Computer Forensics Lab
Computer Forensics Lab
WhatsApp
Legal · Last updated 8 July 2026

GDPR, Data Handling & Data Protection

Data protection is a high priority for Computer Forensics Lab. This statement explains, under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and PECR, the nature, scope and purpose of the personal data we collect, use and process — both through cflab.uk and in the course of our forensic engagements — together with the rights available to data subjects.

Where personal data is transmitted over the Internet, absolute security cannot be guaranteed. If you prefer, you may contact us by telephone on 0207 164 6915 instead of using our online forms.

Scope of this statement

In this statement, any reference to Computer Forensics Lab includes its other trading name, Data Recovery Lab. It applies to personal data we collect through our website, by email or telephone, and to personal data contained in material submitted to us for forensic examination. Where we are instructed by a solicitor, law-enforcement body or organisation to examine material on their behalf, we typically act as a data processor for the personal data in that material; for our own client records and website data we act as data controller.

Definitions

We use terminology consistent with the UK GDPR:

  • Personal data — any information relating to an identified or identifiable natural person (a "data subject"), for example a name, identification number, location data, an online identifier, or one or more factors specific to a person's identity.
  • Processing — any operation performed on personal data, whether automated or not (collection, storage, retrieval, disclosure, erasure, and so on).
  • Restriction of processing — marking stored personal data so its future processing is limited.
  • Profiling — automated processing of personal data to evaluate personal aspects such as behaviour, reliability or economic situation. We do not carry out profiling.
  • Pseudonymisation — processing personal data so it can no longer be attributed to a specific data subject without additional information kept separately.
  • Controller — the person or organisation that determines the purposes and means of processing.
  • Processor — a party that processes personal data on behalf of a controller.
  • Recipient — a party to whom personal data is disclosed.
  • Consent — a freely given, specific, informed and unambiguous indication of the data subject's wishes.

Controller and contact

Data controller
Computer Forensics Lab Ltd
Euro House, 133 Ballards Lane, Finchley, London N3 1LJ, United Kingdom
ICO registration: ZB395023

Data we collect on cflab.uk

Through this website and normal business correspondence we may collect:

  • Contact details you provide (name, organisation, email, phone).
  • The content of your inquiry, including any facts you disclose about your matter.
  • Correspondence between you and our team.
  • Invoicing and payment details necessary to raise and settle invoices.
  • Basic technical logs (see below) for security and abuse prevention.

Server logs and general data

When your browser (or an automated system) requests a page on cflab.uk our servers may record: the browser type and version, the operating system used, the referring page, the sub-pages requested, the date and time of access, the IP address, the Internet service provider, and similar data used to defend against attacks. This information is not used to draw conclusions about you as an individual. It exists to (1) deliver our content correctly, (2) optimise the site, (3) preserve the long-term viability of our systems, and (4) provide law enforcement with information necessary for prosecution in the event of a cyber-attack. Anonymous log data is stored separately from any personal data you actively provide.

Forensic evidence and case material

Digital evidence submitted to us is handled under documented forensic procedures. Original exhibits are hashed on receipt, working copies are used for examination, and access is restricted to the examiners assigned to the matter. Case material may contain personal data — including special-category or criminal-offence data — belonging to you or to third parties, and is handled strictly under the instructions of the party instructing us, in accordance with UK law and forensic best practice. Case material is retained only for the period agreed with the instructing party, after which it is securely destroyed.

  • Contract — to take steps at your request before entering a contract, and to perform our engagement with you.
  • Legitimate interests — to run our business, respond to inquiries, protect our systems, and pursue or defend legal claims.
  • Legal obligation — to comply with tax, accounting, anti-money-laundering and court orders.
  • Consent — where you have expressly agreed, for example to marketing communications you may withdraw at any time.
  • Substantial public interest / legal claims — where we process special-category or criminal-offence data as part of forensic evidence in legal proceedings.

Retention and routine erasure

We process and store personal data only for the period necessary to achieve the purpose of storage, or as required by law. When the purpose no longer applies, or when a prescribed retention period expires, personal data is routinely blocked or erased.

  • Inquiry correspondence — up to 24 months from last contact unless it becomes part of an active engagement.
  • Client and accounting records — a minimum of six years after the end of the engagement, consistent with HMRC guidance.
  • Case exhibits and working copies — for the period agreed with the instructing party.
  • Unclaimed physical property — securely disposed of or recycled after 30 days (see submitted property retention).

Technical and organisational measures

We apply measures appropriate to the sensitivity of the data we handle, including access controls, encryption of data at rest and in transit, physical security of premises where evidence is stored, and audited chain-of-custody records. Staff are trained in their data-protection obligations and are bound by written confidentiality undertakings.

Rights of the data subject

Subject to the exemptions in the UK GDPR and Data Protection Act 2018, you have the following rights. To exercise any of them, email info@cflab.uk.

Right of confirmation and access

You may ask us to confirm whether we are processing personal data about you, and to provide a copy of it, together with information about the purposes of processing, the categories of data, the recipients, the envisaged retention period, and the source of the data if not collected from you.

Right to rectification

You may ask us to correct inaccurate personal data and to complete incomplete personal data.

Right to erasure (right to be forgotten)

You may ask us to erase your personal data where one of the UK GDPR grounds applies — for example, when the data is no longer necessary for the purpose it was collected, you withdraw the consent on which processing was based, you object and there is no overriding legitimate ground, or the data has been unlawfully processed. We may need to retain data where required by law or for the establishment, exercise or defence of legal claims.

Right to restriction of processing

You may ask us to restrict processing where the accuracy of the data is contested, the processing is unlawful but you oppose erasure, we no longer need the data but you require it for legal claims, or you have objected to processing pending our verification.

Right to data portability

Where processing is based on your consent or on a contract and is carried out by automated means, you may receive personal data you have provided to us in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible.

Right to object

You may object, on grounds relating to your particular situation, to processing based on our legitimate interests or on a public interest task. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is required for legal claims. Where we process personal data for direct marketing, you may object at any time and we will stop.

Automated individual decision-making

We do not make decisions about individuals based solely on automated processing, including profiling, that produce legal or similarly significant effects.

Right to withdraw consent

Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out beforehand.

Right to complain

You have the right to lodge a complaint with the UK Information Commissioner's Office at ico.org.uk. We would ask you to contact us first so we can try to resolve any concern.

Job applications

We collect and process the personal data of job applicants for the purpose of the application procedure, which may be carried out electronically. If we enter into an employment contract with an applicant, their data is stored in accordance with legal requirements. If no contract is concluded, application documents are automatically erased two months after the notification of the decision, unless another legitimate interest requires longer retention.

International transfers

Where personal data is transferred outside the United Kingdom, we rely on adequacy decisions or on appropriate safeguards recognised under UK GDPR (for example, the UK International Data Transfer Agreement or the International Data Transfer Addendum to the EU Standard Contractual Clauses). We do not transfer forensic case material outside the UK without the express instruction of the party instructing us.

Changes to this statement

We may update this statement from time to time. Material changes will be notified on this page with an updated revision date. See also our Privacy Policy and Cookie Policy.