Osborne Clarke values the privacy of those who provide Personal Data to it and recognises the importance of protecting Confidential Information.  This privacy and confidentiality policy (the “Policy”) describes how and why we collect, store and use Personal Data and Confidential Information, and provides information about individuals’ rights.

This Policy applies to both Personal Data supplied to Osborne Clarke either by an individual or by others and to Confidential Information supplied by clients or prospective clients. We may use Personal Data and Confidential Information supplied to us for any of the purposes as set out in this Policy, or as otherwise disclosed at the point of collection.

This Policy is an important document. We recommend that you read it carefully and retain a copy for your future reference.

In this Policy, we use the terms:

“Confidential Information” refers to information supplied to an OC Member Firm(s) or Network Firm(s) by a client or prospective client, which is identified as being confidential at the time of disclosure or would be regarded as confidential by a reasonable person or is protected by a regulatory obligation of confidentiality;

“Engagement Letter” refers to a written document which sets out the terms and conditions of the engagement of a specific OC Member Firm and which describes the services to be provided to you by the specific entity. Such engagement terms should be relied upon in determining liability for the services provided. Unless explicit written agreement is given by each OC Member Firm involved, no OC Member Firm is responsible for the acts or omissions of, nor has any authority to obligate or otherwise bind, any other OC Member Firm;

“Network Firm” includes Osborne Clarke Services (company number: 3049484), Osborne Clarke Trustees Limited (SRA reference: 199769), Oval Nominees Limited (company number: 1865795), Ovalsec Limited (company number: 1379423), Open Trustees (company number 2679647) and Osborne Clarke International Services Ltd (company number: 8096377) – the registered office of each of the above companies is 2 Temple Back East, Temple Quay, Bristol, BS1 6EG.

“OC Member Firm” refers to any entity, including Osborne Clarke Verein, which is a member of the international Osborne Clarke network (“Network Firm”) or which is a member firm of Osborne Clarke Verein, a Swiss Verein (“Osborne Clarke Verein Member Firm”);

“Osborne Clarke Verein Member Firm” are those firms listed on the Osborne Clarke website. Each Osborne Clarke Verein Member Firm is a separately constituted and regulated legal entity or partnership which provides legal and other client services in accordance with the laws of the jurisdictions in which it operates. Osborne Clarke Verein is a Swiss verein which does not itself provide legal or other client services;

“Personal Data” has the meaning set out in EU Regulation 2016/679 (the “GDPR”). This includes any information about an individual from which that person can be identified;

“we”, “us”, and “our” (and other similar terms) refer to – as the relevant context dictates – either: the OC Member Firm(s) contracting party (or parties) as referred to in your Engagement Letter; or the OC Member Firm(s) contracting party (or parties) as referred to in any contract we enter into with you; or if you have not yet instructed an OC Member Firm, or we have not yet finalised our written engagement, the OC Member Firm(s) that you are proposing to instruct or are instructing; or Osborne Clarke LLP (SRA reference: 619990) as owner of the Osborne Clarke website, osborneclarke.com. In each of the above cases, when dealing with Personal Data, the relevant OC entity will be the data controller as prescribed in the entity’s local law (the “Data Controller”);

“you” and “your” (and other similar terms) refer to – as the relevant context dictates – our clients, individuals associated with our clients, contacts, suppliers, job applicants, staff and visitors to the Osborne Clarke website, www.osborneclarke.com.

Your rights in relation to Personal Data and how to exercise them

 Under certain circumstances you have the following rights:

  • the right to ask us to provide you, or a third party, with copies of the Personal Data we hold about you at any time and to be informed of the contents and origin, verify its accuracy, or else request that such information be supplemented, updated or rectified according to the provisions of local law;
  • the right to request erasure, anonymisation or blocking of your Personal Data that is processed in breach of the law;
  • the right to object on legitimate grounds to the processing of your Personal Data. In certain circumstances we may not be able to stop using your Personal Data. If that is the case, we’ll let you know and explain why; and
  • withdrawal of consent – when Personal Data are processed on the basis of consent an individual may withdraw consent at any time (this may apply to processing of special categories of Personal Data where you have instructed us to act on your behalf and includes the following: racial/ethnic origin, political opinions, religious or philosophical beliefs and trade union membership). In the event that you no longer want to receive any marketing material from us, please use the unsubscribe option (which is in all of our marketing emails to you), or contact the relevant Data Controller as set out below.

To exercise such rights and if you have any questions about how we collect, store and use Personal Data, then please contact us using the details as set out in the “Data Controller contact information” section below.

What basis do we have for processing your Personal Information?

We will only process Personal Data where we have a lawful reason for doing so.  The lawful basis for processing Personal Data by us will be one of the following:

  • the processing is necessary for the performance of a contract you are party to or in order to take steps at your request prior to you entering into a contract;
  • the processing is necessary in order for us to comply with our legal or regulatory obligations (such as compliance with anti-money laundering legislation and for conflict checking purposes);
  • the processing is necessary for the pursuit of our legitimate business interests (including that of the delivery and the promotion of our services);
  • processing is necessary for the establishment, exercise or defence of legal claims; or
  • the data subject has given consent to the processing of his or her Personal Data for one or more specific purposes*

*This applies to marketing communications in the Netherlands and Germany.

What Personal Data do we collect and process?

We aim to be transparent about why and how we collect and process Personal Data.  For further information on our processing activities please review the relevant section below:

Business contacts

Collection

OC Member Firms process Personal Data about contacts using a client relationship management tool (“InterAction”).  Personal Data is collected and added to InterAction by OC Member Firm staff, and includes:  name, email address, job title, telephone number, area of business, job role, jurisdiction, language, seniority and other business contact information.  The Personal Data may also be collected by virtue of us providing our services to you or at a networking event.  In addition Personal Data may also be collected via the Osborne Clarke website, www.osborneclarke.com.

Use

  • For contact and communication purposes: we may use your contact information to send you legal updates that we may circulate from time to time, news about any events we are organising or participating in, and/or other information about us and the services provided by OC Member Firms that we believe may be of interest to you.  You can specify your contact preferences when registering online to receive communications from us (for example, through the Osborne Clarke website, www.osborneclarke.com) or by subsequently advising us of your contact preferences using options provided on all of our marketing emails or the contact details as set out in the “Data Controller contact information” section below.
  • Making contact details available to OC Member Firm staff.
  • Performing analytics – such as trends, sales intelligence, marketing effectiveness (such as click and open rates) uptake and progress.
  • Utilising artificial intelligence to research news feeds, sites, posts etc and performing analytics to assist us in contacting you with relevant information.

Retention

Personal Data is retained on InterAction for as long as it is necessary for the purposes set out above (being the length of the business relationship).  If a business contact requests to be forgotten their contact details will be deleted from InterAction.  If a business contact opts out of receiving marketing materials their details will still be retained (as our lawyers may still be in contact – and we will need to retain a record of their request not to be contacted) but marketing materials will no longer be sent.

Clients and individuals associated with clients

Collection

We request that our clients only provide Personal Data which is necessary for us to carry out our services.

If we need Personal Data in respect of individuals associated with clients in order to provide legal services we ask our clients to provide this Policy to the data subjects.

In the majority of circumstances we will collect Personal Data from our clients or from third parties acting on behalf of our clients.

Use 

  • Providing legal services: we will use and disclose Personal Data in such a manner as we believe is reasonably necessary to provide our services, for example we may need to instruct overseas counsel on your behalf (including correspondence with you), to liaise with other professional service providers in relation to matters that we are handling, or because we need to liaise with the opposing party on a matter you have instructed us on. Personal Data will be shared with any other OC Member Firm(s), where they are supporting the relevant instruction(s).
  • Administration: to collect our fees or costs in connection with other legal enforcement, we will use Personal Data to agree payment arrangements, and to collect our fees and costs owing to us in connection with legal enforcement.
  • Managing client relationships: providing clients with information on our services and legal updates that we consider may be relevant to them; arranging and hosting events; and identifying where we may make improvements in service delivery.
  • Client engagement: as part of our client onboarding process we carry out certain background searches to verify whether or not there are any potential issues that may mean we cannot work with a particular person (for instance to identify criminal convictions, politically exposed persons, sanctions or other potential reputational issues).
  • Compliance with relevant regulations: this may include use of your Personal Data (e.g. evidence of your identity) in order to fulfil our obligations to check the identity of our clients in compliance with anti-money laundering law and regulations; it may also include sharing Personal Data with other OC Member Firm(s), for the purposes of completing conflict checks, or where another OC Member Firm is being instructed on a new matter and information held on a previous or current matter is required (or useful) for the purposes of complying with regulatory obligations. Personal Data provided for the purposes of compliance with our anti-money laundering obligations will only be used for the purposes of preventing money laundering and terrorist financing or as permitted by or under law unless you have consented to its use for any other purpose.
  • Our third-party business partners, including RELX (UK) Limited, trading as LexisNexis (“LexisNexis”), may provide us with your Personal Data in order to enable us to conduct background checks and screening activities, comply with our legal obligations and for other purposes as described in this Policy. LexisNexis is responsible for any Personal Data which they may collect and hold about you until it is received by us. To learn more about how LexisNexis collects and uses your Personal Data please see their privacy policy at: https://www.lexisnexis.com/global/privacy/en/article-14-bis.page .

Retention

Our general retention period for documentation created for the purpose of providing legal services is 13 years. In some instances there are legal and regulatory exceptions which may require documentation to be held for longer or shorter periods. In particular, we are required to retain customer due diligence documentation for 5 years after completion of any transaction or the end of the business relationship with you and for no longer than 10 years unless you have consented to its retention for a longer period or a longer period is required under any relevant regulation or for the purposes of court proceedings. If you require further information please contact us using the details as set out in the “Data Controller contact information” section below.

Job applicants

Please refer to information made available when applying online for further details as to how Personal Data is collected, processed and how long it is retained for.

Journalists

Collection

Personal Data, including name, email address, telephone number and other business contact information, may be collected from PR agencies or from databases that we subscribe to.

Use

  • Press releases and joint press releases from our clients/organisations that we are working with.
  • Invitations to meet OC Member Firm staff.
  • Press party.
  • To highlight any spokespeople who may be of interest on a specific industry theme or topic relevant to the journalist.
  • Business trips may require the use of the Personal Data to assist us with travel arrangements.
  • Internal communications.

Retention

Personal Data will be retained for as long as it is necessary for the purposes of the above, or if you advise us you no longer wish to be contacted your Personal Data will be removed from our contact lists.

Suppliers (including individual contractors)

Collection

Personal Data, including name, email address, telephone number and other business contact information, is collected to receive services from suppliers, to manage the relationship with the supplier, and for the provision of services to our clients.

Use

  • To receive services from our suppliers: please note that we will use and disclose their Personal Data in such manner as we believe is reasonably necessary to receive and to review the provision of those services from suppliers.
  • Services to clients: if a supplier is assisting us in delivering services to our clients we will process Personal Data to manage that relationship.
  • Administration: to agree payment arrangements with our suppliers, and to make payments to them.

Retention

A general retention period of 13 years will be applied unless there are any legal and or regulatory exceptions which may require documentation to be held for shorter or longer periods.  If you require further information please contact us using the details as set out in the “Data Controller contact information” section below.

Staff

Personal Data in relation to staff will be held on various internal systems and applications. A privacy notice which sets out the purposes for which Personal Data will be processed and contains information on data subject rights is provided to staff at the commencement of employment. If further information is required please contact your local Human Resources department.

Visitors to the Osborne Clarke website

Collection

We do not routinely monitor IP addresses for visitors to our website. Personal Data will be collected if you sign up to attend any of our events and/or to receive our marketing literature.

Use

  • Business contacts: if you have signed up to attend one of our events or to receive our marketing literature please see the paragraph above headed ‘Business contacts’.

 

Who else may have access to your Personal Data?

On occasion, we may need to share your Personal Data with third parties.  We will only share Personal Data where we are legally permitted to do so.

Where you supply us with Personal Data as a client, we will assume, unless you instruct us otherwise in writing, that we can disclose your Personal Data in such manner as we believe is reasonably necessary to provide our services (including as described in this Policy), or as is required under applicable law. This might be because, for example, we may pass your Personal Data to third parties such as:

  • credit-checking agencies for credit control reasons;
  • events: we may need to pass on your Personal Data (e.g. name, company, occupation) to a third party in connection with management of an event, in which case the details will only be used by the third party for that specific purpose;
  • business partners, service providers and other affiliated third parties: to enable us to provide our services to you, we may need to share your Personal Data with another OC Member Firm, our business partners (including other professional advisers such as accountants or auditors), external service providers and/or overseas counsel. Our arrangements with external service providers currently cover the provision of support services including IT, AML/CDD checks, events management, document production, business and legal research, secretarial services, marketing and business development and facilities management;
  • OC Member Firms: to provide services to you (to include circumstances where an OC Member Firm is setting up a new matter, and another OC Member Firm has relevant information on their file(s) from a previous or ongoing instruction, which is required to enable them to meet their regulatory obligations, including for the purposes of conflict checking and anti-money laundering checks) and also so that another OC Member Firm may contact you (including by email) if you have expressly agreed to receive marketing communications about legal developments, services or events which may be of interest to you; through the joint use of centralised IT tools; to manage our international client relationships; and to respond to your requests concerning access, rectification, objection and cancellation as regards the processing of your Personal Data; and
  • disclosures required by law or regulation: in certain circumstances, please note that we may be required to disclose Personal Data under applicable law or regulation, including to law enforcement agencies or in connection with proposed or actual legal proceedings.

International transfers of Personal Data (including to outsourced service providers)

From time to time, we may need to transfer your Personal Data to other OC Member Firms, who may have offices that are located in territories outside of the European Economic Area (“EEA”), including in the USA, in order to provide you with the services required.

Please note that the legal regimes of some territories outside of the EEA do not always offer the same standard of data protection as those inside the EEA, although we will ensure that your Personal Data is only ever treated in accordance with this Policy.

Where necessary, we have entered into standard European Commission approved form model data protection clauses with other OC Member Firms who have offices that are located in territories outside of the EEA, to provide you with the service required and with our external service providers and business partners in relation to services that they may provide that involve processing data from locations outside of the EEA for which we are Data Controller.

How we deal with your Confidential Information

On occasion, we may want to share your Confidential Information with other OC Member Firms and third parties. We will only share Confidential Information where we are legally permitted to do so.

Where you supply us with Confidential Information, we will assume, unless you instruct us otherwise in writing, that we can disclose your Confidential Information in such manner as we believe is reasonably necessary to provide the services which you have requested from any OC Member Firm (including as described in this Policy), or as is required under applicable law. Examples of where this may be applicable include the following:

  • business partners, service providers and other affiliated third parties: to enable us to provide our services to you, we may need to share your Confidential Information with other OC Member Firms, our business partners (including other professional advisers such as accountants or auditors), external service providers and/or overseas counsel. Our arrangements with external service providers currently cover the provision of support services including IT, AML/CDD checks, events management, document production, business and legal research, secretarial services, marketing and business development and facilities management;
  • OC Member Firms: through the joint use of centralised IT tools; to manage our international client relationships; and in circumstances where an OC Member Firm is setting up a new matter (or assisting with an existing matter), and another OC Member Firm has relevant information (including anti-money laundering documentation) on file from a previous or ongoing instruction which is useful for the purposes of complying with regulatory obligations; and
  • disclosures required by law or regulation: in certain circumstances, please note that we may be required to disclose Confidential Information under applicable law or regulation, including to OC Member Firms (for instance, for the purposes of completing conflict checks and anti-money laundering checks), to law enforcement agencies, or in connection with proposed or actual legal proceedings.

How we look after your Personal Data and Confidential Information

We have in place appropriate technical and organisational security measures to protect your Personal Data against unauthorised or unlawful use, and against accidental loss, damage or destruction.

We put in place strict confidentiality agreements (including data protection obligations) with our third party service providers.

Links to other websites

The Osborne Clarke website, www.osborneclarke.com, may link to other, unaffiliated third party websites.  Please note that Osborne Clarke does not, and cannot, control or accept responsibility for the content or privacy and confidentiality practices of any third party websites.  You must always carefully review the privacy and confidentiality policy of any third party website that you may visit in order to understand how the operators of that website may collect, store and use your Personal Data.

Updates to this Policy

This Policy was last updated in February 2021.  Please check back regularly to keep informed of updates to this Policy.

Data Controller contact information

Each OC Member Firm and each Network Firm is a Data Controller:

UK, USA & Network Firms

Osborne Clarke LLP
One London Wall
London
EC2Y 5EB
Email:  Privacy.UK@osborneclarke.com

Germany

Osborne Clarke Rechtsanwälte Steuerberater Partnerschaft mit beschränkter Berufshaftung
Innere Kanalstr. 15
D-50823 Köln
Email:  DPO.Germany@osborneclarke.com

Spain

Osborne Clarke Espana S.L.P
Av. Diagonal 477
planta 20
08036 Barcelona
Email:  DPO.Spain@osborneclarke.com

Italy

Osborne Clarke Studio Legale
Corso di Porta Vittoria 9
20122 Milan
Email:  Privacy.Italy@osborneclarke.com

Belgium

Osborne Clarke cvba/scrl
Bastion Tower
Marsveldplein 5 Place du Champ de Mars
B-1050 Brussels
Belgium
Email: Privacy.Belgium@osborneclarke.com

France

Osborne Clarke SELAS
163 boulevard Malesherbes
75017 Paris
Email:  Privacy.France@osborneclarke.com

Netherlands

Osborne Clarke N.V.
Jachthavenweg 130
1081 KJ Amsterdam
Email:  Privacy.Netherlands@osborneclarke.com

Sweden

Osborne Clarke Advokatfirma AB
Grev Turegatan 30
114 38 Stockholm
Email:  Privacy.Sweden@osborneclarke.com

Singapore

OC Queen Street (Singapore)
1 Raffles Place #04-61
One Raffles Place Tower 2
Singapore 048616
Email:  DPO.Singapore@osborneclarke.com

China

Zhang Yu & Partners
Suite 708
West Wing
Shanghai Centre
1376 Nanjing Road West
Shanghai
PRC 200040
Email: Privacy.China@oclegalchina.com

 

Complaints

While we hope that you will not need to, if you want to complain about our use of Personal Data please send an email detailing your complaint to the relevant Privacy Officer (or DPO if the complaint is in relation to the use of Personal Data in Osborne Clarke Germany, Spain or Singapore) at the above email address.

You also have the right to lodge a complaint with the relevant supervisory authority. Please see further details below:

UK

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow
Cheshire
SK9 5AF
www.ico.org.uk
Tel: 0303 123 1113
Tel: 029 2067 8400 (calls in Welsh)
Email: casework@ico.org.uk

Germany

German Data Protection Regulators

Spain

Spanish Data Protection Agency, either physically at:

Calle Jorge Juan, 6
28001
Madrid

or via https://sedeagpd.gob.es/sede-electronica-web/.

Italy

Garante per la protezione dei dati personali
Piazza di Monte Citorio n. 121
00186
Roma
www.gpdp.it – www.garanteprivacy.it
E-mail: urp@gpdp.it
Fax: (+39) 06.69677.3785
Switchboard: (+39) 06.69677.1

Belgium

Belgian Data Protection Authority
Rue de la Presse 35
1000 Brussels
Tel: +32 (0)2 274 48 00
Fax: +32 (0)2 274 48 35
contact@apd-gba.be

France

Commission Nationale de l’Informatique et des Libertés
Postal address:
3 Place de Fontenoy
TSA 80715 – 75334
PARIS CEDEX 07
Tel: 01 53 73 22 22 (Monday to Thursday 9:00 to 18:30 / Friday 9:00 to 18:00)
Fax: 01 53 73 22 00
Online form for complaints: https://www.cnil.fr/fr/plaintes

Netherlands

Autoriteit Persoonsgegevens
Postbus 93374
2509 AJ DEN HAAG
Tel: (+31) – (0)70 – 888 85 00
Fax: (+31) – (0)70 – 888 85 01

Sweden

Datainspektionen
Box 8114
SE-104 20 Stockholm
Sweden
Office address: Drottninggatan 29, 5th floor
Stockholm
E-mail: datainspektionen@datainspektionen.se
Tel: +46 8 657 61 00

Singapore

Personal Data Protection Commission
460 Alexandra Road
#10-02 PSA Building
Singapore 119963
T +65 6377 3131
F +65 6273 7370
Email:  info@pdpc.gov.sg

China

Cyberspace Administration of China