News 09 Apr. 2024
Curtis Announces New Partners and Counsels Across Offices in Spring 2024
more
News 25 Jan. 2024
Counsel Mohannad A. El Murtadi Suleiman Addresses “Africanization” of International Investment Law
Event 18 Aug. 2023
Partner Borzu Sabahi Speaks at FDI Moot Shenzhen
News 25 Jul. 2023
Partner Eric Gilioli Ranked in Top 10 Influential Energy & Natural Resources Lawyers in Kazakhstan in Business Today
Client Alert 28 Dec. 2023
U.S. to Impose Secondary Sanctions on Non-U.S. Banks For Financing Russia’s Defense Industry
News 28 Aug. 2024
Curtis Recognized for Excellence in Arbitration in Chambers Latin America Guide 2025
Event 22 Aug. 2023
Partner Dr. Claudia Frutos-Peterson to Speak at Arbitration and ADR Commission of the ICC Mexico
News 15 Aug. 2023
Legal Reader Publishes Article on Dr. Majed Alotaibi’s Arrival as Senior Counsel in Curtis’ Riyadh Office
News 31 Jul. 2023
Curtis Welcomes Senior Saudi Advisor, Dr. Majed Alotaibi, to its Riyadh Office
News 24 Aug. 2023
Curtis Attorneys Quoted in CoinDesk on FTX Founder Sam Bankman-Fried’s Strategy Ahead of His Criminal Trial
Client Alert 10 Jul. 2024
EU Adopts New Restrictive Measures Against Belarus
Client Alert 26 Jun. 2024
The EU Adopts its 14th Sanctions Package Against Russia
news
Legal 500 UK Recognizes Curtis Practices and Attorneys in 2025 Edition
Curtis Attorneys Featured in IBA Insolvency and Arbitration Working Group’s New Reports
The provisions set out in this Privacy Notice shall apply only if:
(a) you have any right or rights under:
(b) Curtis UK, Curtis NY and/or any other Curtis Entity or Curtis Entities have any obligation or obligations under the Applicable Data Protection Laws and/or any other applicable data protection laws and/or regulations in relation to personal data (including special categories of personal data and/or information regarding an individual’s criminal record or alleged criminal activities) of and/or about you. “Personal data” under the Applicable Data Protection Laws includes any information relating to an individual by which that individual can be identified, directly or indirectly, particularly by reference to an identifier such as the name, identification number, location data or an online identifier of that individual or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.Nothing in this Privacy Notice shall: (i) give you any right or rights that you do not have under the Applicable Data Protection Laws and/or any other applicable data protection laws and/or regulations; or (ii) impose on Curtis UK, Curtis NY and/or any other Curtis Entity or Curtis Entities any obligation or obligations which Curtis UK, Curtis NY and/or any other Curtis Entity or Curtis Entities do not have under the Applicable Data Protection Laws and/or any other applicable data protection laws and/or regulations.
1. General
This Privacy Notice describes how the Curtis Entities hold, use or otherwise process personal data for the purposes of, or in connection with, providing their respective professional legal services and sets out the rights of individuals in relation to their personal data in this regard. In addition: (a) Curtis’ Privacy Statement sets out how Curtis Entities hold, use or otherwise process personal data in relation to: (i) use of Curtis’ website, (ii) communications about Curtis’ expertise and professional services, and (iii) conflict of interest searches and other client due diligence; and (b) Curtis’ Mailings Privacy Policy sets out how Curtis Entities hold, use or otherwise process personal data in relation to mailing legal updates, insights, news alerts and other publications from Curtis Entities relating to legal matters, providing information about Curtis Entities’ services, and invitations to events which a Curtis Entity may organize or sponsor from time to time (“Mailings”), which are on Curtis’ website. For information regarding how Curtis Entities handle and process personal data in connection with job applications, please see the “Careers” section of Curtis’ website.
The individuals whose personal data the Curtis Entities process include: present and previous, actual, prospective and/or potential clients, employees, third-party vendors, any other individuals connected to those parties, and/or any other individuals with whom the Curtis Entities interact.
2. Who the Curtis Entities are
Curtis is an international law firm operating through a number of Curtis entities and offices worldwide. The “Curtis Entities” are: Curtis, Mallet-Prevost, Colt & Mosle LLP (incorporated in England and Wales as a limited liability partnership under the Limited Liability Partnerships Act 2000 with registered number OC302168) with offices in London, Brussels, Frankfurt, Milan and Rome and Curtis, Mallet-Prevost, Colt & Mosle (France) LLP, (incorporated in England and Wales as a limited liability partnership under the Limited Liability Partnerships Act 2000 with registered number OC428111) with an office in Paris, together (“Curtis UK”); Curtis, Mallet-Prevost, Colt & Mosle LLP, a limited liability partnership organized under the laws of the State of New York, USA (“Curtis NY”) with offices in the United States, Beijing, Dubai and Muscat; Curtis, Mallet-Prevost, Colt & Mosle S.A.S., a Colombian simplified stock corporation with an office in Bogotá; Curtis, Mallet-Prevost, Colt & Mosle, S.C., a Mexican partnership with an office in Mexico City; Servicios Juridicos CMP Sociedad Civil, an Argentine partnership with an office in Buenos Aires; Curtis Mallet-Prevost (Kazakhstan) LLP, a Kazakh entity with offices in Almaty and Astana; Curtis Mallet-Prevost (Qazaqstan) Limited, an Astana International Financial Centre (AIFC) registered entity with an office in Astana; and Curtis, Mallet-Prevost, Colt & Mosle, Ltd., a Guernsey, Channel Islands entity; and “Curtis Entity” means any one of them.
The primary data controller in so far as Curtis Entities are concerned when processing data for the purposes set out in sections 5 and 6 below will be the Curtis Entity issuing the engagement letter. The Curtis Entities will use data for the limited purpose for which it is provided in connection with the provision of the Curtis Entities’ legal services for clients. The Curtis Entities take responsibility for controlling the personal data received by them from time to time in accordance with the limited discretion afforded to the Curtis Entities by the retainer with the client subject to legal and/or regulatory obligations, and/or professional rules and/or standards to which each Curtis Entity is subject.
The jurisdictions of the offices of the Curtis Entities include: the United Kingdom, the United States of America, Belgium, France, Germany, Italy, Switzerland, Guernsey, Mexico, Colombia, Argentina, Oman, the United Arab Emirates, Kazakhstan, the People’s Republic of China, and each other country in which a Curtis Entity has an office from time to time.
3. Contact details
The contact details of each office which forms part of the Curtis Entities can be found on the Curtis website.
The Chief Privacy Officers of the Curtis Entities are Jonathan Walsh and Bradley Doline. They can be contacted via this email form.
4. Types of personal data the Curtis Entities process
The Curtis Entities process personal data for the purposes of, or in connection with, providing professional legal services as a law firm. The types of an individual’s personal data which the Curtis Entities process include:
5. Purposes of processing personal data
The Curtis Entities process personal data of individuals for the following purposes, all of which are for the purpose of, or in connection with, the provision of legal services by one or more Curtis Entities:
Purpose
Lawful basis
1. For the purpose of, or in connection with, the provision of legal services and the carrying out of legal work;
Processing is necessary for the performance of a contract a Curtis Entity has entered into with the individual, or in order to take steps at the request of the individual prior to entering into a contract; or
Processing is necessary for the purposes of the legitimate interests of a Curtis Entity as a provider of legal services, to process data in order to provide those services or in connection with those services; or for the purposes of a third party’s legitimate interests; or
Processing is necessary for compliance with a legal obligation to which a Curtis Entity is subject.
2. To manage client relationships and Curtis Entities’ business as a law firm, including administration of legal services and client relationships, and managing billing and payments;
Processing is necessary for the purposes of the legitimate interests of one or more Curtis Entities as provider(s) of legal services, to process data to carry out legal work and conduct business as a law firm; or for the purposes of a third party’s legitimate interests; or
3. To comply with all or any legal and/or regulatory requirements to which one or more Curtis Entities are subject;
Processing is necessary for the performance of a contract to which the individual is party or in order to take steps at the request of the individual prior to entering into a contract; or
4. To exercise or defend legal rights of any Curtis Entity, and/or to comply with a court order;
5. For compliance by each Curtis Entity with professional duties and/or standards to which it is subject;
Processing is necessary for the purposes of the legitimate interests of all or any Curtis Entities in ensuring compliance with professional duties and/or standards to which they are subject.
6. To provide the client with access to online portals;
Processing is necessary for the purposes of the legitimate interests of one or more Curtis Entities and individuals in communicating and sharing/storing relevant documents or other material.
7. To ensure the security of the systems and premises of the Curtis Entities;
Processing is necessary for the purposes of the legitimate interests of all or any Curtis Entities in protecting their systems and premises from misuse or criminal activity.
8. To improve and develop Curtis Entities’ legal services, including for internal training and the provision of forms and precedents; and/or
Processing is necessary for the purposes of the legitimate interests of all or any Curtis Entities in providing their attorneys with access to other forms of documents and precedents for the purpose of staff training. The Curtis Entities will use reasonable efforts to ensure any sensitive or confidential information in the documents which is not vital to understanding the documents is redacted.
9. For any purposes related to and/or ancillary to any of the purposes listed in 1 – 8 above, or for any other purpose(s) for which personal data was provided to any Curtis Entity.
Processing is necessary for the purposes of the legitimate interests of all or any Curtis Entities as provider(s) of legal services, to process data in order to provide those services or in connection with those services; or for the purposes of a third party’s legitimate interests; or
6. Purposes of processing special categories of personal data
The Curtis Entities may process “special categories of personal data” of individuals, which includes data revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data (such as passport photos and other ID photos) processed for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation.
The Curtis Entities process such data of individuals for the following purposes, all of which are for the purpose of, or in connection with, the provision of legal services by one or more Curtis Entities:
1. The provision of legal services and the carrying out of legal work; and/or
Processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity; or
Processing relates to personal data which is manifestly made public by the individual to whom the data relates; or
Any other lawful basis for processing such data under applicable laws and/or regulations.
2. To comply with all legal and regulatory requirements the Curtis Entities is subject to, including anti-bribery laws and know-your-client checks.
Processing is necessary for reasons of substantial public interest, on the basis of European Union or Member State law to which one or more Curtis Entities are subject; or
In addition, the Curtis Entities may, where appropriate, process data relating to an individual’s criminal offenses or confirmation of clean criminal record, if permitted and/or required by applicable laws and/or regulations.
7. Failure to provide information
Where the provision of personal data of an individual is a statutory, regulatory or contractual requirement or a requirement necessary to enter into a contract and that individual’s personal data is not provided to the Curtis Entities, the Curtis Entities may not be able to perform, or may have to cease performing, legal services.
8. Data security
The Curtis Entities have implemented appropriate personal data security policies and technical measures to protect personal data under their control from unauthorized access, improper use, unauthorized modification, unauthorized disclosure or accidental loss. The Curtis Entities have put in place procedures to deal with any personal data breach in accordance with their respective legal obligations in this regard.
9. Cross-border transfers of data within the Curtis Entities
Processing of personal data (which includes, or may include, special categories of personal data and/or information regarding an individual’s criminal record or alleged criminal activities) by the offices of the Curtis Entities within the European Economic Area (“EEA”) involves transfers of such personal data to the offices of the Curtis Entities outside the EEA. Under the GDPR the legal bases for such transfers are as follows:
Processing of personal data (which includes, or may include, special categories of personal data and/or information regarding an individual’s criminal record or alleged criminal activities) by Curtis UK’s office within the UK involves transfers of such personal data to the offices of the Curtis Entities outside the UK. Under the UK DPR the legal bases for such transfers are as follows:
Processing of personal data (which includes, or may include, special categories of personal data and/or information regarding an individual’s criminal record or alleged criminal activities) by the office of the Curtis Entities within the Dubai International Financial Centre (“DIFC”) involves transfers of such personal data to the offices of the Curtis Entities outside the DIFC. The legal bases for such transfers are as follows:
10. Cross-border transfers of data outside the Curtis Entities
To the extent that Curtis Entities may transfer personal data which is protected by the GDPR, UK DPR or the DIFC DPR to recipients outside the EEA, the UK or the DIFC respectively which are not a Curtis Entity or a Curtis office, the Curtis Entities shall ensure that the country to which the data is transferred is protected by:
If the non-EEA, non-UK or non-DIFC country does not have either an adequacy decision or adequate safeguards, the Curtis Entities shall only transfer personal data if so permitted by the Applicable Data Protection Laws; for example, if:
11. Sources of data
The sources from which one or more Curtis Entities collect data on individuals may include:
If, as part of any Curtis Entity’s instructions for, or in connection with, the provision of legal services by a Curtis Entity, such Curtis Entity is provided with personal data relating to any officers, employees and/or beneficial owners of, for example, any actual or prospective corporate client, any counterparty, opponent or other adversary, and/or personal data relating to their respective legal or other professional advisors, and/or other individuals involved in our actual, prospective or potential retainers, such personal data will be processed by the Curtis Entities as described in this Privacy Notice.
12. Categories of recipients of data
Personal data processed by one Curtis Entity may be accessible to all other Curtis Entities. The categories of recipients of personal data processed by a Curtis Entity may also include:
Where a Curtis Entity engages a third party to sub-process any data covered by the Applicable Data Protection Laws or other applicable laws, for one of the purposes listed in sections 5 and 6 above, such Curtis Entity will enter into a contract with that third party which is compliant with such Curtis Entity’s obligations as a controller of the personal data under the Applicable Data Protection Laws.
13. Retention of data
The Curtis Entities shall only retain an individual’s personal data for as long as it is necessary to fulfill the purpose or purposes for which it was collected which are set out in sections 5 and 6 above. An individual’s personal data will typically be retained by the Curtis Entities for the duration of the relevant retainer and up to 10 years thereafter unless one or more Curtis Entities believe that such information is or may be otherwise required to be retained for a longer period by any applicable laws or regulations and/or professional or regulatory rules and/or standards to which one or more Curtis Entities are subject, in which case such personal data will be retained for such longer period.
14. Individuals’ rights under the Applicable Data Protection Laws
Individuals have, or may have, the following rights under the Applicable Data Protection Laws in relation to their personal data processed by a Curtis Entity:
Individuals may exercise one or more of their rights under the Applicable Data Protection Laws in relation to their personal data processed by one or more of the Curtis Entities by emailing Curtis' Chief Privacy Officers to obtain and complete a request form.
Where an individual exercises one of his or her rights to erase, restrict or object to the processing of his or her personal data, the Curtis Entities may be unable to provide legal services to the individual, or the legal services the Curtis Entities provide may be limited.
15. Complaints
Individuals to whom the Applicable Data Protection Laws apply whose personal data is processed by the Curtis Entities have a right to lodge a complaint with the relevant supervisory authority.
In France, this authority is the Commission Nationale Informatique & Libertés (CNIL).
In Germany, this authority is Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI).
In Italy, this authority is Garante per la protezione dei dati personali (Garante).
In the UK, this authority is the Information Commissioners Office (ICO).
In the DIFC, this authority is the DIFC Data Commissioner.
16. Changes
Any updates to this privacy notice will be included on the Curtis website at www.curtis.com.
If Curtis makes any important changes to this privacy notice (relating to the information Curtis collects, how Curtis uses it or why) those changes will be highlighted at the top of the updated privacy notice and a prominent link to it will be provided for a reasonable length of time following the change.
We encourage you to periodically review this privacy notice to stay informed about how we collect, use, and share personal data in connection with the provision of legal services by any Curtis Entity.
We use cookies on our website to enhance your browsing experience, match your interests and assess our website performance. We do not share information with any third-party for marketing purposes. Please view our privacy policy to learn more about the use of cookies on our website. By continuing to browse our website, you consent to our use of cookies.