Privacy Policy

Last updated: October 2024

1. Introduction

As a global professional services business with law at its core, we are committed to safeguarding the privacy and security of the personal information in our care. This policy explains how we collect your personal information, what we do with it and your rights in respect of it. We have a separate policy which sets out similar information relating to the cookies that we use, which can be found here.

When we say 'we', 'our', 'us' or 'Pinsent Masons' in this policy, we are referring to all or any of the entities which make up the international Pinsent Masons group, as the context requires. An explanation of some of the other terminology that we use in this policy is set out in section 11.

2. Who and where we are

Pinsent Masons provides legal and other professional services globally via a number of entities. These include Pinsent Masons LLP, its subsidiaries and any affiliates which practise under the name Pinsent Masons, or which Pinsent Masons LLP or its partners operate as separate businesses, e.g. Out-Law, Vario and MPillay.

For country specific information about our business, including a list of our offices and the jurisdictions in which we operate, please click here.

Our global reach means that we are subject to the differing data protection regimes of the jurisdictions in which we operate. We strive to achieve uniformity of data protection practices across the Pinsent Masons group, whilst also complying with all data protection laws. This policy reflects the EU GDPR standard of protection of personal information and references the relevant Articles of the EU GDPR where appropriate. In those jurisdictions where data protection regimes differ significantly to the EU GDPR, elements of this policy may not apply, for example individuals' rights in relation to their personal information, and this policy does not establish rights or obligations which are additional to those prescribed in the applicable local data protection law.

2.1 Data Controller

We are the data controller of the personal information that we process, i.e. the organisation which determines, alone or jointly with another party, how your personal information is processed and for what purposes. This means that we are legally responsible for ensuring our systems, processes, suppliers and people comply with data protection laws in relation to the personal information that we handle.

Most of Pinsent Masons' main IT systems are located in the UK or EU and controlled by Pinsent Masons LLP. Much of Pinsent Masons’ internal business operations are also centralised in the UK, operating out of Pinsent Masons LLP to support the business globally. Pinsent Masons LLP is the data controller of personal data processed for these centralised services. However, depending on the jurisdiction from which our legal or other services are provided to you, or in which your personal information is otherwise processed by us, Pinsent Masons LLP or another entity in the Pinsent Masons group may be the data controller in respect of your personal information.

Where we transfer your personal data to third parties, in certain circumstances those third parties may also be data controllers. More information about this is provided in the 'Disclosure' sections of the tables in section 5 of this policy.

2.2 Contacting us

We want to offer you a means of contacting the right people in our organisation as swiftly and easily as possible. We therefore have in place dedicated email addresses, which are managed by our team of Privacy specialists, who support our global network on Privacy matters.

You may contact our Privacy specialists with any questions about this policy, or our Privacy practices more generally at PrivacyTeam@pinsentmasons.com. You have rights in respect of the personal information of yours in our care. More information about these rights is set out in section 8 of this policy. You may exercise your rights by emailing our Privacy specialists at DataSubjectRequest@pinsentmasons.com. Whilst our team of Privacy specialists operate through our centralised business operations in the UK, for which Pinsent Masons LLP is the data controller, the team works closely with information law and data protection specialists working from PM offices across our global network. As such, our dedicated email addresses have global reach, and your communications are directed to the appropriate data controller within the Pinsent Masons group, as appropriate.

You are of course welcome to contact any of our offices directly (relevant contact information is found here). In addition, we have a dedicated email address for Privacy matters relating to our operations in South Africa: PrivacyTeamSA@pinsentmasons.com. (Please also see section 13.1 of this policy for more information about how we comply with applicable data protection law in South Africa.)

3. Transfers of personal information across our business and to our suppliers

Our global presence means that your personal information may be transferred across the business worldwide due, for example, to our shared IT systems and datacentres, and cross-border working practices. Personal data transfers are facilitated across the Pinsent Masons group by way of an intra group agreement which applies contractual protections and other appropriate safeguards required under applicable data protection law to all such transfers of personal data within the Pinsent Masons group. Such contractual protections include obligations on PM entities outside the EU and UK to resist and challenge demands for data made by local government agencies, to the extent possible.

We also use a number of suppliers and service providers in connection with the operation of our business who may have access to the personal information that we process, e.g. IT suppliers when providing us with software support or cloud services, or a company which we use for a marketing campaign when processing your contact information on our behalf. In all cases, your personal information is handled and protected in accordance with applicable data protection law. Where we use cloud services, our data will generally be hosted within the UK or EU, those being the locations which offer the highest level of data protection regulation of all the regions in which we operate. Where any personal data is processed by suppliers outside the EEA in countries that the UK and/or the EU have not assessed as providing an adequate level of data protection, we ensure that personal data is adequately protected in accordance with applicable data protection law, and in particular Article 46 of the UK GDPR and the EU GDPR, by ensuring information security and other appropriate safeguards are in place, and using approved model contract clauses to cover the transfer or by ensuring that the supplier has Binding Corporate Rules in place.

4. Whose personal information do we process?

We collect and process the personal information:

of our non-client contacts, such as those who use our website and online services, attend our webinars, seminars and events, and subscribe to our newsletters, email services and other promotional services (see section 5.1, 'Service Users, Non-client Contacts and Visitors', for more information);
obtained or created in relation to the legal services we provide, including the personal information of:

our clients, our client contacts, their people and third parties engaged by our clients (see 5.2, 'Clients and Client Contacts');
client counterparties and other third parties connected to the matters on which we are working for our clients (see 5.5, 'Service Providers and Other Non-client Individuals / Third Parties'); and
professional advisers, experts and consultants involved in the work that we carry out for our clients or engaged by us to support our client work (see 5.5);

of those who apply for a job or work placement with us (see 5.3, 'Applicants');
of our people;
of Varios and prospective Varios (see 5.4, 'Varios and Prospective Varios'); and
of contractors, suppliers and other third parties connected to the operation of our business (see 5.5).

5. How do we process your personal information?

We will only process your personal information where we are permitted to do so by law, meaning when we have one or more legal basis to do so. The following subsections explain how we process your personal information depending on the context of how personal information typically comes into our care, and include further information about the legal basis or bases that we rely on in those circumstances.

In certain circumstances, we rely on the legal ground known as 'legitimate interests' to process your personal information. This is where the processing of your personal information is necessary to pursue our legitimate interests in a way which is reasonably expected as part of running our business, but which is not detrimental to you and would have minimal impact on your privacy. We undertake an assessment of any potential impact on your privacy before we process your personal information for our legitimate interests.

Insofar as we wish to use your personal information for purposes other than those mentioned above, we will check whether these additional purposes are compatible with the original purposes within the meaning of Article 6(4) of the EU GDPR. Depending on the circumstances, we will inform you about the change of purpose and obtain your consent for the further processing of your personal information.

If you would like more details about the specific legal basis we are relying on to process your personal information where more than one legal basis has been set out in the relevant subsection below, please email us as at PrivacyTeam@pinsentmasons.com.

5.1 Service users, contacts and visitors
If you use our website or other online services (e.g., our sector-specific blogs and tech-based client solutions), attend our webinars, seminars or events, or subscribe to our newsletters, email services or other promotional services.

Data controller

In relation to our global website and online services, and our global initiatives, such as webinars, seminars and events, newsletters, email services or other promotional services, Pinsent Masons LLP ordinarily acts as data controller.

In relation to local initiatives, the Pinsent Masons entity organising or delivering these may be the data controller.

Legal bases for processing
- You have provided us with your consent to use your personal information, e.g. in the course of subscribing to our newsletters, completing a survey of ours, signing-up to an event or creating an online account via our website (Article 6(1)(a) EU GDPR).
- It is necessary to pursue our legitimate interests for the purposes set out in the 'Use' section of this table (Article 6(1)(f) EU GDPR).
- It is necessary for the performance of a contract with you, e.g. in connection with the provision of legal or other professional services to you involving our online tools, products and systems (Article 1(6)(b) EU GDPR).
We process special category personal data, as necessary, with your consent (Article 9(2)(a) EU GDPR).

Types of personal data
- Identification information, e.g. title, name, the company you work for, and your job title or position.
- Contact information, e.g. your address, email address, phone number, and marketing preferences.
- Personal data contained in documents and correspondence exchanged with you or relating to you, including statements and opinions of yours or statements about you or opinions of you.
- Financial information, e.g. bank and payment card details.
- Technical information, e.g. IP address, details of visits made to our premises such as turnstile/ swipe card access logs, and details of visits made to our online services such as the volume of traffic, statistics concerning which articles or content you have viewed, online registration details and login credentials.
- Diversity, health, religious beliefs or other special category personal information.
- Images, e.g. CCTV footage taken at our premises and photos taken at our seminars or events.
- Any other information relating to you which you may provide to us.
Collection
- Directly from you, e.g. when you register for our online or in-person events, seminars, or webinars, or to receive communications from us, or when you subscribe to our online services or provide information through electronic platforms made available to you in connection with services that we provide to you. We use third party software to help us manage our email communications. When we send you such communications, we gather information through unique links contained within them which enable us to track who opens particular articles or emails so that we can assess their relevance and improve how we interact with you. In doing so, we do not use any technology (e.g., cookies) to store or access data on your device.
- Via our website, e.g. connection data sent to our webserver by your browser when you connect to our website.
- Via web based services such as our tech-based client solutions and sector-specific blogs, e.g. some analytical information may be collected through electronic platforms made available to you in connection with services that we provide to you.
- Other publicly available sources, subject always to our obligations under applicable law.
Use
- To complete any request you may make in relation to your marketing preferences, or other preferences relating to our communications with you.
- To provide and improve our services and products, e.g. by monitoring and recording information relating to web based services such as how and when systems are accessed and how data is uploaded, to analyse performance, subject always to our obligations under applicable law.
- To promote our services and to contact you with communications about legal updates, breaking news, newsletters and events.
- For health and safety reasons, (e.g. to inform access, adjustment and dietary requirements for our meetings and events) and the application, audit and enforcement of our policies.
- Subject always to our obligations under applicable law, to improve your experience of our website, newsletters and other services, e.g. by monitoring and recording information relating to your browsing behaviour to make personalised content available to you more efficient and relevant.
- To facilitate our internal business operations, e.g. internal record keeping and accounting.
- Subject always to our obligations under applicable law to monitor and analyse our interactions with you to improve our relationship with you and help us to grow and develop our business.
- For information and physical security and the prevention and detection of criminal and dishonest activity, including to ensure the security of our website and premises, and protect our information systems against data breaches, viruses and similar threats, e.g. by monitoring patterns of activity, and scanning communications for appropriate content, attachments and viruses.
Disclosure

Your personal information may be transferred worldwide:
- across the Pinsent Masons group;
- to service providers who support the operation of our business;
- to law enforcement, judicial, governmental and regulatory agencies, or professional bodies or similar where and to the extent that we are compelled to do so by law, regulation or professional obligations; and
- to other third parties in limited circumstances, e.g. where we run a joint seminar/ webinar with a third party that you wish to attend (and where the event is a webinar, your registration name may be visible to other attendees during the event).
Some of these recipients may be acting as data controllers. In all cases, the personal information of yours that we share will be limited to the minimum required for the relevant purpose and subject to the appropriate provisions and safeguards regarding data subjects’ rights, information security, disclosure, confidentiality and data protection. For more information about personal data transfers, please see section 3 of this policy.
5.2 Where we are providing services to our clients
Where we are instructed on a legal matter or are engaged for other professional services we may process the personal information of clients and client contacts, counterparty contacts and litigants in person, advisors, experts, counsel, witnesses, and other individuals named in or connected with the services that we provide to our clients.

Data controller

In relation to client matter data we act as data controller, rather than as a data processor, subject to local laws and relevant data protection/ supervisory authority guidance in the jurisdictions where we operate. The Pinsent Masons entity that is instructed on a matter will typically be the data controller in this context.

As a professional services company, we are subject to the professional codes of conduct and regulations which apply to all law firms and we are not able to agree to act only on our clients' instructions in relation to the data we process.

In relation to our global communications and business development initiatives, Pinsent Masons LLP ordinarily acts as data controller (please refer to section 2.1 of this policy for more information). For local communications and initiatives, the Pinsent Masons entity organising or delivering these may be the data controller.

Legal bases for processing
- It is necessary to pursue our legitimate interests for the purposes set out in the 'Use' section of this table (Article 6(1)(f) EU GDPR).
- It is necessary for the performance of a contract with our client, e.g. in connection with the provision of legal or other professional services to our client (Article 1(6)(b) EU GDPR).
- To meet our legal and regulatory obligations (Article 6(1)(c) EU GDPR).
- You have provided us with your consent to use your personal information, e.g. in the course of completing a survey or signing-up to an event (Article 6(1)(a) EU GDPR).
We process special category personal data, as necessary:
- To establish, exercise or defend legal claims (Article 9(2)(f) EU GDPR).
- With your consent (Article 9(2)(a) EU GDPR).
- In relation to personal data which has been made public by you (Article 9(2)(e) EU GDPR).
- For reasons of public interest in connection with a statutory provision (Article 9(2)(g) EU GDPR).
We process criminal offence data, where necessary:
- With your consent.
- Which has been manifestly made public by the data subject.
- In relation to legal claims.
- To prevent or detect unlawful acts.
- To comply with regulatory requirements relating to unlawful acts and dishonesty and/or for reasons of public interest combined with a statutory provision (e.g., to protect the public against dishonesty, to prevent fraud).
- In relation to our obligations concerning suspicion of terrorist financing or money laundering.
We may process criminal offence data relating to:
- individuals who are involved in corporate crime cases, matters concerning victims of crime or other matters for which criminal offence information of our clients and/or their people informs our work for the client;
- non-corporate clients; and
- individuals who are connected to or involved in the structure of our corporate client entities, such as directors, beneficial owners and Politically Exposed Persons.
In respect of personal information provided to us by you or our clients in certain of the jurisdictions in which we operate, additional national data protection lawful basis requirements may apply.

Types of personal data
- Identification information, e.g. title, name, date of birth, the company you work for, your job title or position, and your passport or other official forms of ID.
- Contact information, e.g. your address, email address, phone number, and marketing preferences.
- Financial information, e.g. bank details and identifiers, and fees information.
- Professional information, e.g., your expertise and experience, feedback on your services (including opinions) from our people and/ or our clients and other information relevant and connected to how you may have performed any service referred to you by us.
- Technical information, e.g. IP address, records of your visits to our online services, your online registration details and login credentials, records of your visits to our premises (e.g. turnstile/ swipe access logs).
- Personal data contained in documents and correspondence exchanged with you or relating to you, including statements and opinions of yours or statements about you or opinions of you.
- Special category personal data, e.g. diversity, health and religious/philosophical beliefs.
- Images, e.g. CCTV footage taken at our premises and photos taken at our meetings or events.
- Other personal information provided to us by you, by our client, or by third parties on our client's behalf to inform our work for our client, or generated or sourced by us in the course or providing legal or other professional services to our client, which may include special categories of personal data and personal data relating to criminal convictions and offences or related to security measures.
- Any other information relating to you which you or our client may provide to us.
Collection
- Directly from you or our client, e.g. to inform our work for our client and for connected purposes such as relationship management and file opening procedures.
- From third parties, .e.g. further information to verify your identity or inform our work for our client may be collected from other professional advisers and third parties connected to a matter, publicly available resources, for example, courts and public records, company registers, official insolvency announcements, press releases published by clients, information published by media outlets including social media.
- Directly from you, e.g. when you register for our online or in-person events, seminars, or webinars, or to receive communications from us.
- When you subscribe to our online services or provide information through electronic platforms made available to you in connection with services that we provide to you.
- Via our website, e.g. connection data sent to our webserver by your browser when you connect to our website.
- Via web based services, e.g. analytical information collected through electronic platforms made available to you in connection with services that we provide to you or our client.
Use
- To deliver our services to you or our client.
- To manage and administer our relationship with you or our client, e.g., communicating with you, instruction, and conflict checking, file opening and billing procedures, and credit checks.
- To facilitate our internal business operations, e.g. internal record keeping, procurement and accounting practices.
- To establish, exercise or defend legal claims.
- As required by law and to comply with our statutory and regulatory obligations, e.g. anti-money laundering, disclosure obligations and court orders.
- To complete any request that you may make in relation to your marketing preferences, or other preferences relating to our communications with you.
- Subject always to our obligations under applicable law, to improve our services and products, e.g. by monitoring and recording information relating to web based services such as how and when systems are accessed and how data is uploaded, to ensure the integrity of documents and data files and information security.
- To promote our services and to contact you with communications about legal updates, breaking news, newsletters and events.
- For health and safety reasons, (e.g. to inform access, adjustment and dietary requirements for our meetings and events) and the application, audit and enforcement of our policies.
- Subject always to our obligations under applicable law, to improve your experience of our website, newsletters and other services, e.g. by monitoring and recording information relating to your browsing behaviour to make personalised content available to you more efficient and relevant.
- Subject always to our obligations under applicable law, to monitor and analyse our interactions with you to improve our relationship with you and help us to grow and develop our business.
- For information and physical security and the prevention and detection of criminal and dishonest activity, including to ensure the security of our website and premises, and protect our information systems against data breaches, viruses and similar threats, e.g. by monitoring patterns of activity and scanning communications for appropriate content, attachments and viruses.
- So that you may provide a reference for us, in connection with a bid or tender, where we have agreed that you are happy to do so.
- For referral purposes: we maintain a database of legal services providers and personal information relating to other third parties such as experts for similar purposes.
Disclosure

Your personal information:
- may be transferred worldwide:
- will be stored in:
5.3 Applicants
If you apply for a job, work placement or vacation scheme with us, including if you proceed to the onboarding stage having been successful in your application (excluding Vario applicants; see 5.4).

In certain of the jurisdictions in which we operate, we carry out pre-employment vetting checks. For details of our pre-employment vetting practices in respect of criminal offences (UK only), please refer to section 14 of this Policy.

Data controller

For applications made to Pinsent Masons via our website, Pinsent Masons LLP is usually the data controller. If your online application is for a position in another Pinsent Masons entity, that entity may also be a data controller of the personal information that you provide via our website.

For applications made by other means, the Pinsent Masons entity to which the application is made may be data controller.

Legal bases for processing
- It is necessary to pursue our legitimate interests for the purposes set out in the 'Use' section of this table (Article 6(1)(f) EU GDPR).
- It is necessary in order for us to takes steps, at your request, to enter into a contract with you (Article 1(6)(b) EU GDPR).
- To meet our legal and regulatory obligations (Article 6(1)(c) EU GDPR).
- You have provided us with your consent to use your personal information (Article 6(1)(a) EU GDPR).
We process special category personal data, as necessary:
- With your consent (Article 9(2)(a) EU GDPR).
- In relation to personal information which has been made public by you (Article 9(2)(e) EU GDPR).
- For the purposes of carrying out the obligations and exercising specific rights of ours or yours in the field of employment and social security and social protection law (Article 9(2)(b) EU GDPR).
- For reviewing and improving equality of opportunity and treatment (Article 9(2)(g) EU GDPR and Paragraph 8(2) of Schedule 1 of the Data Protection Act 2018, as applicable).
We process criminal offence data, where necessary, e.g., as part of the recruitment process for particular roles:
- With your consent.
- In relation to legal claims.
- To prevent or detect unlawful acts.
- To comply with regulatory requirements relating to unlawful acts and dishonesty and/or for reasons of public interest combined with a statutory provision (e.g., to protect the public against dishonesty, to prevent fraud).
- To protect the public against dishonesty.
- To prevent fraud.
For details of the pre-employment vetting practices in respect of criminal offences that we carry out in the UK only, please refer to section 14 of this Policy.

Types of personal data
- Personal information, including name, date of birth, address, contact details, qualifications, languages, education and employment history and your results/responses from psychometric tests/other online assessments conducted during the Pinsent Masons recruitment process.
- Next-of-kin and dependants' information.
- Special category personal data, e.g. ethnicity, health and religious/philosophical beliefs where we are legally permitted to do so.
- Information concerning your/your parent’s socio-economic background where you choose to provide this to us e.g. where you apply for a fee earning role in the UK, your previous eligibility for free school meals, whether you were ever in care or are/were a carer, your parents’ occupations, whether you were the first in your household to attend university or whether you are/were a refugee/asylum seeker.
- Pre-employment vetting information including the results of financial and criminal records checks, verification of address and qualifications, references, official forms of ID and right to work status. For details of the pre-employment vetting practices in respect of criminal offences that we carry out in the UK only, please refer to section 14 of this Policy.
- Financial information including bank details and identifiers (e.g. National Insurance numbers).
- Personal data contained in documents and correspondence exchanged with you or relating to you, including statements and opinions of yours or statements about you or opinions of you.
- Technical information, e.g. IP address, records of your visits to our website, your online registration details and login credentials (for our website application facility), records of your visits to our premises (e.g. turnstile/ swipe access logs).
- Any other information relating to you that you may provide to us.
Collection
- Directly from you, e.g. via your application, submission of your CV, completing our diversity questionnaires, in interviews, and at recruitment events and networking occasions.
- From third parties, including recruitment agencies/platforms, our own staff by way of the Staff Introduction scheme, providers of background checking services, former employers or other referees, academic institutions, professional bodies, and publicly available resources, including professional social media such as LinkedIn. For details of the pre-employment vetting practices in respect of criminal offences that we carry out in the UK (only), please refer to section 14 of this Policy.
Use
- For our recruitment processes, including vetting and background checks where appropriate, and to assess suitability, eligibility and fitness to work. For details of the pre-employment vetting practices in respect of criminal offences that we carry out in the UK (only), please refer to section 14 of this Policy.
- For human resources administration, in respect of your application and our onboarding process (if applicable).
- For health and safety reasons, (e.g. to inform access, adjustment and dietary requirements and the application, audit and enforcement of our policies in respect of in person meetings/ interviews and, if applicable, for your future role at Pinsent Masons.
- For ensuring fair and non-discriminatory recruitment practices and for diversity reporting/monitoring statistics where we are legally permitted to do so.
- For information and physical security and the prevention and detection of criminal and dishonest activity, including to ensure the security of our website and premises, and protect our information systems against data breaches, viruses and similar threats, e.g. by monitoring patterns of activity and scanning communications for appropriate content, attachments and viruses.
- For reporting purposes when required to do so by law or regulation.
Disclosure

Your personal information:
- may be transferred worldwide:
- will be stored in:
5.4 Varios and prospective Varios
If you apply to become, or are working with us as, a Vario.

In certain of the jurisdictions in which we operate, we carry out pre-joining vetting checks. For details of our pre-joining vetting practices in respect of criminal offences (UK only), please refer to section 14 of this Policy.

Data controller

Pinsent Masons LLP is usually the data controller in respect of processing of the personal information of Varios and applicants to the Vario business.

Legal bases for processing
- It is necessary to pursue our legitimate interests for the purposes set out in the 'Use' section of this table (Article 6(1)(f) EU GDPR).
- It is necessary for the performance of a contract with you or in order for us to takes steps, at your request, to enter into a contract with you (Article 6(1)(b) EU GDPR).
- To meet our legal and regulatory obligations (Article 6(1)(c) EU GDPR).
- You have provided us with your consent to use your personal information (Article 6(1)(a) EU GDPR).
We process special category personal data, as necessary:
- With your consent (Article 9(2)(a) EU GDPR).
- In relation to personal information which has been made public by you (Article 9(2)(e) EU GDPR).
- For the purposes of carrying out the obligations and exercising specific rights of ours or yours in the field of employment and social security and social protection law (Article 9(2)(g) EU GDPR).
We process criminal offence data, where necessary, e.g., as part of the recruitment process for particular roles:
- With your consent.
- In relation to legal claims.
- To prevent or detect unlawful acts.
- To comply with regulatory requirements relating to unlawful acts and dishonesty and/or for reasons of public interest combined with a statutory provision (e.g., to protect the public against dishonesty, to prevent fraud).
- To protect the public against dishonesty.
- To prevent fraud.
For details of the pre-joining vetting practices in respect of criminal offences that we carry out in the UK (only), please refer to section 14 of this Policy.

Types of personal data
- Personal information, including name, date of birth, address, contact details, qualifications, and education and employment history.
- Next-of-kin information (where applicable, e.g. emergency contact information for Vario’s placed at Pinsent Masons).
- Special category personal data, e.g. diversity, ethnicity, health and religious/philosophical beliefs.
- Pre-employment vetting information including the results of financial and criminal records checks, verification of address and qualifications, references, official forms of ID and right to work status. For details of the pre-joining vetting practices in respect of criminal offences that we carry out in the UK (only), please refer to section 14 of this Policy.
- Character suitability information, including the results of psychometric tests.
- Financial information including bank details and identifiers, e.g. National Insurance numbers.
- Technical information, e.g. IP address, browsing preferences, online registration details and login credentials, records of your visits to our premises (e.g. turnstile/ swipe access logs).
- Personal data contained in documents and correspondence exchanged with you or relating to you, including statements and opinions of yours or statements about you or opinions of you.
- Any other information relating to you that you may provide to us.
Collection
- Directly from you, e.g. via your application to become a Vario, submission of your CV, completion of our diversity questionnaires, populating your information in our CRM System, when you visit our premises, in interviews, in catch-ups, and at events and networking occasions.
- From third parties, including recruitment agencies, clients of ours with whom you may be placed, providers of background checking services, providers of psychometric testing, former employers or other referees, academic institutions, professional bodies, and publicly available resources, including professional social media platforms such as LinkedIn. For details of the pre-joining vetting practices in respect of criminal offences that we carry out in certain of the jurisdictions in which we operate, please refer to section 14 of this Policy.
Use
- For recruitment purposes, including vetting and background checks where appropriate, and to assess suitability, eligibility and fitness to work. For details of the pre-joining vetting practices in respect of criminal offences that we carry out in the UK (only), please refer to section 14 of this Policy.
- For administration and management purposes including remuneration, managing all aspects of our relationship with you, and connecting and placing Varios with suitable clients.
- For health and safety reasons (e.g. to inform access, adjustment and dietary requirements for interviews, placements and for our meetings and events), and for the application, audit and enforcement of our policies and other terms and conditions relating to you becoming or working as a Vario.
- For information security and the prevention and detection of criminal and dishonest activity, including to ensure the security of our website and premises, and protect our information systems against data breaches, viruses and similar threats, e.g. by monitoring patterns of activity and scanning communications for appropriate content, attachments and viruses.
- For any other purposes connected with you being or becoming a Vario.
Disclosure

Your personal information:
- may be transferred worldwide:
- will be stored in:
5.5 Service providers and other individuals
If you are: a supplier or other service provider, or you work for or represent a supplier or service provider; an individual named in or connected with matters on which we are advising a client, including counterparty contacts and litigants in person, advisors, experts, counsel, witnesses, and other individuals named in or connected with the services that we provide to our clients; or you work from a sublet area of a building that we own or for which Pinsent Masons has the main tenancy.

Data controller

In relation to services procured for the global Pinsent Masons group, Pinsent Masons LLP ordinarily acts as data controller. For services procured locally, the Pinsent Masons entity engaging you for those services may be the data controller.

In relation to individuals named in or connected with maters on which we are advising a client, the Pinsent Masons entity that is instructed on the matter will typically be the data controller.

Legal bases for processing
- It is necessary to pursue our legitimate interests for the purposes set out in the 'Use' section of this table (Article 6(1)(f) EU GDPR).
- It is necessary for the performance of a contract with you (Article 6(1)(b) EU GDPR).
- To meet our legal and regulatory obligations (Article 6(1)(c) EU GDPR).
- You have provided us with your consent to use your personal information (Article 6(1)(a) EU GDPR).
We process special category personal data, as necessary:
- To establish, exercise or defend legal claims (Article 9(2)(f) EU GDPR).
- With your consent (Article 9(2)(a) EU GDPR).
- In relation to personal data which has been made public by you (Article 9(2)(e) EU GDPR).
- For reasons of public interest in connection with a statutory provision (Article 9(2)(g) EU GDPR).
We process criminal offence data, where necessary:
- With your consent.
- Which has been manifestly made public by the data subject.
- In relation to legal claims.
- To prevent or detect unlawful acts.
- To comply with regulatory requirements relating to unlawful acts and dishonesty and/or for reasons of public interest combined with a statutory provision (e.g., to protect the public against dishonesty, to prevent fraud).
- To protect the public against dishonesty.
- To prevent fraud.
- In relation to our obligations concerning suspicion of terrorist financing or money laundering.
We may process criminal offence data relating to individuals who are:
- involved in corporate crime cases, matters concerning victims of crime or other matters for which criminal offence information informs our work for our clients;
- client counterparties; and
- connected to or involved in the structure of our corporate client entities, our corporate client counterparty entities and our suppliers and service providers, such as directors, beneficial owners and Politically Exposed Persons.
Types of personal data
- Personal identifiers e.g. title, name, date of birth, address, email address and phone number.
- Professional contact information, e.g. the organisation you work for, your job title or position, address, email address and phone number.
- Professional information, e.g., your expertise and experience, feedback on your services (including opinions) from our people and/ or our clients and other information relevant and connected to how you may have performed any service referred to you by us.
- Financial information, e.g. bank details and identifiers, and fees information.
- Personal data contained in documents and correspondence exchanged with you or relating to you, including statements and opinions of yours or statements about you or opinions of you.
- Where you are named in or connected with matters on which we are advising a client, any personal information about you provided to us by or on behalf of our clients or generated by us in the course or providing legal services to our clients, which may include special categories of data.
- Diversity, health or religious beliefs information.
- Images, e.g. CCTV footage taken at our premises and photos taken at our meetings or events.
- Technical information, e.g. IP address, details of visits made to our premises such as turnstile/ swipe card access logs, and details of visits made to our online services such as the volume of traffic, online registration details and login credentials.
- Any other information relating to you which you may provide to us.
Collection
- Directly from you.
- From the organisation that you work for.
- From our clients.
- From third parties, such as other professional advisers and third parties connected to a matter, and through publicly available sources including court and public records and social media.
Use
- To deliver our services to our clients.
- For referral purposes: we maintain a database of legal services providers and personal information relating to other third parties such as experts for similar purposes.
- To manage and administer our relationship with you e.g. communicating with you, and instruction and billing procedures.
- To facilitate our internal business operations, e.g. internal record keeping, and procurement and accounting practices (in respect of suppliers and other service providers).
- To establish, exercise or defend legal claims.
- As required by law and to comply with our statutory and regulatory obligations, e.g. anti-money laundering, disclosure obligations and court orders.
- For the prevention and detection of criminal activity.
- For information and physical security and the prevention and detection of criminal and dishonest activity, including to ensure the security of our website and premises, and protect our information systems against data breaches, viruses and similar threats, e.g. by monitoring patterns of activity and scanning communications for appropriate content, attachments and viruses.
- So that you may provide a reference for us, in connection with a bid or tender, where we have agreed that you are happy to do so.
- For health and safety reasons, (e.g. to inform access, adjustment and dietary requirements for our meetings and events) and the application, audit and enforcement of our policies.
- For reviewing and improving equality of opportunity and treatment.
Disclosure

Your personal information:
- may be transferred worldwide:
- will be stored in:

6. Our Use of New and Novel Technologies

We strive to be at the forefront of innovation, both when providing legal services to our clients, as well as ensuring that our back-office processes are as efficient and cost-effective as possible. To this end, we may occasionally adopt new technology tools and develop innovative digital solutions of our own. Such tools may leverage artificial intelligence or cloud-based technologies owned by third parties.

New technology tools may be used for the following purposes:

To automate repetitive tasks;
To assist with our anti-money laundering (AML) and know your client (KYC) procedures;
To help manage emails, meetings and tasks;
To assist with reviews of large volumes of documents;
To generate machine translations; and
To develop, test and train the tools themselves.

Prior to the adoption of any tool which takes advantage of artificial intelligence or cloud-based functionality, we conduct an extensive due diligence process in line with industry best practice, including with reference to our internal data privacy policies and security certifications. This ensures that confidentiality, security and the transparent, ethical use of new technologies are always prioritised. Where such tools are used as part of the provision of legal services to our clients, any outputs they generate will be vetted by appropriately-qualified and experienced members of our fee-earning team. Where necessary, we will seek client consent for the use of any tool which is used for client work outside of our normal business operations.

7. For how long do we keep your information?

Your personal information is retained by us in accordance with applicable law and regulation. Our data retention periods vary depending on the location, nature and context of the personal information that we have in our care, and are calculated taking into account the following factors:

potential claims or litigation;
guidance from official bodies such as relevant data protection supervisory authorities and professional regulatory bodies;
how long we need to keep the data to fulfil the original purpose for which it was collected;
the nature and sensitivity of personal data; and
legal obligations to which we are subject.

This means that, in general, we delete personal information when: the purpose for its processing has been fulfilled or the contractual relationship with our client, you or your company has ended; all mutual claims have been fulfilled; and there are no other legal obligations to retain the personal information nor legal bases for further processing. Typically, we retain personal information in client files for 10 years after the completion of the matter, unless there are specific circumstances compelling us to retain the client files for a longer period.

More information about your rights in respect of the personal information of yours in our care, including how to contact us to exercise these or with questions around our retention practices in respect of your personal information, is set out in section 8 of this Policy.

8. Your rights

Depending on where you are in the world and which of the Pinsent Masons entities processes your personal information, you may have rights in respect of that personal information. For example, the following rights are provided for under the UK and EU data protection regimes:

to be informed about the collection and use of your personal information;
to ask whether we process your personal information and request a copy of it if so;
to object to decisions that we may make based solely on the automated processing of your personal information;
in certain circumstances, to object to processing of your personal information where we do so for the purposes of our legitimate interests;
to request that any inaccurate or incomplete personal information of yours in our care is rectified or competed;
in certain circumstances, to restrict our processing of your personal information;
in certain circumstances, to receive your personal information or have your personal information transmitted to another organisation in a structured, commonly used and machine readable format;
in certain circumstances, to request that we delete your personal information; and
to object to our processing of your personal information for direct marketing purposes.

Not all of these rights are absolute, which means that they may only apply in certain situations and may be subject to legal exceptions and exemptions. To exercise your rights, please email us at DataSubjectRequest@pinsentmasons.com. You may also write to us at Privacy Team, Pinsent Masons, 55 Colmore Row, Birmingham, B3 2FG, United Kingdom. Please also refer to section 13.1 of this policy for any further information concerning certain of our non-European offices in respect of exercising your rights in relation to your personal information.

You may change your marketing preferences or let us know that you no longer wish to receive any marketing communications from us by:

logging into your Pinsent Masons account and updating your preferences (via our website or via the link at the foot of each email that you have received from us) - please note it may take up to 72 hours for changes to take effect; or
sending an email to PrivacyTeam@pinsentmasons.com; or
writing to us at Privacy Team, Pinsent Masons, 55 Colmore Row, Birmingham, B3 2FG, United Kingdom.

9. How to make a complaint

Our Privacy Team oversees our compliance with data protection laws and this policy, and provides guidance and advice to the firm and our people. Our Compliance Officer for Legal Practice ('COLP') oversees compliance with our professional responsibilities and the reporting of any failures to comply with legislative requirements, including data protection.

Please direct any complaint relating to how the firm has processed your personal information to PrivacyTeam@pinsentmasons.com. You may also write to us at Privacy Team, Pinsent Masons, 55 Colmore Row, Birmingham, B3 2FG, United Kingdom. We hope that we can resolve any query or concern you raise about our processing of your personal information.

The EU General Data Protection Regulation and certain other applicable data protection laws give you the right to lodge a complaint with a data protection supervisory authority ('DPA'), usually in the country or state where you work, normally live or where any alleged infringement of data protection laws has occurred. Details of EU Member State DPAs and EEA DPAs can be found here. Details of the DPAs relevant to other jurisdictions in which we operate, including the UK, are set out in section 13 of this policy.

10. Links to other websites

We sometimes provide you with links to other websites, but these websites are not under our control. We are not liable to you for any issues arising in connection with their use of your information, the website content or the services offered to you by those websites.

We recommend that you check the privacy policy and terms and conditions on each website to see how each third party will process your information.

11. Terminology used in this Privacy Policy

"checking organisations"	means an organisation registered with a criminal records bureau to (a) submit basic checks through a web service or by other means; (b) to submit standard and enhanced checks, and is entitled by law to ask an individual to reveal their full criminal history; or (c) any other approved organisation engaged by the firm to carry out criminal checks on its behalf;
"client"	any person or organisation to whom the firm provides a service and who is identified as a client on the firm's practice management system, regardless of whether time is recorded or a fee is charged;
"contact"	an individual who is a contact of the firm, including any client, any potential or former client, any supplier, any consultant, or any another professional advisor and any other contact of the firm;
"criminal offence data"	is personal data relating to criminal convictions and offences or related security measures. This encompasses a wide range of information about criminal activity, allegations, investigations and proceedings. It includes not just data which is obviously about a specific criminal conviction or trial, but also any other personal data relating to criminal convictions and offences, including unproven allegations, information relating to the absence of convictions and personal data of victims and witnesses of crime. It also encompasses a wide range of related security measures, including personal data about penalties, conditions or restrictions placed on an individual as part of the criminal justice process, or civil measures which may lead to a criminal penalty if not adhered to.
"criminal record bureau"	means the Disclosure and Barring Service, Disclosure Scotland, AccessNI and other equivalent criminal record bureaus of the jurisdictions in which the firm operates;
"criminal record certificate"	means a criminal records certificate issued by a criminal record bureau in response to a criminal record check;
"criminal record check"	is a request submitted to a criminal records bureau to find out whether an individual has a criminal record;
"data"	recorded information whether stored electronically, on a computer, or in certain paper-based filing systems;
"data controller"	a person who or organisation which, alone or jointly with others, determines how personal information is processed and for what purposes;
"EU GDPR" or "General Data Protection Regulation"	means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and repealing Directive 95/46/EC (General Data Protection Regulation) OJ L 119/1, 4.5.2016;
"individual" or "you"	the person whose personal information is being collected, held or processed;
"partner(s)"	refers to a member of Pinsent Masons LLP or an employee or consultant of Pinsent Masons with equivalent standing;
"our/PM people"	means partners, members, consultants, employees, temporary workers, agency and casual workers, contractors, collaborators, volunteers and those on work placements providing services to/working for Pinsent Masons;
"personal information" or "personal data"	information (including opinions) which relates to an individual and from which they can be identified either directly or indirectly through other data which the firm has or is likely to have in its possession. These individuals are sometimes referred to as data subjects;
"policy"	the global privacy policy as amended from time to time;
"process" or "processing"	any activity that involves personal information. It includes obtaining, recording or holding the personal information, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal information to third parties as a result of those third parties having access to it;
"special category personal data" or "special category personal information"	means information revealing someone's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or genetic information, biometric information, information concerning health or concerning sex life or sexual orientation;
"UK GDPR"	means the Data Protection Act 2018 and the UK GDPR (as defined in the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019); and
"Vario"	a consultant working for Pinsent Masons' freelance legal and professional services resource business.

12. Defined terms used in our Standard Terms of Business for the provision of professional services to our clients

The data protection and marketing provisions of the Pinsent Masons Standard Terms of Business for the provision of professional services to our clients include certain defined terms. These defined terms and the meanings attributed to them are set out below, with further variances specific to certain jurisdictions described in 13.1.

Client Personal Data	means all personal data processed by Pinsent Masons its agents, affiliates or sub-contractors under or in connection with the Agreement and for which the Client is Controller;
Controller	means (a) “controller”, “responsible party” or “data user”, or equivalent term as defined in the Data Protection Laws where applicable;
Data Subject	means a living natural person who can be identified, directly or indirectly;
Data Protection Laws	means (a) the EU Data Protection Laws, the UK Data Protection Laws or any other applicable law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding pronouncement , including findings, orders, decisions and judgements of a competent court or regulator with jurisdiction as updated and amended from time to time which relates to the protection of individuals with regards to the processing of personal data to which a party is subject; and (b) any code of practice or statutory guidance published by a competent Regulator from time to time;
EU Data Protection Law	means (a) General Data Protection Regulation (EU) 2016/679 (“GDPR”); (b) Directive 2002/58/EC on privacy and electronic communications as incorporated into law by applicable implementing legislation; and (c) any other applicable member state laws in the European Economic Area from time to time;
“personal data”	means (a) “personal data” or “personal information” or equivalent term as defined any information relating to a data subject as set out in the Data Protection Laws where applicable;
“process” and “processing”	shall have the meaning set out in the Data Protection Laws, where applicable, or equivalent term used to define any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means;
Regulator	means any supervisory authority or independent public authority which has competence to monitor, apply and/or enforce the Data Protection Laws, in order to protect the rights and freedoms of natural persons in relation to processing of personal data, including those organisations referred to in sections 9 and 13 of this Privacy Policy;
Restricted Country	means a country, territory or jurisdiction which is not deemed to provide adequate protection of personal data in accordance with the Data Protection Laws (and in particular, where applicable, Article 45 (1) of GDPR);
Security Requirements	means the requirements regarding the security of personal data, as set out in the Data Protection Laws (including, where applicable, the measures set out in Article 32(1) of GDPR (taking due account of the matters described in Article 32(2) of GDPR));
Transparency Requirements	means the requirements of lawfulness, fairness and transparency set out in the Data Protection Laws, (and in particular, where applicable, Articles 13 and 14 of GDPR); and
UK Data Protection Law	means the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 and the GDPR as the same are amended in accordance with the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended by SI 2020 no. 1586).

13. Further information in relation to our non-European office and the relevant DPAs

13.1 Important differences in how personal information is processed by our non-European offices

We explain below any essential differences in how personal data is processed by our international offices.

South Africa

Where our South Africa office provides legal or other services to you or where your personal information is processed in South Africa by us, then, in compliance with data protection law applicable in South Africa, we process personal information relating to identifiable existing legal entities in the same manner as described for the processing of personal data of individuals in this policy.

You can find further information on how we comply with relevant laws and how you might exercise your rights in our PAIA and POPIA Manual or by contacting our Information Officer at PrivacyTeamSA@pinsentmasons.com.

Our PAIA and POPIA Manual also provide copies of the necessary forms that you must use if you wish to exercise certain rights.

13.2 Non-European DPAs

Australia	The Privacy Commissioner, under the Office of the Australian Information Commissioner. GPO Box 5218, Sydney NSW 2001 https://www.oaic.gov.au/
Dubai	UAE Data Office (not yet operational). Note: On 28 November 2021, the UAE Cabinet announced that it had enacted the Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data, as issued on 20 September 2021. Executive Regulations are expected within six months from the issuance date, and organisations must comply with the requirements of the law six months from the publication of the Executive Regulations.
Qatar - Qatar Financial Centre ('QFC')	The Employment Standards Office at the QFC. Employment Standards Office, Qatar Financial Centre, Level 8, QFC Tower 1, Westbay, Doha, Qatar Tel: +974 44967609 Email: eso@qfc.qa http://www.qfc.qa/en/Operate/Pages/ESO.aspx
Hong Kong	The Office of the Privacy Commissioner for Personal Data 12/F, Sunlight Tower, 248 Queen’s Road East, Wanchai, Hong Kong http://www.pcpd.org.hk/
People's Republic of China ('PRC')	Rules relating to personal information protection and data security are part of a complex framework and are found across various laws and regulations. The three main pillars of the personal information protection framework in the PRC are the relatively new Personal Information Protection Law (PIPL), the Cybersecurity Law (CSL), and the Data Security Law (DSL). Pursuant to PIPL, the Cyberspace Administration of China (CAC) is primarily responsible for the overall planning and coordination of personal information protection and related supervision (http://www.cac.gov.cn/). However, sector-specific regulators, such as the People's Bank of China or the China Banking and Insurance Regulatory Commission, may also monitor and enforce data protection issues of regulated institutions within their sector.
Singapore	Personal Data Protection Commission 10 Pasir Panjang Road, #03-01 Mapletree Business City Singapore 117438 Tel: +65 6377 3131 Fax: +65 6577 3888 Email: info@pdpc.gov.sg http://www.pdpc.gov.sg/
South Africa	The office of the Information Regulator has been established under the Protection of Personal Information Act 4 of 2013 ('POPIA'). The Information Regulator is to be responsible for investigating and attempting to resolve complaints.
United Kingdom	Information Commissioner's Office Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF Helpline number: 0303 123 1113 Home \| ICO

14. Our personnel vetting practices in respect of criminal offences

Criminal offence information may be requested of prospective PM people and prospective Varios as part of our UK recruitment processes before an offer of employment is made unconditional. This practice is limited to our UK operations. This Privacy Policy is regularly reviewed and updated, and should our practice of requesting criminal offence information of prospective PM people and prospective Varios for certain roles expand outside the UK, we will tell you here. Our vetting practices are carried out always in accordance with applicable law.

If we are not permitted to or are not justified in seeking information about criminal offences for a role, we will not ask candidates for criminal offence information. We will not seek criminal offence information from any source other than the individual concerned, a criminal record bureau or a checking organisation.

Criminal offence information will only ever be used by the firm for the purposes for which it was originally collected. Criminal record certificate information will be handled, kept, and disposed of in accordance with the firm's Pre-employment Checks Policy: candidates may email HRcompliance@pinsentmasons.com to request a copy.

Recruitment of ex-offenders policy statement

We are committed to the fair treatment of our people, prospective PM people and users of our services, regardless of their offending background.

The firm promotes equality of opportunity for all with the right mix of talent, skills and potential. Having a criminal record will not necessarily bar an individual from working with us and we welcome applications from a wide range of candidates, including those with criminal records.

The firm selects all candidates for interview based on their skills, qualifications and experience.

Circumstances in which candidates may be asked to provide criminal offence information

A criminal record check or a request for criminal offence information from an individual is only requested after a thorough risk assessment has indicated that doing so is both proportionate and relevant to the position concerned.

The type of criminal records information and level of criminal record check that the firm is entitled to request will depend on the nature of the role for which the individual's suitability is being assessed. When recruiting for a role, we assess whether:

it is appropriate to limit the criminal offence information sought to offences that have a direct bearing on suitability for the job in question; and
the information provided should be verified with a criminal record bureau.

If candidates are asked to provide criminal offence information

Where we request criminal offence information from an individual but do not request a criminal record check, we will ask the individual to provide only criminal offence information in relation to convictions and cautions that the firm would be legally entitled to see in a criminal record check for the relevant role.

If it is assessed that we should verify criminal records information with a criminal record check, we will comply with any criminal record bureau code of practice to which we are subject and provide the individual concerned with a copy of the firm's Pre-employment Checks Policy.

The firm will not rely on previously-issued criminal record certificates.

Criminal offence information verified through a criminal record check

Once criminal offence information has been verified through a criminal record check, we will:

if inconsistencies emerge between the information provided by the individual and the information in the criminal record certificate, give the individual the opportunity to provide an explanation; and
record that a criminal record check was completed and whether it yielded a satisfactory or unsatisfactory result.

Where an unprotected conviction or caution is disclosed

If we have concerns about the information that has been disclosed by a criminal record bureau, or the information is not as expected, we will discuss our concerns with the candidate and carry out a risk assessment.

Our risk assessment will take into account the circumstances and background of any offences and whether they are relevant to the position in question, balancing the rights and interests of the individual, PM people, clients, suppliers and the public.

We treat all applicants fairly but reserve the right to withdraw an offer of employment if an individual does not disclose relevant information, or if a criminal bureau check reveals information which we reasonably believe would make an individual unsuitable for a role.

Disputing the content of a criminal record certificate

Individuals may raise a dispute with a criminal record bureau if they believe that there has been a mistake in the contents of their certificate, for example a mistake in:

the records provided, for example incorrect or irrelevant information on convictions; or
their personal details.

Dispute processes may vary by criminal record bureau and the relevant criminal record bureau should be contacted directly for guidance on how to raise a dispute.

Other notices and information

Sectors and what we do
Sectors we work in
What we do