on the main high street.

7 Heol-Y-Deri
Cardiff CF14 6HA

Tel: 029 2061 6066

How to find us