Client Data Protection Statement
Introduction
In the course of our acting for you, we may receive information relating to you, your directors, shareholders, beneficial owners, employees, agents, associates and family members. In this Data Protection Statement (this “Policy”), we refer to this information as “personal data”. This Policy sets out the basis on which we will process this personal data. Please read the Policy carefully to understand our practices regarding personal data and how we will use it.
About Milberg London LLP
- The data controller in respect of personal data is Milberg London LLP, a limited liability partnership registered in England and Wales under number OC430853. Our registered office is at Third Floor, Sutton Yard, 65 Goswell Road, London, EC1V 7EN.
- Milberg London LLP is registered with the Information Commissioner’s Office under registration number ZA777525.
- Milberg London LLP is authorised and regulated by The Solicitors Regulation Authority.
- References in this Policy to the “Firm”, “we”, “our” or “us” are references to Milberg London LLP.
Contacting us
We are not required to appoint a formal Data Protection Officer under data protection laws. However, our Privacy Manager is James Taylor whose contact details are:
Email: [email protected]
Address: Privacy Manager, Third Floor, Sutton Yard, 65 Goswell Road, London, EC1V 7EN.
Data protection principles
- Anyone processing personal data must comply with the principles of processing personal data as follows:
- lawfulness, fairness and transparency – data must be processed lawfully, fairly and in a transparent manner.
- purpose limitation – data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- data minimization – data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- accuracy – data must be accurate and, where necessary, kept up to date.
- storage limitation – data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
- integrity and confidentiality – data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage by using appropriate technical or organisational measures.
- This Policy describes the personal data that we collect, and explains how we comply with these principles.
Information we collect
- We collect the personal data as necessary to enable us to carry out your instructions, to manage and operate our business and to comply with our legal and regulatory obligations.
- The personal data that we collect includes, but is not limited to, the following: your name; home and business address; contact details (such as telephone numbers and email address); date of birth; gender; marital status; copies of passport, national identity card, driving licence, utility bills, bank statements and similar documents; business and professional qualifications and experience; immigration status and work permits; information relating to the matter in which you are seeking our advice or representation; other personal data contained in correspondence and documents which you may provide to us.
- If you do not provide any personal data that we ask for and that we need to enable us to carry out your instructions, it may delay or prevent us from providing our services to you.
- Where the personal data relates to your directors, shareholders, beneficial owners, employees, agents, associates or family members you confirm that you are authorised to provide this personal data to us. It is not reasonably practicable for us to provide to these individuals the information set out in this Policy. Accordingly, where appropriate, you are responsible for providing this information to any such individuals.
How your information is collected
- We collect most of this information from you directly. However, we also collect information:
- from publicly accessible sources (such as Companies House);
- directly from a third party (such as client due diligence providers and credit reference agencies);
- from a third party with your consent (such as your bank or building society, another financial institution or advisor or consultants and other professionals you may engage);
- from your employer, professional body or pension administrators; and
- from our IT systems and communications monitoring, building access control systems and reception logs.
How and why we use your information
- Our use of your personal data is subject to your instructions, data protection laws and our professional duty of confidentiality.
- We will only process your personal data if we have a legal basis for doing so, including where:
- you have given consent;
- processing is necessary for the performance of our contractual engagement with you: this relates to all personal data we reasonably need to process to carry out your instructions;
- processing is necessary for compliance with a legal obligation to which we are subject: this relates to our legal obligations in relation to, for example, anti-money laundering; and
- processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms: this relates to our processing for marketing purposes, for our management, accounting and administration purposes and for data security.
- The table below further explains the purposes for which we will use your personal data (excluding special categories of personal data) and our legal basis for doing so:
Purposes for which we will process the information | Legal basis for the processing |
To provide legal professional services to you in connection with your matters. | For the performance of our contract with you or to take steps at your request before entering into a contract. |
To carry out associated administration and accounting in connection with your matters and other processing necessary to comply with our professional, legal and regulatory obligations. | For the performance of our contract with you or to take steps at your request before entering into a contract. To comply with our legal and regulatory obligations. |
To comply with our anti-money laundering requirements. | To comply with our legal and regulatory obligations. |
To comply with our internal business policies. | It is in our legitimate interests or those of a third party to adhere to our own internal procedures so that we can deliver an efficient service to you. We consider this use to be necessary for our legitimate interests and proportionate. |
For operational reasons, such as improving efficiency, training and quality control. | It is in our legitimate interests to be as efficient as we can so we deliver the best service for you. |
To prevent unauthorised access and modifications to our systems. | It is in our legitimate interests to prevent and detect criminal activity that could be damaging for the Firm and/or for you. To comply with our legal and regulatory obligations. |
For updating client records. | For the performance of our contract with you or to take steps at your request before entering into a contract. To comply with our legal and regulatory obligations. For our legitimate interests, eg making sure we can keep in touch with our clients about legal developments and existing and new services. |
For marketing our services. | It is in our legitimate interests to market our services. We consider this use to be proportionate and will not be prejudicial or detrimental to you. |
To carry out credit reference checks. | It is in our legitimate interests to carry out credit control and to ensure our clients are likely to be able to pay for our services. |
External audits and quality checks, e.g. for the audit of our accounts. | It is in our legitimate interests to maintain our accreditations so we can demonstrate we operate at the highest standards. To comply with our legal and regulatory obligations. |
To enforce legal rights or defend or undertake legal proceedings. | To comply with our legal and regulatory obligations. For our legitimate interests, ie to protect our business, interests and rights. |
Data processing
- The Firm acts as a data controller in relation to the processing of personal data as set out in this Policy. However, in some circumstances we may process personal data on your behalf as a data processor for the purposes of data protection laws.
- Where we process any personal data on your behalf as your data processor, the terms set out in our data processing addendum, a copy of which is available on request from our Privacy Manager, shall apply.
Special categories of personal data
- You may also supply us with, or we may receive, special categories of (or “sensitive”) personal data. This is defined by data protection laws to include (but is not limited to) personal data revealing a person’s racial or ethnic origin, religious or philosophical beliefs, or data concerning health.
- We process these special categories of personal data on the basis of one or more of the following:
- where you have given explicit consent to the processing of the personal data for one or more specified purposes;
- where the processing relates to personal data which is manifestly made public by you;
- where the processing is necessary for the establishment, exercise or defence of legal claims;
- where the processing is necessary for reasons of substantial public interest, in accordance with applicable law (such reasons include where the processing is necessary for the purposes of the prevention or detection of an unlawful act or for preventing fraud); or
- for the provision of confidential advice.
Data relating to criminal convictions and offences
- We collect and store personal data relating to criminal convictions and offences (including the alleged commission of offences) only where necessary for the purposes of:
- where you have given consent;
- where the processing relates to personal data which is manifestly made public by you;
- where the processing is necessary for reasons of substantial public interest, in accordance with applicable law (such reasons include where the processing is necessary for the purposes of the prevention or detection of an unlawful act or for preventing fraud).
- where the processing (i) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), (ii) is necessary for the purpose of obtaining legal advice, or (iii) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
Marketing
- We may use your personal data to send you updates (by email, text, telephone or post) about legal developments that might be of interest to you and/or information about our services, including exclusive offers, promotions or new services or products. You have the right to opt out of receiving promotional communications at any time, by:
- contacting us by email at [email protected] and/or [email protected];
- contacting our Privacy Manager whose details are given above; or
- using the ‘unsubscribe’ link in emails or ‘STOP’ number in texts.
Email monitoring
Email which you send to us or which we send to you may be monitored by the Firm to ensure compliance with professional standards and our internal compliance policies. Monitoring is not continuous or routine, but may be undertaken on the instruction of a partner where there are reasonable grounds for doing so.
Third party processors
- Our information technology systems are operated by the Firm but some data processing is carried out on our behalf by a third party (see section 14 (Disclosure of personal data) below). Details regarding these third-party data processors can be obtained from our Privacy Manager whose details are given above.
- Where processing of personal data is carried out by a third party data processor on our behalf we endeavour to ensure that appropriate security measures are in place to prevent any unauthorised disclosure of or access to your personal data.
Disclosure of personal data
- Personal data will be retained by us and will not be shared, transferred or otherwise disclosed to any third party, save as set out in this Policy.
- If we are working with other professional advisers in relation to any matter handled by us on your behalf then, unless you instruct us otherwise, we shall assume that we may disclose your information to them.
- We disclose and share personal data:
- with partners, staff and consultants of the Firm based in the UK;
- where appropriate, with other affiliated firms which are part of the Milberg brand (including in the USA);
- if you are part of a Group Litigation, with the Representative Claimants and Committee (to the extent necessary);
- to other professional advisers and third parties in accordance with your instructions;
- to our professional indemnity insurers or brokers, and our auditors, or risk managers who we or they may appoint;
- with the courts or any other judicial body involved in your dispute;
- to third party processors, service providers, representatives and agents that we use to make our business more efficient, including for our IT services, data storage/back-up and marketing; and/or
- if we, acting in good faith, consider disclosure to be required by law or the rules of any applicable governmental, regulatory or professional body.
- Certain laws (for example, those relating to money laundering and tax fraud) give power to authorities such as the police or the tax authorities to inspect clients’ information and take copies of documents. It is possible that, at any time, we may be requested by those authorities to provide them with access to your information in connection with the work we have done for you. If this happens, we will comply with the request only to the extent that we are bound by law and, in so far as it is allowed, we will notify you of the request or provision of information.
- In certain circumstances, solicitors are required by statute to make a disclosure to the National Crime Agency where they know or suspect that a transaction may involve a crime including money laundering, drug trafficking or terrorist financing. If we make a disclosure in relation to your matter, we may not be able to tell you that a disclosure has been made.
- We may transfer personal data to a successor firm or company which acquires the legal practice carried on by us. If this happens, we shall ensure that you are notified of the transfer and we shall secure a commitment from the firm or company to which we transfer personal data to comply with applicable data protection laws.
- Some of these third parties may be based outside the United Kingdom or the European Economic Area (“EEA”). For more information, including on how we safeguard your personal data when this occurs, see below: ‘International Transfers’.
Your rights
- Access to your information and updating your information
- You have the right to access information which we hold about you. If you so request, we shall provide you with a copy of your personal data which we are processing (“subject access request”). We may refuse to comply with a subject access request if the request is manifestly unfounded or excessive or repetitive in nature.
- You also have the right to receive your personal data in a structured and commonly used format so that it can be transferred to another data controller (“data portability”). This right only applies where your personal data is processed by us with your consent or for the performance of a contract and when processing is carried out by automated means.
- We want to make sure that your personal data is accurate and up to date. You have the right to have inaccurate personal data rectified, or completed if it is incomplete. We may refuse to comply with a request for rectification if the request is manifestly unfounded or excessive or repetitive.
- Right to object
- You have the right to object at any time to our processing of your personal data for direct marketing purposes.
- You also have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on our legitimate interests. Where you object on this ground, we shall no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
- Your other rights
- You also have the right under data protection laws to request that we rectify your personal data which is inaccurate or incomplete.
- In certain circumstances, you have the right to: (i) request the erasure of your personal data (“right to be forgotten”) and (ii) restrict the processing of your personal data to processing to which you have given your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of others.
- Please note that the above rights are not absolute, and we may be entitled to refuse requests, wholly or partly, where exceptions under applicable law apply. For example: we may refuse to comply with a request for access if the request is manifestly unfounded or excessive or repetitive in nature; we may refuse a request for erasure where the processing is necessary to comply with a legal obligation or necessary for the establishment, exercise or defence of legal claims.
Exercising your rights
- You can exercise any of your rights as described in this Policy and under data protection laws by contacting our Privacy Manager whose details are given above.
- Save as described in this Policy or provided under applicable data protection laws, there is no charge for the exercise of your legal rights. However, if your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or taking the action requested; or (b) refuse to act on the request.
- Where we have reasonable doubts concerning the identity of the person making the request, we may request additional information necessary to confirm your identity.
Security of your information
- We store your information in hard copy and in electronic format. We use industry standard technical and organisational measures to protect information from the point of collection to the point of destruction.
- We will only transfer personal data to a third party if it agrees to comply with those procedures and policies, or if it puts in place adequate measures itself.
- Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted over the internet.
International transfers
- To deliver services to you, it is sometimes necessary for us to transfer and store your personal data outside of the UK or the EEA as follows:
- affiliated firms which are part of the Milberg brand;
- our service providers located outside the UK or the EEA;
- if you are based outside the UK or the EEA; and
- where there is an international aspect to the matter which we have been instructed on.
- Where personal data is transferred to and stored outside the UK or the EEA, we take steps to provide appropriate safeguards to protect your personal data, including:
- transferring your personal data to a country, territory, sector or international organisation which the UK Government or (as the case may be) the European Commission has determined ensures an adequate level of protection, as permitted under data protection laws (Article 45(1) GDPR); or
- entering into standard contractual clauses approved by the UK Government or (as the case may be) the European Commission, obliging recipients to protect your personal data as permitted under data protection laws (Article 46(2)(c) GDPR).
- In the absence of an adequacy decision or of appropriate safeguards as referenced in paragraph 18.2 above, we will only transfer personal data to a third country where one of the following applies (as permitted under Article 49 GDPR):
- the transfer is necessary for the performance of our contractual engagement with you;
- the transfer is necessary for the establishment, exercise or defence of legal claims; or
- you have provided explicit consent to the transfer.
- If you want further information on the specific mechanism used by us when transferring your personal data out of the UK or the EEA, please contact our Privacy Manager using the details set out above.
How long we keep your information
- Personal data processed by us will only be retained for as long as necessary to fulfil our engagement. Following the end of our engagement we will retain your information:
- to enable us to respond to any queries, complaints or claims made by you or on your behalf; and
- to the extent necessary for (i) complying with our legal, regulatory, accounting and reporting obligations, (ii) the establishment or defence of legal claims, or (iii) our legitimate business purposes.
- After this period, when it is no longer necessary to retain your personal data, we will securely delete or anonymise it in accordance with our Data Retention Policy. Further details regarding our data retention policy can be obtained from our Privacy Manager whose details are given above.
Complaints
- If you have any questions or complaints regarding this Policy or our privacy practices, please contact our Privacy Manager in the first instance via the details given in paragraph 3 above. We hope we will be able to resolve any issues you may have.
- You also have the right to make a complaint at any time with a supervisory authority, in particular in the EU (or EEA) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner’s Office (“ICO”) who can be contacted at https://ico.org.uk/ or telephone on 0303 123 1113.
Changes to this policy
We may change this Policy from time to time. The current version of this Policy will always be available from us in hard copy or on our website. We will post a prominent notice on our website to notify you of any significant changes to this Policy or update you by other appropriate means.