Data Protection Standards
Last updated: April 2019
1. Scope and Purpose
- These global standards (“Standards”) define the standards applicable to the Linklaters BCR Group Entities in relation to Personal Data:
- that is Processed by any of the Linklaters BCR Group Entities; and
- the Processing of which is subject to regulation by legislation implementing the GDPR.
- The Standards apply to:
- the Processing of Personal Data by a Linklaters Controller in the European Economic Area (“EEA”);
- the Processing of Personal Data in the EEA by a Linklaters Controller located outside of the EEA;
- any transfer of Personal Data out of the EEA by one of the Linklaters BCR Group Entities to another; and
- any Processing or onward transfer of Personal Data (which was previously subject to a transfer described above) by one Linklaters BCR Group Entity to another Linklaters BCR Group Entity that is outside of the EEA.
These Standards, together with the declaration made by the Deed Poll, the data protection training provided to all BCR Group Entity staff on an annual basis and the BCR Group Entity Policies and Procedures demonstrate a commitment by the Linklaters BCR Group Entities to be bound by and to respect the Standards. All BCR Group Entity staff are contractually required to comply with these Standards and all BCR Group Entity Policies and Procedures. Failure to comply is a disciplinary matter, which will result in disciplinary action being taken against relevant employees.
2. The Global Context
The Firm recognises that the use and disclosure of Personal Data has important implications for it, as a firm, and for the Data Subjects concerned. Most of the Firm's offices operate in countries which regulate the use of Personal Data and impose restrictions on overseas transfers. For the Firm to operate effectively in a multi-national way, the Firm has developed good working systems of data transfer and compliance and has adopted a global approach to privacy compliance evidenced by these Standards.
As the Firm is a global firm, it operates across a number of jurisdictions and countries both within and outside of the EEA. Not all jurisdictions and countries have the same data protection laws and regulations, therefore, in all circumstances, unless Applicable Law dictates otherwise or requires a higher standard of protection for Personal Data each Linklaters BCR Group Entity will comply with these Standards. In the event that Applicable Law dictates a higher standard for the protection of Personal Data, the Firm will meet such standards to the fullest extent possible.
3. Definitions and Interpretation
Definitions In these Standards the following terms and expressions have the meanings set out below save that if there is any conflict, apparent conflict or ambiguity in any of the terms set out below or any terms that are not defined in these Standards, such terms shall be interpreted in accordance with the GDPR:
- “Applicable Law” means any applicable law, rule or regulation, whether or not having the force of law, but if not having the force of law only if persons to whom any such law, rule or regulation is intended to apply, generally comply with it;
- “BCR Group Entity Policies and Procedures” means the following policies and procedures:
Global Standards for Processing Personal Data
Global IT Policy
Information Security Policy
Global Individuals Rights Policy
Global Data Breach Policy
Data Protection Impact Assessment Policy;
- “Controller”, “Data Subject”, “Personal Data”, “Process”, “Processing”, “Processor”, “Recipient”, “Special Data” and “Third Countries” each has the meaning given to such term in the GDPR;
- “Deed Poll” means the deed poll entered into by Linklaters LLP in August 2013, as amended and restated in May 2018;
- “Entity” means either a branch, local partnership or service entity within the Linklaters BCR Group Entities;
- “GDPR” means regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data;
- “Individual” has the meaning given to the term “Data Subject”;
- “Linklaters LLP” means the limited liability partnership established under English law whose registered office is at One Silk Street, London EC2Y 8HQ;
- “Linklaters BCR Group Entities” (also referred to together as the “Firm”) means the entities set out in the tables in Parts 1 and 2 of Schedule 2 (Linklaters BCR Group Entities), comprising all entities controlled by Linklaters LLP which are based in a Relevant EEA Country or in a Non-EEA Country and which are bound by the Firm’s binding corporate rules (“BCR”), as updated from time to time by Linklaters LLP;
- “Linklaters Controller” means a Controller that is a Linklaters BCR Group Entity;
- “Member State” means a country forming part of the European Union;
- “Non-EEA Country” means a country listed as a “Non-EEA Country” in Part 2 of Schedule 2 (Linklaters BCR Group Entities) to these Standards;
- “Partners” means members (or employees or consultants with equivalent status and qualifications) of a Linklaters BCR Group Entity;
- “Personnel” means individuals employed by a Linklaters BCR Group Entity or consultants acting on behalf of, or embedded in, a Linklaters BCR Group Entity;
- “Relevant EEA Country” means a country listed as a “Relevant EEA Country” in Part 1 of Schedule 2 (Linklaters BCR Group Entities) to these Standards; and
- “SA” means the competent supervisory authority in a Relevant EEA Country.
- References to a statute or statutory provision include:
- (a) that statute or provision as from time to time modified, re-enacted or consolidated, whether before or after the date of these Standards;
- (b) any past statute or statutory provision (as from time to time modified, re- enacted or consolidated) which that statute or provision has directly or indirectly replaced; and
- (c) any subordinate legislation made from time to time under that statute or statutory provision which is in force at the date of these Standards.
- References to:
- (a) a “person” include any company, partnership or unincorporated association (whether or not having separate legal personality); and
- (b) a “company” shall include any company, corporation or any body corporate, wherever incorporated.
- References to one gender include all genders and references to the singular include the plural and vice versa.
- References to the “control” which Linklaters LLP has of any relevant Linklaters BCR Group Entity, include the effective control exercised by Linklaters LLP by virtue of: (i) any (direct/indirect) shareholding or other partnership or ownership interest held by Linklaters LLP (or any individual(s) or entity(ies) on behalf of (or on trust for) Linklaters LLP) in the relevant Linklaters BCR Group Entity, or (ii) members of Linklaters LLP, who have fiduciary duties to act in the best interests of Linklaters LLP, and whose welfare, career development and discipline is the responsibility of the Senior Partner of Linklaters LLP, acting as directors, members or partners of the relevant Linklaters BCR Group Entity with power to control or manage its business, and “controlled” shall be interpreted accordingly.
4. Access to the Standards
The Standards will be made available on Linklaters LLP’s website and intranet. Any queries in respect of the Standards should be addressed to the following:
The Global Head of Law & Compliance
Linklaters LLP One Silk Street London EC2Y 8HQ
Email address: email@example.com
5. Standards Infrastructure
- Linklaters LLP will ensure that adequate resource is provided to maintain compliance with the Standards. This includes but is not limited to ensuring appropriate senior management responsibility and oversight of the Standards.
- Whilst Linklaters LLP is not required to designate a data protection officer under the GDPR, Linklaters LLP has designated responsibility for overseeing compliance of the Standards to the Global Head of Law & Compliance. The key tasks of the Global Head of Law & Compliance are as follows:
- supporting the network of data protection champions and locally appointed data protection officers within the Linklaters BCR Group Entities, where required, to ensure compliance with data protection laws and to oversee compliance with the Standards;
- ensuring that those who have permanent or regular access to Personal Data, or that are involved in the Processing of Personal Data, or in the development of tools used to Process Personal Data, are trained and informed of their rights and responsibilities in respect of the Standards;
- ensuring that the Standards, which form part of the BCRs, will be incorporated into policies applicable to all Linklaters BCR Group Entities;
- reporting all relevant matters relating to the Processing of Personal Data to the Linklaters LLP’s Risk Committee; 5.2.5 preparing and/or contributing to Linklaters LLP’s Risk Committee reports;
- acting as the point of contact for all data protection authorities in relation to any investigations or enquiries relating to the Processing of Personal Data; and
- taking responsibility for local complaints from Data Subjects.
- To ensure that all relevant staff understand the requirements imposed by these Standards, all personnel (including temporary staff and contractors) who have access to Personal Data, who are involved in the collection of Personal Data or who are involved in the development of tools used to process Personal Data are required to complete training on the obligations set out in these Standards. Training is undertaken on induction and completion of refresher training is mandatory on an annual basis.
- A network of data protection champions supports the Global Head of Law and Compliance with the implementation, monitoring and enforcement of these Standards. The data protection champions are spread across different business functions and different geographic locations. In Germany Linklaters also has a locally appointed Data Protection Officer. An overview of the network of data protection champions is set out below:
- The Data Subject has given consent to the Processing.
- The Processing is necessary for performance of a contract with the Data Subject or to take steps at the request of the Data Subject prior to entering into a contract.
- The Processing is necessary for compliance with a legal obligation to which the a Linklaters BCR Group Entity is subject.
- The Processing is necessary to protect the vital interests of the Data Subject or another natural person.
- The Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in a Linklaters BCR Group Entity.
- The Processing is necessary for the purposes of the legitimate interests pursued by a Linklaters BCR Group Entity or by a third party and those interests are not overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data.
- Purpose limitation: Personal Data will be collected for specified, explicit and legitimate purposes and not further Processed in a manner that is incompatible with those purposes.
- Data minimisation: Personal Data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed.
- Accuracy: Personal Data will be accurate and, where necessary, kept up to date; every reasonable step will be taken to ensure that Personal Data which is inaccurate, having regard to the purposes for which it is Processed, is erased or rectified without delay.
- Storage limitation: Personal Data will be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is Processed.
- Integrity and confidentiality: Personal Data will be Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Transfers of Personal Data outside of the EEA: A Linklaters BCR Group Entity will not transfer Personal Data outside of the EEA to any Controller or Processor which is not a Linklaters BCR Group Entity unless such transfers comply with the requirements of the GDPR. A Linklaters BCR Group Entity will not transfer Personal Data outside of the EEA to a Linklaters BCR Group Entity, unless and until the Linklaters BCR Group Entity outside of the EEA receiving the Personal Data has taken all necessary steps to ensure compliance with these Standards through the provision of training on the Standards to all relevant personnel and through commitment from senior management to comply with the Standards.
- Accountability: When acting as a Controller, a Linklaters BCR Group Entity will maintain appropriate documentary evidence in order to demonstrate compliance with the GDPR and these Standards. Details of how the Firm complies with the accountability principle are set out in Section 7 (The Accountability Principle).
- Linklaters LLP maintains a central record of Processing activities in accordance with the GDPR. The record includes details of the Processing activities of each Linklaters BCR Group Entity, including the contact details of each Linklaters BCR Group Entity, the purposes of the Processing, the categories of Data Subjects and Personal Data, the categories of recipients with whom Personal Data is shared, transfers of Personal Data to third countries, data retention periods and technical and organisational security measures in place to protect the Personal Data. Each Linklaters BCR Group Entity is responsible for keeping their section of the record up to date. Access to relevant sections of the record will be made available upon request by a SA;
- Where the Processing of Personal Data is likely to result in a high risk to the rights and freedoms of Data Subjects, prior to Processing the Personal Data, the relevant Linklaters BCR Group Entity will undertake a data protection impact assessment in accordance with Linklaters LLP’s Global Data Protection Impact Assessment Policy and associated documents; and
- Linklaters LLP has a number of global data protection policies and associated documents to govern how the Linklaters BCR Group Entities Process Personal Data to ensure that all reasonable technical and organisational measures are in place in order to comply with the GDPR. Compliance with these policies is monitored in accordance with Section 15 (Co-operation with EU Data Protection Authorities) of these Standards.
- comply with any additional legal steps required by Applicable Laws in a Relevant EEA Country when processing Special Data and/or Personal Data relating to criminal convictions and offences;
- only Process Personal Data, Special Data and Personal Data relating to criminal convictions and offences if the Processing undertaken is in accordance with the legal basis for Processing as set out in the GDPR or under Applicable Law. In relation to Special Data, the conditions which permit Processing of Special Data include where the Data Subject has given their explicit consent to the Processing, where the Processing is necessary in connection with employment law obligations or exercise of employment law rights, where the Processing is necessary for the establishment, exercise or defence of legal claims and where the Processing is necessary for reasons of substantial public interest and is permitted by Union or Member State law (please note that this is not an exhaustive list of the conditions under which Processing of Special Data is permitted); and
- ensure the Processing is documented in Linklaters LLP’s central record of Processing activities, in which the legal basis for Processing Personal Data, Special Data and Personal Data relating to criminal convictions and offences is identified.
- Right to be informed about how Personal Data is used: Data Subjects have a right to be informed about how a Linklaters BCR Group Entity will use and share their Personal Data and to be informed about categories of recipients with whom their information will be shared and details of transfers of Personal Data to third countries. This explanation is provided to Data Subjects in a concise, transparent, intelligible and easily accessible format. A Linklaters BCR Group Entity ensures that it provides privacy notices to Data Subjects at the point where Linklaters LLP collects Personal Data from them if collecting Personal Data directly. If a Linklaters BCR Group Entity does not collect the Personal Data directly from a Data Subject, the information is will be provided to Data Subjects within one calendar month or, if earlier, at the point of first contact with the Data Subject or before Personal Data is disclosed to a third party. Privacy notices are written in clear and plain language and are provided free of charge.
- Right to access Personal Data: Data Subjects have a right to obtain confirmation of whether a Linklaters BCR Group Entity is Processing their Personal Data, access to their Personal Data and information regarding how their Personal Data is being used by a Linklaters BCR Group Entity.
- Right to have inaccurate Personal Data rectified: Data Subjects have a right to have any inaccurate or incomplete Personal Data rectified. If a Linklaters BCR Group Entity has disclosed the relevant Personal Data to any third parties, a Linklaters BCR Group Entity will take reasonable steps to inform those third parties of the rectification where possible.
- Right to have Personal Data erased in certain circumstances Data Subjects have a right to request that certain Personal Data held by a Linklaters BCR Group Entity is erased. This is also known as the right to be forgotten. This is not a blanket right to require all Personal Data to be deleted. A Linklaters BCR Group Entity will consider each request carefully in accordance with the requirements of the GDPR and Applicable Law.
- Right to restrict processing of Personal Data in certain circumstances Data Subjects have a right to block the Processing of their Personal Data in certain circumstances. This right arises in any of the following circumstances, if a Data Subject is disputing the accuracy of Personal Data, if a Data Subject has raised an objection to processing, if processing of Personal Data is unlawful and the Data Subject opposes erasure and requests restriction instead or if the Personal Data is no longer required by the relevant Linklaters BCR Group Entity but the Data Subject requires the Personal Data to be retained to establish, exercise or defend a legal claim.
- Right to data portability: In certain circumstances, Data Subjects can request to receive a copy of their Personal Data in a commonly used electronic format. This right only applies to Personal Data that Data Subjects have provided to a Linklaters BCR Group Entity (for example by completing a form or providing information through a website). Information about a Data Subject which has been gathered by monitoring their behaviour will also be subject to the right to data portability. The right to data portability only applies if the Processing is based on the Data Subject’s consent or if the Personal Data must be processed for the performance of a contract and the Processing is carried out by automated means (i.e. electronically).
- Right to object to Processing of Personal Data in certain circumstances, including where Personal Data is used for marketing purposes: Data Subjects have a right to object to Processing being carried out by a Linklaters BCR Group Entity if a Linklaters BCR Group Entity is Processing Personal Data based on legitimate interests or for the performance of a task in the public interest (including profiling), if a Linklaters BCR Group Entity is using Personal Data for direct marketing purposes, or if information is being processed for scientific or historical research or statistical purposes. Data Subjects will be informed that they have a right to object at the point of data collection and the right to object will be explicitly brought to the attention of the Data Subject and be presented clearly and separately from any other information.
- Right not to be subject to automated decisions, including profiling where the decision produces a legal effect or a similarly significant effect: Data Subjects have a right not to be subject to a decision which is based on automated processing, including profiling where the decision will produce a legal effect or a similarly significant effect on the Data Subject.
- the pseudonymisation and encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
- carry out pre-contractual due diligence checks on Processors to ensure that they are compliant with applicable requirements under the GDPR and only use Processors that provide sufficient guarantees to implement appropriate measures to ensure that the requirements of the GDPR and the rights of Data Subjects are met;
- ensure, arrangements with Processors are documented in a written contract and that contract includes as a minimum the mandatory clauses as set out in Article 28 of the GDPR and provisions relating to breach notification; and
- ensure that appropriate procedures are put in place to carry out due diligence on Processors to check that they continue to have adequate measures in place to enable compliance with the GDPR.
- permit a SA to audit that Linklaters BCR Group Entity in order that the SA may obtain the information necessary to demonstrate that Linklaters BCR Group Entity’s compliance with the Standards; and
- use reasonable endeavours to comply with requests from any SA, acting reasonably and in the proper performance of its duties, in connection with the audit of the Standards, to the extent that any such requests are consistent with all Applicable Laws, regulations, professional standards and due process, without waiving any defences and/or rights of appeal available to that relevant Linklaters BCR Group Entity.
- (a) Section 2 (The Global Context), Section 4 (Access to the Standards) and Section 5 (Standards Infrastructure);
- (b) Section 6 (Processing Principles);
- (c) Section 7 (The Accountability Principle);
- (d) Section 8 (The Legal Basis for Processing Personal Data, Special Data or Personal Data relating to criminal convictions and offences);
- (e) Section 9 (Rights of Individuals);
- (f) Section 10 (Security);
- (g) Section 11 (Internal Processing of Personal Data);
- (h) Section 12 (Third Party Processing of Personal Data);
- (i) Section 13 (Marketing);
- (j) Section 14 (Special Data and Personal Data relating to criminal convictions and offences);
- (k) Section 15 (Co-Operation with EU Data Protection Commissioners);
- (l) Section 16 (Rights of Redress); and
- (m) Section 17 (Conflicts).
- the Member State of his or her habitual residence;
- the Member State of his or her place of work; or
- the place of the alleged infringement.
- the courts of the Member State where the relevant Linklaters BCR Group Entity has an establishment; or
- the courts of the Member State where the Data Subject has his or her habitual residence.
- punitive or exemplary damages (i.e. damages intended to punish a party for its conduct, rather than to compensate the victim of such conduct); or
- indirect loss, consequential loss or special damages, howsoever caused.
- UK1 replicated to UK2;
- UK2 replicated to UK1; and
- Hong Kong replicated to UK2.
- human resources-related data;
- client-related data (predominantly contact details of individuals within client organisations); and
- other business-related data (e.g. contact details of third party suppliers).
- personnel and partner Personal Data;
- client Personal Data;
- third-party (e.g. supplier and prospective client) Personal Data;
- sound and/or visual images; and
- marketing data.
- 1. administration of employees, and other activities of the Human Resources Team;
- 2. provision of legal services;
- 3. billing and accounts;
- 4. databank administration;
- 5. licensing and registration under Applicable Laws (for instance, maintaining practicing certificates);
- 6. maintaining information required for the prevention and/or prosecution of offenders and/or the prevention and detection of crime including fraud prevention and anti-money laundering;
- 7. maintaining client information and records of business relationships; and
- 8. maintaining information used in advertising and for public relations.
- 1. racial or ethnic origin for diversity monitoring;
- 2. criminal convictions for the prevention and detection of crime;
- 3. religious or philosophical beliefs for diversity monitoring;
- 4. physical or mental health conditions (including from accidents) for compliance with employment obligations and obligations towards the Firm’s insurers; and
- 5. sexual lifestyles or sexual orientation for diversity monitoring.
- 1. personnel (including prospective personnel)
- 2. partners
- 3. members of the public
- 4. clients (and prospective clients)
- 5. other business-related contacts for example suppliers
6. Processing Principles
Unless otherwise dictated by Applicable Law, when acting as a Controller, a Linklaters BCR Group Entity shall observe the following principles when Processing Personal Data. Personal Data will not be Processed unless one of the following legal bases for Processing is met:
7. The Accountability Principle
Each Linklaters BCR Group Entity will ensure that it maintains evidence of compliance with these Standards in the following ways:
8. The Legal Basis for Processing Personal Data, Special Data or Personal Data relating to criminal convictions and offences
In addition to complying with the Processing principles set out in Section 6 (Processing Principles) of these Standards, each Linklaters BCR Group Entity will:
9. Rights of Individuals
It is the Firm's policy to respect the rights of Data Subjects and the Firm will act promptly and in accordance with the GDPR and Applicable Laws should any of these rights be exercised. A Data Subject may exercise any of their rights under these Standards at any time free of charge using the contact details set out in Section 4 (Access to the Standards) of these Standards.
In relation to the right to be informed set out below in these Standards, information will be provided to Data Subjects as set out in the timeframes in that Clause. In relation to all other rights, a Linklaters BCR Group Entity will respond without undue delay and in any event within one calendar month. In exceptional cases this one calendar month period may be extended by two further calendar months if the request is particularly complex and involves a large number of requests. If a Linklaters BCR Group Entity wishes to make use of this extension, a Linklaters BCR Group Entity will inform the individual within the initial one calendar month period with the reasons for the delay.
When it is relevant to the Processing undertaken by a Linklaters BCR Group Entity, a Linklaters BCR Group Entity will observe the rights of individuals and will comply with Linklaters LLP’s Global Individuals’ Rights Policy and associated documents. Details of the rights of individuals are set out below:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each Linklaters BCR Group Entity will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of Processing, including inter alia as appropriate:
11. Internal Processing of Personal Data
Linklaters LLP will procure that all Linklaters BCR Group Entities which Process Personal Data will follow the instructions of the relevant Linklaters Controller and will be bound by such instructions.
12. Third Party Processing of Personal Data
Before a Linklaters BCR Group Entity transfers Personal Data to a third party in furtherance of an outsourcing or other data processing arrangement or uses the services of a third party to Process Personal Data on its own behalf, it shall ensure that it complies with this Clause.
A Linklaters BCR Group Entity will:
All Linklaters BCR Group Entities will ensure that third party Controllers and Processors to whom Personal Data is transferred afford a similar level of protection for that Personal Data as the Linklaters BCR Group Entity.
Linklaters BCR Group Entities will not use Personal Data to send marketing information to any Data Subject (including any employee) who has requested not to receive marketing material.
If a Data Subject requests a Linklaters BCR Group Entity to stop processing their Personal Data for direct marketing purposes, the relevant Linklaters BCR Group Entity shall stop processing the Personal Data for those purposes in accordance with the deadlines specified by Applicable Laws.
Data Subjects are encouraged to make such requests via the forms provided for that purpose in the marketing materials, and may alternatively make any such request to their usual contact at the Firm or the Global Head of Law & Compliance (using the contact details set out in Section 4 (Access to the Standards)). In any event, such request can be made at any time free of charge.
14. Compliance Audit
Linklaters LLP’s Internal Audit Team and the Law & Compliance Team shall evaluate, test and report on the Linklaters BCR Group Entities’ compliance with the Standards. Such audits and monitoring take place on a rolling basis with audits scheduled for different teams throughout the year. Where any non-compliance with the Standards is identified in such audits, the relevant professional, from either the Internal Audit or Law and Compliance team, will work with the relevant business manager to design and implement remediation measures. The audit professional will then track the progress of the remediation measures.
Information from audit reports relating to compliance with the Standards will be sent to the Global Head of Law & Compliance and, where relevant, the Linklaters Risk Committee. Information on the results of audits will also be included in reports to either Linklaters’ Executive Committee or any sub-committee of the Executive Committee to which the authority to review the results of such audits is delegated.
Subject to the section below, a Linklaters BCR Group Entity provide details of any relevant audit(s) in relation to Personal Data Processed under these Standards (in so far as the relevant audit(s) relate to compliance with the Standards), to the SA, upon request from the SA;
To the extent permitted by Applicable Laws a Linklaters BCR Group Entity will only disclose compliance information toa SA provided that: (i) such information relates to compliance with the Standards; (ii) the information does not contain any commercially sensitive information about or belonging to Linklaters LLP, any other Linklaters BCR Group Entity, or any of their respective clients; (iii) the information does not contain any confidential information about or belonging to a third party; (iv) the information is not subject to the law of privilege; and (v) disclosure of the information would not be contrary to Applicable Law. For the avoidance of doubt, nothing in Section 14 above shall prevent a Linklaters BCR Group Entity from separating out the information in order to comply fully with the requirements of this Clause.
15. Co-operation with EU Data Protection Authorities
Each Linklaters BCR Group Entity shall respond to all requests for information from a SA on any issue related to these Standardss to the extent that such requests are consistent with Applicable Law, regulations, professional standards and due process.
Each Linklaters BCR Group Entity shall respect the decisions and advice of a SA relating to the interpretation and application of the Standards to the extent consistent with Applicable Law, regulations, professional standards and due process and without waiving any defences and/or rights of appeal available to that Linklaters BCR Group Entity.
16. Rights to enforce the Standards and rights of redress
Data Subjects who believe that there has or may have been a breach of these Standards have the right to seek enforcement of the Standards and/or appropriate compensation for any damage arising from the breach. The right to seek enforcement and/or claim compensation is exercisable as a third-party beneficiary right and relates solely to the standards set out in the following clauses (referred to in these Standards as the “Enforceable Rights”):
The remedies available to Data Subjects for any breach of the Enforceable Rights are set out below.
Individuals may raise a complaint in relation to any breach of the Enforceable Rights under these Standards through Linklaters LLP’s Global Data Protection Complaints Procedure which is available on Linklaters LLP’s website and intranet. The Global Data Protection Complaints Procedure enables individuals to raise complaints in writing or by calling the telephone number set out in the Global Data Protection Complaints Procedure.Linklaters LLP has executed a Deed Poll as part of the process of implementing the BCR. As also set out in Linklaters LLP’s Global Data Protection Complaints Procedure, Data Subjects exercising their rights under the BCR shall be entitled to receive a copy of the Deed Poll, on request, on a confidential basis. For the avoidance of doubt, disclosure of the Deed Poll to a Data Subject’s legal representative will not be considered a breach of confidentiality. Further information regarding the Global Data Protection Complaints Procedure is available from the Global Head of Law & Compliance, whose contact details are set out in Section 4 (Access to the Standards). A Data Subject may raise his or her concerns with a SA or make a claim in court without having to go through Linklaters LLP’s Global Data Protection Complaints Procedure first.
A Data Subject may raise a complaint with a SA if the Data Subject considers that any of the Enforceable Rights have been breached. A Data Subject may raise their complaint either in:
Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a SA, a Data Subject also has the right to an effective judicial remedy where they consider that the Enforceable Rights have been infringed.
A Data Subject may bring proceedings against Linklaters LLP in relation to the Enforceable Rights either in:
A court chosen pursuant to this and the previous paragraph, being the “Selected Jurisdiction”.
Linklaters LLP accepts responsibility for and agrees to take the necessary action to remedy the acts of Non-EEA entities which are in breach of the Enforceable Rights and to pay any compensation due to a Data Subject for any material or non-material damages resulting from a breach of the Enforceable Rights by Linklaters BCR Group Entities.If a Data Subject claims that a breach of the Enforceable Rights has been committed by a Non-EEA Entity, Linklaters LLP shall be exempt from liability in whole or part if it proves that the Non-EEA Entity is not responsible for the event giving rise to the damage. If it is held that a breach of the Enforceable Rights has occurred, it shall be the responsibility of the Data Subject who brought the claim to prove that they incurred damage as a result of such breach and to prove the amount of such damage. (whether that be material or non-material damage) as a result of such breach and to prove the amount of any material damage.
To the maximum extent permitted by Applicable Laws, Linklaters LLP shall not be liable to a Data Subject for:
provided that this shall not prevent a Data Subject from bringing a claim for non-material damage that arises directly as a result of a breach of the Enforceable Rights where such damage is a reasonably foreseeable consequence of the relevant breach.
In any event, Linklaters LLP shall only be liable for damages which have been: (i) agreed by Linklaters LLP with the relevant Data Subject; or (ii) awarded against Linklaters LLP by a judgment, order, or by any other legal award of a court or tribunal with valid jurisdiction.
If a Linklaters BCR Group Entity has reason to believe that any Applicable Law prevents it from complying with the Standards and may have a substantial effect on the protections provided by the Standards, that Linklaters BCR Group Entity will promptly inform the Global Head of Law & Compliance (whose contact details are set out in Section 4 (Access to the Standards)) (except where prohibited by a law enforcement authority, such as prohibition under criminal law to preserve the confidentiality of a law enforcement investigation). Linklaters LLP will make a decision on how to proceed and will consult the relevant SA in cases of doubt.
Where a Linklaters BCR Group Entity is subject to any legal requirement in a third country (for example, any legally binding request for disclosure of the Personal Data by a law enforcement authority or state security body) which is likely to have a substantial adverse effect on the guarantees provided by the Standards, Linklaters LLP will make a decision on how to proceed and will report the problem to the relevant SA, providing details about the request, including information about the Personal Data requested, the requesting body, and the legal basis for the disclosure (unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation).
If a Linklaters BCR Group Entity is prohibited from making such notification to the relevant SA, the Linklaters BCR Group Entity will use its best efforts to obtain the right to waive the prohibition in order to communicate as much information as it can as soon as possible to that SA. The Linklaters BCR Group Entity will maintain evidence in order to demonstrate that it sought to obtain the right to waive the prohibition.
In the event that, despite using its best efforts, the Linklaters BCR Group Entity is still unable to notify the relevant SA of any legally binding request for disclosure of the Personal Data by a law enforcement authority or state security body, or similar requests, Linklaters LLP will provide to that SA on an annual basis, general information on the requests it received (for example the number of applications for disclosure, type of data requested, and requester if possible).
Notwithstanding the provisions of Clause 17.1 to Clause 17.4 (inclusive), where a Linklaters BCR Group Entity is subject to any legal requirement in a third country (for example, any legally binding request for disclosure of the Personal Data by a public authority, law enforcement authority or state security body) which is likely to have a substantial adverse effect on the guarantees provided by the Standards such disclosure will not be massive, disproportionate and indiscriminate in a manner that would go beyond what is necessary in a democratic society.
Linklaters LLP shall notify the relevant SA in accordance with Section 18 (Updating and Reviewing the Standards) if Linklaters LLP determines that a change is required to the Standards to address the issue.
If any Applicable Law requires a higher level of protection for Personal Data than that set out in these Standards, the relevant Applicable Law will take precedence over these Standards in respect of that aspect of the Standards.
18. Updating and Reviewing the Standards
Linklaters LLP reserves the right to amend the Standards (including, without limitation, the addition of new Linklaters BCR Group Entity). Any changes to these Standards shall be reported to each Linklaters BCR Group Entity as soon as practicable and within three months of the amendment or variation. Any substantive changes to these Standards shall be reported to the relevant SAs without undue delay. Any other non-substantive amendments to these Standards shall be reported to the relevant SAs on an annual basis.
These Standards will be reviewed and updated as deemed necessary at least annually to ensure they continue to be accurate and relevant. Any amendments to these Standards will be posted on Linklaters LLP’s website and intranet.
Linklaters’ Law & Compliance team will be responsible for notifying Linklaters BCR Group Entities and relevant SAs of changes to the Standards and for ensuring that the Standards are reviewed on an annual basis.
Schedule 1 - Data Processing Activities covered by these Standards
|Data Transfers covered by these Standards||
1. In the context of its global practice, the Firm operates as a boundless firm and therefore Personal Data may be transferred between any of the Linklaters BCR Group Entities worldwide. The majority of the Firm’s processing in the EU is carried out at the two UK-based data processing centres (UK1 and UK2), which service the Firm’s offices in Europe. It is therefore likely that the bulk of data transfers out of the EEA will originate in the UK and be transferred to the Firm’s remaining data centre in Hong Kong, which services the Asia region.
2. The Firm’s disaster recovery system necessitates additional replication between data centres to ensure data availability in the event of a data centre failure. Replication for key business systems such as email and the Firm’s document management system is as follows:
|The nature and categories of Personal Data covered by these Standards||
1. The following categories of Personal Data are transferred by a Linklaters BCR Group Entity. Personal Data may also include Special Data:
2. The nature of the Personal Data transferred by a Linklaters BCR Group Entity is as follows:
|Type of Processing and the purpose for the Processing covered by these Standards||
Personal Data covered by the Standards is processed and transferred for the following core purposes:
Whilst the Firm does not routinely process Special Data, the following Special Data are covered by the Standards and transferred for the following core purposes:
|Categories of Data Subjects covered by these Standards
|Identification of Recipients in Third Countries covered by these Standards||Please see Schedule 2 (Linklaters BCR Group Entities) for details of transfers to Linklaters BCR Group Entities in Non-EU Countries.|