Privacy Notice Regarding the Processing of Personal Data About Clients and Other Business Contacts Pursuant to the the DIFC-DPL
Please read carefully before using this site.
This Privacy Notice is effective as of 1st October 2020.
This Privacy Notice describes the ways in which Squire Patton Boggs, through its Dubai International Financial Centre branch office and legal entities listed in Annex 1 (the “Affected Offices”), processes and protects the personal data of our clients, individuals related or adverse to our clients and other business contacts.
Squire Patton Boggs is a global law firm operating under a Swiss verein structure that comprises Squire Patton Boggs (UK) LLP, Squire Patton Boggs (US) LLP and other constituent legal entities. A full description of our organisation listing all of our offices worldwide is provided in our Legal Notices page.
We provide legal services primarily to corporate clients. The types of personal data that we process, as described in this Privacy Notice, are those necessary for us to provide our clients with effective legal representation locally, regionally and globally and to carry out various ancillary activities.
As an international law firm, we take very seriously our legal, professional and ethical duties and obligations to protect personal data. We have a robust information security management program in place to protect the personal data and other information that we process, and have achieved ISO27001 certification of the firm’s technical and organisational controls across a broad spectrum of systems and processes. These measures are monitored, reviewed and regularly enhanced in order to meet our professional responsibilities and the needs of our clients.
In line with the transparency requirements of Articles 9 and 10 of the Dubai International Financial Centre Data Protection Law, DIFC Law No. 5 of 2020 (the “DIFC-DPL), this Privacy Notice sets out the following information:
- Identification of the Data Controllers
- Details of Our Local Data Privacy Contact
- Sources and Categories of Personal Data That We Process, Why We Do So, and Lawful Bases for Processing
- Other Squire Patton Boggs Offices And Operations as Well as Third Parties With Which Our Affected Offices May Share Personal Data
- Circumstances in Which We Transfer Personal Data to Countries Outside the DIFC for Processing, and the Safeguards We Put in Place to Protect the Personal Data so Transferred
- Our Retention Policy for Records Containing Personal Data
- Individual’s Rights in Relation to Their Personal Data
- Definitions of Certain Terms Used in This Privacy Notice
Our Affected Offices are branch offices of, or are otherwise associated with, either Squire Patton Boggs (UK) LLP or Squire Patton Boggs (US) LLP. These are listed in Annex 1 to this Privacy Notice.
If you are a client of one or more of our Affected Offices, or an individual related or adverse to one of our clients, the relevant data controller is the Squire Patton Boggs legal entity retained by our client. If you contract with our Affected Offices in any other capacity, your data controller will be the Squire Patton Boggs entity with which you contract.
For cross-border matters, and in relation to personal data shared by several of our Affected Offices, the relevant entities may operate as joint controllers that will collaborate with one another, as necessary, to comply with our obligations under the DIFC-DPL, including to address requests by data subjects to exercise their rights under the DIFC-DPL, as set out in Section 7 below.
The main establishment for all of our Affected Offices for purposes of compliance with the DIFC-DPL is Squire Patton Boggs (MEA) LLP, Dubai International Financial Centre, Burj Daman Office Tower, Level 10, P.O. Box 111713, Dubai, United Arab Emirates.
Please direct all general communications or queries relating to this Privacy Notice or the firm’s compliance with the DIFC-DPL to our local data privacy contact. The details for our local data privacy contact are as follows:
By email: DIFC_Privacy@squirepb.com
Attn: Data Privacy Contact
Squire Patton Boggs
Dubai International Financial Centre
Burj Daman Office Tower, Level 10
P.O. Box 111713
United Arab Emirates
+971 4 447 8700
With regard to the exercise of data subject rights under the DIFC-DPL, a specific email address is provided in Section 7 below for the convenience of individuals wishing to submit a data subject request.
Our Affected Offices process various categories of personal data for the purposes identified below, on the lawful basis indicated for each respective processing activity.
To Provide Legal Services to Our Clients
The information that we collect and process in relation to our clients for the purposes of providing legal services to them is primarily company data and business information.
In some cases, it may be necessary for us to process personal data specific to the matter at hand in order to properly advise and act for our clients. It is not possible to identify every potential category of personal data that we may process as lawyers acting for our clients, since these are as diverse as the legal issues that we are retained to address. The most typical categories are identified below, along with the relevant sources, purposes and lawful bases for processing.
In order to provide, charge for and manage the delivery of legal services and communicate with our corporate clients in relation to the same, it is in our legitimate interests as a law firm, and those of our clients, to process personal data relevant to the legal services we provide them. When we are retained by individual clients, we process their data as necessary for us to provide legal services under the terms of our engagement with them and comply with relevant local bar rules.
The categories of personal data that we process for this purpose, which our clients usually provide to us, include the following:
- Business contact details of clients (the individual business contact’s name, position, company affiliation, physical and email addresses, telephone numbers, etc.) – for purposes of communication in relation to our provision of legal services to them
- Bank account details and related personal data necessary for us to make and receive payments – in order to receive or pay out transaction completion monies or other transaction-related funds such as disbursements, to pay court fees, and to invoice our clients and receive payment
- Account management information (which may include financial or account performance data related to individuals) – to enable us to assess the provision of our services to clients, for our own internal administrative purposes or at the request of our clients
We may also process third-party data as necessary for the provision of legal services to our clients. This information may include personal data about a client’s individual employees, customers or suppliers or about individuals employed or otherwise associated with an adversary or counterparty. We may obtain this information from our clients, from public sources or from third parties, depending on the relevant circumstances. For example:
- In corporate or litigation matters, we may need to process the personal data of, or sent to us by, transactional counterparties or opponents in proceedings involving our clients, emails sent to or from employees of our clients or counterparties, and biographical data concerning witnesses and prospective witnesses and legal and other advisers to such third parties.
- Where it is necessary for our lawyers to review large numbers of documents in relation to litigation matters or investigations, we may use automated systems to help us identify documents of interest which may contain personal data.
In some cases, the client personal data or third-party data that we process in relation to a particular matter may involve the processing of special categories of personal data where relevant to the legal issues involved (for example, in connection with immigration proceedings, data protection, pensions, health and safety regulation or labour and employment matters). The lawful basis upon which we process such data will depend on the circumstances of each case, and may be carried out on the basis that the processing is:
- Necessary for the establishment, exercise of defence of legal claims
- Based on the explicit consent of the individual concerned
- Based on personal data which are manifestly made public by the data subject
We may also process information about individuals associated with our clients or adverse parties relating to alleged criminal offenses or convictions as authorized by DIFC or other applicable national law.
Where we obtain personal data from a client in relation to connected individuals or adverse parties, or other third-party data that is subject to the DIFC-DPL requirements, we do so on the basis that our client has satisfied its own obligations as a controller in its own right in relation to the collection, processing and transfer of such personal data to us.
In many cases, it would be impossible, or would require disproportionate effort on our part, to provide notice of processing directly to these third parties. In most circumstances, we will in any event be subject to a legal obligation of professional secrecy in relation to client data that are entrusted to us and, therefore, are not permitted to inform the relevant data subjects of our data processing.
To Comply With Know-Your-Client (“KYC”) Rules
For the purposes of complying with applicable DIFC KYC legislation, including laws on anti-money laundering (“AML”), anti-terrorism, anti-bribery, anti-corruption, contravention of international trade rules and other crimes, we process during our client inception procedures:
- Personal data concerning individual clients as necessary to perform the required due diligence; and
- Personal data of the officers, shareholders, trustees, beneficial owners, authorised signatories and other individuals associated with our corporate clients as necessary to perform the required due diligence.
For these purposes, it may be necessary for us to obtain various types of information from the relevant individuals themselves or the potential client with which they are associated. The information required may include identification documentation such as passports and national identity cards, home address and other contact details, employment status and history, credit history and other information necessary to complete required background checks. Where necessary, and as authorized by DIFC or applicable national law, we may also need to collect information pertaining to alleged criminal offenses or convictions of individuals related to the potential client. The personal data is used to determine whether we are prohibited by applicable laws from engaging with the client or to identify and evaluate any risks associated with the individual’s economic circumstances, reliability or behavior. Depending on the outcome, we may elect, or be required, to decline to enter into a client relationship.
To complete the required background checks, we may also rely on third-party sources such as credit rating agencies, identity verification agencies, publicly accessible sources such as public registers and publicly available internet sites, and subscription services that provide screening against lists of politically exposed persons and prohibited and/or sanctioned persons identified by the UAE government, the DIFCA or the DFSA.
Squire Patton Boggs is subject to similar types of KYC obligations in jurisdictions outside the DIFC, such as for the purposes of checks against the U.S. Office of Foreign Asset Controls Sanctions Lists. In such cases, it is in the legitimate interests of our law firm to process personal data about individual clients or people associated with our corporate clients as necessary to perform these checks.
To Perform Credit Checks
For the purposes of evaluating the creditworthiness of potential clients, it is in our legitimate interest to process financial data about our clients, including personal data about associated individuals (shareholders, non-executive directors, officers, etc.) in order to evaluate the merits of engaging with them.
The types of personal data that we process for this purpose may involve bank account details, personal financial information including asset ownership, and credit histories. This data may be obtained directly from the individuals concerned as well as from public sources and third-party subscription services or credit vetting agencies.
To Carry Out Conflict-of-Interests Checks
In most cases, we have a legal obligation to process limited amounts of personal data in order to perform “conflict checks” before incepting clients. Such conflict checks may be required by various laws, regulations and “best practice” ethical guidelines to which Squire Patton Boggs, as a law firm, is subject. These checks may sometimes involve the processing of personal data about individuals related or adverse to our clients, such as records of litigation in which they are involved, board memberships or shareholdings. We may obtain this information from the individuals concerned, from public sources or from subscription services such as legal directories. In circumstances where a legal obligation does not apply, we have a mutual legitimate interest with our clients to ensure that our services are provided free from any conflicts of interest, and rely on our clients to ensure that the individuals involved receive proper notice.
In either case, we may not be able to move forward with providing legal services if the personal data are not provided to enable us to complete checks required by law.
To Engage With Our Vendors
For the purposes of dealing with suppliers, it is in our legitimate interests and those of our vendors for us to process the business contact details of the vendors’ individual account representatives in order to communicate and otherwise conduct business with them. The information that we typically process for this purpose is provided by the vendor and includes the appointed business contact’s name, position, company affiliation, physical and email addresses, telephone numbers.
To Market Our Services to Clients and Business Contacts
The information contained in this subsection supplements our Global Website Privacy Notice, which may be found here. In the event of any inconsistencies between the provisions of our Global Website Privacy Notice and this Privacy Notice, the provisions of this notice shall take precedence in regard to the website and marketing-related processing activities carried out by our Affected Offices.
It is in our legitimate interest as a law firm to collect and process business contact data needed to provide requesting clients and contacts with copies of our newsletters on legal developments covering different practice areas, client alerts, blogs, invitations to seminars, online webinars and similar events that we offer, and other marketing materials, where we believe this may be of interest. We also collect business contact data to record information about our business development and marketing activities, such as meetings and other interactions with clients and prospective clients. In addition, we organize and facilitate communications amongst alumni of the Firm. The personal data that we collect for these purposes includes the following:
- The business contact details of our individual clients and the employees of our corporate clients (e.g., name, address, email address, phone number, company name, company address, title or position);
- The business contact details of prospective clients, consultants and other parties that may be interested in using our services or partnering with us;
- Where relevant, information provided by these individuals about their preferences in relation to receiving updates from us on developments in particular practice areas and industry sectors, firm-sponsored events and the like;
- The date and time of business interactions, notes of the meetings or events; and
- Where we are delivering webinars using an online conferencing service, the details for registration of your attendance (e.g. name, company name, title or positon, and business email address).
We generally obtain the business contact details and preference information that we use for marketing communications and business development activities directly from our clients or prospects. This includes visitors to our website, who may register online to opt-in to receiving client alerts, newsletters, invitations to events and other information from us. We may also obtain your business contact details and information about your preferences in regard to the subject matter of newsletters and other materials or events that we offer when you provide us with your business card at conferences that we sponsor or network with our lawyers and staff at meetings or events. We obtain the consent of prospective clients and others with whom we do not have an existing client relationship before sending them our marketing materials by electronic means, where required by applicable DIFC guidelines. We have in place an effective online tool for users to manage requests to opt out or modify their preferences in relation to the subject matter and categories of information they receive.
In order to manage the preferences of our clients, website visitors and other business contacts efficiently and maintain the accuracy of the data we collect, we utilize third-party marketing and events management platforms and other solutions. We safeguard any personal data that we transfer to these service providers, or which they collect on our behalf, in the manner discussed in Sections 4 and 5 below. The personal data that you provide us when you register on our website may be shared with Squire Patton Boggs marketing personnel or lawyers located in offices outside the DIFC. Intra-group transfers of personal data within Squire Patton Boggs are safeguarded by the DIFC Standard Contractual Clauses, as discussed in Section 5 below.
To Facilitate Communications With Our Clients and Other Business Contacts
We use telephone conferencing services provided by third parties for the purposes of providing legal advice and client services, and to deliver webinars. In some cases, we may electronically record a conference call for evidentiary purposes or to memorialise a webinar for further training use. In such cases, we will notify the participants that the call is being recorded. Depending on the circumstances, the lawful basis for recording the call will be either the participants’ consent or to provide evidence of a business communication.
The purposes for which we share personal data relating to our clients and business contacts among our DIFC and global offices, and also with trusted third-party vendors and business partners, are set out below.
Lawyers and staff in our Affected Offices work collaboratively with colleagues in Squire Patton Boggs offices around the globe on cross-border matters, marketing and business development activities and to share experience, knowledge and resources.
Transfers of personal data between and among our Affected Offices (see Annex 1), as well as with lawyers in other offices of the firm, may be necessary in order to deliver legal services to our clients efficiently and effectively or at the request of our clients. For example, a particular matter may involve legal issues or proceedings in multiple jurisdictions, and in these cases we may share personal data relating to the matter amongst selected Squire Patton Boggs colleagues based in our global offices, unless we are instructed otherwise by our client in relation to a particular matter. These international transfers within the firm are governed by intra-group controller arrangements and processor agreements, as appropriate.
Other firm functions that involve the transfer of client-related and business contact personal data to selected members of management and staff located in our offices within and outside the DIFC include financial management, client billing, firm management and administration.
Marketing data containing DIFC business contact details and client preferences in regard to legal developments in specific practice areas, client alerts, newsletters and events are accessible by selected members of the Squire Patton Boggs marketing team located outside the DIFC and may be shared with lawyers working in offices outside the DIFC.
Client-related and business contact information collected in the course of networking and business development activities may be shared among lawyers and staff in our Affected Offices and collaboratively with colleagues in Squire Patton Boggs offices around the globe.
Subject to the client’s prior authorization, our contentious practice sometimes relies on e-discovery software that is operated by an expert team with the firm that is based in the United States and virtual data rooms that are hosted on the firm’s United States servers.
For security purposes (in particular back-up and failover), the firm mirrors DIFC client data, which may include personal data, on Squire Patton Boggs servers located in the United States, where certain firmwide applications are hosted.
Contractual arrangements governing international transfers of personal data to Squire Patton Boggs offices outside the DIFC are discussed in Section 5 below.
Transfers to Unaffiliated Third Parties
Our Affected Offices also share personal data with trusted service providers and business partners pursuant to our contractual arrangements with them, which will include appropriate safeguards to protect any personal data that we share with them. The data recipients include, for example, IT service providers, marketing and events management platforms, telecommunications operators, banking institutions, data room administrators, document review service providers, credit vetting agencies, background check firms, legal directories, third-party consultants or experts, local counsel, barristers, opposing counsel, auditors, and professional indemnity insurers together with their appointed legal and other advisors. If requested by our clients, this may also include e-billing and matter management platform services providers.
We may also share personal data collected for the purposes of client retainers with external recipients in circumstances where we have a legal obligation to do so, including but not limited to courts, tribunals, regulatory authorities, tax authorities and law enforcement.
Finally, it may be necessary for our Affected Offices from time to time to share client data with potential merger partners located in countries outside the DIFC in cases where negotiations have reached a reasonably advanced stage. Any personal data that may be transferred to a potential merger partner will be limited to that which is necessary for the transaction to proceed, and will be safeguarded by protective contractual measures, including the DIFC Standard Contractual Clauses where required.
Contractual arrangements governing other international transfers of personal data to third-party suppliers and partners outside the DIFC are discussed in Section 5 below.
We will never sell personal data collected for the purposes of client retainers, or otherwise obtained from third parties, nor knowingly permit it to be used for marketing purposes by any person outside Squire Patton Boggs.
We transfer personal data intra-group and externally to third countries outside the DIFC that are not considered to provide an adequate level of data protection. You may request a copy of the DIFC Standard Contractual Clauses or other relevant international transfer documentation by contacting our local data privacy contact using the contact details provided in Section 2 above.
We have put in place appropriate intra-group agreements using the DIFC Commissioner-approved Standard Contractual Clauses for controllers or processors, as appropriate, to protect intra-group transfers of personal data from our Affected Offices to Squire Patton Boggs offices in the United States, European Union, United Kingdom, Australia, the Asia-Pacific region, the Middle East and other locations outside the DIFC.
Transfers to Unaffiliated Third Parties
Courts, tribunals, government authorities and related parties or counterparties with whom we share personal data, the third-party vendors identified in Section 4 and business partners are in some cases located outside the DIFC. Unless the recipients are located in countries that have been deemed adequate by the Commissioner, we put in place data transfer agreements based on the applicable DIFC Commissioner-approved Standard Contractual Clauses or rely on other available data transfer mechanisms (Binding Corporate Rules, approved Certifications or Codes of Conduct) to protect the personal data so transferred. In exceptional cases, we may rely on statutory derogations for international data transfers.
Our Affected Offices (and other Squire Patton Boggs offices that are recipients of personal data received from them) retain personal data only for as long as necessary for the purposes for which the data was collected, except where necessary to meet our legal obligations (for example, in relation to AML requirements) or in order to establish, exercise or defend potential legal claims or to pursue our legitimate interests.
The DIFC-DPL provides certain rights to data subjects in relation to their personal data. These include the rights to:
- Request details about the personal data that we process, and obtain a copy of the data that we hold about them (to the extent this is not in breach of a legal obligation of professional secrecy to which we are subject in relation to client data entrusted to us and that would, therefore, prevent us from informing the relevant data subjects)
- Correct or update their personal data subject to the above
- Port personal data that the data subject has provided to us, in machine readable format, to another supplier
- Erase the data that we hold about them in some cases
- Restrict or object to its processing in some cases
- Object to processing:
- Based on grounds relating to the individual’s particular situation, where the processing is based on the legitimate interest of Squire Patton Boggs or our clients
- Where personal data is being processed for direct marketing purposes
- Where any decision based solely on automated processing, including Profiling, produces legal consequences concerning them or other seriously impactful consequences and to require such decision to be reviewed manually.
- Not be discriminated against in pricing and legal services for exercising any of their rights and, for the avoidance of doubt, unless permitted by the DIFC-DPL, Squire Patton Boggs will not:
- Deny data subjects use of our legal services;
- Charge different prices or rates for our services, including through granting discounts or other benefits, or imposing penalties;
- Provide data subjects with a different level or quality of legal services in exchange for the retention or use of any personal data that data subjects have provided to us; and
- Suggest that data subjects may receive a different price or rate for our services or a different level or quality of services.
Where consent is the basis for processing their personal data, the individual may decline to give his or her consent, or to withdraw consent to the processing at any time.
These rights are not absolute and are subject to various conditions under applicable data protection and privacy legislation and the laws and regulations to which we are subject in the performance of legal services.
In some cases, the exercise of these rights (for example, erasure, objection, restriction or the withholding or withdrawing of consent to processing) may make it impossible for us to achieve the purposes identified in Section 3 of this Privacy Notice and provide effective legal services.
The processing of requests for action by Squire Patton Boggs in regard to the exercise of a data subject’s rights under the DIFC-DPL is overseen by an internal team consisting of the DSAR Manager, the Office of General Counsel, the local data privacy contact and other professionals needed to respond to the particular request.
Any individual wishing to assert his or her rights under the DIFC-DPL should address the relevant request to:
Squire Patton Boggs (MENA) LLP
Dubai International Financial Center
Burj Daman Office Tower, Level 10
P.O. Box 111713
United Arab Emirates
+971 4 447 8700
By email: DataSubjectRequests@squirepb.com
Further information and a form that can be used by a data subject at his discretion to exercise these rights may be downloaded here.
Data subjects also have the right to submit a complaint concerning our processing of their personal data to the Commissioner.
“Client” means an individual or legal entity that is or was a client of Squire Patton Boggs pursuant to an existing or past retainer, or that makes or made contact with or has or had discussions with Squire Patton Boggs with a view to such a retainer being established (whether or not such a retainer was or is subsequently established).
“Controller” means an individual or entity who or which, alone or jointly, determines the purposes and means of processing of personal data (and, where relevant, this term shall have the specific meaning attributable to it for the purposes of the DIFC-DPL).
“Commissioner” means the person appointed by the President of the DIFC pursuant to Article 43(1) of the DIFC-DPL to administer the law.
“DFSA” means the Dubai Financial Services Authority.
“DIFC” means the Dubai International Financial Centre.
“DIFCA” means the Dubai International Financial Centre Authority.
“DIFC-DPL” means the DIFC Data Protection Law, DIFC Law No. 5 of 2020.
“DSAR” means Data Subject Action Request pursuant to the provisions of Articles 33 to 37 of the DIFC-DPL, relating to the rights of data subjects under the DIFC-DPL.
“Individual” means a human person (also sometimes referred to as a “natural” person).
“Joint Controller” means any Controller that jointly determines the purposes and means of processing with another Controller.
“Legal Notices” means the Legal Notices page on the Squire Patton Boggs website which hosts this Privacy Notice.
“Personal data” means any information relating to an identified or identifiable individual (a “data subject”). An identifiable individual is one whose identity can be established by one or more identifiers (for example, their name) specific to that individual.
“Processing” means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means an individual or entity who or which processes personal data on behalf of a controller.
“Profiling” means the automated processing of personal data to evaluate the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the person's performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements.
“Recipient” means an individual or entity to whom or to which personal data are transmitted or disclosed.
“Retainer” means a contract, established under the laws and regulations of the relevant jurisdiction, for the provision of legal services by Squire Patton Boggs to a client.
“Third party” when used to describe a data subject, means an individual who is not a client.
“Third-party data” means personal data of a third party.
“UAE” means the United Arab Emirates.
Dubai International Financial Centre
Burj Daman Office Tower, Level 10
P.O. Box 111713
United Arab Emirates
+971 4 447 8700
2 & A Half Devonshire Square
London EC2M 4UJ
+44 20 7655 1000
4900 Key Tower
127 Public Square
Cleveland, OH 44114
United States of America
+1 216 479 8500