1. DEFINITIONS
Data Controller means the organisation determining the purposes and means of processing personal data.
Data Processor means an organisation that is responsible for processing personal data on behalf of a controller.
Sub Processor means as processor engaged on behalf of Howard Kennedy by a data processor.
Supervisory Authority means the national regulatory, supervisory, or governmental body with jurisdiction over Data Protection Law. In the UK, this is the Information Commissioners Office (ICO).
Personal Data means data, which relates to a data subject who can be identified from the data, or from the data and other information, which is in the possession of, or is likely to come into the possession of the data controller. It includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Sensitive Personal Data means personal data consisting of information as to –
a. The racial or ethnic origin of the data subject,
b. Their Political opinions,
c. Their Religious beliefs or other beliefs of a similar nature,
d. Whether they are a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
e. Their physical or mental health or condition,
f. Their sexual life,
g. The commission or alleged commission by them of any offence, or
h. Any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.
Data Subject means the identifiable natural person to which the personal data or sensitive personal data relates.
Personal Data Breach means an incident in which security is breached leading to a loss of confidentiality, integrity or availability of confidential information stored by us.
Howard Kennedy or Firm or We mean all companies trading as or forming part of Howard Kennedy, including Howard Kennedy LLP, Howard Kennedy Corporate Services LLP, and Howard Kennedy Services Ltd.
Singular words include the plural, masculine words include the feminine, and words importing persons include corporations and in each case vice versa.
2. DESCRIPTION OF PROCESSING
2.1 Personal data shall be processed by Howard Kennedy LLP (registered in England and Wales OC361417), authorised and regulated by the Solicitors Regulation Authority (number 557188) under the conditions set out below.2.2 Personal data is required by the firm in order to identify individuals as required under anti-money laundering regulations and to provide legal and other professional services to clients.
2.3 The duration of processing of data will be for the entire life of the matter plus a period of up to ten years from the date of matter closure, depending on the type of work undertaken.
2.4 Personal identification data used to verify identity under anti-money laundering regulations will be retained for the entire duration of a client relationship with the firm, with a minimum period of 5 years.
2.5 Personal data submitted by or stored on behalf of clients or prospective clients may include multiple categories of data, including but not limited to, personal identity documents, contact information, financial and credit history, electronic mail messages, legal documents, forms, contracts, deeds, wills, presentations, pictures, calendar and meeting information and tasks.
2.6 Personal data submitted by or stored on behalf of clients or prospective clients may concern, but not be limited to the following types of data subjects, clients, clients family members, business associates, employees, contractors, clients customers, suppliers, subcontractors, and any other individuals involved in a client matter.
3. GENERAL PROCESSING OBLIGATIONS OF HOWARD KENNEDY
3.1 Howard Kennedy will be the data controller for the matter file and all documentation created by the firm on behalf of clients, and information supplied by clients related to a matter for the duration of data processing.
3.2 Howard Kennedy may also act as a data processor for information processed by the firm on behalf of a client for which the client remains the data controller.
3.3 Howard Kennedy shall process personal data within the context of a matter, this may involve sharing information with third parties, including but not limited to professional advisers, counsel, the other parties to a matter or transaction, along with their professional advisors, and required third party search and service providers. Personal data shall not be used for any purpose unrelated to the matter or shared with ay party unrelated to the matter, unless specifically instructed to do so in writing by the data subject, or as required by regulatory bodies, legislation, or insurers.
3.4 Howard Kennedy may use client data for the purpose of internal software and systems development. All data used for this purpose will be anonymised where possible. Where such development involves the use of external providers, this will only be undertaken on the condition that those providers have committed to maintaining appropriate confidentiality to the same standard as Howard Kennedy, and are under appropriate legal obligation of confidentiality.
3.5 Howard Kennedy may use contact information of clients for direct marketing purposes. If you do not wish to receive direct marketing from the firm, please inform your matter lawyer or the data protection officer ([email protected]).
3.6 Howard Kennedy shall ensure that its members, employees, contractors, and sub processors who have access to and/or process personal data on behalf of the firm have committed to maintaining appropriate confidentiality to the same standard as Howard Kennedy, and are under appropriate legal obligation of confidentiality.
4. DATA SECURITY
4.1 Howard Kennedy has implemented appropriate technical and organisational measures to safeguard the personal data it holds. These measures meet the requirements of the GDPR (Article 32) and provide an appropriate level of security for the personal data. The firm will review and update these measures over time as appropriate in line with recognised industry best practice to ensure appropriate security is maintained.
5. SUBCONTRACTING/SUBPROCESSING
5.1 Howard Kennedy may appoint a sub processor or subcontractor to process data on behalf of the firm provided that-
5.1.1 The firm enters into a suitable contract with the sub processor with appropriate terms that match those set out in the GDPR.
5.1.2 Where a sub processor fails to fulfil the data protection obligations of the contract it enters into, Howard Kennedy will remain fully liable to the client for the performance of the sub processors obligations.
6. DATA SUBJECT ACCESS REQUESTS
6.1 Where Howard Kennedy is the data processor and taking into account the nature of processing, the firm shall provide commercially reasonable assistance to clients by appropriate technical and organisational measures as far as possible, to assist the client with their obligation to respond to a request from a data subject under their right of access, rectification, restriction of processing, erasure, portability, or objection to automated decision making. To the extent permitted by law, Howard Kennedy may charge reasonable costs incurred in providing this assistance.
6.2 Where Howard Kennedy is the data controller, the firm shall, where possible comply with requests from data subjects under their right of access, rectification, restriction of processing, erasure, portability, or objection to automated decision making. All such requests should be addressed to the Data Protection Officer. Where the firm is unable to comply with such requests, an explanation of the reason shall be provided in writing.
7. MARKETING & EVENTS
7.1 Howard Kennedy may use the business contact information of clients, prospective clients, and contacts for the purposes of direct marketing and sending invitations to events we feel may be of interest. Howard Kennedy will not send direct marketing or event invitations to personal (non-business) email addresses unless that individual has given explicit consent.
7.2 Any individual may request to be removed from our marketing lists at any time by emailing [email protected] from the email address concerned, or by clicking the unsubscribe link contained within our marketing messages. All such requests will be completed within 7 working days.
7.3 The name, job title and organisation name of event attendees may be shared with any third party organisers of that particular event.
7.4 Any information shared with external parties for marketing purposes will be in accordance with the provisions set out in section 5 of this notice.
8. PERSONAL DATA BREACH
8.1 Where Howard Kennedy is the Data Controller, the firm shall notify the data subject without undue delay after becoming aware of a personal data breach which puts the data subject to risk of harm.
8.2 Where Howard Kennedy is a Data Processor, the firm shall notify the Data Controller without undue delay after becoming aware of a personal data breach which puts the data subject at risk of harm. The firm shall also provide commercially reasonable assistance to the Data Controller in connection with their notification and communication obligations under GDPR. To the extent permitted by law, Howard Kennedy may charge reasonable costs incurred in providing this assistance.
9. DATA PROTECTION IMPACT ASSESSMENTS
9.1 Howard Kennedy shall conduct Data Protection Impact assessments of its own processing activities as appropriate.
9.2 Where Howard Kennedy is the Data Processor, the firm shall provide commercially reasonable assistance to clients in relation to their obligations under the GDPR to carry out Data Protection Impact Assessments (consulting Supervisory Authorities as required). To the extent permitted by law, Howard Kennedy may charge reasonable costs incurred in providing this assistance.
10. AUDITING
10.1 Information and policies describing Data Protection safeguards is available upon request to clients and prospective clients.
10.2 Upon reasonable written notice to the firm, a client or prospective client may request an audit or inspection to verify Howard Kennedys compliance with the obligations set out in this document and its Data Protection documentation. Howard Kennedy shall facilitate this (as long as the action does not breach the confidentiality of another client or third party). The audit may be carried out by a client or authorised third party, during normal working hours, in a way that does not disrupt Howard Kennedy’s business operations, and no more than once per calendar year. The resulting audit report will be supplied to the firm upon request and shall remain confidential.
10.3 Howard Kennedy will notify the client or prospective client, if in its reasonable opinion the audit request infringes data protection laws or violates the confidentiality of another client or third party.
11. DATA TRANSFERS
11.1 Except in instances where Howard Kennedy is required to do so by law, the firm shall not transfer any Personal Data out of the European Economic Area to any country that has not been identified by the European Commission or a Supervisory Authority under the Data Protection Laws as a country that provides an adequate level of data protection except:
11.1.1 With the data subjects prior written approval, and
11.1.2 Where the firm has ensured adequate protection for such Personal Data, as required by the Data Protection Laws, such as by ensuring that any such transfer of Personal Data is governed by the EU Standard Contractual Clauses.
11.2 If Howard Kennedy is required to transfer Personal Data out of the European Economic Area to any country that has not been identified by the European Commission or a Supervisory Authority under the Data Protection Laws as a country that provides an adequate level of data protection, the firm shall inform the data subject of that legal requirement before processing, unless the law prohibits such notification.
12. RETURN OR DELETION OF PERSONAL DATA
12.1 After a period of up to 10 years from the date of matter closure, depending on the type of work undertaken, Howard Kennedy will review the stored matter files and commence destruction of the file and all personal data contained therein as appropriate. The file will only be retained if there is a legitimate business reason for doing so. Deeds will continue to be kept in secure storage.
12.2 Prior to this date, and at the choice of the Data Subject or Data Controller, Howard Kennedy shall return or destroy all copies of personal data unless the retention of data is required by legislation, regulation, or insurers for the defence of legal claims. Where Howard Kennedy is not able to comply with a destruction request, an explanation shall be provided in writing.
13. YOUR RIGHTS
13.1 You have certain rights under the Data Protection Act in relation to the information that we hold about you. These rights are set out below:
13.1.1 The right to access
13.1.2 The right to rectification
13.1.3 The right to erasure
13.1.4 The right to restrict processing
13.1.5 The right to object to processing
13.1.6 The right to data portability
13.1.7 The right to complain to a supervisory authority
13.1.8 The right to withdraw consent
13.2 You are entitled to have access to your personal data. You may request details of the information which we hold about you and the purposes for which it is held. We will provide this information within 30 days of your request, subject to any routine processing continuing between that time and the time of response. This will normally be provided free of charge, however, you may be charged a reasonable fee (as permitted by law) for this information.
13.3 You are entitled to require that Howard Kennedy stop using information about you for the purpose of direct marketing, i.e. the communication to you (by whatever means) of any advertising or marketing material.
13.4 In certain circumstances, you have the right to erasure of your personal data without unnecessary delay. There are exceptions to this right including our compliance with legal or professional obligation, or the establishment, exercise or defence of legal claims. Possible circumstances in which erasure can we requested include:
13.4.1 Where such data is no longer required for the original purpose
13.4.2 The legal basis for processing is consent, and consent is withdrawn
13.4.3 You object to processing under certain rules of applicable data protection legislation.
13.5 In certain circumstances, you have the right to restrict the processing of your personal data without unnecessary delay. In such circumstances, we will continue to store the personal data but will only process it, with your consent, for the establishment, exercise or defence of legal claims, or to protect the rights of another person. Such circumstances include:
13.5.1 Where you contest the accuracy of the information
13.5.2 Processing is unlawful but you do not wish to exercise your right of erasure
13.5.3 The personal data is no longer needed for the original purpose but you require the data for the exercise or defence of legal claims
13.5.4 You have objected to processing and that objection is currently being investigated.
13.6 You have the right to object to processing of your personal data on grounds relating to your particular situation. However, this is only to the extent that the legal basis for the processing is that it is necessary for the performance of a task carried out in the public interest or in the exercise of any official authority vested in us, or the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease processing the personal data unless we can demonstrate legitimate grounds for the processing, which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
13.7 You are entitled to require us to ensure that no decision taken by or on behalf of us and which significantly affects you is based solely on the automated processing of your information, for the purpose of evaluating such matters as, for example, your creditworthiness, reliability or conduct.
13.8 You are entitled to require a correction of errors in the personal information held about you. If we disagree that information is inaccurate you are entitled to apply to ask the court for an order that such erroneous information be rectified, blocked, destroyed or erased.
13.9 If the legal basis for processing your personal data is consent, or processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract, and processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
13.10 If the legal basis for processing personal data is consent, you have the right to withdraw consent at any time. If you chose to withdraw consent, we will cease processing that personal information without unnecessary delay. This will not affect the lawfulness of processing prior to the time that consent was withdrawn.
13.11 If you consider that processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. In the UK, this is the Information Commissioners Office (ICO). You may do so in the EU member state of your normal residence, your place of work or the place of the alleged infringement.
Last updated 18 April 2018