UK Data Protection Standards
Last updated: 23 February 2022
1. Scope and Purpose
2. Definitions and Interpretation
3. Access to the UK Standards
4. UK Standards Infrastructure
5. Processing Principles
6. The Accountability Principle
7. The Legal Basis for Processing Personal Data, Special Data or Personal Data relating to criminal convictions and offences
8. Rights of Individuals
9. Security
10. Internal Processing of Personal Data
11. Third Party Processing of Personal Data
12. Marketing
13. Compliance Audit
14. Co-operation with the Information Commissioner
15. Rights to enforce the UK Standards and rights of redress
16. Conflicts
17. Updating and Reviewing the UK Standards
Schedule 1. Data Processing Activities covered by these UK Standards
Schedule 2. Linklaters BCR Group Entities
1. Scope and Purpose
1.1 These standards (“UK Standards”) define the standards applicable to the Linklaters BCR Group Entities in relation to Personal Data:
- that is Processed by any of the Linklaters BCR Group Entities; and
- the Processing of which is subject to regulation by legislation implementing the UK GDPR.
1.2 The UK Standards apply only to:
- the Processing of Personal Data by a Linklaters Controller in the United Kingdom (“UK”);
- the Processing of Personal Data in the UK by a Linklaters Controller located outside of the UK;
- any transfer of Personal Data out of the UK by one of the Linklaters BCR Group Entities to another; and
- any Processing or onward transfer of Personal Data (which was previously subject to a transfer described above) by one Linklaters BCR Group Entity to another Linklaters BCR Group Entity that is outside of the UK.
1.3 The different types of Personal Data and the purposes for which, and the manner in which, they are Processed can be found in Schedule 1 (Data Processing Activities covered by these UK Standards).
1.4 These UK Standards, together with the declaration made by the UK Deed Poll, the data protection training provided to all BCR Group Entity staff on an annual basis and the BCR Group Entity Policies and Procedures demonstrate a commitment by the Linklaters BCR Group Entities to (where applicable) be bound by and to respect these UK Standards. All BCR Group Entity staff are contractually required to comply with these UK Standards (where applicable as outlined above) and all BCR Group Entity Policies and Procedures. Failure to comply is a disciplinary matter, which will result in disciplinary action being taken against relevant employees.
1.5 These UK Standards have been adopted by the Firm in addition to the global data protection standards that have been adopted as part of the Firm’s global binding corporate rules for the purposes of the EU General Data Protection Regulation (2016/679) (the “Global Standards”) which each Linklaters BCR Group Entity must comply with unless Applicable Law dictates otherwise or requires a higher standard for protection of Personal Data. The UK Standards apply only in the circumstances outlined in 1.2 above and do not supersede, replace or otherwise amend the Global Standards.
2. Definitions and Interpretation
2.1 Definitions
In these UK Standards the following terms and expressions have the meanings set out below save that if there is any conflict, apparent conflict or ambiguity in any of the terms set out below or any terms that are not defined in these UK Standards, such terms shall be interpreted in accordance with the UK GDPR:
“Applicable Law” means any applicable law, rule or regulation, whether or not having the force of law, but if not having the force of law only if persons to whom any such law, rule or regulation is intended to apply, generally comply with it;
“BCR Group Entity Policies and Procedures” means the following policies and procedures:
- Global Standards for Processing Personal Data
- UK Standards for Processing Personal Data
- Global Internal Privacy Policy
- Global IT Policy
- Information Security Policy
- Global Individuals Rights Policy
- Global Data Breach Policy
- Data Protection Impact Assessment Policy;
“Controller”, “Data Subject”, “Personal Data”, “Process”, “Processing”, “Processor”, “Recipient”, “Special Data” and “Third Countries” each has the meaning given to such term in the UK GDPR;
“Entity” means either a branch, local partnership or service entity within the Linklaters BCR Group Entities;
“Information Commissioner” means the UK’s Information Commissioner;
“Individual” has the meaning given to the term “Data Subject”;
“Linklaters BCR Group Entities” (also referred to together as the “Firm”) means the entities set out in the tables in Parts 1 and 2 of Schedule 2 (Linklaters BCR Group Entities), comprising all entities controlled by Linklaters LLP which are based in the UK and Third Countries and which are bound by the Firm’s UK binding corporate rules (“BCR”), as updated from time to time by Linklaters LLP;
“Linklaters Controller” means a Controller that is a Linklaters BCR Group Entity;
“Linklaters LLP” means the limited liability partnership established under English law whose registered office is at One Silk Street, London EC2Y 8HQ;
“Partners” means members (or employees or consultants with equivalent status and qualifications) of a Linklaters BCR Group Entity;
“Personnel” means individuals employed by a Linklaters BCR Group Entity or consultants acting on behalf of, or embedded in, a Linklaters BCR Group Entity;
“UK Deed Poll” means the deed poll entered into in connection with these UK Standards by Linklaters LLP in December 2020, as amended and/or restated from time to time; and
“UK GDPR” means the UK General Data Protection Regulation brought into force by virtue of Schedule 1 of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
2.2 Interpretation
References to a statute or statutory provision include:
- that statute or provision as from time to time modified, re-enacted or consolidated, whether before or after the date of these UK Standards;
- any past statute or statutory provision (as from time to time modified, re- enacted or consolidated) which that statute or provision has directly or indirectly replaced; and
- any subordinate legislation made from time to time under that statute or statutory provision which is in force at the date of these UK Standards.
References to:
- a “person” includes any company, partnership or unincorporated association (whether or not having separate legal personality); and
- a “company” shall include any company, corporation or any body corporate, wherever incorporated.
References to one gender include all genders and references to the singular include the plural and vice versa.
References to the “control” which Linklaters LLP has of any relevant Linklaters BCR Group Entity, include the effective control exercised by Linklaters LLP by virtue of: (i) any (direct/indirect) shareholding or other partnership or ownership interest held by Linklaters LLP (or any individual(s) or entity(ies) on behalf of (or on trust for) Linklaters LLP) in the relevant Linklaters BCR Group Entity, or (ii) members of Linklaters LLP, who have fiduciary duties to act in the best interests of Linklaters LLP, and whose welfare, career development and discipline is the responsibility of the Senior Partner of Linklaters LLP, acting as directors, members or partners of the relevant Linklaters BCR Group Entity with power to control or manage its business, and “controlled” shall be interpreted accordingly.
3. Access to the UK Standards
Linklaters LLP
25 Rue de Marignan
Paris
75008
4. UK Standards Infrastructure
4.1 Linklaters LLP will ensure that adequate resource is provided to maintain compliance with the UK Standards. This includes but is not limited to ensuring appropriate senior management responsibility and oversight of the UK Standards.
4.2 Whilst Linklaters LLP is not required to designate a data protection officer under the UK GDPR, Linklaters LLP has designated responsibility for overseeing compliance with the UK Standards to the Global Head of Regulatory Compliance. The key tasks of the Global Head of Regulatory Compliance are as follows:
- supporting the network of data protection champions and locally appointed data protection officers within the Linklaters BCR Group Entities, where required, to ensure compliance with data protection laws and to oversee compliance with the Global Standards and these UK Standards;
- ensuring that those who have permanent or regular access to Personal Data, or that are involved in the Processing of Personal Data, or in the development of tools used to Process Personal Data, are trained and informed of their rights and responsibilities in respect of the Global Standards and these UK Standards;
- ensuring that the Global Standards and these UK Standards will be incorporated into policies applicable to all Linklaters BCR Group Entities;
- reporting all relevant matters relating to the Processing of Personal Data to the Linklaters LLP’s Risk Committee;
- preparing and/or contributing to Linklaters LLP’s Risk Committee reports;
- acting as the point of contact for all data protection authorities in relation to any investigations or enquiries relating to the Processing of Personal Data; and
- taking responsibility for local complaints from Data Subjects.
4.3 To ensure that all relevant staff understand the requirements imposed by the Global Standards and these UK Standards, all personnel (including temporary staff and contractors) who have access to Personal Data, who are involved in the collection of Personal Data or who are involved in the development of tools used to process Personal Data are required to complete training on the obligations set out in the Global Standards and these UK Standards. Training is undertaken on induction and completion of refresher training is mandatory on an annual basis.
4.4 A network of data protection champions supports the Global Head of Law and Compliance with the implementation, monitoring and enforcement of the Global Standards and these UK Standards. The data protection champions are spread across different business functions and different geographic locations. In Germany Linklaters also has a locally appointed Data Protection Officer. An overview of the network of data protection champions is set out below:
5. Processing Principles
Unless otherwise dictated by Applicable Law, when acting as a Controller, a Linklaters BCR Group Entity shall observe the following principles when Processing Personal Data.
5.1 Lawfulness, fairness and transparency
Personal Data will be Processed lawfully, fairly and in a transparent manner in relation to the Data Subject. Personal Data will not be Processed unless one of the following legal bases for Processing is met:
- The Data Subject has given consent to the Processing.
- The Processing is necessary for performance of a contract with the Data Subject or to take steps at the request of the Data Subject prior to entering into a contract.
- The Processing is necessary for compliance with a legal obligation to which a Linklaters BCR Group Entity is subject.
- The Processing is necessary to protect the vital interests of the Data Subject or another natural person.
- The Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in a Linklaters BCR Group Entity.
- The Processing is necessary for the purposes of the legitimate interests pursued by a Linklaters BCR Group Entity or by a third party and those interests are not overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data.
5.2 Purpose limitation
Personal Data will be collected for specified, explicit and legitimate purposes and not further Processed in a manner that is incompatible with those purposes.
5.3 Data minimisation
Personal Data will be adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed.
5.4 Accuracy
Personal Data will be accurate and, where necessary, kept up to date; every reasonable step will be taken to ensure that Personal Data which is inaccurate, having regard to the purposes for which it is Processed, is erased or rectified without delay.
5.5 Storage limitation
Personal Data will be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the
Personal Data is Processed.
5.6 Integrity and confidentiality
Personal Data will be Processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
5.7 Transfers of Personal Data outside of the UK
A Linklaters BCR Group Entity will not transfer Personal Data outside of the UK to any Controller or Processor which is not a Linklaters BCR Group Entity unless such transfers comply with the requirements of the UK GDPR. A Linklaters BCR Group Entity will not transfer Personal Data outside of the UK to a Linklaters BCR Group Entity, unless and until the Linklaters BCR Group Entity outside of the UK receiving the Personal Data has taken all necessary steps to ensure compliance with these UK Standards through the provision of training on the UK Standards to all relevant personnel and through commitment from senior management to comply with the UK Standards.
5.8 Accountability
When acting as a Controller, a Linklaters BCR Group Entity will maintain appropriate documentary evidence in order to demonstrate compliance with the UK GDPR and these UK Standards. Details of how the Firm complies with the accountability principle are set out in Clause 6 (The Accountability Principle).
6. The Accountability Principle
Each Linklaters BCR Group Entity will ensure that it maintains evidence of compliance with these UK Standards in the following ways:
6.1 Linklaters LLP maintains a central record of Processing activities in accordance with, inter alia, the UK GDPR. The record includes details of the Processing activities of each Linklaters BCR Group Entity, including the contact details of each Linklaters BCR Group Entity, the purposes of the Processing, the categories of Data Subjects and Personal Data, the categories of recipients with whom Personal Data is shared, transfers of Personal Data to third countries, data retention periods and technical and organisational security measures in place to protect the Personal Data. Each Linklaters BCR Group Entity is responsible for keeping their section of the record up to date. Access to relevant sections of the record will be made available upon request by the Information Commissioner;
6.2 Where the Processing of Personal Data is likely to result in a high risk to the rights and freedoms of Data Subjects, prior to Processing the Personal Data, the relevant Linklaters BCR Group Entity will undertake a data protection impact assessment in accordance with Linklaters LLP’s Global Data Protection Impact Assessment Policy and associated documents; and
6.3 Linklaters LLP has a number of global data protection policies and associated documents to govern how the Linklaters BCR Group Entities Process Personal Data to ensure that all reasonable technical and organisational measures are in place in order to comply with, inter alia, the UK GDPR. Compliance with these policies is monitored in accordance with, inter alia, Clause 14 (Co-operation with the Information Commissioner) of these UK Standards.
7. The Legal Basis for Processing Personal Data, Special Data or Personal Data relating to criminal convictions and offences
In addition to complying with the Processing principles set out in Clause 5 (Processing Principles) of these UK Standards, each Linklaters BCR Group Entity will:
- comply with any additional legal steps required by Applicable Laws in the UK when processing Special Data and/or Personal Data relating to criminal convictions and offences;
- only Process Personal Data, Special Data and Personal Data relating to criminal convictions and offences if the Processing undertaken is in accordance with the legal basis for Processing as set out in the UK GDPR or under Applicable Law. In relation to Special Data, the conditions which permit Processing of Special Data include where the Data Subject has given their explicit consent to the Processing, where the Processing is necessary in connection with employment law obligations or exercise of employment law rights, where the Processing is necessary for the establishment, exercise or defence of legal claims and where the Processing is necessary for reasons of substantial public interest and is permitted by UK law (please note that this is not an exhaustive list of the conditions under which Processing of Special Data is permitted); and
- ensure the Processing is documented in Linklaters LLP’s central record of Processing activities, in which the legal basis for Processing Personal Data, Special Data and Personal Data relating to criminal convictions and offences is identified.
8. Rights of Individuals
8.1 It is the Firm's policy to respect the rights of Data Subjects and the Firm will act promptly and where applicable in accordance with the UK GDPR and Applicable Laws should any of these rights be exercised. A Data Subject may exercise any of their rights under these UK Standards at any time free of charge using the contact details set out in Clause 3 (Access to the UK Standards) of these UK Standards.
8.2 In relation to the right to be informed set out below in these UK Standards, information will be provided to Data Subjects as set out in the timeframes in that Clause. In relation to all other rights, a Linklaters BCR Group Entity will respond without undue delay and in any event within one calendar month. In exceptional cases this one calendar month period may be extended by two further calendar months if the request is particularly complex and involves a large number of requests. If a Linklaters BCR Group Entity wishes to make use of this extension, a Linklaters BCR Group Entity will inform the individual within the initial one calendar month period with the reasons for the delay.
8.3 When it is relevant to the Processing undertaken by a Linklaters BCR Group Entity, a Linklaters BCR Group Entity will observe the rights of individuals and will comply with Linklaters LLP’s Global Individuals’ Rights Policy and associated documents. Details of the rights of individuals are set out below:
Right to be informed about how Personal Data is used
Data Subjects have a right to be informed about how a Linklaters BCR Group Entity will use and share their Personal Data and to be informed about categories of recipients with whom their information will be shared and details of transfers of Personal Data to third countries. This explanation is provided to Data Subjects in a concise, transparent, intelligible and easily accessible format. A Linklaters BCR Group Entity ensures that it provides privacy notices to Data Subjects at the point where the relevant Linklaters BCR Group Entity collects Personal Data from them if collecting Personal Data directly. If a Linklaters BCR Group Entity does not collect the Personal Data directly from a Data Subject, the information will be provided to Data Subjects within one calendar month or, if earlier, at the point of first contact with the Data Subject or before Personal Data is disclosed to a third party. Privacy notices are written in clear and plain language and are provided free of charge.
Right to access Personal Data
Data Subjects have a right to obtain confirmation of whether a Linklaters BCR Group Entity is Processing their Personal Data, access to their Personal Data and information regarding how their Personal Data is being used by a Linklaters BCR Group Entity.
Right to have inaccurate Personal Data rectified
Data Subjects have a right to have any inaccurate or incomplete Personal Data rectified. If a Linklaters BCR Group Entity has disclosed the relevant Personal Data to any third parties, a Linklaters BCR Group Entity will take reasonable steps to inform those third parties of the rectification where possible.
Right to have Personal Data erased in certain circumstances
Data Subjects have a right to request that certain Personal Data held by a Linklaters BCR Group Entity is erased. This is also known as the right to be forgotten. This is not a blanket right to require all Personal Data to be deleted. A Linklaters BCR Group Entity will consider each request carefully in accordance with the requirements of, where applicable, the UK GDPR and Applicable Law.
Right to restrict processing of Personal Data in certain circumstances
Data Subjects have a right to block the Processing of their Personal Data in certain circumstances. This right arises in any of the following circumstances, if a Data Subject is disputing the accuracy of Personal Data, if a Data Subject has raised an objection to processing, if processing of Personal Data is unlawful and the Data Subject opposes erasure and requests restriction instead or if the Personal Data is no longer required by the relevant Linklaters BCR Group Entity but the Data Subject requires the Personal Data to be retained to establish, exercise or defend a legal claim.
Right to data portability
In certain circumstances, Data Subjects can request to receive a copy of their Personal Data in a commonly used electronic format. This right only applies to Personal Data that Data Subjects have provided to a Linklaters BCR Group Entity (for example by completing a form or providing information through a website). Information about a Data Subject which has been gathered by monitoring their behaviour will also be subject to the right to data portability. The right to data portability only applies if the Processing is based on the Data Subject’s consent or if the Personal Data must be processed for the performance of a contract and the Processing is carried out by automated means (i.e. electronically).
Right to object to Processing of Personal Data in certain circumstances, including where Personal Data is used for marketing purposes
Data Subjects have a right to object to Processing being carried out by a Linklaters BCR Group Entity if a Linklaters BCR Group Entity is Processing Personal Data based on legitimate interests or for the performance of a task in the public interest (including profiling), if a Linklaters BCR Group Entity is using Personal Data for direct marketing purposes, or if information is being processed for scientific or historical research or statistical purposes. Data Subjects will be informed that they have a right to object at the point of data collection and the right to object will be explicitly brought to the attention of the Data Subject and be presented clearly and separately from any other information.
Right not to be subject to automated decisions, including profiling, where the decision produces a legal effect or a similarly significant effect
Data Subjects have a right not to be subject to a decision which is based on automated processing, including profiling, where the decision will produce a legal effect or a similarly significant effect on the Data Subject.
9. Security
9.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, each Linklaters BCR Group Entity will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of Processing, including inter alia as appropriate:
- the pseudonymisation and encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.
9.2 All Linklaters BCR Group Entities will comply with Linklaters LLP’s Global Information Security Policy, Global IT Policy and associated documents. In addition, the Global Internal Privacy Policy requires all staff to solely process Personal Data in accordance with the instructions of the relevant Linklaters Controller.
10. Internal Processing of Personal Data
Linklaters LLP will procure that all Linklaters BCR Group Entities which Process Personal Data will follow the instructions of the relevant Linklaters Controller and will be bound by such instructions.
11. Third Party Processing of Personal Data
11.1 Before a Linklaters BCR Group Entity transfers Personal Data to a third party in furtherance of an outsourcing or other data processing arrangement or uses the services of a third party to Process Personal Data on its own behalf, it shall ensure that (where applicable) it complies with this Clause.
11.2 A Linklaters BCR Group Entity will:
- carry out pre-contractual due diligence checks on Processors to ensure that they are compliant with applicable requirements under the UK GDPR and only use Processors that provide sufficient guarantees to implement appropriate measures to ensure that the requirements of the UK GDPR and the rights of Data Subjects are met;
- ensure, arrangements with Processors are documented in a written contract and that contract includes as a minimum the mandatory clauses as set out in Article 28 of the UK GDPR and provisions relating to breach notification; and
- ensure that appropriate procedures are put in place to carry out due diligence on Processors to check that they continue to have adequate measures in place to enable compliance with the UK GDPR.
11.3 All Linklaters BCR Group Entities will ensure that third party Controllers and Processors to whom Personal Data is transferred afford a similar level of protection for that Personal Data as the Linklaters BCR Group Entity.
12. Marketing
13. Compliance Audit
- provide details of any relevant audit(s) in relation to Personal Data Processed under these UK Standards (in so far as the relevant audit(s) relate to compliance with the UK Standards), to the Information Commissioner, upon request from the Information Commissioner;
- permit the Information Commissioner to audit that Linklaters BCR Group Entity in order that the Information Commissioner may obtain the information necessary to demonstrate that Linklaters BCR Group Entity’s compliance (where applicable) with the UK Standards; and
- use reasonable endeavours to comply with requests from the Information Commissioner, acting reasonably and in the proper performance of its duties, in connection with the audit of the UK Standards, to the extent that any such requests are consistent with all Applicable Laws, regulations, professional standards and due process, without waiving any defences and/or rights of appeal available to that relevant Linklaters BCR Group Entity.
14. Co-operation with the Information Commissioner
14.1 Each Linklaters BCR Group Entity shall respond to all requests for information from the Information Commissioner on any issue related to these UK Standards, to the extent that such requests are consistent with Applicable Law, regulations, professional standards and due process.
14.2 Each Linklaters BCR Group Entity shall respect the decisions and advice of the Information Commissioner relating to the interpretation and application of the UK Standards to the extent consistent with Applicable Law, regulations, professional standards and due process and without waiving any defences and/or rights of appeal available to that Linklaters BCR Group Entity.
15. Rights to enforce the UK Standards and rights of redress
15.1 Data Subjects who believe that there has or may have been a breach of these UK Standards have the right to seek enforcement of the UK Standards and/or appropriate compensation for any damage arising from the breach. The right to seek enforcement and/or claim compensation is exercisable as a third-party beneficiary right and relates solely to the standards set out in the following clauses of these UK Standards (referred to in these UK Standards as the “Enforceable Rights”):
- Clause 3 (Access to the UK Standards) and Clause 4 (UK Standards Infrastructure);
- Clause 5 (Processing Principles);
- Clause 6 (The Accountability Principle);
- Clause 7 (The Legal Basis for Processing Personal Data, Special Data or Personal Data relating to criminal convictions and offences);
- Clause 8 (Rights of Individuals);
- Clause 9 (Security);
- Clause 10 (Internal Processing of Personal Data);
- Clause 11 (Third Party Processing of Personal Data);
- Clause 12 (Marketing);
- Clause 13 (Special Data and Personal Data relating to criminal convictions and offences);
- Clause 14 (Co-Operation with the Information Commissioner);
- Clause 15 (Rights of Redress); and
- Clause 16 (Conflicts).
15.2 The remedies available to Data Subjects for any breach of the Enforceable Rights are set out in Clause 15.3, Clause 15.4 and Clause 15.5 below.
15.3 Individuals may raise a complaint in relation to any breach of the Enforceable Rights under these UK Standards through Linklaters LLP’s Global Data Protection Complaints Procedure which is available on Linklaters LLP’s website and intranet. The Global Data Protection Complaints Procedure enables individuals to raise complaints in writing or by calling the telephone number set out in the Global Data Protection Complaints Procedure. Linklaters LLP has executed the UK Deed Poll as part of the process of implementing these UK Standards. As also set out in Linklaters LLP’s Global Data Protection Complaints Procedure, Data Subjects exercising their rights under the UK Standards shall be entitled to receive a copy of the UK Deed Poll, on request, on a confidential basis. For the avoidance of doubt, disclosure of the UK Deed Poll to a Data Subject’s legal representative will not be considered a breach of confidentiality. Further information regarding the Global Data Protection Complaints Procedure is available from the Global Head of Regulatory Compliance, whose contact details are set out in Clause 3 (Access to the UK Standards). A Data Subject may raise his or her concerns with the Information Commissioner or make a claim in court without having to go through Linklaters LLP’s Global Data Protection Complaints Procedure first.
15.4 A Data Subject may raise a complaint with the Information Commissioner if the Data Subject considers that any of the Enforceable Rights under these UK Standards have been breached.
15.5 Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with the Information Commissioner, a Data Subject also has the right to an effective judicial remedy where they consider that the Enforceable Rights under these UK Standards have been infringed.
15.6 A Data Subject may bring proceedings against Linklaters LLP in relation to the Enforceable Rights in the UK courts.
15.7 Linklaters LLP is established in the UK. Linklaters LLP accepts liability for any breaches of the UK Standards by a Linklaters BCR Group Entity that is not established in the UK. As such, Linklaters LLP accepts responsibility for and agrees to take the necessary action to remedy the acts of Non-UK entities which are in breach of the Enforceable Rights under these UK Standards and to pay any compensation due to a Data Subject for any material or non-material damages resulting from a breach of the Enforceable Rights by Linklaters BCR Group Entities. If a Data Subject claims that a breach of the Enforceable Rights has been committed by a Non-UK Entity, Linklaters LLP shall be exempt from liability in whole or part if it proves that the Non-UK Entity is not responsible for the event giving rise to the damage. If it is held that a breach of the Enforceable Rights has occurred, it shall be the responsibility of the Data Subject who brought the claim to prove that they incurred damage (whether that be material or non-material damage) as a result of such breach and to prove the amount of any material damage.
15.8 To the maximum extent permitted by Applicable Laws, Linklaters LLP shall not be liable to a Data Subject for:
- punitive or exemplary damages (i.e. damages intended to punish a party for its conduct, rather than to compensate the victim of such conduct); or
- indirect loss, consequential loss or special damages, howsoever caused,
provided that this shall not prevent a Data Subject from bringing a claim for non-material damage that arises directly as a result of a breach of the Enforceable Rights where such damage is a reasonably foreseeable consequence of the relevant breach.
15.9 In any event, Linklaters LLP shall only be liable for damages which have been: (i) agreed by Linklaters LLP with the relevant Data Subject; or (ii) awarded against Linklaters LLP by a judgment, order, or by any other legal award of a court or tribunal with valid jurisdiction.
16. Conflicts
16.1 If a Linklaters BCR Group Entity has reason to believe that any Applicable Law prevents it from complying with the UK Standards and may have a substantial effect on the protections provided by the UK Standards, that Linklaters BCR Group Entity will promptly inform the Global Head of Regulatory Compliance (whose contact details are set out in Clause 3 (Access to the UK Standards)) (except where prohibited by a law enforcement authority, such as prohibition under criminal law to preserve the confidentiality of a law enforcement investigation). Linklaters LLP will make a decision on how to proceed and will consult the Information Commissioner in cases of doubt.
16.2 Where a Linklaters BCR Group Entity is subject to any legal requirement in a third country (for example, any legally binding request for disclosure of the Personal Data by a law enforcement authority or state security body) which is likely to have a substantial adverse effect on the guarantees provided by the UK Standards, Linklaters LLP will make a decision on how to proceed and will report the problem to the Information Commissioner, providing details about the request, including information about the Personal Data requested, the requesting body, and the legal basis for the disclosure (unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation).
16.3 If a Linklaters BCR Group Entity is prohibited from making such notification to the Information Commissioner, the Linklaters BCR Group Entity will use its best efforts to obtain the right to waive the prohibition in order to communicate as much information as it can as soon as possible to the Information Commissioner. The Linklaters BCR Group Entity will maintain evidence in order to demonstrate that it sought to obtain the right to waive the prohibition.
16.4 In the event that, despite using its best efforts, the Linklaters BCR Group Entity is still unable to notify the Information Commissioner of any legally binding request for disclosure of the Personal Data by a law enforcement authority or state security body, or similar requests, Linklaters LLP will provide to the Information Commissioner on an annual basis, general information on the requests it received (for example the number of applications for disclosure, type of data requested, and requester if possible).
16.5 Notwithstanding the provisions of Clause 16.1 to Clause 16.4 (inclusive), where a Linklaters BCR Group Entity is subject to any legal requirement in a third country (for example, any legally binding request for disclosure of the Personal Data by a public authority, law enforcement authority or state security body) which is likely to have a substantial adverse effect on the guarantees provided by the UK Standards such disclosure will not be massive, disproportionate and indiscriminate in a manner that would go beyond what is necessary in a democratic society.
16.6 Linklaters LLP shall notify the Information Commissioner in accordance with Clause 17 (Updating and Reviewing the UK Standards) if Linklaters LLP determines that a change is required to the UK Standards to address the issue.
16.7 If any Applicable Law requires a higher level of protection for Personal Data than that set out in these UK Standards, the relevant Applicable Law will take precedence over these UK Standards in respect of that aspect of these UK Standards.
16.8 No Linklaters BCR Group Entity shall be responsible for a breach of the UK Standards, to the extent compliance with the UK Standards is prevented by Applicable Laws.
17. Updating and Reviewing the UK Standards
17.1 Linklaters LLP reserves the right to amend the UK Standards (including, without limitation, the addition of new Linklaters BCR Group Entities). Any changes to these UK Standards shall be reported to each Linklaters BCR Group Entity as soon as practicable and within three months of the amendment or variation. Any substantive changes to these UK Standards shall be reported to the Information Commissioner without undue delay. Any other non-substantive amendments to these UK Standards shall be reported to the Information Commissioner on an annual basis.
17.2 These UK Standards will be reviewed and updated as deemed necessary at least annually to ensure they continue to be accurate and relevant. Any amendments to these UK Standards will be posted on Linklaters LLP’s website and intranet.
17.3 Linklaters’ Regulatory Compliance team will be responsible for notifying Linklaters BCR Group Entities and the Information Commissioner of changes to the UK Standards and for ensuring that the UK Standards are reviewed on an annual basis.
Schedule 1. Data Processing Activities covered by these UK standards
| Data Transfers covered by these UK Standards |
1. In the context of its global practice, the Firm operates as a boundless firm and therefore Personal Data may be transferred between any of the Linklaters BCR Group Entities worldwide. The majority of the Firm’s processing of personal data that originates from within the European region (including the UK) is carried out at the two UK-based data processing centres (UK1 and UK2), which service the Firm’s offices in Europe. It is therefore likely that the bulk of data transfers out of the UK will originate from transfers of personal data from the UK based data processing centres to Linklaters BCR Group Entities within the EU. Transfers may also be made from the UK to the Firm’s remaining data centre in Hong Kong, which services the Asia region.
2. The Firm’s disaster recovery system necessitates additional replication between data centres to ensure data availability in the event of a data centre failure. Replication for key business systems such as email and the Firm’s document management system is as follows:
(a) UK1 replicated to UK2; |
| The nature and categories of Personal Data covered by these UK Standards |
1. The following categories of Personal Data are transferred by a Linklaters BCR Group Entity. Personal Data may also include Special Data:
(a) human resources-related data;
2. The nature of the Personal Data transferred by a Linklaters BCR Group Entity is as follows:
(a) personnel and partner Personal Data; |
| Type of Processing and the purpose for the Processing covered by these UK Standards |
Personal Data covered by the UK Standards is processed and transferred for the following core purposes:
1. administration of employees, and other activities of the Human Resources Team;
2. provision of legal services;
3. billing and accounts;
4. databank administration;
5. licensing and registration under Applicable Laws (for instance, maintaining practicing certificates);
6. maintaining information required for the prevention and/or prosecution of offenders and/or the prevention and detection of crime including fraud prevention and anti-money laundering;
7. maintaining client information and records of business relationships; and
8. maintaining information used in advertising and for public relations.
Whilst the Firm does not routinely process Special Data, the following Special Data are covered by the UK Standards and transferred for the following core purposes:
1. racial or ethnic origin for diversity monitoring;
2. criminal convictions for the prevention and detection of crime;
3. religious or philosophical beliefs for diversity monitoring;
4. physical or mental health conditions (including from accidents) for compliance with employment obligations and obligations towards the Firm’s insurers; and
5. sexual lifestyles or sexual orientation for diversity monitoring. |
| Categories of Data Subjects covered by these UK Standards |
1. personnel (including prospective personnel)
2. partners
3. members of the public
4. clients (and prospective clients)
5. other business-related contacts for example suppliers |
| Identification of Recipients in Third Countries covered by these UK Standards |
Please see Schedule 2 (Linklaters BCR Group Entities) Part 1 for details of transfers to Linklaters BCR Group Entities in Third Countries. |