GDPR for solicitors and law firms in the EU
An EU law firm operates at the intersection of GDPR, legal professional privilege, AMLD4/5, and national Bar or Law Society obligations. Data protection compliance for a law firm is not a standard SME exercise — it requires the standard framework to be adapted for the privilege regime, the AML retention conflict, and the specific ways in which legal matter data is processed, stored, and potentially subject to compelled disclosure.
Controller and processor in legal practice
Law firms are typically controllers for the personal data they process in providing legal advice — the firm determines the purposes and means, not the client. However, in some practice areas — employment law firms managing client HR systems, law firms administering client pension schemes — the firm may act as a processor for some data. Each matter type should be assessed, and a Data Processing Agreement executed where the firm acts as processor.
Legal professional privilege and DSARs
EU member states implementing Article 23 GDPR have provided exemptions from the right of access where disclosure would compromise legal professional privilege or prejudice the fairness of legal proceedings. The specific scope of the exemption varies by member state — French droit de la défense, German Berufsgeheimnisse, Irish legal professional privilege — but the principle that privileged communications can be withheld from a data subject access request (DSAR) response is broadly recognised across EU jurisdictions. The exemption must be applied document by document, and the reasons for each withholding must be recorded.
AMLD4/5 retention conflict
Law firms within the scope of AMLD4/5 must retain customer due diligence (CDD) records for five years from the end of the matter. This conflicts with GDPR’s storage limitation principle in the same way as for accountants. Article 17(3)(b) resolves the conflict, but the resolution must be documented in the retention policy and privacy notice. At five years, CDD data must be destroyed and the destruction recorded.
Tipping off and DSARs
Where a law firm has filed a Suspicious Transaction Report (STR) with the national Financial Intelligence Unit (FIU) and the subject client submits a DSAR, full disclosure would constitute tipping off under AMLD4/5 Article 39 and national implementing law. The crime prevention exemption available under member state implementation of Article 23 GDPR provides the mechanism for withholding STR-related information. A documented procedure — STR log check on every DSAR, MLCO escalation, selective withholding with recorded basis — must exist before the situation arises.
Special category data in legal matters
Legal matters frequently involve special category data — health records in personal injury cases, criminal records in criminal defence, political or religious information in asylum matters. Processing requires both an Article 6 basis and an Article 9(2) condition, documented separately. The Article 9(2)(f) condition (legal claims) is the most commonly applicable for legal proceedings.
Note: EU GDPR applies directly across all 27 member states, but national law overlays — particularly on employment data, special category processing, and AML retention — vary materially between jurisdictions. Confirm requirements with a practitioner familiar with the relevant member state law.