News 19 Dec. 2019
Curtis Wins in London for Federal Airports Authority of Nigeria
News 18 Apr. 2016
Curtis gains recognition in new Africa publication
News 26 Feb. 2020
Curtis Secures Comprehensive Victory for the Republic of Kazakhstan’s Committee of Roads
News 24 Jan. 2020
Curtis defeats $400 million investment treaty claim brought against India
Client Alert 03 Apr. 2020
EU Insight: COVID-19 (Coronavirus) – Regulatory Measures and Announcements
Client Alert 02 Apr. 2020
UK Insight: COVID-19 Business Financing Facilities: Coronavirus Business Interruption Loan Scheme (CBILS) & Covid Corporate Financing Facility (CCFF)
Client Alert 26 Mar. 2020
Mexico Insight: COVID-19 (Coronavirus) Legal Implications
News 18 Dec. 2019
Six Curtis Partners Featured in Who's Who Legal - Arbitration 2020
Event 31 Jan. 2020
Partner Antonia Birt Speaks at 5th Annual GAR Live Abu Dhabi
Publications 15 Jan. 2020
Antonia Birt publishes IBA Arbitration Country Guide for the UAE
Client Alert 27 Mar. 2020
U.S. Insight: Data Security and Protection in the New Work-From-Home Regime During Coronavirus/COVID-19
Client Alert 24 Mar. 2020
U.S. Insight (Coronavirus/ COVID-19): Force Majeure under New York Law
Client Alert 06 Apr. 2020
U.S. Insight: Update on Virtual Notarization (Executive Order 202.7) During the COVID-19 (Coronavirus) Pandemic
The provisions set out in this Privacy Notice shall apply only if: (a) you have any right or rights under the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of Such Data and Repealing Directive 95/46/EC (“GDPR”); and (b) Curtis UK and/or any other Curtis Entity or Curtis Entities have any obligation or obligations under the GDPR in relation to personal data (including special categories of personal data and/or information regarding an individual’s criminal record or alleged criminal activities) of and/or about you. “Personal data” under the GDPR includes any information relating to an individual by which that individual can be identified, directly or indirectly, particularly by reference to an identifier such as the name, identification number, location data or an online identifier of that individual or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
Nothing in this Privacy Notice shall: (i) give you any right or rights that you do not have under the GDPR and/or any other applicable data protection laws and/or regulations; or (ii) impose on Curtis UK and/or any other Curtis Entity or Curtis Entities any obligation or obligations which Curtis UK and/or any other Curtis Entity or Curtis Entities do not have under the GDPR and/or any other applicable data protection laws and/or regulations.
The individuals whose personal data the Curtis Entities process include: present and previous, actual, prospective and/or potential clients, employees, third-party vendors, any other individuals connected to those parties, and/or any other individuals with whom the Curtis Entities interact.
2. Who the Curtis Entities are
Curtis is an international law firm operating through a number of Curtis entities and offices worldwide. The “Curtis Entities” are: Curtis, Mallet-Prevost, Colt & Mosle LLP (incorporated in England and Wales as a limited liability partnership under the Limited Liability Partnerships Act 2000 with registered number OC302168) (“Curtis UK”); Curtis, Mallet-Prevost, Colt & Mosle LLP, a limited liability partnership organized under the laws of the State of New York, USA (“Curtis NY”); Curtis, Mallet-Prevost, Colt & Mosle, S.C., a Mexican partnership; Servicios Juridicos CMP Sociedad Civil, an Argentine partnership; Curtis Mallet-Prevost (Kazakhstan) LLP, a Kazakh entity; and Curtis, Mallet-Prevost, Colt & Mosle, Ltd., a Guernsey, Channel Islands entity; and “Curtis Entity” means any one of them.
The primary data controller in so far as Curtis Entities are concerned when processing data for the purposes set out in sections 5 and 6 below will be the Curtis Entity issuing the engagement letter. The Curtis Entities will use data for the limited purpose for which it is provided in connection with the provision of the Curtis Entities’ legal services for clients. The Curtis Entities take responsibility for controlling the personal data received by them from time to time in accordance with the limited discretion afforded to the Curtis Entities by the retainer with the client subject to legal and/or regulatory obligations, and/or professional rules and/or standards to which each Curtis Entity is subject.
The jurisdictions of the offices of the Curtis Entities include: the United Kingdom, the United States of America, France, Germany, Italy, Switzerland, Guernsey, Mexico, Argentina, Oman, the United Arab Emirates, Kazakhstan, the People’s Republic of China, and each other country in which a Curtis Entity has an office from time to time.
3. Contact details
The contact details of each office which forms part of the Curtis Entities can be found on the Curtis website.
The Chief Privacy Officers of the Curtis Entities are Jonathan Walsh and Mark Handley. They can be contacted via this email form.
4. Types of personal data the Curtis Entities process
The Curtis Entities process personal data for the purposes of, or in connection with, providing professional legal services as a law firm. The types of an individual’s personal data which the Curtis Entities process include:
5. Purposes of processing personal data
The Curtis Entities process personal data of individuals for the following purposes, all of which are for the purpose of, or in connection with, the provision of legal services by one or more Curtis Entities:
1. For the purpose of, or in connection with, the provision of legal services and the carrying out of legal work;
Processing is necessary for the performance of a contract a Curtis Entity has entered into with the individual, or in order to take steps at the request of the individual prior to entering into a contract; or
Processing is necessary for the purposes of the legitimate interests of a Curtis Entity as a provider of legal services, to process data in order to provide those services or in connection with those services; or for the purposes of a third party’s legitimate interests; or
Processing is necessary for compliance with a legal obligation to which a Curtis Entity is subject.
2. To manage client relationships and Curtis Entities’ business as a law firm, including administration of legal services and client relationships, and managing billing and payments;
Processing is necessary for the purposes of the legitimate interests of one or more Curtis Entities as provider(s) of legal services, to process data to carry out legal work and conduct business as a law firm; or for the purposes of a third party’s legitimate interests; or
3. To comply with all or any legal and/or regulatory requirements to which one or more Curtis Entities are subject;
Processing is necessary for the performance of a contract to which the individual is party or in order to take steps at the request of the individual prior to entering into a contract; or
4. To exercise or defend legal rights of any Curtis Entity, and/or to comply with a court order;
5. For compliance by each Curtis Entity with professional duties and/or standards to which it is subject;
Processing is necessary for the purposes of the legitimate interests of all or any Curtis Entities in ensuring compliance with professional duties and/or standards to which they are subject.
6. To provide the client with access to online portals;
Processing is necessary for the purposes of the legitimate interests of one or more Curtis Entities and individuals in communicating and sharing/storing relevant documents or other material.
7. To ensure the security of the systems and premises of the Curtis Entities;
Processing is necessary for the purposes of the legitimate interests of all or any Curtis Entities in protecting their systems and premises from misuse or criminal activity.
8. To improve and develop Curtis Entities’ legal services, including for internal training and the provision of forms and precedents; and/or
Processing is necessary for the purposes of the legitimate interests of all or any Curtis Entities in providing their attorneys with access to other forms of documents and precedents for the purpose of staff training. The Curtis Entities will use reasonable efforts to ensure any sensitive or confidential information in the documents which is not vital to understanding the documents is redacted.
9. For any purposes related to and/or ancillary to any of the purposes listed in 1 – 8 above, or for any other purpose(s) for which personal data was provided to any Curtis Entity.
Processing is necessary for the purposes of the legitimate interests of all or any Curtis Entities as provider(s) of legal services, to process data in order to provide those services or in connection with those services; or for the purposes of a third party’s legitimate interests; or
6. Purposes of processing special categories of personal data
The Curtis Entities may process “special categories of personal data” of individuals, which includes data revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data (such as passport photos and other ID photos) processed for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation.
The Curtis Entities process such data of individuals for the following purposes, all of which are for the purpose of, or in connection with, the provision of legal services by one or more Curtis Entities:
1. The provision of legal services and the carrying out of legal work; and/or
Processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity; or
Processing relates to personal data which is manifestly made public by the individual to whom the data relates; or
Any other lawful basis for processing such data under applicable laws and/or regulations.
2. To comply with all legal and regulatory requirements the Curtis Entities is subject to, including anti-bribery laws and know-your-client checks.
Processing is necessary for reasons of substantial public interest, on the basis of European Union or Member State law to which one or more Curtis Entities are subject; or
In addition, the Curtis Entities may, where appropriate, process data relating to an individual’s criminal offenses or confirmation of clean criminal record, if permitted and/or required by applicable laws and/or regulations.
7. Failure to provide information
Where the provision of personal data of an individual is a statutory, regulatory or contractual requirement or a requirement necessary to enter into a contract and that individual’s personal data is not provided to the Curtis Entities, the Curtis Entities may not be able to perform, or may have to cease performing, legal services.
8. Data security
The Curtis Entities have implemented appropriate personal data security policies and technical measures to protect personal data under their control from unauthorized access, improper use, unauthorized modification, unauthorized disclosure or accidental loss. The Curtis Entities have put in place procedures to deal with any personal data breach in accordance with their respective legal obligations in this regard.
9. Cross-border transfers of data within the Curtis Entities
Processing of personal data (which includes, or may include, special categories of personal data and/or information regarding an individual’s criminal record or alleged criminal activities) by the offices of the Curtis Entities within the European Economic Area (“EEA”) involves transfers of such personal data to the offices of the Curtis Entities outside the EEA. The legal bases for such transfers are as follows:
10. Cross-border transfers of data outside the Curtis Entities
To the extent that Curtis Entities may transfer personal data which is protected by the GDPR to recipients outside the EEA which are not a Curtis Entity or a Curtis office, the Curtis Entities shall ensure that the country to which the data is transferred is protected by:
If the non-EEA country does not have either an adequacy decision or adequate safeguards, the Curtis Entities shall only transfer personal data if so permitted by the GDPR; for example, if:
11. Sources of data
The sources from which one or more Curtis Entities collect data on individuals may include:
If, as part of any Curtis Entity’s instructions for, or in connection with, the provision of legal services by a Curtis Entity, such Curtis Entity is provided with personal data relating to any officers, employees and/or beneficial owners of, for example, any actual or prospective corporate client, any counterparty, opponent or other adversary, and/or personal data relating to their respective legal or other professional advisors, and/or other individuals involved in our actual, prospective or potential retainers, such personal data will be processed by the Curtis Entities as described in this Privacy Notice.
12. Categories of recipients of data
Personal data processed by one Curtis Entity may be accessible to all other Curtis Entities. The categories of recipients of personal data processed by a Curtis Entity may also include:
Where a Curtis Entity engages a third party to sub-process any data covered by the GDPR or other applicable laws, for one of the purposes listed in sections 5 and 6 above, such Curtis Entity will enter into a contract with that third party which is compliant with such Curtis Entity’s obligations as a controller of the personal data under the GDPR.
13. Retention of data
The Curtis Entities shall only retain an individual’s personal data for as long as it is necessary to fulfill the purpose or purposes for which it was collected which are set out in sections 5 and 6 above. An individual’s personal data will typically be retained by the Curtis Entities for the duration of the relevant retainer and up to 10 years thereafter unless one or more Curtis Entities believe that such information is or may be otherwise required to be retained for a longer period by any applicable laws or regulations and/or professional or regulatory rules and/or standards to which one or more Curtis Entities are subject, in which case such personal data will be retained for such longer period.
14. Individuals’ rights under the GDPR
Individuals have, or may have, the following rights under the GDPR in relation to their personal data processed by a Curtis Entity:
Individuals may exercise one or more of their rights under the GDPR in relation to their personal data processed by one or more of the Curtis Entities by emailing Curtis' Chief Privacy Officers to obtain and complete a request form.
Where an individual exercises one of his or her rights to erase, restrict or object to the processing of his or her personal data, the Curtis Entities may be unable to provide legal services to the individual, or the legal services the Curtis Entities provide may be limited.
Individuals to whom the GDPR applies whose personal data is processed by the Curtis Entities have a right to lodge a complaint with the relevant supervisory authority. In the UK, this authority is the Information Commissioners Office (ICO).
Any updates to this privacy notice will be included on the Curtis website at www.curtis.com.
If Curtis makes any important changes to this privacy notice (relating to the information Curtis collects, how Curtis uses it or why) those changes will be highlighted at the top of the updated privacy notice and a prominent link to it will be provided for a reasonable length of time following the change.
We encourage you to periodically review this privacy notice to stay informed about how we collect, use, and share personal data in connection with the provision of legal services by any Curtis Entity.