Privacy Policy

Last updated: April 2021

1.  Introduction

As a global professional services business with law at its core, we are committed to safeguarding the privacy and security of the personal information in our care.  This policy explains how we collect your personal information, what we do with it and your rights in respect of it.  We have a separate policy which sets out similar information relating to the cookies that we use, which can be found here.

When we say 'we', 'our', 'us' or 'Pinsent Masons' in this policy, we are referring to all or any of the entities which make up the international Pinsent Masons group, as the context requires.  An explanation of some of the other terminology that we use in this policy is set out in section 10.

2.  Who and where we are

Pinsent Masons provides legal and other professional services globally via a number of entities.  These include Pinsent Masons LLP, its subsidiaries and any affiliates which practise under the name Pinsent Masons, or which Pinsent Masons LLP or its partners operate as separate businesses, e.g. Out-Law, Vario and MPillay.  

We are the data controller of the personal information that we process, i.e. the organisation which determines, alone or jointly with another party, how your personal information is processed and for what purposes.  This means that we are legally responsible for ensuring our systems, processes, suppliers and people comply with data protection laws in relation to the personal information that we handle. 

Most of Pinsent Masons' main IT systems are located in the UK or EU and controlled by Pinsent Masons LLP.  However, depending on the jurisdiction from which our legal or other services are provided to you, or in which your personal information is otherwise processed by us, another entity in the Pinsent Masons group may be the data controller in respect of your personal information.  More detailed information as to which of our entities is data controller in the circumstances in which we process personal information is set out in subsections 5.1 to 5.5 of this policy. For country specific legal notices and regulatory information about our business please click here. For a list of the jurisdictions in which we operate and office contact details, please click here.

Where we transfer your personal data to third parties, in certain circumstances those third parties may also be data controllers.  More information about this is provided in the 'Disclosure' part of the tables in section 5 of this policy.

Our global reach means that we are subject to the differing data protection regimes of the jurisdictions in which we operate.  We strive to achieve uniformity of data protection practices across the Pinsent Masons group, whilst also complying with all data protection laws.  This policy reflects the EU GDPR standard of protection of personal information, and references the relevant Articles of the EU GDPR where appropriate.  In those jurisdictions where data protection regimes differ significantly to the EU GDPR, elements of this policy may not apply, for example individuals' rights in relation to their personal information, and this policy does not establish rights or obligations which are additional to those prescribed in the applicable local data protection law. 

3.  Transfers of personal information across our business and to our suppliers

Our global presence means that your personal information may be transferred across the business worldwide due, for example, to our shared IT systems and datacentres, and cross-border working practices.  Personal data transfers are facilitated across the Pinsent Masons group by way of an intra group agreement which applies the EU approved model contract clauses to all such transfers of personal data within the Pinsent Masons group and, as part of that, all the Pinsent Masons group members agree to comply with the overarching principles of EU data protection annexed to the model clauses.

We also use a number of suppliers and service providers in connection with the operation of our business who may have access to the personal information that we process, e.g. IT suppliers when providing us with software support, or cloud services, or a company which we use for a marketing campaign may process your contact information on our behalf.  In all cases, your personal information is handled and protected in accordance with data protection law.  Where we use cloud services, our data will generally be hosted within the UK or EU, those being the locations which offer the highest level of data protection regulation of all the regions in which we operate. Where any personal data is processed by suppliers outside the EEA in countries that the UK and/or the EU have not assessed as providing an adequate level of protection, we ensure that personal data is adequately protected in accordance with applicable data protection law, and in particular Article 46 of the UK GDPR and the EU GDPR, by using the EU approved model contract clauses to cover the transfer or by ensuring that the supplier has Binding Corporate Rules in place.

4.  Whose personal information do we process?

We collect and process the personal information:

  • of our non-client contacts, such as those who use our website and online services, attend our webinars, seminars and events, and subscribe to our newsletters, email services and other promotional services (see section 5.1, 'Service Users, Non-client Contacts and Visitors', for more information);

  • obtained or created in relation to the legal services we provide, including the personal information of:

    • our clients, our client contacts, their people and third parties engaged by our clients (see 5.2, 'Clients and Client Contacts');

    • client counterparties and other third parties connected to the matters on which we are working for our clients (see 5.5, 'Service Providers and Other Non-client Individuals / Third Parties'); and

    • professional advisers, experts and consultants involved in the work that we carry out for our clients or engaged by us to support our client work (see 5.5);

  • of those who apply for a job or work placement with us (see 5.3, 'Applicants');

  • of our people;

  • of Varios and prospective Varios (see 5.4, 'Varios and Prospective Varios'); and

  • of contractors, suppliers and other third parties connected to the operation of our business (see 5.5).

5.  How do we process your personal information?

We will only process your personal information where we are permitted to do so by law, meaning when we have one or more legal basis to do so.  The following subsections explain how we process your personal information depending on the context of how personal information typically comes into our care, and include further information about the legal basis or bases that we rely on in those circumstances. 

In certain circumstances, we rely on the legal ground known as 'legitimate interests' to process your personal information.  This is where the processing of your personal information is necessary to pursue our legitimate interests in a way which is reasonably expected as part of running our business, but which is not detrimental to you and would have minimal impact on your privacy.  We undertake an assessment of any potential impact on your privacy before we process your personal information for our legitimate interests.

Insofar as we wish to use your personal information for purposes other than those mentioned above, we will check whether these additional purposes are compatible with the original purposes within the meaning of Article 6(4) of the EU GDPR.  Depending on the circumstances, we will inform you about the change of purpose and obtain your consent for the further processing of your personal information.

If you would like more details about the specific legal basis we are relying on to process your personal information where more than one legal basis has been set out in the relevant subsection below, please email us as at [email protected].

  • 5.1 Service users, contacts and visitors

    If you use our website or other online services, attend our webinars, seminars or events, or subscribe to our newsletters, email services or other promotional services.

    Data controller

    In relation to our global website and online services, and our global initiatives, such as webinars, seminars and events, newsletters, email services or other promotional services, Pinsent Masons LLP ordinarily acts as data controller.

    In relation to local initiatives, the Pinsent Masons entity organising or delivering these may be the data controller.

    Legal bases for processing

    • You have provided us with your consent to use your personal information, e.g. in the course of subscribing to our newsletters, completing a survey of ours, signing-up to an event or creating an online account via our website (Article 6(1)(a) EU GDPR).
    • It is necessary to pursue our legitimate interests for the purposes set out in the 'Use' section of this table (Article 6(1)(f) EU GDPR).
    • It is necessary for the performance of a contract with you, e.g. in connection with the provision of legal or other professional services to you involving our online tools, products and systems (Article 1(6)(b) EU GDPR).

    We process special category personal data, as necessary, with your consent (Article 9(2)(a) EU GDPR).

    Types of personal data

    • Identification information, e.g. title, name, the company you work for, and your job title or position.
    • Contact information, e.g. your address, email address, phone number, and marketing preferences.
    • Personal data contained in documents and correspondence exchanged with you or relating to you, including statements and opinions of yours or statements about you or opinions of you.
    • Financial information, e.g. bank and payment card details. 
    • Technical information, e.g. IP address, details of visits made to our online services such as the volume of traffic, online registration details and login credentials.
    • Diversity, health, religious beliefs or other special category personal information.
    • Images, e.g. CCTV footage taken at our premises and photos taken at our seminars or events.

    Collection

    • Directly from you, e.g. when you register for our events, seminars, or webinars, or to receive communications from us, or when you subscribe to our online services or provide information through electronic platforms made available to you in connection with services that we provide to you.
    • Via our website, e.g. connection data sent to our webserver by your browser when you connect to our website.

    Use

    • To complete any request you may make in relation to your marketing preferences, or other preferences relating to our communications with you.
    • To provide and improve our services and products, e.g. by monitoring and recording information relating to web based services such as how and when systems are accessed and how data is uploaded, to analyse performance.
    • To promote our services and to contact you with communications about legal updates, breaking news, newsletters and events.
    • For health and safety reasons, (e.g. to inform access, adjustment and dietary requirements for our meetings and events) and the application, audit and enforcement of our policies.
    • To improve your experience of our website, newsletters and other services, e.g. by monitoring and recording information relating to your browsing behaviour to make personalised content available to you more efficient and relevant.
    • To facilitate our internal business operations, e.g. internal record keeping and accounting.
    • To monitor and analyse our interactions with you to improve our relationship with you and help us to grow and develop our business.

    Disclosure

    • Your personal information may be transferred worldwide:
    • across the Pinsent Masons group;
    • to service providers who support the operation of our business;
    • to law enforcement, judicial, governmental and regulatory agencies, or professional bodies or similar where we are compelled to do so by law, regulation or professional obligations; and
    • to other third parties in limited circumstances, e.g. where we run a joint seminar/ webinar with a third party that you wish to attend (and where the event is a webinar, your registration name may be visible to other attendees during the event).
    • Any other information relating to you which you may provide to us.
    • Via web based services, e.g. some analytical information may be collected through electronic platforms made available to you in connection with services that we provide to you.
    • For information security and the prevention and detection of criminal and dishonest activity, including to ensure the security of our website and premises, and protect our information systems against data breaches, viruses and similar threats, e.g. by monitoring patterns of activity, and scanning communications for appropriate content, attachments and viruses.

    Some of these recipients may be acting as data controllers.  In all cases, the personal information of yours that we share will be limited to the minimum required for the relevant purpose and subject to the appropriate terms regarding disclosure, confidentiality and data protection.  For more information about personal data transfers, please see section 3 of this policy.

  • 5.2 Where we are providing services to our clients

    Where we are instructed on a legal matter or are engaged  for other professional services we may process the personal information of clients and client contacts, counterparty contacts and litigants in person, advisors, experts, counsel, witnesses, and other individuals named in or connected with the services that we provide to our clients.

    Data controller

    In relation to client matter data we act as data controller, rather than as a data processor, subject to local laws and relevant data protection/ supervisory authority guidance in the jurisdictions where we operate.   The Pinsent Masons entity that is instructed on a matter will typically be the data controller in this context.

    As a professional services company, we are subject to the professional codes of conduct and regulations which apply to all law firms and we are not able to agree to act only on our clients' instructions in relation to the data we process.

    In relation to our global communications and business development initiatives, Pinsent Masons LLP ordinarily acts as data controller.  For to local communications and initiatives, the Pinsent Masons entity organising or delivering these may be the data controller.

    Legal bases for processing

    • It is necessary to pursue our legitimate interests for the purposes set out in the 'Use' section of this table (Article 6(1)(f) EU GDPR).
    • It is necessary for the performance of a contract with our client, e.g. in connection with the provision of legal or other professional services to our client (Article 1(6)(b) EU GDPR).
    • To meet our legal and regulatory obligations (Article 6(1)(c) EU GDPR).
    • You have provided us with your consent to use your personal information, e.g. in the course of completing a survey or signing-up to an event (Article 6(1)(a) EU GDPR).

    We process special category personal data, as necessary:

    • To establish, exercise or defend legal claims (Article 9(2)(f) EU GDPR).
    • With your consent (Article 9(2)(a) EU GDPR).
    • In relation to personal data which has been made public by you (Article 9(2)(e) EU GDPR).
    • For reasons of public interest in connection with a statutory provision (Article 9(2)(g) EU GDPR).

    We process criminal offence data, where necessary:

    • With your consent.
    • Which has been manifestly made public by the data subject.
    • In relation to legal claims.
    • To prevent or detect unlawful acts.
    • To comply with regulatory requirements relating to unlawful acts and dishonesty.
    • To protect the public against dishonesty.
    • To prevent fraud.
    • In relation to our obligations concerning suspicion of terrorist financing or money laundering.

    We may process criminal offence data relating to:

    • individuals who are involved in corporate crime cases, matters concerning victims of crime or other matters for which criminal offence information of our clients and/or their people informs our work for the client;
    • non-corporate clients; and
    • individuals who are connected to or involved in the structure of our corporate client entities, such as directors, beneficial owners and Politically Exposed Persons.
    • To prevent or detect unlawful acts.

    In respect of personal information provided to us by you or our clients in certain of the jurisdictions in which we operate, additional national data protection lawful basis requirements may apply.

    Types of personal data

    • Identification information, e.g. title, name, date of birth, the company you work for, your job title or position, and your passport or other official forms of ID.
    • Contact information, e.g. your address, email address, phone number, and marketing preferences.
    • Financial information, e.g. bank details and identifiers, and fees information.
    • Professional information, e.g., your expertise and experience, feedback on your services (including opinions) from our people and/ or our clients and other information relevant and connected to how you may have performed any service referred to you by us.
    • Technical information, e.g. IP address, records of your visits to our online services, your online registration details and login credentials.
    • Personal data contained in documents and correspondence exchanged with you or relating to you, including statements and opinions of yours or statements about you or opinions of you.
    • Special category personal data, e.g. diversity, health and religious/philosophical beliefs.
    • Images, e.g. CCTV footage taken at our premises and photos taken at our meetings or events.
    • Other personal information provided to us by you, by our client, or by third parties on our client's behalf to inform our work for our client, or generated or sourced by us in the course or providing legal or other professional services to our client, which may include special categories of personal data and personal data relating to criminal convictions and offences or related to security measures.
    • Any other information relating to you which you or our client may provide to us. 

    Collection

    • Directly from you or our client, e.g. to inform our work for our client and for connected purposes such as relationship management and file opening procedures.
    • From third parties, .e.g. further information to verify your identity or inform our work for our client may be collected from other professional advisers and third parties connected to a matter, publicly available resources, for example, courts and public records, company registers, official insolvency announcements, press releases published by clients, information published by media outlets including social media.
    • Directly from you, e.g. when you register for our events, seminars, or webinars, or to receive communications from us.
    • When you subscribe to our online services or provide information through electronic platforms made available to you in connection with services that we provide to you.
    • Via our website, e.g. connection data sent to our webserver by your browser when you connect to our website.
    • Via web based services, e.g. analytical information collected through electronic platforms made available to you in connection with services that we provide to you or our client.

    Use

    • To deliver our services to you or our client.
    • To manage and administer our relationship with you or our client, e.g., communicating with you, instruction, and conflict checking, file opening and billing procedures, and credit checks.
    • To facilitate our internal business operations, e.g. internal record keeping, procurement and accounting practices.
    • To establish, exercise or defend legal claims.
    • As required by law and to comply with our statutory and regulatory obligations, e.g. anti-money laundering, disclosure obligations and court orders.
    • To complete any request you may make in relation to your marketing preferences, or other preferences relating to our communications with you.
    • To improve our services and products, e.g. by monitoring and recording information relating to web based services such as how and when systems are accessed and how data is uploaded, to ensure the integrity of documents and data files and information security.
    • To promote our services and to contact you with communications about legal updates, breaking news, newsletters and events.
    • For health and safety reasons, (e.g. to inform access, adjustment and dietary requirements for our meetings and events) and the application, audit and enforcement of our policies.
    • To improve your experience of our website, newsletters and other services, e.g. by monitoring and recording information relating to your browsing behaviour to make personalised content available to you more efficient and relevant.
    • To monitor and analyse our interactions with you to improve our relationship with you and help us to grow and develop our business.
    • For information security and the prevention and detection of criminal and dishonest activity, including to ensure the security of our website and premises, and protect our information systems against data breaches, viruses and similar threats, e.g. by monitoring patterns of activity and scanning communications for appropriate content, attachments and viruses.
    • So that you may provide a reference for us, in connection with a bid or tender, where we have agreed that you are happy to do so.
    • For referral purposes: we maintain a database of legal services providers and personal information relating to other third parties such as experts for similar purposes.

    Disclosure

    Your personal information:

    • may be transferred worldwide:
    • across the Pinsent Masons group;
    • to service providers who support the operation of our business, e.g., postal, courier and telecommunication service providers, financial institutions and other payment services providers, and providers of debt management services;
    • to other third parties connected to, involved in or engaged by us to support our work for our client, e.g. courts and authorities, professional advisers (including accountants, financial auditors and tax advisers), legal counsel, experts, and witnesses;
    • to law enforcement, judicial, governmental and regulatory agencies, or professional bodies or similar where we are compelled to do so by law, regulation or professional obligations; and
    • to other third parties in appropriate circumstances, e.g. to our clients during the course of our work with them, and where we run a joint seminar/ webinar with a third party that you wish to attend (and where the event is a webinar, your registration name may be visible to other attendees during the event); and
    • will be stored in:
    • Pinsent Masons' information systems; and
    • third party software applications and services which have been procured to support the management of the information in our care.

    Some of these recipients may be acting as data controller.  In all cases, personal information of yours that is shared or stored outside of the Pinsent Masons group will be limited to the minimum required for the relevant purpose and subject to the appropriate terms regarding disclosure, confidentiality and data protection.  For more information about personal data transfers, please see section 3 of this policy.

  • 5.3 Applicants

    If you apply for a job, work placement or vacation scheme with us (excluding Vario applicants; see 4.4).

    In certain of the jurisdictions in which we operate, we carry out pre-employment vetting checks. For details of our pre-employment vetting practices in respect of criminal offences, please refer to section 12 of this Policy.

    Data controller

    For applications made to Pinsent Masons via our online facility, Pinsent Masons LLP is usually the data controller.

    For applications made by other means, the Pinsent Masons entity to which the application is made may be data controller.

    Legal bases for processing

    • It is necessary to pursue our legitimate interests for the purposes set out in the 'Use' section of this table (Article 6(1)(f) EU GDPR).
    • It is necessary in order for us to takes steps, at your request, to enter into a contract with you (Article 1(6)(b) EU GDPR).
    • To meet our legal and regulatory obligations (Article 6(1)(c) EU GDPR).
    • You have provided us with your consent to use your personal information (Article 6(1)(a) EU GDPR).

    We process special category personal data, as necessary:

    • With your consent (Article 9(2)(a) EU GDPR).
    • In relation to personal information which has been made public by you (Article 9(2)(e) EU GDPR).
    • For the purposes of carrying out the obligations and exercising specific rights of ours or yours in the field of employment and social security and social protection law (Article 9(2)(g) EU GDPR).

    We process criminal offence data, where necessary, e.g., as part of the recruitment process for particular roles:

    • With your consent.
    • In relation to legal claims.
    • To prevent or detect unlawful acts.
    • To comply with regulatory requirements relating to unlawful acts and dishonesty.
    • To protect the public against dishonesty.
    • To prevent fraud.

    For details of the pre-employment vetting practices in respect of criminal offences that we carry out in certain of the jurisdictions in which we operate, please refer to section 12 of this Policy.

    Types of personal data 

    • Personal information, including name, date of birth, address, contact details, qualifications, and education and employment history.
    • Next-of-kin and dependants' information.
    • Special category personal data, e.g. ethnicity, health and religious/philosophical beliefs.
    • Pre-employment vetting information including the results of financial and criminal records checks, verification of address and qualifications, references, official forms of ID and right to work status. For details of the pre-employment vetting practices in respect of criminal offences that we carry out in certain of the jurisdictions in which we operate, please refer to section 12 of this Policy.
    • Financial information including bank details and identifiers (e.g. National Insurance numbers).
    • Personal data contained in documents and correspondence exchanged with you or relating to you, including statements and opinions of yours or statements about you or opinions of you.
    • Any other information relating to you that you may provide to us.

    Collection

    • Directly from you, e.g. via your application, submission of your CV, completing our diversity questionnaires, in interviews, and at recruitment events and networking occasions.
    • From third parties, including recruitment agencies, providers of background checking services, former employers or other referees, academic institutions, professional bodies, and publicly available resources, including professional social media such as LinkedIn. For details of the pre-employment vetting practices in respect of criminal offences that we carry out in certain of the jurisdictions in which we operate, please refer to section 12 of this Policy.

    Use

    • For our recruitment processes, including vetting and background checks where appropriate, and to assess suitability, eligibility and fitness to work. For details of the pre-employment vetting practices in respect of criminal offences that we carry out in certain of the jurisdictions in which we operate, please refer to section 12 of this Policy.
    • For human resources administration, including remuneration and all aspects of managing our relationship with you.
    • For health and safety reasons, (e.g. to inform access, adjustment and dietary requirements for our meetings and events) and the application, audit and enforcement of our policies.
    • For information security and the prevention and detection of criminal and dishonest activity, including to ensure the security of our website and premises, and protect our information systems against data breaches, viruses and similar threats, e.g. by monitoring patterns of activity and scanning communications for appropriate content, attachments and viruses.
    • For reporting purposes when required to do so by law or regulation.

    Disclosure

    Your personal information:

    • may be transferred worldwide:
    • across the Pinsent Masons group;
    • to service providers who support the operation of our business;
    • to law enforcement, judicial, governmental and regulatory agencies, or professional bodies or similar where we are compelled to do so by law, regulation or professional obligations; and
    • to other third parties in limited circumstances;
    • will be stored in:
    • Pinsent Masons' information systems; and
    • third party software applications and services which have been procured to support the operation of our human resources functions.

    Some of these recipients may be acting as data controller.  In all cases, personal information of yours that is shared or stored outside of the Pinsent Masons group will be limited to the minimum required for the relevant purpose and subject to the appropriate terms regarding disclosure, confidentiality and data protection.  For more information about personal data transfers, please see section 3 of this policy.

  • 5.4 Varios and prospective Varios

    If you apply to become, or are working with us as, a Vario.

    Data controller

    Pinsent Masons LLP is usually the data controller in respect of processing of the personal information of Varios and applicants to the Vario business.

    Legal bases for processing

    • It is necessary pursue our legitimate interests for the purposes set out in the 'Use' section of this table (Article 6(1)(f) EU GDPR).
    • It is necessary for the performance of a contract with you or in order for us to takes steps, at your request, to enter into a contract with you (Article 6(1)(b) EU GDPR).
    • To meet our legal and regulatory obligations (Article 6(1)(c) EU GDPR).
    • You have provided us with your consent to use your personal information (Article 6(1)(a) EU GDPR).

    We process special category personal data, as necessary:

    • With your consent (Article 9(2)(a) EU GDPR).
    • In relation to personal information which has been made public by you (Article 9(2)(e) EU GDPR).
    • For the purposes of carrying out the obligations and exercising specific rights of ours or yours in the field of employment and social security and social protection law (Article 9(2)(g) EU GDPR).

    We process criminal offence data, where necessary, e.g., as part of the recruitment process for particular roles:

    • With your consent.
    • In relation to legal claims.
    • To prevent or detect unlawful acts.
    • To comply with regulatory requirements relating to unlawful acts and dishonesty.
    • To protect the public against dishonesty.
    • To prevent fraud.

    For details of the pre-joining vetting practices in respect of criminal offences that we carry out in certain of the jurisdictions in which we operate, please refer to section 12 of this Policy.

    Types of personal data

    • Personal information, including name, date of birth, address, contact details, qualifications, and education and employment history.
    • Next-of-kin and dependants' information.
    • Special category personal data, e.g. diversity, ethnicity, health and religious/philosophical beliefs.
    • Pre-employment vetting information including the results of financial and criminal records checks, verification of address and qualifications, references, official forms of ID and right to work status. For details of the pre-joining vetting practices in respect of criminal offences that we carry out in certain of the jurisdictions in which we operate, please refer to section 12 of this Policy.
    • Character suitability information, including the results of psychometric tests.
    • Financial information including bank details and identifiers, e.g. National Insurance numbers.
    • Technical information, e.g. IP address, browsing preferences, online registration details and login credentials.
    • Personal data contained in documents and correspondence exchanged with you or relating to you, including statements and opinions of yours or statements about you or opinions of you.
    • Any other information relating to you that you may provide to us.

    Collection

    • Directly from you, e.g. via your application to become a Vario, submission of your CV, completion of our diversity questionnaires, populating your information in our CRM System, in interviews, in catch-ups, and at events and networking occasions.
    • From third parties, including recruitment agencies, clients of ours with whom you may be placed, providers of background checking services, providers of psychometric testing, former employers or other referees, academic institutions, professional bodies, and publicly available resources, including professional social media platforms such as LinkedIn. For details of the pre-joining vetting practices in respect of criminal offences that we carry out in certain of the jurisdictions in which we operate, please refer to section 12 of this Policy.

    Use

    • For recruitment purposes, including vetting and background checks where appropriate, and to assess suitability, eligibility and fitness to work. For details of the pre-joining vetting practices in respect of criminal offences that we carry out in certain of the jurisdictions in which we operate, please refer to section 12 of this Policy.
    • For human resources administration and management purposes including remuneration, managing all aspects of our relationship with you, and connecting and placing Varios with suitable clients.
    • For health and safety reasons (e.g. to inform access, adjustment and dietary requirements for placements and for our meetings and events), and for the application, audit and enforcement of our policies and other terms and conditions relating to you becoming or working as a Vario.
    • For information security and the prevention and detection of criminal and dishonest activity, including to ensure the security of our website and premises, and protect our information systems against data breaches, viruses and similar threats, e.g. by monitoring patterns of activity and scanning communications for appropriate content, attachments and viruses.
    • For any other purposes connected with you being or becoming a Vario.<

    Disclosure

    Your personal information:

    • may be transferred worldwide:
    • across the Pinsent Masons group;
    • to service providers who support the operation of our business;
    • with Pinsent Masons' clients who are considering, or have contracted for, a Vario assignment;
    • to law enforcement, judicial, governmental and regulatory agencies, or professional bodies or similar, where we are compelled to do so by law, regulation or professional obligations; and
    • to other third parties in limited circumstances, e.g. where we run a joint seminar/ webinar with a third party that you wish to attend (and where the event is a webinar, your registration name may be visible to other attendees during the event);
    • will be stored in:
    • Pinsent Masons' information systems; and
    • third party software applications and services which have been procured to support the operation of the Vario team.

    Some of these recipients may be acting as data controller.  In all cases, personal information of yours that is shared or stored outside of the Pinsent Masons group will be limited to the minimum required for the relevant purpose and subject to the appropriate terms regarding disclosure, confidentiality and data protection.  Once your information has been shared with a client in respect of a Vario assignment in which you have expressed an interest, that client may make your personal information available to other third parties. The client's privacy policies will detail how it may further process your personal data.

    For more information about personal data transfers, please see section 3 of this policy.

  • 5.5 Service providers and other individuals

    If you are a supplier or other service provider, or you work for or represent a supplier or service provider, an individual named in or connected with matters on which we are advising a client, including counterparty contacts and litigants in person, advisors, experts, counsel, witnesses, and other individuals named in or connected with the services that we provide to our clients.

    Data controller

    In relation to services procured for the global Pinsent Masons group, Pinsent Masons LLP ordinarily acts as data controller.  For services procured locally, the Pinsent Masons entity engaging you for those services may be the data controller.

    In relation to individuals named in or connected with maters on which we are advising a client, the Pinsent Masons entity that is instructed on the matter will typically be the data controller.

    Legal bases for processing

    • It is necessary to pursue our legitimate interests for the purposes set out in the 'Use' section of this table (Article 6(1)(f) EU GDPR).
    • It is necessary for the performance of a contract with you (Article 6(1)(b) EU GDPR).
    • To meet our legal and regulatory obligations (Article 6(1)(c) EU GDPR).
    • You have provided us with your consent to use your personal information (Article 6(1)(a) EU GDPR).

    We process special category personal data, as necessary:

    • To establish, exercise or defend legal claims (Article 9(2)(f) EU GDPR).
    • With your consent (Article 9(2)(a) EU GDPR).
    • In relation to personal data which has been made public by you (Article 9(2)(e) EU GDPR).
    • For reasons of public interest in connection with a statutory provision (Article 9(2)(g) EU GDPR).

    We process criminal offence data, where necessary:

    • With your consent.
    • Which has been manifestly made public by the data subject.
    • In relation to legal claims.
    • To prevent or detect unlawful acts.
    • To comply with regulatory requirements relating to unlawful acts and dishonesty.
    • To protect the public against dishonesty.
    • To prevent fraud.
    • In relation to our obligations concerning suspicion of terrorist financing or money laundering.

    We may process criminal offence data relating to individuals who are:

    • involved in corporate crime cases, matters concerning victims of crime or other matters for which criminal offence information informs our work for our clients;
    • client counterparties; and
    • connected to or involved in the structure of our corporate client entities, our corporate client counterparty entities and our suppliers and service providers, such as directors, beneficial owners and Politically Exposed Persons.

    Types of personal data

    • Personal identifiers e.g. title, name, date of birth, address, email address and phone number.
    • Professional contact information, e.g. the organisation you work for, your job title or position, address, email address and phone number.
    • Professional information, e.g., your expertise and experience, feedback on your services (including opinions) from our people and/ or our clients and other information relevant and connected to how you may have performed any service referred to you by us.
    • Financial information, e.g. bank details and identifiers, and fees information.
    • Personal data contained in documents and correspondence exchanged with you or relating to you, including statements and opinions of yours or statements about you or opinions of you.
    • Where you are named in or connected with matters on which we are advising a client, any personal information about you provided to us by or on behalf of our clients or generated by us in the course or providing legal services to our clients, which may include special categories of data.
    • Diversity, health or religious beliefs information.
    • Images, e.g. CCTV footage taken at our premises and photos taken at our meetings or events.
    • Any other information relating to you which you may provide to us.

    Collection

    • Directly from you.
    • From our clients.
    • From third parties, such as other professional advisers and third parties connected to a matter, and through publicly available sources including court and public records and social media.

    Use

    • To deliver our services to our clients.
    • For referral purposes: we maintain a database of legal services providers and personal information relating to other third parties such as experts for similar purposes.
      To manage and administer our relationship with you e.g. communicating with you, and instruction and billing procedures.
    • To facilitate our internal business operations, e.g. internal record keeping, procurement and accounting practices.
    • To establish, exercise or defend legal claims.
    • As required by law and to comply with our statutory and regulatory obligations, e.g. anti-money laundering, disclosure obligations and court orders.
    • For the prevention and detection of criminal activity.
    • For information security and the prevention and detection of criminal and dishonest activity, including to ensure the security of our website and premises, and protect our information systems against data breaches, viruses and similar threats, e.g. by monitoring patterns of activity and scanning communications for appropriate content, attachments and viruses.
    • So that you may provide a reference for us, in connection with a bid or tender, where we have agreed that you are happy to do so.
    • For health and safety reasons, (e.g. to inform access, adjustment and dietary requirements for our meetings and events) and the application, audit and enforcement of our policies.

    Disclosure

    Your personal information:

    • may be transferred worldwide:
    • across the Pinsent Masons group;
    • to service providers who support the operation of our business;
    • to law enforcement, judicial, governmental and regulatory agencies, or professional bodies or similar where we are compelled to do so by law, regulation or professional obligations;
    • to other third parties in appropriate circumstances, e.g. to our clients during the course of our work with them and where we run a joint seminar/ webinar with a third party that you wish to attend (and where the event is a webinar, your registration name may be visible to other attendees during the event); and
    • will be stored in:
    • Pinsent Masons' information systems; and
    • third party software applications and services which have been procured to support the management of the information in our care.

    Some of these recipients may be acting as data controller.  In all cases, personal information of yours that is shared or stored outside of the Pinsent Masons group will be limited to the minimum required for the relevant purpose and subject to the appropriate terms regarding disclosure, confidentiality and data protection.  For more information about personal data transfers, please see section 3 of this policy.

6.  For how long do we keep your information?

Your personal information is retained by us in accordance with applicable law and regulation.   Our data retention periods vary depending on the location, nature and context of the personal information that we have in our care, and are calculated taking into account the following factors:

  • potential claims or litigation;
  • guidance from official bodies such as relevant data protection supervisory authorities and professional regulatory bodies;
  • how long we need to keep the data to fulfil the original purpose for which it was collected;
  • the nature and sensitivity of personal data; and
  • legal obligations to which we are subject.

This means that, in general, we delete personal information when: the purpose for its processing has been fulfilled or the contractual relationship with our client, you or your company has ended; all mutual claims have been fulfilled; and there are no other legal obligations to retain the personal information nor legal bases for further processing.  Typically, we retain personal information in client files for 10 years after the completion of the matter.

7.  Your rights

Depending on where you are in the world and which of the Pinsent Masons entities processes your personal information, you may have one or more of the following rights in respect of that personal information:

  • to be informed about the collection and use of your personal information;
  • to ask whether we process your personal information and request a copy of it if so;
  • to object to decisions that we may make based solely on the automated processing of your personal information;
  • in certain circumstances, to object to processing of your personal information where we do so for the purposes of our legitimate interests; 
  • to request that any inaccurate or incomplete personal information of yours in our care is rectified or competed;
  • in certain circumstances, to restrict our processing of your personal information;
  • in certain circumstances, to receive your personal information or have your personal information transmitted to another organisation in a structured, commonly used and machine readable format;
  • in certain circumstances, to request that we delete your personal information; and
  • to object to our processing of your personal information for direct marketing purposes.

Not all of these rights are absolute, which means that they may only apply in certain situations and may be subject to legal exceptions and exemptions.  To exercise your rights, please email us at [email protected].  You may also write to us at Privacy Team, Pinsent Masons, 19 Cornwall Street, Birmingham, B3 2DT, United Kingdom.

You may change your marketing preferences or let us know that you no longer wish to receive any marketing communications from us by:

  • logging into your Pinsent Masons account and updating your preferences (via our website or via the link at the foot of each email that you have received from us) - please note it may take up to 72 hours for changes to take effect; or
  • sending an email to [email protected]; or
  • writing to us at Privacy Team, Pinsent Masons, 19 Cornwall Street, Birmingham, B3 2DT, United Kingdom.

8.  How to make a complaint

Our Privacy Team oversees our compliance with data protection laws and this policy, and provides guidance and advice to the firm and our people.  Our Compliance Officer for Legal Practice ('COLP') oversees compliance with our professional responsibilities and the reporting of any failures to comply with legislative requirements, including data protection.

Please direct any complaint relating to how the firm has processed your personal information to [email protected]. You may also write to us at Privacy Team, Pinsent Masons, 19 Cornwall Street, Birmingham, B3 2DT, United Kingdom.  We hope that we can resolve any query or concern you raise about our processing of your personal information.

The EU General Data Protection Regulation and certain other applicable data protection laws give you the right to lodge a complaint with a data protection supervisory authority ('DPA'), usually in the country or state where you work, normally live or where any alleged infringement of data protection laws has occurred. Details of EU Member State DPAs and EEA DPAs can be found here.  Details of the DPAs relevant to other jurisdictions in which we operate, including the UK, are set out in section 11 of this policy.

9. Links to other websites

We sometimes provide you with links to other websites, but these websites are not under our control. We are not liable to you for any issues arising in connection with their use of your information, the website content or the services offered to you by those websites.

We recommend that you check the privacy policy and terms and conditions on each website to see how each third party will process your information.

10. Terminology used in this Privacy Policy

When we say 'we', 'our', 'us' or 'Pinsent Masons' in this policy, we are referring to all or any of the entities which make up the international Pinsent Masons group, as the context requires.  An explanation of some of the other terminology we use in this policy is set out below.

"checking organisations"

means an organisation registered with a criminal records bureau to (a) submit basic checks through a web service or by other means; (b) to submit standard and enhanced checks, and is entitled by law to ask an individual to reveal their full criminal history; or (c) any other approved organisation engaged by the firm to carry out criminal checks on its behalf;

"client"

any person or organisation to whom the firm provides a service and who is identified as a client on the firm's practice management system, regardless of whether time is recorded or a fee is charged;

"contact"

an individual who is a contact of the firm, including any client, any potential or former client, any supplier, any consultant, or any another professional advisor and any other contact of the firm;

"criminal offence data"

is personal data relating to criminal convictions and offences or related security measures. This encompasses a wide range of information about criminal activity, allegations, investigations and proceedings. It includes not just data which is obviously about a specific criminal conviction or trial, but also any other personal data relating to criminal convictions and offences, including unproven allegations, information relating to the absence of convictions and personal data of victims and witnesses of crime. It also encompasses a wide range of related security measures, including personal data about penalties, conditions or restrictions placed on an individual as part of the criminal justice process, or civil measures which may lead to a criminal penalty if not adhered to.

"criminal record bureau"

means the Disclosure and Barring Service, Disclosure Scotland, AccessNI and other equivalent criminal record bureaus of the jurisdictions in which the firm operates;

"criminal record certificate"

means a criminal records certificate issued by a criminal record bureau in response to a criminal record check;

"criminal record check"

is a request submitted to a criminal records bureau to find out whether an individual has a criminal record;

"data"

recorded information whether stored electronically, on a computer, or in certain paper-based filing systems;

"data controller"

a person who or organisation which determines how personal information is processed and for what purposes;

"EU GDPR" or "General Data Protection Regulation"

means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1, 4.5.2016;

"individual" or "you"

the person whose personal information is being collected, held or processed;

"partner(s)"

refers to a member of Pinsent Masons LLP or an employee or consultant of Pinsent Masons with equivalent standing;

"our/PM people"

means partners, members, consultants, employees, temporary workers, agency and casual workers, contractors, collaborators, volunteers and those on work placements providing services to/working for Pinsent Masons;

"personal information" or "personal data"

information (including opinions) which relates to an individual and from which he or she can be identified either directly or indirectly through other data which the firm has or is likely to have in its possession. These individuals are sometimes referred to as data subjects;

"policy"

the global privacy policy as amended from time to time;

"process" or "processing"

any activity that involves personal information. It includes obtaining, recording or holding the personal information, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal information to third parties as a result of those third parties having access to it;

"special category personal data" or "special category personal information"

means information revealing someone's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or genetic information, biometric information, information concerning health or concerning sex life or sexual orientation;

"UK GDPR"

means the Data Protection Act 2018 and the UK GDPR (as defined in the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019); and

"Vario"

a consultant lawyer working for Pinsent Masons' freelance legal resource business.

 

11.  Non-European DPAs

 

Australia

The Privacy Commissioner, under the Office of the Australian Information Commissioner.

GPO Box 5218, Sydney NSW 2001

https://www.oaic.gov.au/

Dubai

There is no national DPA in the UAE.

Qatar - Qatar Financial Centre ('QFC')

The Employment Standards Office at the QFC.

Employment Standards Office, Qatar Financial Centre, Level 8, QFC Tower 1, Westbay, Doha, Qatar

Tel: +974 44967609

Email: [email protected]

http://www.qfc.qa/en/Operate/Pages/ESO.aspx

Hong Kong

The Office of the Privacy Commissioner for Personal Data

12/F, Sunlight Tower, 248 Queen’s Road East, Wanchai, Hong Kong

http://www.pcpd.org.hk/

People's Republic of China ('PRC')

There is no unified data protection legal regime nor a single designated DPA in the PRC. Competent authorities and enforcement regulators in some sectors may monitor and enforce data protection issues, e.g. the Cyberspace Administration of China and the Ministry of Public Security.

Singapore

Personal Data Protection Commission

10 Pasir Panjang Road, #03-01 Mapletree Business City Singapore 117438

Tel: +65 6377 3131

Fax: +65 6577 3888

Email: [email protected]

http://www.pdpc.gov.sg/

South Africa

The office of the Information Regulator has been established under the Protection of Personal Information Act 4 of 2013 ('POPIA'). The Information Regulator is to be responsible for investigating and attempting to resolve complaints.

United Kingdom

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline number: 0303 123 1113

Home | ICO

12. Our personnel vetting practices in respect of criminal offences

Criminal offence information may be requested of prospective PM people and prospective Varios as part of the recruitment process in certain of the jurisdictions in which we operate before an offer of employment is made unconditional. If we are not permitted to or are not justified in seeking information about criminal offences for a role, we will not ask candidates for criminal offence information. We will not seek criminal offence information from any source other than the individual concerned, a criminal record bureau or a checking organisation.

Criminal offence information will only ever be used by the firm for the purposes for which it was originally collected. Criminal record certificate information will be handled, kept, and disposed of in accordance with the firm's Pre-employment Checks Policy: candidates may email [email protected] to request a copy.

Recruitment of ex-offenders policy statement

We are committed to the fair treatment of our people, prospective PM people and users of our services, regardless of their offending background.

The firm promotes equality of opportunity for all with the right mix of talent, skills and potential. Having a criminal record will not necessarily bar an individual from working with us and we welcome applications from a wide range of candidates, including those with criminal records.

The firm selects all candidates for interview based on their skills, qualifications and experience.

Circumstances in which candidates may be asked to provide criminal offence information

A criminal record check or a request for criminal offence information from an individual is only requested after a thorough risk assessment has indicated that doing so is both proportionate and relevant to the position concerned.

The type of criminal records information and level of criminal record check that the firm is entitled to request will depend on the nature of the role for which the individual's suitability is being assessed. When recruiting for a role, we assess whether:

  • it is appropriate to limit the criminal offence information sought to offences that have a direct bearing on suitability for the job in question; and
  • the information provided should be verified with a criminal record bureau.

If candidates are asked to provide criminal offence information

Where we request criminal offence information from an individual but do not request a criminal record check, we will ask the individual to provide only criminal offence information in relation to convictions and cautions that the firm would be legally entitled to see in a criminal record check for the relevant role.

If it is assessed that we should verify criminal records information with a criminal record check, we will comply with any criminal record bureau code of practice to which we are subject and provide the individual concerned with a copy of the firm's Pre-employment Checks Policy.

The firm will not rely on previously-issued criminal record certificates.

Criminal offence information verified through a criminal record check

Once criminal offence information has been verified through a criminal record check, we will:

  • if inconsistencies emerge between the information provided by the individual and the information in the criminal record certificate, give the individual the opportunity to provide an explanation; and
  • record that a criminal record check was completed and whether it yielded a satisfactory or unsatisfactory result.

Where an unprotected conviction or caution is disclosed

If we have concerns about the information that has been disclosed by a criminal record bureau, or the information is not as expected, we will discuss our concerns with the candidate and carry out a risk assessment.

Our risk assessment will take into account the circumstances and background of any offences and whether they are relevant to the position in question, balancing the rights and interests of the individual, PM people, clients, suppliers and the public.

We treat all applicants fairly but reserve the right to withdraw an offer of employment if an individual does not disclose relevant information, or if a criminal bureau check reveals information which we reasonably believe would make an individual unsuitable for a role.

Disputing the content of a criminal record certificate

Individuals may raise a dispute with a criminal record bureau if they believe that there has been a mistake in the contents of their certificate, for example a mistake in:

  • the records provided, for example incorrect or irrelevant information on convictions; or
  • their personal details.

Dispute processes may vary by criminal record bureau and the relevant criminal record bureau should be contacted directly for guidance on how to raise a dispute.