PRIVACY NOTICE RELATING TO DATA PROTECTION
The provisions set out in this Privacy Notice shall apply only if: (a) you have any right or rights under the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of Such Data and Repealing Directive 95/46/EC (“GDPR”); and (b) Curtis UK and/or any other Curtis Entity or Curtis Entities have any obligation or obligations under the GDPR in relation to personal data (including special categories of personal data and/or information regarding an individual’s criminal record or alleged criminal activities) of and/or about you. “Personal data” under the GDPR includes any information relating to an individual by which that individual can be identified, directly or indirectly, particularly by reference to an identifier such as the name, identification number, location data or an online identifier of that individual or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
Nothing in this Privacy Notice shall: (i) give you any right or rights that you do not have under the GDPR and/or any other applicable data protection laws and/or regulations; or (ii) impose on Curtis UK and/or any other Curtis Entity or Curtis Entities any obligation or obligations which Curtis UK and/or any other Curtis Entity or Curtis Entities do not have under the GDPR and/or any other applicable data protection laws and/or regulations.
The individuals whose personal data the Curtis Entities process include: present and previous, actual, prospective and/or potential clients, employees, third-party vendors, any other individuals connected to those parties, and/or any other individuals with whom the Curtis Entities interact.
2. Who the Curtis Entities are
Curtis is an international law firm operating through a number of Curtis entities and offices worldwide. The “Curtis Entities” are: Curtis, Mallet-Prevost, Colt & Mosle LLP (incorporated in England and Wales as a limited liability partnership under the Limited Liability Partnerships Act 2000 with registered number OC302168) (“Curtis UK”); Curtis, Mallet-Prevost, Colt & Mosle LLP, a limited liability partnership organized under the laws of the State of New York, USA (“Curtis NY”); Curtis, Mallet-Prevost, Colt & Mosle, S.C., a Mexican partnership; Servicios Juridicos CMP Sociedad Civil, an Argentine partnership; Curtis Mallet-Prevost (Kazakhstan) LLP, a Kazakh entity; and Curtis, Mallet-Prevost, Colt & Mosle, Ltd., a Guernsey, Channel Islands entity; and “Curtis Entity” means any one of them.
The primary data controller in so far as Curtis Entities are concerned when processing data for the purposes set out in sections 5 and 6 below will be the Curtis Entity issuing the engagement letter. The Curtis Entities will use data for the limited purpose for which it is provided in connection with the provision of the Curtis Entities’ legal services for clients. The Curtis Entities take responsibility for controlling the personal data received by them from time to time in accordance with the limited discretion afforded to the Curtis Entities by the retainer with the client subject to legal and/or regulatory obligations, and/or professional rules and/or standards to which each Curtis Entity is subject.
The jurisdictions of the offices of the Curtis Entities include: the United Kingdom, the United States of America, France, Germany, Italy, Switzerland, Guernsey, Mexico, Argentina, Oman, the United Arab Emirates, Kazakhstan, Turkmenistan, the People’s Republic of China, and each other country in which a Curtis Entity has an office from time to time.
3. Contact details
The contact details of each office which forms part of the Curtis Entities can be found on the Curtis website at http://www.curtis.com/.
The Chief Privacy Officers of the Curtis Entities are Jonathan Walsh and Winta Jarvis. The Chief Privacy Officers can be contacted at email@example.com.
4. Types of personal data the Curtis Entities process
The Curtis Entities process personal data for the purposes of, or in connection with, providing professional legal services as a law firm. The types of an individual’s personal data which the Curtis Entities process include:
The Curtis Entities process personal data of individuals for the following purposes, all of which are for the purpose of, or in connection with, the provision of legal services by one or more Curtis Entities:
6. Purposes of processing special categories of personal data
The Curtis Entities may process “special categories of personal data” of individuals, which includes data revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data (such as passport photos and other ID photos) processed for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation.
The Curtis Entities process such data of individuals for the following purposes, all of which are for the purpose of, or in connection with, the provision of legal services by one or more Curtis Entities:
In addition, the Curtis Entities may, where appropriate, process data relating to an individual’s criminal offences or confirmation of clean criminal record, if permitted and/or required by applicable laws and/or regulations.
7. Failure to provide information
Where the provision of personal data of an individual is a statutory, regulatory or contractual requirement or a requirement necessary to enter into a contract and that individual’s personal data is not provided to the Curtis Entities, the Curtis Entities may not be able to perform, or may have to cease performing, legal services.
8. Data security
The Curtis Entities have implemented appropriate personal data security policies and technical measures to protect personal data under their control from unauthorised access, improper use, unauthorised modification, unauthorised disclosure or accidental loss. The Curtis Entities have put in place procedures to deal with any personal data breach in accordance with their respective legal obligations in this regard.
9. Cross-border transfers of data within the Curtis Entities
Processing of personal data (which includes, or may include, special categories of personal data and/or information regarding an individual’s criminal record or alleged criminal activities) by the offices of the Curtis Entities within the European Economic Area (“EEA”) involves transfers of such personal data to the offices of the Curtis Entities outside the EEA. The legal bases for such transfers are as follows:
To the extent that Curtis Entities may transfer personal data which is protected by the GDPR to recipients outside the EEA which are not a Curtis Entity or a Curtis office, the Curtis Entities shall ensure that the country to which the data is transferred is protected by:
If the non-EEA country does not have either an adequacy decision or adequate safeguards, the Curtis Entities shall only transfer personal data if so permitted by the GDPR; for example, if:
The sources from which one or more Curtis Entities collect data on individuals may include:
If, as part of any Curtis Entity’s instructions for, or in connection with, the provision of legal services by a Curtis Entity, such Curtis Entity is provided with personal data relating to any officers, employees and/or beneficial owners of, for example, any actual or prospective corporate client, any counterparty, opponent or other adversary, and/or personal data relating to their respective legal or other professional advisors, and/or other individuals involved in our actual, prospective or potential retainers, such personal data will be processed by the Curtis Entities as described in this Privacy Notice.
12. Categories of recipients of data
Personal data processed by one Curtis Entity may be accessible to all other Curtis Entities. The categories of recipients of personal data processed by a Curtis Entity may also include:
Where a Curtis Entity engages a third party to sub-process any data covered by the GDPR or other applicable laws, for one of the purposes listed in sections 5 and 6 above, such Curtis Entity will enter into a contract with that third party which is compliant with such Curtis Entity’s obligations as a controller of the personal data under the GDPR.
13. Retention of data
The Curtis Entities shall only retain an individual’s personal data for as long as it is necessary to fulfil the purpose or purposes for which it was collected which are set out in sections 5 and 6 above. An individual’s personal data will typically be retained by the Curtis Entities for the duration of the relevant retainer and up to 10 years thereafter unless one or more Curtis Entities believe that such information is or may be otherwise required to be retained for a longer period by any applicable laws or regulations and/or professional or regulatory rules and/or standards to which one or more Curtis Entities are subject, in which case such personal data will be retained for such longer period.
14. Individuals’ rights under the GDPR
Individuals have, or may have, the following rights under the GDPR in relation to their personal data processed by a Curtis Entity:
Individuals may exercise one or more of their rights under the GDPR in relation to their personal data processed by one or more of the Curtis Entities by emailing: firstname.lastname@example.org to obtain and complete a request form.
Where an individual exercises one of his or her rights to erase, restrict or object to the processing of his or her personal data, the Curtis Entities may be unable to provide legal services to the individual, or the legal services the Curtis Entities provide may be limited.
Individuals to whom the GDPR applies whose personal data is processed by the Curtis Entities have a right to lodge a complaint with the relevant supervisory authority. In the UK, this authority is the Information Commissioner’s Office (ICO).
Any updates to this privacy notice will be included on the Curtis website at www.curtis.com.
If Curtis makes any important changes to this privacy notice (relating to the information Curtis collects, how Curtis uses it or why), those changes will be highlighted at the top of the updated privacy notice and a prominent link to it will be provided for a reasonable length of time following the change.
We encourage you to periodically review this privacy notice to stay informed about how we collect, use, and share personal data in connection with the provision of legal services by any Curtis Entity.