Data Protection Standards

1. Scope and Purpose

2. The Global Context

3. Definitions and Interpretation

4. Access to the Standards

5. Standards Infrastructure

6. Processing Principles

7. The Accountability Principle

8. The Legal Basis for Processing Personal Data, Special Data or Personal Data relating to criminal convictions and offences

9. Rights of Individuals

10. Security

11. Internal Processing of Personal Data

12. Third Party Processing of Personal Data

13. Marketing

14. Compliance Audit

15. Co-operation with EU Data Protection Authorities

16. Rights to enforce the Standards and rights of redress

17. Conflicts

18. Updating and Reviewing the Standards

Schedule 1 - Data Processing Activities covered by these Standards

Schedule 2 - Linklaters BCR Group Entities

Part 1 – Linklaters BCR Group Entities in Relevant EEA Countries

Part 2 – Linklaters BCR Group Entities in Non-EEA Countries

 

1. Scope and Purpose
  • These global standards (“Standards”) define the standards applicable to the Linklaters BCR Group Entities in relation to Personal Data:
  • that is Processed by any of the Linklaters BCR Group Entities; and
  • the Processing of which is subject to regulation by legislation implementing the GDPR.
  • The Standards apply to:
  • the Processing of Personal Data by a Linklaters Controller in the European Economic Area (“EEA”);
  • the Processing of Personal Data in the EEA by a Linklaters Controller located outside of the EEA;
  • any transfer of Personal Data out of the EEA by one of the Linklaters BCR Group Entities to another; and
  • any Processing or onward transfer of Personal Data (which was previously subject to a transfer described above) by one Linklaters BCR Group Entity to another Linklaters BCR Group Entity that is outside of the EEA.

The different types of Personal Data and the purposes for which, and the manner in which, they are Processed can be found in Schedule 1 (Data Processing Activities covered by these Standards).

2. The Global Context

The Firm recognises that the use and disclosure of Personal Data has important implications for it, as a firm, and for the Data Subjects concerned. Most of the Firm's offices operate in countries which regulate the use of Personal Data and impose restrictions on overseas transfers. For the Firm to operate effectively in a multi-national way, the Firm has developed good working systems of data transfer and compliance and has adopted a global approach to privacy compliance evidenced by these Standards.

As the Firm is a global firm, it operates across a number of jurisdictions and countries both within and outside of the EEA. Not all jurisdictions and countries have the same data protection laws and regulations, therefore, in all circumstances, unless Applicable Law dictates otherwise or requires a higher standard of protection for Personal Data each Linklaters BCR Group Entity will comply with these Standards. In the event that Applicable Law dictates a higher standard for the protection of Personal Data, the Firm will meet such standards to the fullest extent possible.

3. Definitions and Interpretation

Definitions In these Standards the following terms and expressions have the meanings set out below save that if there is any conflict, apparent conflict or ambiguity in any of the terms set out below or any terms that are not defined in these Standards, such terms shall be interpreted in accordance with the GDPR:

  • Applicable Law” means any applicable law, rule or regulation, whether or not having the force of law, but if not having the force of law only if persons to whom any such law, rule or regulation is intended to apply, generally comply with it;
  • Controller”, “Data Subject”, “Personal Data”, “Process”, “Processing”, “Processor”, “Recipient”, “Special Data” and “Third Countries” each has the meaning given to such term in the GDPR;
  • Deed Poll” means the deed poll entered into by Linklaters LLP in August 2013, as amended and restated in May 2018;
  • DPA” means the competent supervisory authority in a Relevant EEA Country;
  • Entity” means either a branch, local partnership or service entity within the Linklaters BCR Group Entities;
  • GDPR” means regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data;
  • Individual” has the meaning given to the term “Data Subject”;
  • Linklaters LLP” means the limited liability partnership established under English law whose registered office is at One Silk Street, London EC2Y 8HQ;
  • Linklaters BCR Group Entities” (also referred to together as the “Firm”) means the entities set out in the tables in Parts 1 and 2 of Schedule 2 (Linklaters BCR Group Entities), comprising all entities controlled by Linklaters LLP which are based in a Relevant EEA Country or in a Non-EEA Country and which are bound by the Firm’s binding corporate rules (“BCR”), as updated from time to time by Linklaters LLP;
  • Linklaters Controller” means a Controller that is a Linklaters BCR Group Entity;
  • Non-EEA Country” means a country listed as a “Non-EEA Country” in Part 2 of Schedule 2 (Linklaters BCR Group Entities) to these Standards;
  • Partners” means members (or employees or consultants with equivalent status and qualifications) of a Linklaters BCR Group Entity;
  • Personnel” means individuals employed by a relevant Linklaters BCR Group Entity or consultants acting on behalf of, or embedded in, a relevant Linklaters BCR Group Entity; and
  • Relevant EEA Country” means a country listed as a “Relevant EEA Country” in Part 1 of Schedule 2 (Linklaters BCR Group Entities) to these Standards.

Interpretation

  • References to a statute or statutory provision include:
    • (a) that statute or provision as from time to time modified, re-enacted or consolidated, whether before or after the date of these Standards;
    • (b) any past statute or statutory provision (as from time to time modified, re- enacted or consolidated) which that statute or provision has directly or indirectly replaced; and
    • (c) any subordinate legislation made from time to time under that statute or statutory provision which is in force at the date of these Standards.
  • References to:
    • (a) a “person” include any company, partnership or unincorporated association (whether or not having separate legal personality); and
    • (b) a “company” shall include any company, corporation or any body corporate, wherever incorporated.
  • References to one gender include all genders and references to the singular include the plural and vice versa.
  • References to the “control” which Linklaters LLP has of any relevant Linklaters BCR Group Entity, include the effective control exercised by Linklaters LLP by virtue of: (i) any (direct/indirect) shareholding or other partnership or ownership interest held by Linklaters LLP (or any individual(s) or entity(ies) on behalf of (or on trust for) Linklaters LLP) in the relevant Linklaters BCR Group Entity, or (ii) members of Linklaters LLP, who have fiduciary duties to act in the best interests of Linklaters LLP, and whose welfare, career development and discipline is the responsibility of the Senior Partner of Linklaters LLP, acting as directors, members or partners of the relevant Linklaters BCR Group Entity with power to control or manage its business, and “controlled” shall be interpreted accordingly.
4. Access to the Standards

The Standards will be made available on Linklaters LLP’s website and intranet. Any queries in respect of the Standards should be addressed to the following:

Postal address:
The Global Head of Law & Compliance
Linklaters LLP One Silk Street London EC2Y 8HQ
Email address: data.protection@linklaters.com

5. Standards Infrastructure
  • Linklaters LLP will ensure that adequate resource is provided to maintain compliance with the Standards. This includes but is not limited to ensuring appropriate senior management responsibility and oversight of the Standards.
  • Whilst Linklaters LLP is not required to designate a data protection officer under the GDPR, Linklaters LLP has designated responsibility for overseeing compliance of the Standards to the Global Head of Law & Compliance. The key tasks of the Global Head of Law & Compliance are as follows:
    • supporting the network of data protection champions and locally appointed data protection officers in a relevant Linklaters BCR Group Entity within Linklaters LLP, to ensure compliance with data protection laws and to oversee compliance with the Standards;
    • ensuring that those who have permanent or regular access to Personal Data, or that are involved in the Processing of Personal Data, or in the development of tools used to Process Personal Data, are trained and informed of their rights and responsibilities in respect of the Standards;
    • ensuring that the Standards, which form part of the BCRs, will be incorporated into policies applicable to all Linklaters BCR Group Entities;
    • reporting all relevant matters relating to the Processing of Personal Data to the Linklaters LLP’s Risk Committee; 5.2.5 preparing and/or contributing to Linklaters LLP’s Risk Committee reports;
    • acting as the point of contact for all data protection authorities in relation to any investigations or enquiries relating to the Processing of Personal Data; and
    • taking responsibility for local complaints from Data Subjects.
6. Processing Principles

Unless otherwise dictated by Applicable Law, when acting as a Controller, a Linklaters BCR Group Entity shall observe the following principles when Processing Personal Data.

  • Lawfulness, fairness and transparency: Personal Data will be Processed lawfully, fairly and in a transparent manner in relation to the Data Subject.
  • Purpose limitation: Personal Data will be collected for specified, explicit and legitimate purposes and not further Processed in a manner that is incompatible with those purposes.
  • Data minimisation:  Personal Data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed.
  • Accuracy: Personal Data will be accurate and, where necessary, kept up to date; every reasonable step will be taken to ensure that Personal Data which is inaccurate, having regard to the purposes for which it is Processed, is erased or rectified without delay.
  • Storage limitation: Personal Data will be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data is Processed.
  • Integrity and confidentiality: Personal Data will be Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
  • Transfers of Personal Data outside of the EEA: A Linklaters BCR Group Entity will not transfer Personal Data outside of the EEA to any Controller or Processor which is not a Linklaters BCR Group Entity unless such transfers comply with the requirements of the GDPR.
  • Accountability: When acting as a Controller, a Linklaters BCR Group Entity will maintain appropriate documentary evidence in order to demonstrate compliance with the GDPR and these Standards. Details of how the Firm complies with the accountability principle are set out in Section 7 (The Accountability Principle).
7. The Accountability Principle

Each Linklaters BCR Group Entity will ensure that it maintains evidence of compliance with these Standards in the following ways:

  • Linklaters LLP maintains a central record of Processing activities in accordance with the GDPR. The record of Processing activities is kept up-to-date by each Linklaters BCR Group Entity and access to relevant sections of the record will be made available upon request by a relevant DPA;
  • where the Processing of Personal Data is likely to result in a high risk to the rights and freedoms of Data Subjects, prior to Processing the Personal Data, the relevant Linklaters BCR Group Entity will undertake a data protection impact assessment in accordance with Linklaters LLP’s Global Data Protection Impact Assessment Policy and associated documents; and
  • Linklaters LLP has a number of global data protection policies and associated documents to govern how the Linklaters BCR Group Entities Process Personal Data to ensure that all reasonable technical and organisational measures are in place in order to comply with the GDPR. Compliance with these policies is monitored in accordance with Section 15 (Co-operation with EU Data Protection Authorities) of these Standards.
8. The Legal Basis for Processing Personal Data, Special Data or Personal Data relating to criminal convictions and offences

In addition to complying with the Processing principles set out in Section 6 (Processing Principles) of these Standards, each Linklaters BCR Group Entity in a Relevant EEA Country will:

  • comply with any additional legal steps required by Applicable Laws in that Relevant EEA Country when processing Special Data and/or Personal Data relating to criminal convictions and offences;
  • only Process Personal Data, Special Data and Personal Data relating to criminal convictions and offences if the Processing undertaken is in accordance with the legal basis for Processing as set out in the GDPR or under Applicable Law; and
  • ensure the Processing is documented in Linklaters LLP’s central record of Processing activities, in which the legal basis for Processing Personal Data, Special Data and Personal Data relating to criminal convictions and offences is identified.
9. Rights of Individuals

It is the Firm's policy to respect the rights of Data Subjects and the Firm will act promptly and in accordance with the GDPR and Applicable Laws should any of these rights be exercised. A Data Subject may exercise any of their rights under these Standards at any time free of charge using the contact details set out in Section 4 (Access to the Standards) of these Standards.

In relation to the right to be informed set out below in these Standards, information will be provided to Data Subjects as set out in the timeframes in that Clause. In relation to all other rights, the relevant Linklaters BCR Group Entity will respond without undue delay and in any event within one calendar month. In exceptional cases this one calendar month period may be extended by two further calendar months if the request is particularly complex and involves a large number of requests. If the relevant Linklaters BCR Group Entity wishes to make use of this extension, the relevant Linklaters BCR Group Entity will inform the individual within the initial one calendar month period with the reasons for the delay.

When acting as a Controller, a Linklaters BCR Group Entity will observe the rights of individuals and will comply with Linklaters LLP’s Global Individuals’ Rights Policy and associated documents. Details of the rights of individuals are set out below:

  • Right to be informed about how Personal Data is used: Data Subjects have a right to be informed about how a Linklaters BCR Group Entity will use and share their Personal Data. This explanation is provided to Data Subjects in a concise, transparent, intelligible and easily accessible format. A Linklaters BCR Group Entity ensures that it provides privacy notices to Data Subjects at the point where Linklaters LLP collects Personal Data from them if collecting Personal Data directly. If a Linklaters BCR Group Entity does not collect the Personal Data directly from a Data Subject, the information is will be provided to Data Subjects within one calendar month or, if earlier, at the point of first contact with the Data Subject or before Personal Data is disclosed to a third party. Privacy notices are written in clear and plain language and are provided free of charge.
  • Right to access Personal Data: Data Subjects have a right to obtain confirmation of whether a Linklaters BCR Group Entity is Processing their Personal Data, access to their Personal Data and information regarding how their Personal Data is being used by a Linklaters BCR Group Entity.
  • Right to have inaccurate Personal Data rectified: Data Subjects have a right to have any inaccurate or incomplete Personal Data rectified. If a Linklaters BCR Group Entity has disclosed the relevant Personal Data to any third parties, a Linklaters BCR Group Entity will take reasonable steps to inform those third parties of the rectification where possible.
  • Right to have Personal Data erased in certain circumstances Data Subjects have a right to request that certain Personal Data held by a Linklaters BCR Group Entity is erased. This is also known as the right to be forgotten. This is not a blanket right to require all Personal Data to be deleted. A Linklaters BCR Group Entity will consider each request carefully in accordance with the requirements of the GDPR and Applicable Law.
  • Right to restrict processing of Personal Data in certain circumstances Data Subjects have a right to block the Processing of their Personal Data in certain circumstances. This right arises in any of the following circumstances, if a Data Subject is disputing the accuracy of Personal Data, if a Data Subject has raised an objection to processing, if processing of Personal Data is unlawful and the Data Subject opposes erasure and requests restriction instead or if the Personal Data is no longer required by the relevant Linklaters BCR Group Entity but the Data Subject requires the Personal Data to be retained to establish, exercise or defend a legal claim.
  • Right to data portability: In certain circumstances, Data Subjects can request to receive a copy of their Personal Data in a commonly used electronic format. This right only applies to Personal Data that Data Subjects have provided to a relevant Linklaters BCR Group Entity (for example by completing a form or providing information through a website). Information about a Data Subject which has been gathered by monitoring their behaviour will also be subject to the right to data portability. The right to data portability only applies if the Processing is based on the Data Subject’s consent or if the Personal Data must be processed for the performance of a contract and the Processing is carried out by automated means (i.e. electronically).
  • Right to object to Processing of Personal Data in certain circumstances, including where Personal Data is used for marketing purposes: Data Subjects have a right to object to Processing being carried out by a relevant Linklaters BCR Group Entity if a relevant Linklaters BCR Group Entity is Processing Personal Data based on legitimate interests or for the performance of a task in the public interest (including profiling), if a relevant Linklaters BCR Group Entity is using Personal Data for direct marketing purposes, or if information is being processed for scientific or historical research or statistical purposes. Data Subjects will be informed that they have a right to object at the point of data collection and the right to object will be explicitly brought to the attention of the Data Subject and be presented clearly and separately from any other information.
  • Right not to be subject to automated decisions where the decision produces a legal effect or a similarly significant effect: Data Subjects have a right not to be subject to a decision which is based on automated processing where the decision will produce a legal effect or a similarly significant effect on the Data Subject.
10. Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each Linklaters BCR Group Entity will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of Processing, including inter alia as appropriate:

  • the pseudonymisation and encryption of Personal Data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.

All Linklaters BCR Group Entities will comply with Linklaters LLP’s Global Information Security Policy, Global IT Policy and associated documents.

11. Internal Processing of Personal Data

Linklaters LLP will procure that all Linklaters BCR Group Entities which Process Personal Data will follow the instructions of the relevant Linklaters Controller and will be bound by such instructions.

12. Third Party Processing of Personal Data

Before a Linklaters BCR Group Entity transfers Personal Data to a third party in furtherance of an outsourcing or other data processing arrangement or uses the services of a third party to Process Personal Data on its own behalf, it shall ensure that it complies with this Clause.

A Linklaters BCR Group Entity will:

  • carry out pre-contractual due diligence checks on Processors to ensure that they are compliant with applicable requirements under the GDPR and only use Processors that provide sufficient guarantees to implement appropriate measures to ensure that the requirements of the GDPR and the rights of Data Subjects are met;
  • ensure, arrangements with Processors are documented in a written contract and that contract includes as a minimum the mandatory clauses as set out in the GDPR and provisions relating to breach notification; and
  • ensure that appropriate procedures are put in place to carry out due diligence on Processors to check that they continue to have adequate measures in place to enable compliance with the GDPR.

The relevant Linklaters BCR Group Entity will ensure that third party Controllers and Processors to whom Personal Data is transferred afford a similar level of protection for that Personal Data as the Linklaters BCR Group Entity.

13. Marketing

Linklaters BCR Group Entities will not use Personal Data to send marketing information to any Data Subject (including any employee) who has requested not to receive marketing material.

If a Data Subject requests a Linklaters BCR Group Entity to stop processing their Personal Data for direct marketing purposes, the relevant Linklaters BCR Group Entity shall stop processing the Personal Data for those purposes in accordance with the deadlines specified by Applicable Laws.

Data Subjects are encouraged to make such requests via the forms provided for that purpose in the marketing materials, and may alternatively make any such request to their usual contact at the Firm or the Global Head of Law & Compliance (using the contact details set out in Section 4 (Access to the Standards)). In any event, such request can be made at any time free of charge.

14. Compliance Audit

Linklaters LLP’s Internal Audit Team and the Law & Compliance Team shall evaluate, test and report on the Linklaters BCR Group Entities’ compliance with the Standards on a regular basis. Where any non-compliance with the Standards is identified in such audits, the relevant audit professional will work with the relevant business manager to design and implement remediation measures. The audit professional will then track the progress of the remediation measures.

Information from audit reports relating to compliance with the Standards will be sent to the Global Head of Law & Compliance and, where relevant, the Linklaters Risk Committee.

Subject to the section below, a Linklaters BCR Group Entity in a Relevant EEA Country shall provide details of any relevant audit in that Relevant EEA Country or in relation to Personal Data exported from the EEA (in so far as they relate to compliance with the Standards), to the DPA in that Relevant EEA Country, upon request from that DPA.

Subject to the final paragraph of Section 14 below, a Linklaters BCR Group Entity in a Relevant EEA Country shall:

  • permit its relevant DPA to audit that Linklaters BCR Group Entity in order that the DPA may obtain the information necessary to demonstrate that Linklaters BCR Group Entity’s compliance with the Standards; and
  • use reasonable endeavours to comply with requests from any relevant DPA, acting reasonably and in the proper performance of its duties, in connection with the audit of the Standards, to the extent that any such requests are consistent with all Applicable Laws, regulations, professional standards and due process, without waiving any defences and/or rights of appeal available to that relevant Linklaters BCR Group Entity.

To the extent permitted by Applicable Laws a Linklaters BCR Group Entity in a Relevant EEA Country will only disclose compliance information to its relevant DPA provided that: (i) such information relates to compliance with the Standards; (ii) the information does not contain any commercially sensitive information about or belonging to Linklaters LLP, any other Linklaters BCR Group Entity, or any of their respective clients; (iii) the information does not contain any confidential information about or belonging to a third party; (iv) the information is not subject to the law of privilege; and (v) disclosure of the information would not be contrary to Applicable Law. For the avoidance of doubt, nothing in Section 14 above shall prevent a Linklaters BCR Group Entity from separating out the information in order to comply fully with the requirements of this Clause.

15. Co-operation with EU Data Protection Authorities

Each Linklaters BCR Group Entity in a Relevant EEA Country shall respond to all reasonable requests for information from the relevant DPA in that Relevant EEA Country which properly fall within that DPA’s ambit, to the extent that such requests are consistent with Applicable Law, regulations, professional standards and due process.

Each Linklaters BCR Group Entity in a Relevant EEA Country shall respect the decisions of the relevant DPA in that Relevant EEA Country relating to the interpretation and application of the Standards to the extent consistent with Applicable Law, regulations, professional standards and due process and without waiving any defences and/or rights of appeal available to that Linklaters BCR Group Entity.

16. Rights to enforce the Standards and rights of redress

Data Subjects who believe that there has or may have been a breach of these Standards have the right to seek enforcement of the Standards and/or appropriate compensation for any damage arising from the breach. The right to seek enforcement and/or claim compensation is exercisable as a third-party beneficiary right and relates solely to the standards set out in the following clauses (referred to in these Standards as the “Enforceable Rights”):

The remedies available to Data Subjects for any breach of the Enforceable Rights are set out below.

Individuals may raise a complaint in relation to any breach of the Enforceable Rights under these Standards through Linklaters LLP’s Global Data Protection Complaints Procedure which is available on Linklaters LLP’s website and intranet. Linklaters LLP has executed a Deed Poll as part of the process of implementing the BCR. As also set out in Linklaters LLP’s Global Data Protection Complaints Procedure, Data Subjects exercising their rights under the BCR shall be entitled to receive a copy of the Deed Poll, on request, on a confidential basis. For the avoidance of doubt, disclosure of the Deed Poll to a Data Subject’s legal representative will not be considered a breach of confidentiality. Further information regarding the Global Data Protection Complaints Procedure is available from the Global Head of Law & Compliance, whose contact details are set out in Section 4 (Access to the Standards). A Data Subject may raise his or her concerns with a DPA without having to go through Linklaters LLP’s Global Data Protection Complaints Procedure first.

A Data Subject may raise a complaint with a DPA if the Data Subject considers that any of the Enforceable Rights have been breached. A Data Subject may raise their complaint either in:

  • the Member State of his or her habitual residence;
  • the Member State of his or her place of work; or
  • the place of the alleged infringement.

Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a DPA, a Data Subject also has the right to an effective judicial remedy where they consider that the Enforceable Rights have been infringed.

A Data Subject may bring proceedings against Linklaters LLP in relation to the Enforceable Rights either in:

  • the courts of the jurisdiction where the relevant Linklaters BCR Group Entity that is alleged to have breached the Enforceable Rights is established; or
  • the courts of the Member State where the Data Subject has his or her habitual residence.

If there is a breach of any of the Enforceable Rights by a Linklaters BCR Group Entity in a Non-EEA Country (a “Non-EEA Entity”) a Data Subject may bring proceedings against Linklaters LLP in relation to the Enforceable Rights either in:

  • the courts of the EEA jurisdiction from where the relevant Linklaters BCR Group Entity exported the Personal Data; or
  • the courts of the EEA jurisdiction where Linklaters LLP has its EEA headquarters or where it has designated its Lead Supervisory Authority. A court chosen pursuant to this and the previous paragraph, being the “Selected Jurisdiction”.

The governing law of any claim brought by a Data Subject pursuant to the previous two paragraphs shall be the laws of England and Wales.

If a Data Subject claims that a breach of the Enforceable Rights has been committed by a Non-EEA Entity, Linklaters LLP shall be exempt from liability in whole or part if it proves that the Non-EEA Entity is not responsible for the event giving rise to the damage. If it is held that a breach of the Enforceable Rights has occurred, it shall be the responsibility of the Data Subject who brought the claim to prove that they incurred damage as a result of such breach and to prove the amount of such damage.

To the maximum extent permitted by Applicable Laws, Linklaters LLP shall not be liable to a Data Subject for:

  • punitive or exemplary damages (i.e. damages intended to punish a party for its conduct, rather than to compensate the victim of such conduct); or
  • indirect loss, consequential loss or special damages, howsoever caused.

If a Data Subject brings a claim for compensation for breach of the Enforceable Rights (an "Enforceable Rights Claim"), to the extent permissible under Applicable Laws, the following limits on liability shall apply:

  • where the Data Subject or the Data Subject's employer has a contract with the Firm (including with any member of the Firm) which contains limits on the Firm's liability ("Limits on Liability"), all Enforceable Rights Claims shall be subject to those Limits on Liability such that:
    • (a) any compensation for breach of that Data Subject’s Enforceable Rights shall be counted, together with all other compensation to which the Limits on Liability are expressed to apply (including under this section), towards any aggregate amounts that constitute such Limits on Liability; and
    • (b) Linklaters LLP shall not be liable to a Data Subject pursuant to these Standards for any damage in excess of the Limits on Liability; and
  • compensation payable by Linklaters LLP to a Data Subject for Enforceable Rights Claims shall in no event exceed £100,000 (one hundred thousand sterling pounds) in aggregate; provided in all cases that if more than one of the caps set out above is applicable, the lower cap will apply.

In any event, Linklaters LLP shall only be liable for damages which have been: (i) agreed by Linklaters LLP under a settlement or compromise agreement with the relevant Data Subject; or (ii) awarded against Linklaters LLP by a non-appealable judgment, order, or by any other legal award of a court or tribunal with valid jurisdiction.

17. Conflicts

If a Linklaters BCR Group Entity has reason to believe that any Applicable Law prevents it from complying with the Standards and may have a substantial effect on the protections provided by the Standards, that Linklaters BCR Group Entity will promptly inform the Global Head of Law & Compliance (whose contact details are set out in Section 4 (Access to the Standards)) (except where prohibited by a law enforcement authority, such as prohibition under criminal law to preserve the confidentiality of a law enforcement investigation). Linklaters LLP will make a decision on how to proceed and will consult the relevant DPA in cases of doubt.

Where a Linklaters BCR Group Entity is subject to any legal requirement in a third country (for example, any legally binding request for disclosure of the Personal Data by a law enforcement authority or state security body) which is likely to have a substantial adverse effect on the guarantees provided by the Standards, Linklaters LLP will make a decision on how to proceed and will report the problem to the relevant DPA, providing details about the request, including information about the Personal Data requested, the requesting body, and the legal basis for the disclosure (unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation).

If the relevant Linklaters BCR Group Entity is prohibited from making such notification to the relevant DPA, the relevant Linklaters BCR Group Entity will use its best efforts to obtain the right to waive the prohibition in order to communicate as much information as it can as soon as possible to that DPA. The relevant Linklaters BCR Group Entity will maintain evidence in order to demonstrate that it sought to obtain the right to waive the prohibition.

In the event that, despite using its best efforts, the relevant Linklaters BCR Group Entity is still unable to notify the relevant DPA of any legally binding request for disclosure of the Personal Data by a law enforcement authority or state security body, or similar requests, Linklaters LLP will provide to that DPA on an annual basis, general information on the requests it received (for example the number of applications for disclosure, type of data requested, and requester if possible).

Linklaters LLP shall notify the relevant DPAs in accordance with Section 18 (Updating and Reviewing the Standards) if Linklaters LLP determines that a change is required to the Standards to address the issue.

If any Applicable Law requires a higher level of protection for Personal Data than that set out in these Standards, the relevant Applicable Law will take precedence over these Standards in respect of that aspect of the Standards.

No Linklaters BCR Group Entity shall be responsible for a breach of the Standards, to the extent compliance with the Standards is prevented by Applicable Laws.

18. Updating and Reviewing the Standards

Linklaters LLP reserves the right to amend the Standards (including, without limitation, the addition of new Linklaters BCR Group Entity). Any substantive changes to these Standards shall be reported to each Linklaters BCR Group Entity in a Relevant EEA Country and to the relevant DPAs as soon as practicable and within three months of the amendment or variation. Any other non-substantive amendments to these Standards shall be reported to each Linklaters BCR Group Entity in a Relevant EEA Country and to the relevant DPAs on an annual basis.

These Standards will be reviewed and updated as deemed necessary at least annually to ensure they continue to be accurate and relevant. Any amendments to these Standards will be posted on Linklaters LLP’s website and intranet.

 

Schedule 1 - Data Processing Activities covered by these Standards
   
Data Transfers covered by these Standards

1. In the context of its global practice, the Firm operates as a boundless firm and therefore Personal Data may be transferred between any of the Linklaters BCR Group Entities worldwide. The majority of the Firm’s processing in the EU is carried out at the two UK-based data processing centres (UK1 and UK2), which service the Firm’s offices in Europe. It is therefore likely that the bulk of data transfers out of the EEA will originate in the UK and be transferred to the Firm’s remaining data centre in Hong Kong, which services the Asia region.

2. The Firm’s disaster recovery system necessitates additional replication between data centres to ensure data availability in the event of a data centre failure. Replication for key business systems such as email and the Firm’s document management system is as follows:

  • UK1 replicated to UK2;
  • UK2 replicated to UK1; and
  • Hong Kong replicated to UK2.
The nature and categories of Personal Data covered by these Standards

1. The following categories of Personal Data are transferred by a Linklaters BCR Group Entity. Personal Data may also include Special Data:

  • human resources-related data;
  • client-related data (predominantly contact details of individuals within client organisations); and
  • other business-related data (e.g. contact details of third party suppliers).

2. The nature of the Personal Data transferred by a Linklaters BCR Group Entity is as follows:

  • personnel and partner Personal Data;
  • client Personal Data;
  • third-party (e.g. supplier and prospective client) Personal Data;
  • sound and/or visual images; and
  • marketing data. 
Type of Processing and the purpose for the Processing covered by these Standards

Personal Data covered by the Standards is processed and transferred for the following core purposes:

  • 1. administration of employees, and other activities of the Human Resources Team;
  • 2. provision of legal services;
  • 3. billing and accounts;
  • 4. databank administration;
  • 5. licensing and registration under Applicable Laws (for instance, maintaining practicing certificates);
  • 6. maintaining information required for the prevention and/or prosecution of offenders and/or the prevention and detection of crime including fraud prevention and anti-money laundering;
  • 7. maintaining client information and records of business relationships; and
  • 8. maintaining information used in advertising and for public relations.

Whilst the Firm does not routinely process Special Data, the following Special Data are covered by the Standards and transferred for the following core purposes:

  • 1. racial or ethnic origin for diversity monitoring;
  • 2. criminal convictions for the prevention and detection of crime;
  • 3. religious or philosophical beliefs for diversity monitoring;
  • 4. physical or mental health conditions (including from accidents) for compliance with employment obligations and obligations towards the Firm’s insurers; and
  • 5. sexual lifestyles or sexual orientation for diversity monitoring.
Categories of Data Subjects covered by these Standards
    • 1. personnel (including prospective personnel)
    • 2. partners
    • 3. members of the public
    • 4. clients (and prospective clients)
    • 5. other business-related contacts for example suppliers
    Identification of Recipients in Third Countries covered by these Standards   Please see Schedule 2 (Linklaters BCR Group Entities) for details of transfers to Linklaters BCR Group Entities in Non-EU Countries.
     

     

    Schedule 2 - Linklaters BCR Group Entities

    Please use the links below to download the detailed information about Linklaters BCR Group Entities.