6. For how long do we keep your information?
Your personal information is retained by us in accordance with applicable law and regulation. Our data retention periods vary depending on the location, nature and context of the personal information that we have in our care, and are calculated taking into account the following factors:
- potential claims or litigation;
- guidance from official bodies such as relevant data protection supervisory authorities and professional regulatory bodies;
- how long we need to keep the data to fulfil the original purpose for which it was collected;
- the nature and sensitivity of personal data; and
- legal obligations to which we are subject.
This means that, in general, we delete personal information when: the purpose for its processing has been fulfilled or the contractual relationship with our client, you or your company has ended; all mutual claims have been fulfilled; and there are no other legal obligations to retain the personal information nor legal bases for further processing. Typically, we retain personal information in client files for 10 years after the completion of the matter.
7. Your rights
Depending on where you are in the world and which of the Pinsent Masons entities processes your personal information, you may have one or more of the following rights in respect of that personal information:
- to be informed about the collection and use of your personal information;
- to ask whether we process your personal information and request a copy of it if so;
- to object to decisions that we may make based solely on the automated processing of your personal information;
- in certain circumstances, to object to processing of your personal information where we do so for the purposes of our legitimate interests;
- to request that any inaccurate or incomplete personal information of yours in our care is rectified or competed;
- in certain circumstances, to restrict our processing of your personal information;
- in certain circumstances, to receive your personal information or have your personal information transmitted to another organisation in a structured, commonly used and machine readable format;
- in certain circumstances, to request that we delete your personal information; and
- to object to our processing of your personal information for direct marketing purposes.
Not all of these rights are absolute, which means that they may only apply in certain situations and may be subject to legal exceptions and exemptions. To exercise your rights, please email us at [email protected]. You may also write to us at Privacy Team, Pinsent Masons, 19 Cornwall Street, Birmingham, B3 2DT, United Kingdom. Please also refer to section 12.1 of this policy for any further information concerning certain of our non-European offices in respect of exercising your rights in relation to your personal information.
You may change your marketing preferences or let us know that you no longer wish to receive any marketing communications from us by:
- logging into your Pinsent Masons account and updating your preferences (via our website or via the link at the foot of each email that you have received from us) - please note it may take up to 72 hours for changes to take effect; or
- sending an email to [email protected]; or
- writing to us at Privacy Team, Pinsent Masons, 19 Cornwall Street, Birmingham, B3 2DT, United Kingdom.
8. How to make a complaint
Our Privacy Team oversees our compliance with data protection laws and this policy, and provides guidance and advice to the firm and our people. Our Compliance Officer for Legal Practice ('COLP') oversees compliance with our professional responsibilities and the reporting of any failures to comply with legislative requirements, including data protection.
Please direct any complaint relating to how the firm has processed your personal information to [email protected]. You may also write to us at Privacy Team, Pinsent Masons, 19 Cornwall Street, Birmingham, B3 2DT, United Kingdom. We hope that we can resolve any query or concern you raise about our processing of your personal information.
The EU General Data Protection Regulation and certain other applicable data protection laws give you the right to lodge a complaint with a data protection supervisory authority ('DPA'), usually in the country or state where you work, normally live or where any alleged infringement of data protection laws has occurred. Details of EU Member State DPAs and EEA DPAs can be found here. Details of the DPAs relevant to other jurisdictions in which we operate, including the UK, are set out in section 12 of this policy.
9. Links to other websites
We sometimes provide you with links to other websites, but these websites are not under our control. We are not liable to you for any issues arising in connection with their use of your information, the website content or the services offered to you by those websites.
We recommend that you check the privacy policy and terms and conditions on each website to see how each third party will process your information.
10. Terminology used in this Privacy Policy
When we say 'we', 'our', 'us' or 'Pinsent Masons' in this policy, we are referring to all or any of the entities which make up the international Pinsent Masons group, as the context requires. An explanation of some of the other terminology we use in this policy is set out below.
"checking organisations"
|
means an organisation registered with a criminal records bureau to (a) submit basic checks through a web service or by other means; (b) to submit standard and enhanced checks, and is entitled by law to ask an individual to reveal their full criminal history; or (c) any other approved organisation engaged by the firm to carry out criminal checks on its behalf;
|
"client"
|
any person or organisation to whom the firm provides a service and who is identified as a client on the firm's practice management system, regardless of whether time is recorded or a fee is charged;
|
"contact"
|
an individual who is a contact of the firm, including any client, any potential or former client, any supplier, any consultant, or any another professional advisor and any other contact of the firm;
|
"criminal offence data"
|
is personal data relating to criminal convictions and offences or related security measures. This encompasses a wide range of information about criminal activity, allegations, investigations and proceedings. It includes not just data which is obviously about a specific criminal conviction or trial, but also any other personal data relating to criminal convictions and offences, including unproven allegations, information relating to the absence of convictions and personal data of victims and witnesses of crime. It also encompasses a wide range of related security measures, including personal data about penalties, conditions or restrictions placed on an individual as part of the criminal justice process, or civil measures which may lead to a criminal penalty if not adhered to.
|
"criminal record bureau"
|
means the Disclosure and Barring Service, Disclosure Scotland, AccessNI and other equivalent criminal record bureaus of the jurisdictions in which the firm operates;
|
"criminal record certificate"
|
means a criminal records certificate issued by a criminal record bureau in response to a criminal record check;
|
"criminal record check"
|
is a request submitted to a criminal records bureau to find out whether an individual has a criminal record;
|
"data"
|
recorded information whether stored electronically, on a computer, or in certain paper-based filing systems;
|
"data controller"
|
a person who or organisation which determines how personal information is processed and for what purposes;
|
"EU GDPR" or "General Data Protection Regulation"
|
means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1, 4.5.2016;
|
"individual" or "you"
|
the person whose personal information is being collected, held or processed;
|
"partner(s)"
|
refers to a member of Pinsent Masons LLP or an employee or consultant of Pinsent Masons with equivalent standing;
|
"our/PM people"
|
means partners, members, consultants, employees, temporary workers, agency and casual workers, contractors, collaborators, volunteers and those on work placements providing services to/working for Pinsent Masons;
|
"personal information" or "personal data"
|
information (including opinions) which relates to an individual and from which he or she can be identified either directly or indirectly through other data which the firm has or is likely to have in its possession. These individuals are sometimes referred to as data subjects;
|
"policy"
|
the global privacy policy as amended from time to time;
|
"process" or "processing"
|
any activity that involves personal information. It includes obtaining, recording or holding the personal information, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal information to third parties as a result of those third parties having access to it;
|
"special category personal data" or "special category personal information"
|
means information revealing someone's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or genetic information, biometric information, information concerning health or concerning sex life or sexual orientation;
|
"UK GDPR"
|
means the Data Protection Act 2018 and the UK GDPR (as defined in the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019); and
|
"Vario"
|
a consultant lawyer working for Pinsent Masons' freelance legal resource business.
|
11. Defined terms used in our Standard Terms of Business for the provision of professional services to our clients
The data protection and marketing provisions of the Pinsent Masons Standard Terms of Business for the provision of professional services to our clients include certain defined terms. These defined terms and the meanings attributed to them are set out below, with further variances specific to certain jurisdictions described in 12.1.
Client Personal Data
|
means all personal data processed by Pinsent Masons its agents, affiliates or sub-contractors under or in connection with the Agreement and for which the Client is Controller;
|
Controller
|
means (a) “controller” or “responsible party” or equivalent term as defined in the Data Protection Laws where applicable;
|
Data Subject, “process”, “processing” and “supervisory authority”
|
will have the meanings given to them in the Data Protection Laws where applicable;
|
Data Protection Laws
|
means (a) any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding pronouncement , including findings, orders, decisions and judgements of a competent court or regulator with jurisdiction as updated and amended from time to time which relates to the protection of individuals with regards to the processing of personal data to which a party is subject, including, where applicable, the General Data Protection Regulation 2016/679 ("GDPR") and the e-Privacy Directive and relevant member state laws in the European Economic Area ("EEA") and in relation to the United Kingdom ("UK") the Data Protection Act 2018 and the Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended by SI 2020 no. 1586). As amended to be referred to as PECR, DPA 2018 and the UK GDPR respectively; (b) any code of practice or statutory guidance published by a competent Regulator from time to time; and (c) any binding pronouncements (including findings, orders, decisions and/or judgements) by a Regulator or a court of law;
|
“personal data”
|
means (a) “personal data” or “personal information” or equivalent term as defined in the Data Protection Laws where applicable;
|
Regulator
|
means any supervisory authority or independent public authority which has competence to monitor, apply and/or enforce the Data Protection Laws, in order to protect the rights and freedoms of natural persons in relation to processing of personal data, including those organisations referred to in sections 8 and 12 of this Privacy Policy;
|
Restricted Country
|
means a country, territory or jurisdiction which is not deemed to provide adequate protection of personal data in accordance with the Data Protection Laws (and in particular, where applicable, Article 45 (1) of GDPR);
|
Security Requirements
|
means the requirements regarding the security of personal data, as set out in the Data Protection Laws (including, where applicable, the measures set out in Article 32(1) of GDPR (taking due account of the matters described in Article 32(2) of GDPR));
|
Transparency Requirements
|
means the requirements of lawfulness, fairness and transparency set out in the Data Protection Laws, (and in particular, where applicable, Articles 13 and 14 of GDPR).
|
12. Further information in relation to our non-European office and the relevant DPAs
12.1. Important differences in how personal information is processed by our non-European offices
We explain below any essential differences in how personal data is processed by our international offices.
South Africa
Where our South Africa office provides legal or other services to you or where your personal information is processed in South Africa by us, then, in compliance with data protection law applicable in South Africa, we process personal information relating to identifiable existing legal entities in the same manner as described for the processing of personal data of individuals in this policy.
You can find further information on how we comply with relevant laws and how you might exercise your rights in our PAIA and POPIA Manual or by contacting our Information Officer at [email protected].
Our PAIA and POPIA Manual also provides copies of the necessary forms that you must use if you wish to exercise certain rights.
12.2 Non-European DPAs
Australia
|
The Privacy Commissioner, under the Office of the Australian Information Commissioner.
GPO Box 5218, Sydney NSW 2001
https://www.oaic.gov.au/
|
Dubai
|
There is no national DPA in the UAE.
|
Qatar - Qatar Financial Centre ('QFC')
|
The Employment Standards Office at the QFC.
Employment Standards Office, Qatar Financial Centre, Level 8, QFC Tower 1, Westbay, Doha, Qatar
Tel: +974 44967609
Email: [email protected]
http://www.qfc.qa/en/Operate/Pages/ESO.aspx
|
Hong Kong
|
The Office of the Privacy Commissioner for Personal Data
12/F, Sunlight Tower, 248 Queen’s Road East, Wanchai, Hong Kong
http://www.pcpd.org.hk/
|
People's Republic of China ('PRC')
|
There is no unified data protection legal regime nor a single designated DPA in the PRC. Competent authorities and enforcement regulators in some sectors may monitor and enforce data protection issues, e.g. the Cyberspace Administration of China and the Ministry of Public Security.
|
Singapore
|
Personal Data Protection Commission
10 Pasir Panjang Road, #03-01 Mapletree Business City Singapore 117438
Tel: +65 6377 3131
Fax: +65 6577 3888
Email: [email protected]
http://www.pdpc.gov.sg/
|
South Africa
|
The office of the Information Regulator has been established under the Protection of Personal Information Act 4 of 2013 ('POPIA'). The Information Regulator is to be responsible for investigating and attempting to resolve complaints.
|
United Kingdom
|
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
Home | ICO
|
13. Our personnel vetting practices in respect of criminal offences
Criminal offence information may be requested of prospective PM people and prospective Varios as part of the recruitment process in certain of the jurisdictions in which we operate before an offer of employment is made unconditional. If we are not permitted to or are not justified in seeking information about criminal offences for a role, we will not ask candidates for criminal offence information. We will not seek criminal offence information from any source other than the individual concerned, a criminal record bureau or a checking organisation.
Criminal offence information will only ever be used by the firm for the purposes for which it was originally collected. Criminal record certificate information will be handled, kept, and disposed of in accordance with the firm's Pre-employment Checks Policy: candidates may email [email protected] to request a copy.
Recruitment of ex-offenders policy statement
We are committed to the fair treatment of our people, prospective PM people and users of our services, regardless of their offending background.
The firm promotes equality of opportunity for all with the right mix of talent, skills and potential. Having a criminal record will not necessarily bar an individual from working with us and we welcome applications from a wide range of candidates, including those with criminal records.
The firm selects all candidates for interview based on their skills, qualifications and experience.
Circumstances in which candidates may be asked to provide criminal offence information
A criminal record check or a request for criminal offence information from an individual is only requested after a thorough risk assessment has indicated that doing so is both proportionate and relevant to the position concerned.
The type of criminal records information and level of criminal record check that the firm is entitled to request will depend on the nature of the role for which the individual's suitability is being assessed. When recruiting for a role, we assess whether:
- it is appropriate to limit the criminal offence information sought to offences that have a direct bearing on suitability for the job in question; and
- the information provided should be verified with a criminal record bureau.
If candidates are asked to provide criminal offence information
Where we request criminal offence information from an individual but do not request a criminal record check, we will ask the individual to provide only criminal offence information in relation to convictions and cautions that the firm would be legally entitled to see in a criminal record check for the relevant role.
If it is assessed that we should verify criminal records information with a criminal record check, we will comply with any criminal record bureau code of practice to which we are subject and provide the individual concerned with a copy of the firm's Pre-employment Checks Policy.
The firm will not rely on previously-issued criminal record certificates.
Criminal offence information verified through a criminal record check
Once criminal offence information has been verified through a criminal record check, we will:
- if inconsistencies emerge between the information provided by the individual and the information in the criminal record certificate, give the individual the opportunity to provide an explanation; and
- record that a criminal record check was completed and whether it yielded a satisfactory or unsatisfactory result.
Where an unprotected conviction or caution is disclosed
If we have concerns about the information that has been disclosed by a criminal record bureau, or the information is not as expected, we will discuss our concerns with the candidate and carry out a risk assessment.
Our risk assessment will take into account the circumstances and background of any offences and whether they are relevant to the position in question, balancing the rights and interests of the individual, PM people, clients, suppliers and the public.
We treat all applicants fairly but reserve the right to withdraw an offer of employment if an individual does not disclose relevant information, or if a criminal bureau check reveals information which we reasonably believe would make an individual unsuitable for a role.
Disputing the content of a criminal record certificate
Individuals may raise a dispute with a criminal record bureau if they believe that there has been a mistake in the contents of their certificate, for example a mistake in:
- the records provided, for example incorrect or irrelevant information on convictions; or
- their personal details.
Dispute processes may vary by criminal record bureau and the relevant criminal record bureau should be contacted directly for guidance on how to raise a dispute.