Privacy Notice Regarding the Processing of UK and EU Personal Data About Clients and Other Business Contacts

Introduction

1. Data Controllers

More information [2]

2. Data Protection Officer

More information [3]

Email:

Post:

3. Categories and Sources of Personal Data That We Process, Why We Do So and Lawful Bases for Processing

More information [4]

i. Provide, charge for and manage the delivery of legal services and communicate with our corporate clients in relation to the same.

More information [5]

• Business contact details
• Bank account details and related personal data
• Account management information

ii. Provide legal services to our clients where third-party data is necessary and relevant to the legal matter.

iii. Provide legal services to our clients where the processing of special categories of personal data relevant to the legal issues is involved.

• Necessary for the establishment, exercise or defence of legal claims;
• Based on the explicit consent of the individual concerned; or
• Based on personal data which are manifestly made public by the data subject.

i. Compliance with applicable KYC legislation, including laws on UK and European anti-money laundering (“AML”), anti-terrorism, anti-bribery, anti-corruption, contravention of international trade rules and other crimes.

During our client inception procedures, we process:

• Personal data concerning individual clients; and
• Personal data of the officers, shareholders, trustees, beneficial owners, authorised signatories, and other individuals associated with our corporate clients

as necessary to perform the required due diligence.

More information [8]

• Identification documentation
• Personal contact details
• Employment and credit history
• Other information as necessary to complete required background checks

• The individuals themselves;
• The potential client with which they are associated;
• Third party sources

• Identification documentation
• Personal contact details
• Employment and credit history

• The individuals themselves;
• The potential client with which they are associated;
• Third party sources

• Bank account details
• Personal financial information, such as asset ownership;
• Credit histories

• The individuals themselves;
• Public sources
• Third party sources

i. Compliance with legal, regulatory and ethical requirements OR

More information [11]

ii. Ensure our services are provided free from any conflicts.

During our client inception procedures, we may sometimes process personal data about individuals related or adverse to our clients.

In either case, we may not be able to move forward with providing legal services if the personal data are not provided to enable us to complete checks required by law.

More information [12]

Limited personal data to establish whether conflicts are present, such as:

• Records of litigation;
• Board memberships;
• Shareholdings.

• The individuals themselves;
• Public sources
• Subscription services such as legal directories

i. Communicate and otherwise conduct business with our suppliers.

More information [13]

• Business contact details

i. Provide clients, prospective clients and other business contacts with news, alerts and events opportunities on topics of interest to them.

More information [14]

• Business contact details
• Individuals’ subscription preferences
• Event registration details

ii. Record information about our business development and marketing activities, such as meetings and other interactions with clients and prospective clients.

More information [15]

• Notes of business interactions

g) To Facilitate Communications With Our Clients, Vendors and Other Business Contacts

More information [16]

• Audio/video recordings

Our UK and EU Offices also share personal data with trusted suppliers and business partners pursuant to our contractual arrangements.

More information [22]

• Data transfer agreements based on the applicable EU Commission-approved Standard Contractual Clauses or UK International Data Transfer Addendum, as applicable; or
• Other available data transfer mechanisms (Binding Corporate Rules, approved Certifications or Codes of Conduct); or
• In exceptional cases, we may rely on statutory derogations for international data transfers.

Any individual wishing to assert their rights under the Applicable Data Protection Laws should address the relevant request to:

By post:

By email:

“Applicable Data Protection Law”

means the EU GDPR, the UK GDPR, the UK Data Protection Act 2018 and any national laws governing the protection of personal data as may be amended from time to time.

"Client"

means an individual or legal entity that is or was a client of Squire Patton Boggs pursuant to an existing or past retainer, or that makes or made contact with or has or had discussions with Squire Patton Boggs with a view to such a retainer being established (whether or not such a retainer was or is subsequently established).

"Controller"

means an individual or entity who or which, alone or jointly, determines the purposes and means of processing of personal data (and, where relevant, this term shall have the specific meaning attributable to it for the purposes of the Applicable Data Protection Law).

"DSAR"

means Data Subject Action Request, relating to the rights of data subjects under the Applicable Data Protection Law.

"EU"

means the European Union or, where relevant in the given context, the European Economic Area.

"EU GDPR"

means the General Data Protection Regulation, (EU) 2016/679, and applicable national implementing legislation.

“GDPR”

means the EU GDPR and/or the UK GDPR, as applicable.

"Individual"

means a human person (also sometimes referred to as a "natural" person).

"Legal Notices"

means the Legal Notices page on the Squire Patton Boggs website which hosts this Privacy Notice.

"Personal data"

means any information relating to an identified or identifiable individual (a "data subject"). An identifiable individual is one whose identity can be established by one or more identifiers (for example, their name) specific to that individual.

"Processing"

means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Processor"

means an individual or entity who or which processes personal data on behalf of a controller.

"Recipient"

means an individual or entity to whom or to which personal data are transmitted or disclosed.

"Retainer"

means a contract, established under the laws and regulations of the relevant jurisdiction, for the provision of legal services by Squire Patton Boggs to a client.

"Third party"

when used to describe a data subject, means an individual who is not a client.

"Third-party data"

means personal data of a third party.

“UK”

means the United Kingdom of Great Britain and Northern Ireland.

“UK GDPR”

means UK legislation incorporating the provisions of the EU GDPR into the body of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018.

[1]

Squire Patton Boggs is a global law firm operating under a Swiss verein structure that comprises Squire Patton Boggs (UK) LLP, Squire Patton Boggs (US) LLP and other constituent legal entities. A full description of our organisation listing all of our offices worldwide is provided in our Legal Notices page.

We provide legal services primarily to corporate clients. The types of personal data that we process are those necessary for us to provide our clients with effective legal representation locally, regionally and globally and to carry out various ancillary activities.

Back

[2]

Our UK and EU Offices are branch offices of, or are otherwise associated with, either Squire Patton Boggs (UK) LLP or Squire Patton Boggs (US) LLP. These are listed in Annex 1 to this Privacy Notice.

If you are a client of one or more of our UK and EU Offices, or an individual related or adverse to one of our clients, the relevant data controller is the Squire Patton Boggs legal entity retained by our client. If you contract with our UK and EU Offices in any other capacity, your data controller will be the Squire Patton Boggs entity with which you contract.

For cross-border matters, and in relation to personal data shared by several of our UK and EU Offices, the relevant entities may operate as joint controllers that will collaborate with one another, as necessary, to comply with our obligations under the Applicable Data Protection Laws, including to address requests by data subjects to exercise their rights, as set out in Section 7.

Back

[3]

The core business of Squire Patton Boggs is the provision of legal services to corporate clients and does not involve the large-scale processing of personal data. Squire Patton Boggs has nonetheless elected to appoint a DPO who acts on behalf of all of our UK and EU Offices in order to support our firmwide data protection compliance efforts.

Please direct all general communications or queries relating to this Privacy Notice or the firm’s compliance with Applicable Data Protection Laws to our DPO. With regard to the exercise of data subject rights under the Applicable Data Protection Laws, a specific email address is provided in Section 7.

Back

[4]

The information that we collect and process in relation to our clients for the purposes of providing legal services to them is primarily company data and business information.

In some cases, it may be necessary for us to process personal data specific to the matter at hand in order to properly advise and act for our clients. It is not possible to identify every potential category of personal data that we may process as lawyers acting for our clients, since these are as diverse as the legal issues that we are retained to address. The most typical categories are identified in the tables, along with the relevant sources, purpose and lawful bases for processing.

Where we obtain personal data from a client in relation to connected individuals or adverse parties, or other third-party data that is subject to the Applicable Data Protection Law, we do so on the basis that our client has satisfied its own obligations as a controller in its own right in relation to the collection, processing and transfer of such personal data to us.

In many cases, it would be impossible, or would require disproportionate effort on our part, to provide notice of processing directly to these third parties. In most circumstances, we will in any event be subject to a legal obligation of professional secrecy in relation to client data that are entrusted to us and, therefore, are not permitted to inform the relevant data subjects of our data processing.

Back

[5]

In order to provide, charge for and manage the delivery of legal services and communicate with our corporate clients in relation to the same, it is in our legitimate interests as a law firm, and those of our clients, to process personal data relevant to the legal services we provide them. When we are retained by individual clients, we process their data as necessary for us to provide legal services under the terms of our engagement with them and comply with relevant local bar rules.

The categories of personal data that we process for this purpose, which our clients usually provide to us, include the following:

• Business contact details of clients (the individual business contact’s name, position, company affiliation, physical and email addresses, telephone numbers, etc.) – for purposes of communication in relation to our provision of legal services to them;
• Bank account details and related personal data necessary for us to make and receive payments – in order to receive or pay out transaction completion monies or other transaction-related funds such as disbursements, to pay court fees, and to invoice our clients and receive payment; and
• Account management information (which may include financial or account performance data related to individuals) – to enable us to assess the provision of our services to clients, for our own internal administrative purposes or at the request of our clients.

Back

[6]

We may process third-party data as necessary for the provision of legal services to our clients. This information may include personal data about a client's individual employees, customers or suppliers or about individuals employed or otherwise associated with an adversary or counterparty. We may obtain this information from our clients, from public sources or from third parties, depending on the relevant circumstances. For example:

• In corporate or litigation matters, we may need to process the personal data of, or sent to us by, transactional counterparties or opponents in proceedings involving our clients, emails sent to or from employees of our clients or counterparties, and biographical data concerning witnesses and prospective witnesses and legal and other advisers to such third parties.
• Where it is necessary for our lawyers to review large numbers of documents in relation to litigation matters or investigations, we may use automated systems to help us identify documents of interest, which may contain personal data.

Back

[7]

In some cases, the client personal data or third-party data that we process in relation to a particular matter may involve the processing of special categories of personal data where relevant to the legal issues involved (for example, in connection with immigration proceedings, data protection, pensions, health and safety regulation or labour and employment matters). The lawful basis upon which we process such data will depend on the circumstances of each case, and may be carried out on the basis that the processing is:

• Necessary for the establishment, exercise of defence of legal claims;
• Based on the explicit consent of the individual concerned; or
• Based on personal data which are manifestly made public by the data subject.

Back

[8]

For these purposes, it may be necessary for us to obtain various types of information from the relevant individuals themselves or the potential client with which they are associated. The information required may include:

• Identification documentation such as passports and national identity cards;
• Personal contact details such as home address and other contact details;
• Employment status and history;
• Credit history; and
• Other information as necessary to complete required background checks.

Where necessary, and as authorized by applicable law, we may also need to collect information pertaining to alleged criminal offenses or convictions of individuals related to the potential client.

The personal data is used to determine whether we are prohibited by applicable laws from engaging with the client or to identify and evaluate any risks associated with the individual’s economic circumstances, reliability or behavior. Depending on the outcome, we may elect, or be required, to decline to enter into a client relationship.

Back

[9]

To complete the required background checks, we may also rely on third-party sources such as:

• Credit rating agencies;
• Identity verification agencies;
• Publicly accessible sources such as public registers and publicly available internet sites; and
• Subscription services that provide screening against lists of politically exposed persons and prohibited and/or sanctioned persons identified by the UK or EU governments.

Back

[10]

This data may be obtained directly from the individuals concerned as well as from public sources and third-party subscription services or credit vetting agencies.

Back

[11]

In most cases, we have a legal obligation to process limited amounts of personal data in order to perform "conflict checks" before incepting clients. Such conflict checks may be required by various laws, regulations and "best practice" ethical guidelines to which Squire Patton Boggs, as a law firm, is subject. These checks may sometimes involve the processing of personal data about individuals related or adverse to our clients, such as records of litigation in which they are involved, board memberships or shareholdings. We may obtain this information from the individuals concerned, from public sources or from subscription services such as legal directories.

Back

[12]

In circumstances where a legal obligation does not apply, we have a mutual legitimate interest with our clients to ensure that our services are provided free from any conflicts of interest, and rely on our clients to ensure that the individuals involved receive proper notice.

Back

[13]

For the purposes of dealing with suppliers, it is in our legitimate interests and those of our vendors for us to process the business contact details of the vendors' individual account representatives in order to communicate and otherwise conduct business with them.

The information that we typically process for this purpose is provided by the vendor and includes the appointed business contact’s:

• Name
• Position
• Company affiliation
• Physical and email addresses
• Telephone numbers

Back

[14]

It is in our legitimate interest as a law firm to collect and process business contact data needed to provide requesting clients and contacts with copies of our newsletters on legal developments covering different practice areas, client alerts, blogs, invitations to seminars, online webinars and similar events that we offer and other marketing materials, where we believe this may be of interest.

The personal data that we collect for these purposes includes the following:

• Business contact details, such as name, address, email address, phone number, company name, company address, title or position;
• Individuals’ subscription preferences. Where relevant, information provided by these individuals about their preferences in relation to receiving updates from us on developments in particular practice areas and industry sectors, firm-sponsored events and the like.
• Event registration details, such as name, company name, title or positon, and email address.

We generally obtain the business contact details and preference information that we use for marketing communications and business development activities directly from our clients or prospects. This includes visitors to our website, who may register online to opt-in to receiving client alerts, newsletters, invitations to events and other information from us.

We may also obtain your business contact details and information about your preferences in regard to the subject matter of newsletters and other materials or events that we offer when you provide us with your business card at conferences that we sponsor or network with our lawyers and staff at meetings or events.

We obtain the consent of prospective clients and others with whom we do not have an existing client relationship before sending them our marketing materials by electronic means, where required by applicable electronic marketing communications rules. We have in place an effective online tool for users to manage requests to opt out or modify their preferences in relation to the subject matter and categories of information they receive.

Back

[15]

We collect business contact data to record information about our business development and marketing activities, such as meetings and other interactions with clients and prospective clients. The personal data that we collect for these purposes includes the date and time of business interactions, notes of the meetings or events.

Back

[16]

We use audio and video conferencing services provided by third parties for the purposes of providing legal advice, training, client service and to deliver webinars. In some cases, we may record a call for evidentiary purposes or memorialise a webinar for further training use. In such cases, we will notify the participants that the call is being recorded. Depending on the circumstances, the lawful basis for recording the call will be either the participants’ consent or to provide evidence of a business communication.

Back

[17]

Transfers of personal data between and among our UK and EU Offices (see Annex 1), as well as with lawyers in other offices of the firm, may be necessary in order to deliver legal services to our clients efficiently and effectively or at the request of our clients. For example, a particular matter may involve legal issues or proceedings in multiple jurisdictions, and in these cases we may share personal data relating to the matter amongst selected Squire Patton Boggs colleagues based in our offices around the world, unless we are instructed otherwise by our client in relation to a particular matter. These cross-border transfers within the firm are governed by intra-group controller arrangements and processor agreements, as appropriate.

Back

[18]

Other firm functions that involve the transfer of client-related and business contact personal data to selected members of management and staff located in our offices within and outside the UK and the EU include financial management, client billing, firm management and administration.

Back

[19]

Marketing data containing UK and EU business contact details and client preferences in regard to legal developments in specific practice areas, client alerts, newsletters and events are accessible by selected members of the Squire Patton Boggs marketing team and may be shared with lawyers working in offices outside the UK and the EU. Client-related and business contact information collected in the course of networking and business development activities may be shared among lawyers and staff in our UK and EU Offices and collaboratively with colleagues in Squire Patton Boggs offices around the globe.

Back

[20]

Subject to the client’s prior authorization, our contentious practice sometimes relies on e-discovery software that is operated by an expert team with the firm that is based in the United States and virtual data rooms that are hosted on the firm’s United States servers.

Back

[21]

For security purposes (in particular back-up and failover), all client data, which may include personal data, within the UK and the EU are stored on servers based in the UK and mirrored on Squire Patton Boggs servers located in the United States, where certain firmwide applications are hosted.

Back

[22]

Our UK and EU Offices also share personal data with trusted suppliers and business partners pursuant to our contractual arrangements. The data recipients include, for example, IT service providers, marketing and events management platforms, telecommunications operators, banking institutions, data room administrators, document review service providers, credit vetting agencies, background check firms, legal directories, third-party consultants or experts, local counsel, barristers, opposing counsel, auditors, and professional indemnity insurers together with their appointed legal and other advisors. If requested by our clients, this may also include e-billing and matter management platform services providers.

Back

[23]

We may also share personal data collected for the purposes of client retainers with external recipients in circumstances where we have a legal obligation to do so, including but not limited to courts, tribunals, regulatory authorities, tax authorities and law enforcement.

Back

[24]

We provide information, which may include personal information to Experian, a credit reference agency (CRA) and they will give us information about you, such as about your financial history. We do this to assess creditworthiness, check your identity, manage your account, trace and recover debts and prevent criminal activity. We will also continue to exchange information about you with Experian on an ongoing basis, including about your settled accounts and any debts not fully repaid on time. CRAs will share your information with other organisations. The identities of the CRAs, and the ways in which they use and share personal information, are explained in more detail at http://www.experian.co.uk/crain/index.html.

Back

[25]

In order to manage the preferences of our clients, website visitors and other business contacts efficiently and maintain the accuracy of the data we collect, we utilize third-party marketing and events management platforms and other solutions.

Back

[26]

It may be necessary for our UK and EU Offices from time to time to share client data with potential merger partners located in countries outside the UK and EU in cases where negotiations have reached a reasonably advanced stage. Any personal data that may be transferred to a potential merger partner will be limited to that which is necessary for the transaction to proceed, and will be safeguarded by protective contractual measures, including the EU Standard Contractual Clauses where required.

Back

[27]

Courts, tribunals, government authorities and related parties or counterparties with whom we share personal data, the third-party vendors identified in Section 4 and business partners are in some cases located outside the UK and the EU. Unless the recipients are located in countries that have been deemed adequate by the European Commission, we put in place data transfer agreements based on the applicable European Commission-approved Standard Contractual Clauses or UK International Data Transfer Addendum or rely on other available data transfer mechanisms (Binding Corporate Rules, approved Certifications or Codes of Conduct) to protect the personal data so transferred. In exceptional cases, we may rely on statutory derogations for international data transfers.

Back

[28]

The right of access applies only to the extent this is not in breach of a legal obligation of professional secrecy to which we are subject in relation to client data entrusted to us and that would, therefore, prevent us from informing the relevant data subjects.

Back

[29]

The right to rectification applies only to the extent this is not in breach of a legal obligation of professional secrecy to which we are subject in relation to client data entrusted to us.

Back

[30]

Port personal data that the data subject has provided to us, in machine readable format, to another supplier

Back

[31]

The right to erasure applies in some cases and only to the extent this is not in breach of a legal obligation of professional secrecy to which we are subject in relation to client data entrusted to us.

Back

[32]

The right to restriction or objection applies in some cases, and only to the extent this is not in breach of a legal obligation of professional secrecy to which we are subject in relation to client data entrusted to us.

Back

[33]

The right to object may be exercised:

• Based on grounds relating to the individual’s particular situation, where the processing is based on the legitimate interest of Squire Patton Boggs or our clients; or
• Where personal data is being processed for direct marketing purposes.

Back

[34]

Where consent is the basis for processing their personal data, the individual may decline to give their consent, or withdraw consent to the processing at any time.

Back

[35]

The processing of requests for action by Squire Patton Boggs in regard to the exercise of a data subject’s rights under the Applicable Data Protection Law is overseen by an internal team consisting of the DSAR Manager, the Office of General Counsel, the DPO and other professionals as needed to respond to the particular request.

Back