Privacy notice

About this notice

This notice explains how and why the Eversheds Sutherland (International) LLP (also referred to as “Eversheds Sutherland”, “ES” “we”, “our” and “us”) use personal data in connection with the work we do at the ES Mortgage Enforcement Unit, including acting on our client’s instructions to take legal action when there has been a default on an individual’s mortgage account.

In this notice, when we talk about “personal data” we mean any information that relates to an identifiable natural person – in this case, you.

You should read this notice if you are dealing with our Mortgage Enforcement Unit in relation to a matter that we have been instructed by one of our clients to assist with, for example if you are a borrower, a solicitor or financial advisor acting on a borrower’s behalf or an occupier/owner of a property which is being sold or purchased. You should also read any other privacy notices that we give you, which apply to our use of your personal data in specific circumstances from time to time.

Alternatively, if you are a client, a prospective client, someone looking for a job with us, a supplier or someone else dealing with Eversheds Sutherland, please visit the Privacy Notice page on our website at for information about how we process personal data.

Eversheds Sutherland is a "controller" in relation to its use of your personal data. This is a legal term – it means that we make decisions about how and why we use your personal data and, because of this, we are responsible for making sure it is used in accordance with applicable data protection laws. We are required by law to give you the information in this notice. You should read this notice, so you know what personal data we collect about you, what we do with it and how you can exercise your rights in connection with it.

If you have any questions about any of these notices, please contact or send a letter to Mortgage Enforcement Unit, Eversheds Sutherland LLP, 1 Callaghan Square, Cardiff, CF10 5BT.

What types of personal data do we collect and where do we get it from?

For the purposes of this notice, the personal data we process about you broadly falls into three main categories: (i) Contact Information; (ii) Identity and Other Regulatory Information; and (iii) Matter Information.

The table below sets out the different types of personal data that we collect and the sources we collect it from.

Category Types of personal data Collected from
Contact Information  
  • Name
  • Address
  • Telephone number
  • Mobile number
  • Email address
  • You, our clients and/or third party systems
Identity and Other Regulatory Information
  • Identification verification information (e.g. date of birth, name, address, mortgage details)
  • You, our clients and/or third party systems used for our regulatory checks
Matter Information
  • Personal and financial information relating to your mortgage and your financial circumstances
  • Details relating to all matter related communications, enquiries and other dealings between your and us or our clients (including recordings of telephone calls)
  • Information as to the health and other vulnerabilities of you and persons connected with you to the extent they are relevant to carrying out our client’s instructions
  • You, our clients, your professional advisor(s) and other third parties to whom you provide information

What do we do with your personal data, and why?

We use your personal data for a number of different purposes. We must always have a “lawful basis” (i.e. a reason, prescribed by law) for processing your personal data. The table below sets out the purposes for which we may process the different categories of your personal data – depending on the nature of your matter with us or our client – and the corresponding lawful basis for that processing. For some processing activities, we consider that more than one lawful basis may be relevant – depending on the circumstances.

Purposes of processing Lawful basis
  Necessary to comply with a legal obligation Necessary for our legitimate interests
Matter Related Purposes
Responding to your enquiries and communicating with you (including by text, telephone, email and post)  

(It’s important that we can respond to your enquiries)
Performing identity verification checks (including against third party sources)

(We need to make sure that we are dealing with the correct people, relevant to our clients’ matters)
Providing advice to our clients and instructions to suppliers in relation to your matter  

(We need to be able to process your personal data as needed, to follow our clients’ instructions in connection with your matter)
Negotiating payment arrangements and other compromises on behalf of our client  

(We need to be able to process your personal data as needed, to follow our clients’ instructions)
Acting on our clients instructions in the enforcement of mortgages through the courts  

(We need to be able to process your personal data as needed, to follow our clients’ instructions)
Legal and Regulatory Compliance and Reporting Purposes
Monitoring our systems and processes to identify, record and prevent fraudulent, criminal and/or otherwise illegal activity

(We need to be able to monitor our systems in this way to help protect them, us and you from illegal activity)
Complying with instructions, orders and requests from law enforcement agencies, any court or otherwise as required by law
Complying with our general regulatory and statutory obligations (including our responsibilities under codes of conduct and anti-bribery laws)
Purchasing, maintaining and claiming against our insurance policies

(It’s in our interests to protect our business against specified losses)
Training our staff

(Sometimes, it’s appropriate for us to use your personal data so that we can provide our staff with training to manage risk and improve the quality of our services)
Complying with instructions from our clients in relation to their regulatory obligations (including recording our telephone communications with you)  

(We need to record calls to our team to assist with our clients’ regulatory obligations, and for training and monitoring purposes)
General Business Requirements
Obtaining legal advice and establishing, defending and enforcing our legal rights and obligations and monitoring to identify and record fraudulent activity

(We must be able to defend our business and assert our legal rights)
For our general record-keeping and client relationship management

(As a law firm, we need to store client-related files so we can refer back to them)
Managing the proposed sale, restructuring, transfer or merging of any or all part(s) of our business, including to respond to queries from the prospective buyer or merging organisation

(We have a legitimate interest in being able to sell any part of our business)
Continuously reviewing and improving our products and services (including by seeking and obtaining your feedback) and developing new ones  

(We have a legitimate interest in making sure that we are continuously improving our service offering)
Monitoring and producing statistical information regarding the use of our platforms, and analysing and improving their functionality  

(We need to perform this limited routine monitoring to make sure our platforms work properly)
Maintaining the security and integrity of our systems, platforms, premises and communications (and detecting and preventing actual or potential threats to the same)  

(We need to make sure our that our business processes are secure)

In limited circumstances, we may also process certain special categories of personal data (such as information regarding your health), which require a higher standard of protection under applicable laws. For these special categories of personal data, different lawful bases apply. We only process this type of information about you where it is necessary for the establishment, exercise or defence of a legal claim against us or where it is necessary for reasons of substantial public interest (for example this could be where it is relevant to the client work we do at the ES Mortgage Enforcement Unit). We also have policies in place explaining our procedures for ensuring compliance with applicable laws in connection with the processing of personal data, and our practices in relation to the retention and erasure of personal data.

Who do we share your personal data with, and why?

Sometimes we share your personal data with third parties where permitted by law, including the following:

These organisations may also use your personal data as a “controller” – and if so, they should have their own privacy notices which you should read, and they have their own responsibilities to comply with applicable data protection laws.

We also ask third party service providers to carry out certain business functions for us. These include IT support, cloud platform and data hosting providers who help us with the operation of our websites, mobile applications, data rooms, document and workflow management systems and other systems and applications.

We will have in place an agreement with our service providers which will restrict how they are able to process your personal data and impose appropriate security standards on them

Where is your personal data transferred to?

Since Eversheds Sutherland is a network of different law firms operating globally, we will sometimes need to transfer your personal data outside the European Union. Some of these jurisdictions may not provide the same level of protection to your personal data as provided in the UK. We will only make transfers where permitted by applicable law or:

How do we keep your personal data secure?

We will put in place appropriate security measures to protect your personal data from unlawful or unauthorised processing and accidental loss, destruction or damage.

However please note that, in relation to any personal data you submit to us online, we cannot guarantee the security of data sent to us in this way. Transmission of data over the internet is at your own risk. You are responsible for keeping any passwords you use to access Eversheds Sutherland platforms safe

How long do we keep your personal data for?

We will only retain your personal data for a limited period of time, and for no longer than is necessary for the purposes for which we are processing it for.  This will depend on a number of factors, including:

What are your privacy rights and how can you exercise them?

Where our processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. If you do decide to withdraw your consent we will stop processing your personal data for that purpose, unless there is another lawful basis we can rely on – in which case, we will let you know.

Where our processing of your personal data is based on the legitimate interests (see table at paragraph 3 above), you can object to this processing at any time. If you do this, we will need to show either a compelling reason why our processing should continue, which overrides your interests, rights and freedoms or that the processing is necessary for us to establish, exercise or defend a legal claim.

Depending on the circumstances, you may have the right to:

Please contact or send a letter to Mortgage Enforcement Unit, Eversheds Sutherland LLP, 1 Callaghan Square, Cardiff, CF10 5BT if you would like to exercise any of your privacy rights. We also encourage you to let us know if you have any concern about how we are processing your personal data so we can try to resolve your concerns. However, if you consider that we are in breach of our obligations under data protection laws, you are always entitled to submit a complaint with the Information Commissioner’s Office.