
PRIVACY NOTICE RELATING TO DATA PROTECTION

The provisions set out in this Privacy Notice shall apply only if: (a) you have any right or rights under the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of Such Data and Repealing Directive 95/46/EC (“GDPR”); and (b) Curtis UK and/or any other Curtis Entity or Curtis Entities have any obligation or obligations under the GDPR in relation to personal data (including special categories of personal data and/or information regarding an individual’s criminal record or alleged criminal activities) of and/or about you. “Personal data” under the GDPR includes any information relating to an individual by which that individual can be identified, directly or indirectly, particularly by reference to an identifier such as the name, identification number, location data or an online identifier of that individual or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

Nothing in this Privacy Notice shall: (i) give you any right or rights that you do not have under the GDPR and/or any other applicable data protection laws and/or regulations; or (ii) impose on Curtis UK and/or any other Curtis Entity or Curtis Entities any obligation or obligations which Curtis UK and/or any other Curtis Entity or Curtis Entities do not have under the GDPR and/or any other applicable data protection laws and/or regulations.

1. General

This Privacy Notice describes how the Curtis Entities hold, use or otherwise process personal data for the purposes of, or in connection with, providing their respective professional legal services and sets out the rights of individuals in relation to their personal data in this regard.  In addition: (a) Curtis’s Privacy Statement sets out how Curtis Entities hold, use or otherwise process personal data in relation to: (i) use of Curtis’s website, (ii) communications about Curtis’s expertise and professional services, and (iii) conflict of interest searches and other client due diligence; and (b) Curtis’s Mailings Privacy Policy sets out how Curtis Entities hold, use or otherwise process personal data in relation to mailing legal updates, insights, news alerts and other publications from Curtis Entities relating to legal matters, providing information about Curtis Entities’ services, and invitations to events which a Curtis Entity may organise or sponsor from time to time (“Mailings”), which are on Curtis’s website at http://www.curtis.com.  For information regarding how Curtis Entities handle and process personal data in connection with job applications, please see the “Careers” section of Curtis’s website at http://www.curtis.com/.

The individuals whose personal data the Curtis Entities process include: present and previous, actual, prospective and/or potential clients, employees, third-party vendors, any other individuals connected to those parties, and/or any other individuals with whom the Curtis Entities interact. 

2. Who the Curtis Entities are

Curtis is an international law firm operating through a number of Curtis entities and offices worldwide.  The “Curtis Entities” are: Curtis, Mallet-Prevost, Colt & Mosle LLP (incorporated in England and Wales as a limited liability partnership under the Limited Liability Partnerships Act 2000 with registered number OC302168) (“Curtis UK”); Curtis, Mallet-Prevost, Colt & Mosle LLP, a limited liability partnership organized under the laws of the State of New York, USA (“Curtis NY”); Curtis, Mallet-Prevost, Colt & Mosle, S.C., a Mexican partnership; Servicios Juridicos CMP Sociedad Civil, an Argentine partnership; Curtis Mallet-Prevost (Kazakhstan) LLP, a Kazakh entity; and Curtis, Mallet-Prevost, Colt & Mosle, Ltd., a Guernsey, Channel Islands entity; and “Curtis Entity” means any one of them.

The primary data controller in so far as Curtis Entities are concerned when processing data for the purposes set out in sections 5 and 6 below will be the Curtis Entity issuing the engagement letter. The Curtis Entities will use data for the limited purpose for which it is provided in connection with the provision of the Curtis Entities’ legal services for clients. The Curtis Entities take responsibility for controlling the personal data received by them from time to time in accordance with the limited discretion afforded to the Curtis Entities by the retainer with the client subject to legal and/or regulatory obligations, and/or professional rules and/or standards to which each Curtis Entity is subject.

The jurisdictions of the offices of the Curtis Entities include: the United Kingdom, the United States of America, France, Germany, Italy, Switzerland, Guernsey, Mexico, Argentina, Oman, the United Arab Emirates, Kazakhstan, Turkmenistan, the People’s Republic of China, and each other country in which a Curtis Entity has an office from time to time.

3. Contact details

The contact details of each office which forms part of the Curtis Entities can be found on the Curtis website at http://www.curtis.com/.

The Chief Privacy Officers of the Curtis Entities are Jonathan Walsh and Winta Jarvis. The Chief Privacy Officers can be contacted at privacy@curtis.com.

4. Types of personal data the Curtis Entities process

The Curtis Entities process personal data for the purposes of, or in connection with, providing professional legal services as a law firm.  The types of an individual’s personal data which the Curtis Entities process include:

  1. contact details (an individual’s first and last names, work email address, work telephone number, postal address, job title);
  2. financial information (including information regarding bank accounts, payments and invoicing);
  3. information required by applicable laws or regulations to which the Curtis Entities are subject (including information for anti-money laundering checks and know-your-client checks) and/or otherwise needed for compliance by a Curtis Entity with legal and/or regulatory obligations and/or professional rules and/or standards;
  4. information needed for the purposes of, or in connection with, the provision of legal services by one or more of the Curtis Entities; and
  5. any other information an individual may provide to a Curtis Entity in connection with the provision of legal services by one or more of the Curtis Entities.


5. Purposes of processing personal data

The Curtis Entities process personal data of individuals for the following purposes, all of which are for the purpose of, or in connection with, the provision of legal services by one or more Curtis Entities:

1. Purpose: For the purpose of, or in connection with, the provision of legal services and the carrying out of legal work;

   Lawful basis: Processing is necessary for the performance of a contract a Curtis Entity has entered into with the individual, or in order to take steps at the request of the individual prior to entering into a contract; or

   Processing is necessary for the purposes of the legitimate interests of a Curtis Entity as a provider of legal services, to process data in order to provide those services or in connection with those services; or for the purposes of a third party’s legitimate interests; or

   Processing is necessary for compliance with a legal obligation to which a Curtis Entity is subject.

2. Purpose: To manage client relationships and Curtis Entities’ business as a law firm, including administration of legal services and client relationships, and managing billing and payments;

   Lawful basis: Processing is necessary for the purposes of the legitimate interests of one or more Curtis Entities as provider(s) of legal services, to process data to carry out legal work and conduct business as a law firm; or for the purposes of a third party’s legitimate interests; or

   Processing is necessary for compliance with a legal obligation to which a Curtis Entity is subject.

3. Purpose: To comply with all or any legal and/or regulatory requirements to which one or more Curtis Entities are subject;

   Lawful basis: Processing is necessary for the performance of a contract to which the individual is party or in order to take steps at the request of the individual prior to entering into a contract; or

   Processing is necessary for compliance with a legal obligation to which a Curtis Entity is subject.

4. Purpose: To exercise or defend legal rights of any Curtis Entity, and/or to comply with a court order;

   Lawful basis: Processing is necessary for the purposes of the legitimate interests of one or more Curtis Entities as provider(s) of legal services, to process data to carry out legal work and conduct business as a law firm; or for the purposes of a third party’s legitimate interests; or

   Processing is necessary for compliance with a legal obligation to which a Curtis Entity is subject.

5. Purpose: For compliance by each Curtis Entity with professional duties and/or standards to which it is subject;

   Lawful basis: Processing is necessary for the purposes of the legitimate interests of all or any Curtis Entities in ensuring compliance with professional duties and/or standards to which they are subject.

6. Purpose: To provide the client with access to online portals;

   Lawful basis: Processing is necessary for the purposes of the legitimate interests of one or more Curtis Entities and individuals in communicating and sharing/storing relevant documents or other material.

7. Purpose: To ensure the security of the systems and premises of the Curtis Entities;

   Lawful basis: Processing is necessary for the purposes of the legitimate interests of all or any Curtis Entities in protecting their systems and premises from misuse or criminal activity.

8. Purpose: To improve and develop Curtis Entities’ legal services, including for internal training and the provision of forms and precedents; and/or

   Lawful basis: Processing is necessary for the purposes of the legitimate interests of all or any Curtis Entities in providing their attorneys with access to other forms of documents and precedents for the purpose of staff training. The Curtis Entities will use reasonable efforts to ensure any sensitive or confidential information in the documents which is not vital to understanding the documents is redacted.

9. Purpose: For any purposes related to and/or ancillary to any of the purposes listed in 1 – 8 above, or for any other purpose(s) for which personal data was provided to any Curtis Entity.

   Lawful basis: Processing is necessary for the performance of a contract a Curtis Entity has entered into with the individual, or in order to take steps at the request of the individual prior to entering into a contract; or

   Processing is necessary for the purposes of the legitimate interests of all or any Curtis Entities as provider(s) of legal services, to process data in order to provide those services or in connection with those services; or for the purposes of a third party’s legitimate interests; or

   Processing is necessary for compliance with a legal obligation to which a Curtis Entity is subject.

6. Purposes of processing special categories of personal data

The Curtis Entities may process “special categories of personal data” of individuals, which includes data revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data (such as passport photos and other ID photos) processed for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation. 

The Curtis Entities process such data of individuals for the following purposes, all of which are for the purpose of, or in connection with, the provision of legal services by one or more Curtis Entities:

1. Purpose: The provision of legal services and the carrying out of legal work; and/or

   Lawful basis: Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or

   Processing relates to personal data which is manifestly made public by the individual to whom the data relates; or

   Any other lawful basis for processing such data under applicable laws and/or regulations.

2. Purpose: To comply with all legal and regulatory requirements the Curtis Entities are subject to, including anti-bribery laws and know-your-client checks.

   Lawful basis: Processing is necessary for reasons of substantial public interest, on the basis of European Union or Member State law to which one or more Curtis Entities are subject; or

   Processing relates to personal data which is manifestly made public by the individual to whom the data relates; or

   Any other lawful basis for processing such data under applicable laws and/or regulations.

In addition, the Curtis Entities may, where appropriate, process data relating to an individual’s criminal offences or confirmation of clean criminal record, if permitted and/or required by applicable laws and/or regulations.

7. Failure to provide information

Where the provision of personal data of an individual is a statutory, regulatory or contractual requirement or a requirement necessary to enter into a contract and that individual’s personal data is not provided to the Curtis Entities, the Curtis Entities may not be able to perform, or may have to cease performing, legal services.

8. Data security

The Curtis Entities have implemented appropriate personal data security policies and technical measures to protect personal data under their control from unauthorised access, improper use, unauthorised modification, unauthorised disclosure or accidental loss. The Curtis Entities have put in place procedures to deal with any personal data breach in accordance with their respective legal obligations in this regard.

9. Cross-border transfers of data within the Curtis Entities

Processing of personal data (which includes, or may include, special categories of personal data and/or information regarding an individual’s criminal record or alleged criminal activities) by the offices of the Curtis Entities within the European Economic Area (“EEA”) involves transfers of such personal data to the offices of the Curtis Entities outside the EEA.  The legal bases for such transfers are as follows:

  1. transfers of such personal data from Curtis UK’s offices in the EEA, and/or from the relevant Curtis Entity’s office in Switzerland, to Curtis NY in the USA are made on the bases of Curtis NY’s participation in the EU-US Privacy Shield and the US-Swiss Privacy Shield Framework respectively;
  2. transfers of such personal data from Curtis UK’s offices in the EEA to the relevant Curtis Entity’s office in Switzerland are made on the basis of the European Commission’s adequacy decision which recognises Switzerland as one of the countries that provide adequate protection for EU data protection purposes; and
  3. transfers of such personal data from the EEA to countries where Curtis NY and other non-EEA Curtis Entities have offices, other than to the United States, are made on the basis of the Standard Contractual Clauses (as approved by the European Commission from time to time) entered into by all Curtis Entities.


10. Cross-border transfers of data outside the Curtis Entities

To the extent that Curtis Entities may transfer personal data which is protected by the GDPR to recipients outside the EEA which are not a Curtis Entity or a Curtis office, the Curtis Entities shall ensure that the country to which the data is transferred is protected by:

  1. an adequacy decision by the European Commission; or
  2. adequate safeguards.

If the non-EEA country does not have either an adequacy decision or adequate safeguards, the Curtis Entities shall only transfer personal data if so permitted by the GDPR; for example, if:

  1. the transfer is necessary for the performance of a contract between the individual whose personal data is being transferred and one or more Curtis Entities, or the implementation of pre-contractual measures taken at the individual’s request;
  2. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual whose personal data is being transferred between the Curtis Entities and another natural or legal person; or
  3. the transfer is necessary for the establishment, exercise or defence of legal claims.


11. Sources of data

The sources from which one or more Curtis Entities collect data on individuals may include:

  1. the individual whose data is being collected;
  2. third parties connected with the individual, including an employer or service provider;
  3. clients; or
  4. publicly available material.

If, as part of any Curtis Entity’s instructions for, or in connection with, the provision of legal services by a Curtis Entity, such Curtis Entity is provided with personal data relating to any officers, employees and/or beneficial owners of, for example, any actual or prospective corporate client, any counterparty, opponent or other adversary, and/or personal data relating to their respective legal or other professional advisors, and/or other individuals involved in our actual, prospective or potential retainers, such personal data will be processed by the Curtis Entities as described in this Privacy Notice.

12. Categories of recipients of data

Personal data processed by one Curtis Entity may be accessible to all other Curtis Entities.  The categories of recipients of personal data processed by a Curtis Entity may also include:

  1. counterparties in actual or potential transactions, opponents in actual or potential litigation, arbitration or other legal proceedings and their legal counsel, co-counsel, barristers, specialist professionals and/or experts;
  2. banks, financial institutions, accountants and/or insurers;
  3. sub-contractors and/or agents of the Curtis Entities;
  4. courts and/or tribunals;
  5. law enforcement agencies;
  6. regulators, other governmental and/or supervisory bodies;
  7. any registrar of a public register;
  8. postal and/or courier services providers; and/or
  9. potential parties the Curtis Entities intend to merge with or sell any part of the Curtis Entities to.

Where a Curtis Entity engages a third party to sub-process any data covered by the GDPR or other applicable laws, for one of the purposes listed in sections 5 and 6 above, such Curtis Entity will enter into a contract with that third party which is compliant with such Curtis Entity’s obligations as a controller of the personal data under the GDPR.

13. Retention of data

The Curtis Entities shall only retain an individual’s personal data for as long as it is necessary to fulfil the purpose or purposes for which it was collected which are set out in sections 5 and 6 above.  An individual’s personal data will typically be retained by the Curtis Entities for the duration of the relevant retainer and up to 10 years thereafter unless one or more Curtis Entities believe that such information is or may be otherwise required to be retained for a longer period by any applicable laws or regulations and/or professional or regulatory rules and/or standards to which one or more Curtis Entities are subject, in which case such personal data will be retained for such longer period.

14. Individuals’ rights under the GDPR

Individuals have, or may have, the following rights under the GDPR in relation to their personal data processed by a Curtis Entity:

  1. Right to information about their personal data;
  2. Right of access to their personal data;
  3. Right to rectification of their personal data which is inaccurate or incomplete;
  4. Right to erasure of their personal data (“right to be forgotten”);
  5. Right to restriction of processing of their personal data;
  6. Right to data portability of the personal data they have provided to the Curtis Entities;
  7. Right to object to the processing of their personal data where it is processed for direct marketing purposes or processed by automated means; and
  8. Right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them, or similarly significantly affects them.

Individuals may exercise one or more of their rights under the GDPR in relation to their personal data processed by one or more of the Curtis Entities by emailing: privacy@curtis.com to obtain and complete a request form.

Where an individual exercises one of his or her rights to erase, restrict or object to the processing of his or her personal data, the Curtis Entities may be unable to provide legal services to the individual, or the legal services the Curtis Entities provide may be limited.

15. Complaints

Individuals to whom the GDPR applies whose personal data is processed by the Curtis Entities have a right to lodge a complaint with the relevant supervisory authority. In the UK, this authority is the Information Commissioner’s Office (ICO).

16. Changes

Any updates to this privacy notice will be included on the Curtis website at www.curtis.com.

If Curtis makes any important changes to this privacy notice (relating to the information Curtis collects, how Curtis uses it or why) those changes will be highlighted at the top of the updated privacy notice and a prominent link to it will be provided for a reasonable length of time following the change.

We encourage you to periodically review this privacy notice to stay informed about how we collect, use, and share personal data in connection with the provision of legal services by any Curtis Entity.
