Legal Notices

The provisions set out in this Privacy Notice shall apply only if:

(a) you have any right or rights under:

  1. the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of Such Data and Repealing Directive 95/46/EC (“GDPR”);
  2. the UK Data Protection Act 2018 and/or Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of Such Data (United Kingdom General Data Protection Regulation), as amended from time to time, together (“UK DPR”); and/or
  3. Data Protection Law DIFC Law No. 5 of 2020 (“DIFC DPR”)
    Collectively (the “Applicable Data Protection Laws”); and

(b) Curtis UK, Curtis NY and/or any other Curtis Entity or Curtis Entities have any obligation or obligations under the Applicable Data Protection Laws and/or any other applicable data protection laws and/or regulations in relation to personal data (including special categories of personal data and/or information regarding an individual’s criminal record or alleged criminal activities) of and/or about you. “Personal data” under the Applicable Data Protection Laws includes any information relating to an individual by which that individual can be identified, directly or indirectly, particularly by reference to an identifier such as the name, identification number, location data or an online identifier of that individual or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.Nothing in this Privacy Notice shall: (i) give you any right or rights that you do not have under the Applicable Data Protection Laws and/or any other applicable data protection laws and/or regulations; or (ii) impose on Curtis UK, Curtis NY and/or any other Curtis Entity or Curtis Entities any obligation or obligations which Curtis UK, Curtis NY and/or any other Curtis Entity or Curtis Entities do not have under the Applicable Data Protection Laws and/or any other applicable data protection laws and/or regulations.

1. General

This Privacy Notice describes how the Curtis Entities hold, use or otherwise process personal data for the purposes of, or in connection with, providing their respective professional legal services and sets out the rights of individuals in relation to their personal data in this regard. In addition: (a) Curtis’ Privacy Statement sets out how Curtis Entities hold, use or otherwise process personal data in relation to: (i) use of Curtis’ website, (ii) communications about Curtis’ expertise and professional services, and (iii) conflict of interest searches and other client due diligence; and (b) Curtis’ Mailings Privacy Policy sets out how Curtis Entities hold, use or otherwise process personal data in relation to mailing legal updates, insights, news alerts and other publications from Curtis Entities relating to legal matters, providing information about Curtis Entities’ services, and invitations to events which a Curtis Entity may organize or sponsor from time to time (“Mailings”), which are on Curtis’ website. For information regarding how Curtis Entities handle and process personal data in connection with job applications, please see the “Careers” section of Curtis’ website.

The individuals whose personal data the Curtis Entities process include: present and previous, actual, prospective and/or potential clients, employees, third-party vendors, any other individuals connected to those parties, and/or any other individuals with whom the Curtis Entities interact.

2. Who the Curtis Entities are

Curtis is an international law firm operating through a number of Curtis entities and offices worldwide. The “Curtis Entities” are: Curtis, Mallet-Prevost, Colt & Mosle LLP (incorporated in England and Wales as a limited liability partnership under the Limited Liability Partnerships Act 2000 with registered number OC302168) with offices in London, Frankfurt, Milan and Rome and Curtis, Mallet-Prevost, Colt & Mosle (France) LLP, (incorporated in England and Wales as a limited liability partnership under the Limited Liability Partnerships Act 2000 with registered number OC428111) with an office in Paris, together (“Curtis UK”); Curtis, Mallet-Prevost, Colt & Mosle LLP, a limited liability partnership organized under the laws of the State of New York, USA (“Curtis NY”) with offices in the United States, Beijing, Dubai and Muscat; Curtis, Mallet-Prevost, Colt & Mosle S.A.S., a Colombian simplified stock corporation with an office in Bogotá; Curtis, Mallet-Prevost, Colt & Mosle, S.C., a Mexican partnership with an office in Mexico City; Servicios Juridicos CMP Sociedad Civil, an Argentine partnership with an office in Buenos Aires; Curtis Mallet-Prevost (Kazakhstan) LLP, a Kazakh entity with offices in Almaty and Astana; Curtis Mallet-Prevost (Qazaqstan) Limited, an Astana International Financial Centre (AIFC) registered entity with an office in Astana; and Curtis, Mallet-Prevost, Colt & Mosle, Ltd., a Guernsey, Channel Islands entity; and “Curtis Entity” means any one of them.

The primary data controller in so far as Curtis Entities are concerned when processing data for the purposes set out in sections 5 and 6 below will be the Curtis Entity issuing the engagement letter. The Curtis Entities will use data for the limited purpose for which it is provided in connection with the provision of the Curtis Entities’ legal services for clients. The Curtis Entities take responsibility for controlling the personal data received by them from time to time in accordance with the limited discretion afforded to the Curtis Entities by the retainer with the client subject to legal and/or regulatory obligations, and/or professional rules and/or standards to which each Curtis Entity is subject.

The jurisdictions of the offices of the Curtis Entities include: the United Kingdom, the United States of America, Belgium, France, Germany, Italy, Switzerland, Guernsey, Mexico, Colombia, Argentina, Oman, the United Arab Emirates, Kazakhstan, the People’s Republic of China, and each other country in which a Curtis Entity has an office from time to time.

3. Contact details

The contact details of each office which forms part of the Curtis Entities can be found on the Curtis website.

The Chief Privacy Officer of the Curtis Entities is Jonathan Walsh. He can be contacted via this email form.

4. Types of personal data the Curtis Entities process

The Curtis Entities process personal data for the purposes of, or in connection with, providing professional legal services as a law firm. The types of an individual’s personal data which the Curtis Entities process include:

  1. contact details (an individual’s first and last names, work email address, work telephone number, postal address, job title);
  2. financial information (including information regarding bank accounts, payments and invoicing);
  3. information required by applicable laws or regulations to which the Curtis Entities are subject (including information for anti-money laundering checks and know-your-client checks) and/or otherwise needed for compliance by a Curtis Entity with legal and/or regulatory obligations and/or professional rules and/or standards;
  4. information needed for the purposes of, or in connection with, the provision of legal services by one or more the Curtis Entities; and
  5. any other information an individual may provide to a Curtis Entity in connection with the provision of legal services by one or more of the Curtis Entities.


5. Purposes of processing personal data

The Curtis Entities process personal data of individuals for the following purposes, all of which are for the purpose of, or in connection with, the provision of legal services by one or more Curtis Entities:

Purpose

Lawful basis

1. For the purpose of, or in connection with, the provision of legal services and the carrying out of legal work;

Processing is necessary for the performance of a contract a Curtis Entity has entered into with the individual, or in order to take steps at the request of the individual prior to entering into a contract; or

Processing is necessary for the purposes of the legitimate interests of a Curtis Entity as a provider of legal services, to process data in order to provide those services or in connection with those services; or for the purposes of a third party’s legitimate interests; or

Processing is necessary for compliance with a legal obligation to which a Curtis Entity is subject.

2. To manage client relationships and Curtis Entities’ business as a law firm, including administration of legal services and client relationships, and managing billing and payments;

Processing is necessary for the purposes of the legitimate interests of one or more Curtis Entities as provider(s) of legal services, to process data to carry out legal work and conduct business as a law firm; or for the purposes of a third party’s legitimate interests; or

Processing is necessary for compliance with a legal obligation to which a Curtis Entity is subject.

3. To comply with all or any legal and/or regulatory requirements to which one or more Curtis Entities are subject;

Processing is necessary for the performance of a contract to which the individual is party or in order to take steps at the request of the individual prior to entering into a contract; or

Processing is necessary for compliance with a legal obligation to which a Curtis Entity is subject.

4. To exercise or defend legal rights of any Curtis Entity, and/or to comply with a court order;

Processing is necessary for the purposes of the legitimate interests of one or more Curtis Entities as provider(s) of legal services, to process data to carry out legal work and conduct business as a law firm; or for the purposes of a third party’s legitimate interests; or

Processing is necessary for compliance with a legal obligation to which a Curtis Entity is subject.

5. For compliance by each Curtis Entity with professional duties and/or standards to which it is subject;

Processing is necessary for the purposes of the legitimate interests of all or any Curtis Entities in ensuring compliance with professional duties and/or standards to which they are subject.

6. To provide the client with access to online portals;

Processing is necessary for the purposes of the legitimate interests of one or more Curtis Entities and individuals in communicating and sharing/storing relevant documents or other material.

7. To ensure the security of the systems and premises of the Curtis Entities;

Processing is necessary for the purposes of the legitimate interests of all or any Curtis Entities in protecting their systems and premises from misuse or criminal activity.

8. To improve and develop Curtis Entities’ legal services, including for internal training and the provision of forms and precedents; and/or

Processing is necessary for the purposes of the legitimate interests of all or any Curtis Entities in providing their attorneys with access to other forms of documents and precedents for the purpose of staff training. The Curtis Entities will use reasonable efforts to ensure any sensitive or confidential information in the documents which is not vital to understanding the documents is redacted.

9. For any purposes related to and/or ancillary to any of the purposes listed in 1 – 8 above, or for any other purpose(s) for which personal data was provided to any Curtis Entity.

Processing is necessary for the performance of a contract a Curtis Entity has entered into with the individual, or in order to take steps at the request of the individual prior to entering into a contract; or

Processing is necessary for the purposes of the legitimate interests of all or any Curtis Entities as provider(s) of legal services, to process data in order to provide those services or in connection with those services; or for the purposes of a third party’s legitimate interests; or

Processing is necessary for compliance with a legal obligation to which a Curtis Entity is subject.

6. Purposes of processing special categories of personal data

The Curtis Entities may process “special categories of personal data” of individuals, which includes data revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data (such as passport photos and other ID photos) processed for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation.

The Curtis Entities process such data of individuals for the following purposes, all of which are for the purpose of, or in connection with, the provision of legal services by one or more Curtis Entities:

Purpose

Lawful basis

1. The provision of legal services and the carrying out of legal work; and/or

Processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity; or

Processing relates to personal data which is manifestly made public by the individual to whom the data relates; or

Any other lawful basis for processing such data under applicable laws and/or regulations.

2. To comply with all legal and regulatory requirements the Curtis Entities is subject to, including anti-bribery laws and know-your-client checks.

Processing is necessary for reasons of substantial public interest, on the basis of European Union or Member State law to which one or more Curtis Entities are subject; or

Processing relates to personal data which is manifestly made public by the individual to whom the data relates; or

Any other lawful basis for processing such data under applicable laws and/or regulations.

In addition, the Curtis Entities may, where appropriate, process data relating to an individual’s criminal offenses or confirmation of clean criminal record, if permitted and/or required by applicable laws and/or regulations.

7. Failure to provide information

Where the provision of personal data of an individual is a statutory, regulatory or contractual requirement or a requirement necessary to enter into a contract and that individual’s personal data is not provided to the Curtis Entities, the Curtis Entities may not be able to perform, or may have to cease performing, legal services.

8. Data security

The Curtis Entities have implemented appropriate personal data security policies and technical measures to protect personal data under their control from unauthorized access, improper use, unauthorized modification, unauthorized disclosure or accidental loss. The Curtis Entities have put in place procedures to deal with any personal data breach in accordance with their respective legal obligations in this regard.

9. Cross-border transfers of data within the Curtis Entities

Processing of personal data (which includes, or may include, special categories of personal data and/or information regarding an individual’s criminal record or alleged criminal activities) by the offices of the Curtis Entities within the European Economic Area (“EEA”) involves transfers of such personal data to the offices of the Curtis Entities outside the EEA. Under the GDPR the legal bases for such transfers are as follows:

  1. transfers of such personal data from Curtis UK and/or Curtis NY’s offices in the EEA to the relevant Curtis Entity’s office in Switzerland and/or Argentina are made on the basis of the European Commission’s adequacy decision which recognizes Switzerland and Argentina as two of the countries that provide adequate protection for GDPR purposes, as will transfers of such personal data to any Curtis Entity’s offices in any country the European Commission issues a further adequacy decision for;
  2. transfers of such personal data from Curtis UK and/or Curtis NY’s offices in the EEA to Curtis UK’s office in the UK are made on the basis of the interim provision for transmission of personal data to the UK set out in the Trade and Cooperation Agreement Between the European Union and the European Atomic Energy Community, of the One Part, and the United Kingdom of Great Britain and Northern Ireland, of the Other Part, dated 24 December 2020 (the “Trade Agreement”), and when the period set out in the Trade Agreement ends such transfers will be made either on the basis of a European Commission adequacy decision for the UK or, if one is not made, on the basis set out in (3) below; and
  3. transfers of such personal data from Curtis UK and/or Curtis NY’s offices in the EEA to Curtis Entities offices outside the EEA, in countries where no adequacy decision has been issued by the European Commission, are made on the basis of the Standard Contractual Clauses (as approved by the European Commission from time to time) entered into by all Curtis Entities.

Processing of personal data (which includes, or may include, special categories of personal data and/or information regarding an individual’s criminal record or alleged criminal activities) by Curtis UK’s office within the UK involves transfers of such personal data to the offices of the Curtis Entities outside the UK. Under the UK DPR the legal bases for such transfers are as follows:

  1. transfers of such personal data from Curtis UK’s office in the UK to the relevant Curtis Entity’s offices in the EEA, Switzerland and/or Argentina are made on the basis of the UK government’s adequacy decision set out in The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 which recognizes the EEA, Switzerland and Argentina as countries that provide adequate protection for UK DPR purposes, as will transfers of such personal data from Curtis UK’s office in the UK to any Curtis Entity’s offices in any country the UK government issues a further adequacy decision for; and
  2. transfers of such personal data from Curtis UK’s office in the UK to Curtis Entities offices outside the UK, in countries where no adequacy decision has been issued by the UK government, are made on the basis of the Standard Contractual Clauses (as approved by the UK government from time to time) entered into by all Curtis Entities.

Processing of personal data (which includes, or may include, special categories of personal data and/or information regarding an individual’s criminal record or alleged criminal activities) by the office of the Curtis Entities within the Dubai International Financial Centre (“DIFC”) involves transfers of such personal data to the offices of the Curtis Entities outside the DIFC. The legal bases for such transfers are as follows:

  1. transfers of such personal data from Curtis NY’s office in the DIFC to the relevant Curtis Entity’s offices in the EEA, the UK and/or Argentina are made on the basis of the Commissioner of Data Protection’s (“DIFC Data Commissioner”) adequacy decision which recognizes the EEA, the UK and Argentina as countries that provide adequate protection for DIFC data protection purposes, as will transfers of such personal data from Curtis NY’s office in the DIFC to any Curtis Entity’s offices in any country the DIFC Data Commissioner issues a further adequacy decision for; and
  2. transfers of such personal data from Curtis NY’s office in the DIFC to Curtis Entities offices outside the DIFC, in countries where no adequacy decision has been issued by the DIFC Data Commissioner, are made on the basis of the Standard Contractual Clauses (as approved by the DIFC Data Commissioner from time to time) entered into by all Curtis Entities.


10. Cross-border transfers of data outside the Curtis Entities

To the extent that Curtis Entities may transfer personal data which is protected by the GDPR, UK DPR or the DIFC DPR to recipients outside the EEA, the UK or the DIFC respectively which are not a Curtis Entity or a Curtis office, the Curtis Entities shall ensure that the country to which the data is transferred is protected by:

  1. an adequacy decision by:
    1. the European Commission, for transfers protected by the GDPR;
    2. the UK government, for transfers protected by the UK DPR; or
    3. the DIFC Data Commissioner, for transfers protected by the DIFC DPR; or
  2. adequate safeguards.

If the non-EEA, non-UK or non-DIFC country does not have either an adequacy decision or adequate safeguards, the Curtis Entities shall only transfer personal data if so permitted by the Applicable Data Protection Laws; for example, if:

  1. the transfer is necessary for the performance of a contract between the individual whose personal data is being transferred and one or more Curtis Entities, or the implementation of pre-contractual measures taken at the individual’s request;
  2. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual whose personal data is being transferred between the Curtis Entities and another natural or legal person; or
  3. the transfer is necessary for the establishment, exercise or defense of legal claims.


11. Sources of data

The sources from which one or more Curtis Entities collect data on individuals may include:

  1. the individual whose data is being collected;
  2. third parties connected with the individual, including an employer or service provider;
  3. clients; or
  4. publicly available material.

If, as part of any Curtis Entity’s instructions for, or in connection with, the provision of legal services by a Curtis Entity, such Curtis Entity is provided with personal data relating to any officers, employees and/or beneficial owners of, for example, any actual or prospective corporate client, any counterparty, opponent or other adversary, and/or personal data relating to their respective legal or other professional advisors, and/or other individuals involved in our actual, prospective or potential retainers, such personal data will be processed by the Curtis Entities as described in this Privacy Notice.

12. Categories of recipients of data

Personal data processed by one Curtis Entity may be accessible to all other Curtis Entities. The categories of recipients of personal data processed by a Curtis Entity may also include:

  1. counterparties in actual or potential transactions, opponents in actual or potential litigation, arbitration or other legal proceedings and their legal counsel, co-counsel, barristers, specialist professionals and/or experts;
  2. banks, financial institutions, accountants and/or insurers;
  3. sub-contractors and/or agents of the Curtis Entities;
  4. courts and/or tribunals;
  5. law enforcement agencies;
  6. regulators, other governmental and/or supervisory bodies;
  7. any registrar of a public register;
  8. postal and/or courier services providers; and/or
  9. potential parties the Curtis Entities intends to merge with or sell any part of the Curtis Entities to.

Where a Curtis Entity engages a third party to sub-process any data covered by the Applicable Data Protection Laws or other applicable laws, for one of the purposes listed in sections 5 and 6 above, such Curtis Entity will enter into a contract with that third party which is compliant with such Curtis Entity’s obligations as a controller of the personal data under the Applicable Data Protection Laws.

13. Retention of data

The Curtis Entities shall only retain an individual’s personal data for as long as it is necessary to fulfill the purpose or purposes for which it was collected which are set out in sections 5 and 6 above. An individual’s personal data will typically be retained by the Curtis Entities for the duration of the relevant retainer and up to 10 years thereafter unless one or more Curtis Entities believe that such information is or may be otherwise required to be retained for a longer period by any applicable laws or regulations and/or professional or regulatory rules and/or standards to which one or more Curtis Entities are subject, in which case such personal data will be retained for such longer period.

14. Individuals’ rights under the Applicable Data Protection Laws

Individuals have, or may have, the following rights under the Applicable Data Protection Laws in relation to their personal data processed by a Curtis Entity:

  1. Right to information about their personal data;
  2. Right of access to their personal data;
  3. Right to rectification of their personal data which is inaccurate or incomplete;
  4. Right to erasure of their personal data (“right to be forgotten”);
  5. Right to restriction of processing of their personal data;
  6. Right to data portability of the personal data they have provided to the Curtis Entities;
  7. Right to object to the processing of their personal data where it is processed for direct marketing purposes or processed by automated means; and
  8. Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them, or similarly significantly affects them.

Individuals may exercise one or more of their rights under the Applicable Data Protection Laws in relation to their personal data processed by one or more of the Curtis Entities by emailing Curtis' Chief Privacy Officers to obtain and complete a request form.

Where an individual exercises one of his or her rights to erase, restrict or object to the processing of his or her personal data, the Curtis Entities may be unable to provide legal services to the individual, or the legal services the Curtis Entities provide may be limited.

15. Complaints

Individuals to whom the Applicable Data Protection Laws apply whose personal data is processed by the Curtis Entities have a right to lodge a complaint with the relevant supervisory authority.

In France, this authority is the Commission Nationale Informatique & Libertés (CNIL).

In Germany, this authority is Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI).

In Italy, this authority is Garante per la protezione dei dati personali (Garante).

In the UK, this authority is the Information Commissioners Office (ICO).

In the DIFC, this authority is the DIFC Data Commissioner.

16. Changes

Any updates to this privacy notice will be included on the Curtis website at www.curtis.com.

If Curtis makes any important changes to this privacy notice (relating to the information Curtis collects, how Curtis uses it or why) those changes will be highlighted at the top of the updated privacy notice and a prominent link to it will be provided for a reasonable length of time following the change.

We encourage you to periodically review this privacy notice to stay informed about how we collect, use, and share personal data in connection with the provision of legal services by any Curtis Entity.