Privacy Policy

Last updated: January 2020

1. Introduction

As a global professional services business with law at its core, we are committed to safeguarding the privacy and security of the personal information in our care.  This policy explains how we collect your personal information, what we do with it and your rights in respect of it.  We have a separate policy which sets out similar information relating to the cookies and other technologies that we use, which can be found here.

When we say 'we', 'our', 'us' or 'Pinsent Masons' in this policy, we are referring to all or any of the entities which make up the international Pinsent Masons group, as the context requires.  An explanation of some of the other terminology we use in this policy is set out in section 9.

2. Who and where we are

Pinsent Masons provides legal and other professional services globally via a number of entities.  These include Pinsent Masons LLP, its subsidiaries and any affiliates which practise under the name Pinsent Masons, or which Pinsent Masons LLP or its partners operate as separate businesses, e.g. Out-Law, Vario and MPillay.

We are the data controller of the personal information that we process, i.e. the organisation which determines, alone or jointly with another party, how your personal information is processed and for what purposes.  This means that we are legally responsible for ensuring our systems, processes, suppliers and people comply with data protection laws in relation to the personal information that we handle. 

Most of Pinsent Masons' main IT systems are located in the UK or EU and controlled by Pinsent Masons LLP.  However, depending on the jurisdiction from which our legal or other services are provided to you, or in which your personal information is otherwise processed by us, another entity in the Pinsent Masons group may be the data controller in respect of your personal information. For country specific information about our business, including a list of our offices and the jurisdictions in which we operate, please click here

Where we transfer your personal data to third parties, in certain circumstances those third parties may also be data controllers.  More information about this is provided in the 'Disclosure' part of the tables in section 4 of this policy.

Our global presence means that your personal information may be transferred across the business worldwide due, for example, to our shared IT systems and cross-border working practices.

We also use a number of suppliers and service providers in connection with the operation of our business who may have access to the personal information that we process, e.g. an IT supplier may see your personal information when providing us with software support, or a company which we use for a marketing campaign may process your contact information on our behalf.  In all cases, your personal information is handled and protected in accordance with data protection law.

3. Whose personal information do we process?

We collect and process the personal information:

  • of our non-client contacts, such as those who use our website and online services, attend our webinars, seminars and events, and subscribe to our newsletters, email services and other promotional services (see section 4.1, 'Service Users, Non-client Contacts and Visitors', for more information);
  • obtained or created in relation to the legal services we provide, including the personal information of:
    • our clients, our client contacts, their people and third parties engaged by our clients (see 4.2, 'Clients and Client Contacts');
    • client counterparties and other third parties connected to the matters on which we are working for our clients (see 4.5, 'Service Providers and Other Non-client Individuals / Third Parties'); and
    • professional advisers, experts and consultants involved in the work that we carry out for our clients or engaged by us to support our client work (see 4.5);
  • of those who apply for a job or work placement with us (see 4.3, 'Applicants');
  • of our people;
  • of Varios and prospective Varios (see 4.4, 'Varios and Prospective Varios'); and
  • of contractors, suppliers and other third parties connected to the operation of our business (see 4.5).

4. How do we process your personal information?

We will only process your personal information where we are permitted to do so by law, meaning when we have one or more legal basis to do so.  The following subsections explain how we process your personal information depending on the context of how personal information typically comes into our care, and include further information about the legal basis or bases that we rely on in those circumstances. 

In certain circumstances, we rely on the legal ground known as 'legitimate interests' to process your personal information.  This is where the processing of your personal information is necessary to pursue our legitimate interests in a way which is reasonably expected as part of running our business, but which is not detrimental to you and would have minimal impact on your privacy.  We undertake an assessment of any potential impact on your privacy before we process your personal information for our legitimate interests.

If you would like more details about the specific legal basis we are relying on to process your personal information where more than one legal basis has been set out in the relevant subsection below, please email us as at [email protected].

4.1 Service Users, Non-client Contacts and Visitors

If you use our website or other online services, attend our webinars, seminars or events, or subscribe to our newsletters, email services or other promotional services.

Legal basis for processing

  • You have provided us with your consent to use your personal information, e.g. in the course of subscribing to our newsletters, completing a survey of ours, signing-up to an event or creating an online account via our website.
  • It is necessary to pursue our legitimate interests for the purposes set out in the 'Use' section of this table.
  • It is necessary for the performance of a contract with you, e.g. in connection with the provision of legal or other professional services to you involving our online tools, products and systems.

Types of personal data

  • Identification information, e.g. title, name, the company you work for, and your job title or position.
  • Contact information, e.g. your address, email address, phone number, and marketing preferences.
  • Financial information, e.g. bank and payment card details.
  • Technical information, e.g. IP address, details of visits made to our online services such as the volume of traffic, online registration details and login credentials.
  • Diversity, health, religious beliefs or other special category personal information.
  • Images, e.g. CCTV footage taken at our premises and photos taken at our seminars or events.
  • Any other information relating to you which you may provide to us.

Collection

  • Directly from you, e.g. when you register for our events, seminars, or webinars, or to receive communications from us, or when you subscribe to our online services or provide information through electronic platforms made available to you in connection with services that we provide to you.
  • Via our website, e.g. connection data sent to our webserver by your browser when you connect to our website.
  • Via web based services, e.g. some analytical information may be collected through electronic platforms made available to you in connection with services that we provide to you.

Use

  • To complete any request you may make in relation to your marketing preferences, or other preferences relating to our communications with you.
  • To provide and improve our services and products, e.g. by monitoring and recording information relating to web based services such as how and when systems are accessed and how data is uploaded, to analyse performance.
  • To promote our services and to contact you with communications about legal updates, breaking news, newsletters and events.
  • For health and safety reasons, (e.g. to inform access, adjustment and dietary requirements for our meetings and events) and the application, audit and enforcement of our policies.
  • To improve your experience of our website, newsletters and other services, e.g. by monitoring and recording information relating to your browsing behaviour to make personalised content available to you more efficient and relevant.
  • To facilitate our internal business operations, e.g. internal record keeping and accounting.
  • To monitor and analyse our interactions with you to improve our relationship with you and help us to grow and develop our business.
  • For the prevention and detection of criminal activity, e.g. to ensure the security of our website and premises.

Disclosure

Your personal information may be transferred worldwide:

  • across the Pinsent Masons group;
  • to service providers who support the operation of our business;
  • to law enforcement, judicial, governmental and regulatory agencies, or professional bodies or similar where we are compelled to do so by law, regulation or professional obligations; and
  • to other third parties in limited circumstances, e.g. where we run a joint seminar with a third party that you wish to attend.

Some of these recipients may be acting as data controllers. In all cases, the personal information of yours that we share will be limited to the minimum required for the relevant purpose and subject to the appropriate terms regarding disclosure, confidentiality and data protection.

4.2 Clients and Client Contacts

If you instruct us on a legal matter or engage us for other professional services.

Legal basis for processing

  • It is necessary to pursue our legitimate interests for the purposes set out in the 'Use' section of this table.
  • It is necessary for the performance of a contract with our client, e.g. in connection with the provision of legal or other professional services to our client.
  • To meet our legal and regulatory obligations.
  • You have provided us with your consent to use your personal information, e.g. in the course of completing a survey or signing-up to an event.
  • To establish, exercise or defend legal claims.

Types of personal data

  • Identification information, e.g. title, name, date of birth, the company you work for, your job title or position, and your passport or other official forms of ID.
  • Contact information, e.g. your address, email address, phone number, and marketing preferences.
  • Financial information, e.g. bank details and identifiers.
  • Technical information, e.g. IP address, records of your visits to our online services, your online registration details and login credentials.
  • Special category personal data, e.g. diversity, health and religious/philosophical beliefs.
  • Images, e.g. CCTV footage taken at our premises and photos taken at our meetings or events.
  • Other personal information provided to us by you, by our client, or by third parties on our client's behalf to inform our work for our client, or generated or sourced by us in the course or providing legal or other professional services to our client, which may include special categories of personal data and personal data relating to criminal convictions and offences or related to security measures.
  • Any other information relating to you which you or our client may provide to us.

Collection

  • Directly from you or our client, e.g. to inform our work for our client and for connected purposes such as relationship management and file opening procedures.
  • From third parties, e.g. further information to verify your identity or inform our work for our client may be collected from publicly available databases.
  • Directly from you, e.g. when you register for our events, seminars, or webinars, or to receive communications from us, or when you subscribe to our online services or provide information through electronic platforms made available to you in connection with services that we provide to you.
  • Via our website, e.g. connection data sent to our webserver by your browser when you connect to our website.
  • Via web based services, e.g. analytical information collected through electronic platforms made available to you in connection with services that we provide to you or our client.

Use

  • To deliver our services to you or our client.
  • To manage and administer our relationship with you or our client e.g. communicating with you, and instruction, file opening and billing procedures.
  • To facilitate our internal business operations, e.g. internal record keeping and accounting practices.
  • To establish, exercise or defend legal claims.
  • As required by law and to comply with our statutory and regulatory obligations, e.g. anti-money laundering, disclosure obligations and court orders.
  • To complete any request you may make in relation to your marketing preferences, or other preferences relating to our communications with you.
  • To improve our services and products, e.g. by monitoring and recording information relating to web based services such as how and when systems are accessed and how data is uploaded.
  • To promote our services and to contact you with communications about legal updates, breaking news, newsletters and events.
  • For health and safety reasons, (e.g. to inform access, adjustment and dietary requirements for our meetings and events) and the application, audit and enforcement of our policies.
  • To improve your experience of our website, newsletters and other services, e.g. by monitoring and recording information relating to your browsing behaviour to make personalised content available to you more efficient and relevant.
  • To monitor and analyse our interactions with you to improve our relationship with you and help us to grow and develop our business.
  • For the prevention and detection of criminal activity, e.g. to ensure the security of our website and premises.

Disclosure

Your personal information:

  • may be transferred worldwide:
  • across the Pinsent Masons group;
  • to service providers who support the operation of our business;
  • to other third parties connected to, involved in or engaged by us to support our work for our client, e.g. professional advisers, legal counsel, experts, and witnesses;

  • to law enforcement, judicial, governmental and regulatory agencies, or professional bodies or similar where we are compelled to do so by law, regulation or professional obligations; and
  • to other third parties in limited circumstances;
  • will be stored in:
  • Pinsent Masons' information systems; and
  • third party software applications and services which have been procured to support the management of the information in our care.

Some of these recipients may be acting as data controller. In all cases, personal information of yours that is shared or stored outside of the Pinsent Masons group will be limited to the minimum required for the relevant purpose and subject to the appropriate terms regarding disclosure, confidentiality and data protection.

4.3 Applicants

If you apply for a job, work placement or vacation scheme with us (excluding Vario applicants; see 4.4).

Legal basis for processing

  • It is necessary to pursue our legitimate interests for the purposes set out in the 'Use' section of this table.
  • It is necessary in order for us to takes steps, at your request, to enter into a contract with you.
  • To meet our legal and regulatory obligations.
  • You have provided us with your consent to use your personal information.

Types of personal data

  • Personal information, including name, date of birth, address, contact details, qualifications, and education and employment history.
  • Next-of-kin and dependants' information.
  • Special category personal data, e.g. ethnicity, health and religious/philosophical beliefs.
  • Pre-employment vetting information including the results of financial and criminal records checks, verification of address and qualifications, references, official forms of ID and right to work status.
  • Financial information including bank details and identifiers (e.g. National Insurance numbers).
  • Any other information relating to you that you may provide to us.

Collection

  • Directly from you, e.g. via your application, submission of your CV, completing our diversity questionnaires, in interviews, and at recruitment events and networking occasions.
  • From third parties, including recruitment agencies, providers of background checking services, former employers or other referees, academic institutions, professional bodies, and publicly available resources, including professional social media such as LinkedIn.

Use

  • For our recruitment processes, including to assess suitability, eligibility and fitness to work.
  • For human resources administration, including remuneration and all aspects of managing our relationship with you.
  • For health and safety reasons, (e.g. to inform access, adjustment and dietary requirements for our meetings and events) and the application, audit and enforcement of our policies.
  • For the prevention and detection of criminal activity and to ensure our information systems and offices are secure.
  • For reporting purposes when required to do so by law or regulation.

Disclosure

Your personal information:

  • may be transferred worldwide:
  • across the Pinsent Masons group;
  • to service providers who support the operation of our business;
  • to law enforcement, judicial, governmental and regulatory agencies, or professional bodies or similar where we are compelled to do so by law, regulation or professional obligations; and
  • to other third parties in limited circumstances;
  • will be stored in:
  • Pinsent Masons' information systems; and
  • third party software applications and services which have been procured to support the operation of our human resources functions.

Some of these recipients may be acting as data controller. In all cases, personal information of yours that is shared or stored outside of the Pinsent Masons group will be limited to the minimum required for the relevant purpose and subject to the appropriate terms regarding disclosure, confidentiality and data protection.

4.4 Varios and Prospective Varios

If you apply to become or are working with us as a Vario

Legal basis for processing

  • It is necessary pursue our legitimate interests for the purposes set out in the 'Use' section of this table.
  • It is necessary for the performance of a contract with you or in order for us to takes steps, at your request, to enter into a contract with you.
  • To meet our legal and regulatory obligations.
  • You have provided us with your consent to use your personal information.

Types of personal data

  • Personal information, including name, date of birth, address, contact details, qualifications, and education and employment history.
  • Next-of-kin and dependants' information.
  • Special category personal data, e.g. diversity, ethnicity, health and religious/philosophical beliefs.
  • Pre-employment vetting information including the results of financial and criminal records checks, verification of address and qualifications, references, official forms of ID and right to work status.
  • Character suitability information, including the results of psychometric tests.
  • Financial information including bank details and identifiers, e.g. National Insurance numbers.
  • Technical information, e.g. IP address, browsing preferences, online registration details and login credentials.
  • Any other information relating to you that you may provide to us.

Collection

  • Directly from you, e.g. via your application to become a Vario, submission of your CV, completion of our diversity questionnaires, populating your information in our CRM System, in interviews, in catch-ups, and at events and networking occasions.
  • From third parties, including recruitment agencies, clients of ours with whom you may be placed, providers of background checking services, providers of psychometric testing, former employers or other referees, academic institutions, professional bodies, and publicly available resources, including professional social media platforms such as LinkedIn.

Use

  • For recruitment purposes, including to assess suitability, eligibility and fitness to work.
  • For human resources administration and management purposes including remuneration, managing all aspects of our relationship with you, and connecting and placing Varios with suitable clients.
  • For health and safety reasons (e.g. to inform access, adjustment and dietary requirements for placements and for our meetings and events), and for the application, audit and enforcement of our policies and other terms and conditions relating to you becoming or working as a Vario.
  • For the prevention and detection of criminal activity and to ensure our information systems and offices are secure.
  • For any other purposes connected with you being or becoming a Vario.

Disclosure

Your personal information:

  • may be transferred worldwide:
  • across the Pinsent Masons group;
  • to service providers who support the operation of our business;
  • with Pinsent Masons' clients who are considering, or have contracted for, a Vario assignment;
  • to law enforcement, judicial, governmental and regulatory agencies, or professional bodies or similar, where we are compelled to do so by law, regulation or professional obligations; and
  • to other third parties in limited circumstances;
  • will be stored in:
  • Pinsent Masons' information systems; and
  • third party software applications and services which have been procured to support the operation of the Vario team.

Some of these recipients may be acting as data controller. In all cases, personal information of yours that is shared or stored outside of the Pinsent Masons group will be limited to the minimum required for the relevant purpose and subject to the appropriate terms regarding disclosure, confidentiality and data protection. Once your information has been shared with a client in respect of a Vario assignment in which you have expressed an interest, that client may make your personal information available to other third parties. The client's privacy policies will detail how it may further process your personal data.

4.5 Service Providers and Other 'Non-client' Individuals / Third Parties

If you are a supplier or other service provider, an individual named in or connected with matters on which we are advising a client, or any other third party.

Legal basis for processing

  • It is necessary to pursue our legitimate interests for the purposes set out in the 'Use' section of this table.
  • It is necessary for the performance of a contract with you.
  • To meet our legal and regulatory obligations.
  • You have provided us with your consent to use your personal information.

Types of personal data

  • Personal identifiers e.g. title, name, date of birth, address, email address and phone number.
  • Professional contact information, e.g. the organisation you work for, your job title or position, address, email address and phone number.
  • Professional information, e.g., your expertise and experience, feedback on your services (including opinions) from our people and/ or our clients and other information relevant and connected to how you may have performed any service referred to you by us.
  • Financial information, e.g. bank details and identifiers, and fees information.
  • Where you are named in or connected with matters on which we are advising a client, any personal information about you provided to us by or on behalf of our clients or generated by us in the course or providing legal services to our clients, which may include special categories of data.
  • Diversity, health or religious beliefs information.
  • Images, e.g. CCTV footage taken at our premises and photos taken at our meetings or events.
  • Any other information relating to you which you may provide to us.

Collection

  • Directly from you.
  • From our clients.
  • From third parties, such as other professional advisers and third parties connected to a matter, and through publicly available sources including court and public records and social media.

Use

  • To deliver our services to our clients.

     

  • For referral purposes: we maintain a database of legal services providers and personal information relating to other third parties such as experts for similar purposes.
  • To manage and administer our relationship with you e.g. communicating with you, and instruction and billing procedures.
  • To facilitate our internal business operations, e.g. internal record keeping, procurement and accounting practices.
  • To establish, exercise or defend legal claims.
  • As required by law and to comply with our statutory and regulatory obligations, e.g. anti-money laundering, disclosure obligations and court orders.
  • For the prevention and detection of criminal activity.
  • For health and safety reasons, (e.g. to inform access, adjustment and dietary requirements for our meetings and events) and the application, audit and enforcement of our policies.

Disclosure

Your personal information:

  • may be transferred worldwide:
  • across the Pinsent Masons group;
  • to service providers who support the operation of our business;
  • to law enforcement, judicial, governmental and regulatory agencies, or professional bodies or similar where we are compelled to do so by law, regulation or professional obligations;
  • to other third parties in appropriate circumstances, e.g. to our clients during the course of our work with them; and
  • will be stored in:
  • Pinsent Masons' information systems; and
  • third party software applications and services which have been procured to support the management of the information in our care.

Some of these recipients may be acting as data controller. In all cases, personal information of yours that is shared or stored outside of the Pinsent Masons group will be limited to the minimum required for the relevant purpose and subject to the appropriate terms regarding disclosure, confidentiality and data protection.

5. For how long do we keep your information?

Your personal information is retained by us in accordance with applicable law and regulation.   Our data retention periods vary depending on the location, nature and context of the personal information that we have in our care, and are calculated taking into account the following factors:

  • potential claims or litigation;
  • guidance from official bodies such as relevant data protection supervisory authorities and professional regulatory bodies;
  • how long we need to keep the data to fulfil the original purpose for which it was collected;
  • the nature and sensitivity of personal data; and
  • legal obligations to which we are subject.

6. Your rights

Depending on where you are in the world and which of the Pinsent Masons entities processes your personal information, you may have one or more of the following rights in respect of that personal information:

  • to be informed about the collection and use of your personal information;
  • to ask whether we process your personal information and request a copy of it if so;
  • to object to decisions that we may make based solely on the automated processing of your personal information;
  • in certain circumstances, to object to processing of your personal information where we do so for the purposes of our legitimate interests; 
  • to request that any inaccurate or incomplete personal information of yours in our care is rectified or competed;
  • in certain circumstances, to restrict our processing of your personal information;
  • in certain circumstances, to receive your personal information or have your personal information transmitted to another organisation in a structured, commonly used and machine readable format;
  • in certain circumstances, to request that we delete your personal information; and
  • to object to our processing of your personal information for direct marketing purposes.

Not all of these rights are absolute, which means that they may only apply in certain situations and may be subject to legal exceptions and exemptions.  To exercise your rights, please email us at [email protected].  You may also write to us at Privacy Team, Pinsent Masons, 19 Cornwall Street, Birmingham, B3 2DT, United Kingdom.

You may change your marketing preferences or let us know that you no longer wish to receive any marketing communications from us by:

  • logging into your Pinsent Masons account and updating your preferences (via our website or via the link at the foot of each email that you have received from us) - please note it may take up to 72 hours for changes to take effect; or
  • sending an email to [email protected]; or
  • writing to us at Privacy Team, Pinsent Masons, 19 Cornwall Street, Birmingham, B3 2DT, United Kingdom.

7. How to make a complaint

Our Privacy Team oversees our compliance with data protection laws and this policy, and provides guidance and advice to the firm and our people.  Our Compliance Officer for Legal Practice ('COLP') oversees compliance with our professional responsibilities and the reporting of any failures to comply with legislative requirements, including data protection.

Please direct any complaint relating to how the firm has processed your personal information to [email protected]nsentmasons.com. You may also write to us at Privacy Team, Pinsent Masons, 19 Cornwall Street, Birmingham, B3 2DT, United Kingdom.  We hope that we can resolve any query or concern you raise about our processing of your personal information.

The General Data Protection Regulation and certain other applicable data protection laws give you the right to lodge a complaint with a data protection supervisory authority ('DPA'), usually in the country or state where you work, normally live or where any alleged infringement of data protection laws has occurred. Details of European DPAs can be found here.  Details of the DPAs relevant to other jurisdictions in which we operate are set out in section 10 of this policy.

8. Links to other websites

We sometimes provide you with links to other websites, but these websites are not under our control. We are not liable to you for any issues arising in connection with their use of your information, the website content or the services offered to you by those websites.

We recommend that you check the privacy policy and terms and conditions on each website to see how each third party will process your information.

9. Terminology

When we say 'we', 'our', 'us' or 'Pinsent Masons' in this policy, we are referring to all or any of the entities which make up the international Pinsent Masons group, as the context requires.  An explanation of some of the other terminology we use in this policy is set out below.

"client"

any person or organisation to whom the firm provides a service and who is identified as a client on the firm's practice management system, regardless of whether time is recorded or a fee is charged;

"contact"

an individual who is a contact of the firm, including any client, any potential or former client, any supplier, any consultant, or any another professional advisor and any other contact of the firm;

"data"

recorded information whether stored electronically, on a computer, or in certain paper-based filing systems;

"data controller"

a person who or organisation which determines how personal information is processed and for what purposes;

"individual" or "you"

the person whose personal information is being collected, held or processed;

"partner(s)"

refers to a member of Pinsent Masons LLP or an employee or consultant of Pinsent Masons with equivalent standing;

"our people"

means partners, members, consultants, employees, temporary workers, agency and casual workers, contractors, collaborators, volunteers and those on work placements providing services to/working for Pinsent Masons;

"personal information" or "personal data"

information (including opinions) which relates to an individual and from which he or she can be identified either directly or indirectly through other data which the firm has or is likely to have in its possession. These individuals are sometimes referred to as data subjects;

"policy"

the global privacy policy as amended from time to time;

"process" or "processing"

any activity that involves personal information. It includes obtaining, recording or holding the personal information, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal information to third parties as a result of those third parties having access to it;

"special category personal data" or "special category personal information"

means information revealing someone's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or genetic information, biometric information, information concerning health or concerning sex life or sexual orientation;

"Vario"

a consultant lawyer working for Pinsent Masons' freelance legal resource business.

10. Non-European DPAs

Australia

The Privacy Commissioner, under the Office of the Australian Information Commissioner.

GPO Box 5218, Sydney NSW 2001

https://www.oaic.gov.au/

Dubai

There is no national DPA in the UAE.

Qatar - Qatar Financial Centre ('QFC')

The Employment Standards Office at the QFC.

Employment Standards Office, Qatar Financial Centre, Level 8, QFC Tower 1, Westbay, Doha, Qatar

Tel: +974 44967609

Email: [email protected]

http://www.qfc.qa/en/Operate/Pages/ESO.aspx

 

Hong Kong

The Office of the Privacy Commissioner for Personal Data

12/F, Sunlight Tower, 248 Queen’s Road East, Wanchai, Hong Kong

http://www.pcpd.org.hk/

People's Republic of China ('PRC')

There is no unified data protection legal regime nor a single designated DPA in the PRC. Competent authorities and enforcement regulators in some sectors may monitor and enforce data protection issues, e.g. the Cyberspace Administration of China and the Ministry of Public Security.

Singapore

Personal Data Protection Commission

10 Pasir Panjang Road, #03-01 Mapletree Business City Singapore 117438

Tel: +65 6377 3131

Fax: +65 6577 3888

Email: [email protected]

http://www.pdpc.gov.sg/

South Africa

The office of the Information Regulator has been established under the Protection of Personal Information Act 4 of 2013 ('POPIA'). As at January 2020, POPIA is yet to be fully implemented. The Information Regulator is to be responsible for investigating and attempting to resolve complaints.