Privacy Policy


  • This policy summarises the key points about how Pinsent Masons collects, uses and discloses personal data and ensures compliance with the laws and regulations throughout the world where we operate.
  • More information can be provided upon request from our Data Protection Manual.  Defined words are in the Appendix at the end of this policy.

What is Personal data?

  • Personal data is information (including opinions) which relates to an individual and from which he or she can be identified either directly or indirectly through other data which the firm has or is likely to have in its possession. These individuals are sometimes referred to as data subjects.


The firm is the data controller of the personal data we process and therefore is responsible for ensuring our systems, processes, suppliers and PM people comply with data protection laws in relation to the information we handle. 

All PM people must abide by this policy and the manual when handling personal data and must take part in any required data protection training. Any breach will be taken seriously and may result in disciplinary action.

We have a Data Protection Officer who oversees compliance with data protection laws and this policy and provides guidance and advice to the firm and PM people as required.

In addition, our Compliance Officer for Legal Practice (COLP) oversees compliance with our professional responsibilities and the reporting of any failures to comply with legislative requirements, including data protection.

Principles of Data Protection

The firm has adopted the following principles to govern our use, collection and disclosure of personal data.   These principles have been established to create a uniform standard across our offices worldwide taking account of the laws in the jurisdictions where we operate.

The firm's core principles provide that personal data must:

  • be processed fairly and lawfully and to the extent required under local law with valid and informed consent;
  • be obtained for specific and lawful purposes;
  • be kept accurate and up to date;
  • be adequate, relevant and not excessive in relation to the purposes for which it is used;
  • not be kept for longer than is necessary for the purposes for which it is used;
  • be processed in accordance with the rights of individuals;  
  • be kept secure to prevent unauthorised processing and accidental loss, damage or destruction; and
  • not be transferred to, or accessed from, another jurisdiction where these core principles cannot be met unless it is adequately protected. (See our section on Transfer of Data).

Collection, Use and Disclosure

As a firm the type of data we collect and process falls into one of the following categories:-

  • personal data relating to subscribers to our newsletters and other promotional materials;
  • personal data obtained and created in relation to providing legal services; and
  • personal data relating to PM people.

The below table provides a summary of how we collect and use personal data:

Subscribers to our newsletters and other promotional material

Types of data

Information such as name and business information (email address, job title, who you work for).

Additional information may be processed where it is provided by you, for example in correspondence, in connection with an event or in letting us know what areas you are interested in and when you wish to be contacted by us.  This may include access or dietary requirements which may reveal information about your health or religious beliefs.

Our websites may also collect your device's unique identifier, such as an IP address.

Data is collected in our CRM system when you register to receive legal updates, or we otherwise receive your contact details.

Data may also be collected in our OutLaw database when you join My OutLaw.

You will receive a notice when your details have been added to the CRM or OutLaw database.  You can revisit your profile at any time to amend your information or preferences or to provide additional details.

You will also be provided with the option to opt out and/or be removed from the CRM or OutLaw database with each marketing communication you receive from us.

Personal data will be used to:

- complete any request you may make; 

- contact you with communications about legal updates, breaking news, newsletters and event invitations which we think are relevant to your interests and in line with your preferences;

- make users' experiences more efficient and understand how we can improve your browsing preferences and the services Pinsent Masons provides; and

- analyse what subjects are of interest to particular users so that we can improve the content in our newsletters and promotional material.

Personal data:

- may be transferred worldwide to our affiliates, and to service providers who support the operation of our business;

- which is shared with service providers will be limited to that which is required for providing the service and will be adequately protected;

- will not be given to other third parties, apart from in limited circumstances, such as where we run a joint seminar and you book onto it.

Providing legal services

Types of data

Information processed for relationship management and file opening procedures such as name, business information and identification documentation.

Additional personal data will be processed when individuals are named in matters on which we are advising or when the personal data is uploaded onto any of the web based services (e.g. SmartDelivery) which we provide to you.

Our web-based services (e.g. SmartDelivery) will also process online registration details and login credentials for the individuals who request access to these services.

Relationship management and file opening information is collected from you directly and further information (e.g. to verify your identity) may be collected from third parties, such as publicly available sources.

All additional personal data is collected when supplied to us, or created by us in connection with a particular matter on which we are advising.  Where relevant, this may be through a web based service you are using (e.g. document production services on SmartDelivery).

Relationship management and file opening data is used for providing legal services, administration, commercial purposes (e.g. creditworthiness) and as required by law (e.g. anti money laundering).

All other personal data will be used for the purposes of providing legal services and to comply with our statutory/regulatory obligations.

In relation to our web based services we will monitor and record information relating to use of the services.  This will include how and when the system is accessed and how data is uploaded.

Personal data:

- may be transferred worldwide to our affiliates, and to service providers who support the operation of our business;

- which is shared with service providers will be limited to that which is required for providing the service and will be adequately protected.

PM People

Types of data

Personal data such as name, address, contact details, education and employment history; information relating to next of kin/dependants; financial information including bank details and identifiers (e.g. National Insurance numbers); records of your use of the firm's IT and information services (e.g. LexisNexis); CCTV and swipe card data. We may also process information revealing sensitive information such as health details, racial origin, religious beliefs and information about offences/alleged offences.

Personal data will be collected from a number of sources including your application form/CV; tracking your use of the firm's IT and information services; notes and records kept throughout your employment including absences, expenses claims, questionnaires, performance reviews and details of any grievances/disciplinary action; CCTV and swipe cards.

Personal data will be used for: human resources administration; learning and development; to ensure the firm's information and offices are secure; and management purposes (including where necessary disciplinary purposes).

Photographs, education and career information may be used in marketing and promotional material for the firm including our website, brochures, bids and tenders.

Personal data:

- may be transferred worldwide to our affiliates, and to service providers who support the operation of our business;

- which is shared with service providers will be limited to that which is required for providing the service and will be adequately protected.

Individuals' Rights

Personal data must be processed in line with individuals' rights, including the right to:

  • request a copy of their personal data;
  • request that their inaccurate personal data is corrected;
  • request that their personal data is deleted and destroyed when causing damage or distress; and
  • opt out of receiving electronic communications from the firm.

Should you wish to make a request in line with your rights as an individual, please forward it to the Data Protection Officer.

PM people must notify or inform the Data Protection Officer immediately if they receive a request in relation to personal data which the firm processes. 

How to Make a Complaint

You should direct all complaints relating to how the firm has processed your personal data to the Data Protection Officer.

PM people must inform the Data Protection Officer immediately if they receive a complaint relating to how the firm has processed personal data so the firm's complaints procedure can be followed.


Information security is a key element of data protection.  The firm takes appropriate measures to secure personal data and protect it from loss or unauthorised disclosure or damage.   The firm is ISO27001:2005 certified and it is a requirement that all PM people comply with the firm's IS policy, which is available on the Information Security pages.

Transfer of Data between Jurisdictions

As an international law firm, personal data may be transferred between our various offices worldwide (as listed on due to, for example, our shared IT systems and/or cross border working. We also use a number of suppliers in connection with the operation of our business and they may have access to the personal data we process.  For example, an IT supplier may see our personal data when providing software support, or a company which we use for a marketing campaign may process contacts' personal data for us. When contracting with suppliers and/or transferring personal data to a different jurisdiction, the firm takes appropriate steps to ensure that there is adequate protection in place and that the principles are adhered to.

Contact details:

Data Protection Officer, 3 Colmore Circus, Birmingham, B4 6BH, United Kingdom



Appendix Definitions

In the Privacy Policy and the Data Protection Manual, the following terms have the following meanings:-

"client" any person or organisation to whom the firm provides a service and who is identified as a client on the firm's practice management system, regardless of whether time is recorded or a fee is charged; 
"contact" an individual who is a contact of the firm, including any client, any potential or former client, any supplier, any consultant, or any other professional advisor and any other contact of the firm; 
"CRM" the firm's client relationship management system, InterAction;
"data" recorded information whether stored electronically, on a computer, or in certain paper-based filing systems; 
"data controller" a person who or organisation which determines how personal data is processed and for what purposes. The equivalent term under the data protection law applicable to Hong Kong is "data user", under the law applicable to Singapore it is simply referred to as an "organisation"; and under Australian law it is an "agency" or "organisation";
"Data Protection Officer" the person designated as the Data Protection Officer of the firm from time to time who can be contacted at ;
"individual" or "you" the person whose personal data is being collected, held or processed; 
"IS policy" the firm's Information Security Policy;
"manual" the firm's Data Protection Manual;
"personal data" please see the "What is Personal data?" section of this policy;
"PM people" or "PM person" means partners, members, consultants, employees, temporary workers, agency and casual workers, contractors, collaborateurs, volunteers and those on work placements providing services to/working for the firm;  
"policy" the Privacy Policy as amended from time to time;
"principles" the core data protection principles set out in the Privacy Policy and summarised in the firm's Data Protection Manual;
"process" or "processing" any activity that involves use of personal data.  It includes obtaining, recording or holding the personal data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it.  Processing also includes transferring personal data to third parties as a result of those third parties having access to it; and