1. About us
Slaughter and May is an international law firm. We are committed to safeguarding the privacy of the personal information that is provided to us or collected by us during the course of our business as well as the personal information we receive from visitors to our Slaughter and May website and any associated websites under our control (together our “Websites”). Slaughter and May is the data controller of any personal information collected by or provided to us in the circumstances described below in section 2.
This Privacy notice explains how we may collect and use any personal information that we obtain about you and your rights in relation to that information. In line with our aim to have a consistent approach to protecting personal data, this is a global policy that we follow in each of our offices. It is based on data protection principles that are set out in the UK and relevant European Union data protection laws. Where we have offices in jurisdictions with significantly different data protection laws it may be that the rights and obligations set out in this Privacy notice do not apply. If you have any questions about how this Privacy notice applies to you or want to make a complaint to us about how we handle your personal information, please contact the firm’s Privacy Partner or your contact at our international offices (details are set out in section 8 below).
We may provide you with additional privacy notices where we believe that it is appropriate to do so. Those additional notices supplement and should be read together with this Privacy notice.
2. The scope of this Privacy notice
This Privacy notice applies in the following circumstances:
- when we conduct open source searches on you in connection with our business development or business acceptance processes;
- when we agree to provide legal services to you or the organisation you work for;
- when you or the organisation you work for are a counterparty of one or more of our clients;
- when you request information from us or provide information to us;
- when you apply for a role or work experience opportunity, open day or insight event with us;
- when you visit our offices and our Websites;
- when you complete application forms on various sections of our Websites;
- if you are one of the firm’s alumni;
- when you attend our seminars or other hosted events (including virtual events organised by us and hosted on third party platforms) and/or register to access our Apps; and
- when you are entered onto our mailing lists to receive publications and other marketing emails (see section 3.2 for further information).
3. What information do we collect about you and how?
3.1 Business development and business acceptance
We collect personal information about prospective clients and their beneficial owners, controllers and/or directors as part of business development initiatives and our business acceptance process. The type of personal information we may collect includes name, address, nationality, business interests, track record and employment history. We obtain this information from you or your employer directly and from publicly available open sources either directly or through a third party.
We may also collect personal information about other individuals who may be, or may be working for, counterparties of our clients or our prospective clients or otherwise involved on matters we may be acting on.
3.2 Legal services and keeping you up to date with relevant marketing and events
The type of personal information that we may collect includes current and historical information including your name and contact details (such as your address, email address and telephone numbers) and identifiers such as your organisation, employment history, professional and business expertise and positions held.
We will also collect personal information you choose to provide to us directly, or, for example, through your use of our Apps or other online services, and information about your other dealings with us and our clients, including contact we have with you in person, by telephone, letter, email or online. This information may include access or dietary requirements which may reveal information about your health or religious beliefs. We obtain personal information from your IP address and the operating systems and web browsers that you use to access our Websites. It enables us to identify which organisations have visited our Websites and we use this information to compile statistical data on the use of those sites to help us to improve the user experience.
We collect personal information directly from you, from our clients or other parties to a matter and their authorised representatives. We may also collect personal information from third parties such as your employer, other organisations that you have dealings with, regulators, government agencies, credit reporting agencies, publicly available records (including electronic data sources to carry out checks to enable us to comply with applicable law), information or service providers (some of whom may process your personal information on our behalf), third party platforms that we engage to host our training and events, recruitment agencies and other law firms or professional advisers. Your personal information may be collected in the firm’s contact database when you register to receive legal updates or we otherwise receive your contact details.
We use a third party service provider to manage the firm’s contact database and deliver emails to inform you about our services, legal developments and updates and invite you to Slaughter and May events (including those we may jointly host with other organisations).
You can control the information you receive through our direct marketing function by using the “Managing your preferences” option at the bottom of the emails. If you no longer wish to receive marketing emails relating to our services by email or post, you can unsubscribe at any time by using the “Unsubscribe” option on the email footer or by contacting [email protected].
If you apply for a role or work experience opportunity, open day or insight event at the firm we will collect personal information directly from you, or from recruitment agencies, recruitment websites and apps or other third parties involved in our recruitment and screening process. The firm’s Recruitment Privacy Notice (“RP Notice”) provides more detailed guidance on how the personal information we collect during our recruitment process is processed by us. The RP Notice is accessible via this link.
3.4 Alumni (including former partners)
If you are a former employee and have joined or wish to join our alumni programme or you are a former partner, we will collect personal information such as your name, contact details, email address, information about your employment with and after the firm and any other information we may have received from you that is relevant to the alumni programme or your position as a former partner.
This information is used to keep in touch with you and help you to engage with the programme. You can provide us with as little or as much information as you wish. Your personal information may be shared, on a need to know basis only, with third parties who help us to organise events to which you may be invited.
4. How we use your information
We will only use your personal information if and to the extent that applicable law allows. We will therefore only process your personal information if:
- it is necessary for the performance of a contract with you or the organisation you work for;
- it is necessary in connection with a legal obligation;
- you have given your consent (where necessary) to such use or the organisation you work for has obtained your consent (where necessary) to share your information with us; or
- we (or a third party) have a legitimate interest which is not overridden by your interests or your rights and freedoms. Such legitimate interests include the provision of legal services, running the firm’s business and marketing relevant services directly to you.
We may use your personal information to:
- consider whether we can pursue certain business development initiatives;
- comply with our legal obligations to identify and verify the identity of our clients and their beneficial owners and to identify and assess the risks of money laundering and terrorist financing which may apply to our business;
- deliver legal services to you and/or the organisation you work for, if you are a client;
- carry out identity and security checks when you visit our offices (including capturing your image on CCTV);
- run the firm’s business (e.g. carry out administrative or operational processes, including recruitment);
- maintain and develop our business relationship with you;
- improve our services and products to you, if you or the organisation you work for are a client or prospective client;
- identify services you may be interested in;
- send you marketing and invite you to events;
- monitor and analyse our business; or
- process and respond to requests, enquiries or complaints received from you.
We will only retain your personal information for as long as is necessary for the purpose for which it was collected, including for the purposes of complying with any legal, regulatory, accounting or reporting requirements. Personal information processed in connection with our business acceptance processes and/or providing legal services will be retained in accordance with the firm’s Retention and destruction policy unless we agree otherwise with you, in writing. If you wish to know more about the firm’s Retention and destruction policy or any of the firm’s different retention periods, please contact [email protected].
5. How and why do we share your personal information?
We may share your personal information with our offices, branches, in-house companies and associated partnerships due to, for example, our shared IT systems and/or cross jurisdictional working on a matter. We use third parties who provide services on our behalf and will share your information with them, for example a technology supplier may have access to your personal information when providing software support, or a company we use for a communications campaign or to host our events may process the personal information of our contacts or attendees for us.
During the course of working with you or the organisation you work for we may use certain third party technology services to assist with our work on the matter. Where these services are integral to our work for you (for example, the use of word processing software provided by Microsoft and due diligence tools provided by Luminance, the AI software solution that we helped to develop), we deploy them as a matter of course. We also use various ancillary services, for example, software that is capable of effecting bulk data transfers or facilitating e-signatures and virtual completions. In addition we make use of third party technology services that are more integral to the work we do, i.e. running the firm’s business. These services include, amongst other things, cloud security systems and subscription application services. The use of these integral and ancillary services may require your personal information to be held in the cloud on infrastructure managed by the relevant service provider.
We may also have to share your personal information with regulators, government and enforcement agencies, courts and other third parties.
To enable us to provide the services set out in this Privacy notice, it is likely that we will transfer your personal information to countries outside the jurisdiction where you provided it or where we collected it, for example information that we collect through cookies or through your completion of our online forms. Therefore, if you are based outside the UK (for example, in the European Economic Area (EEA)), your data may be transferred to the UK and other third countries as set out below.
Your personal information may be accessed by our offices, branches, in-house companies and associated partnerships and third parties in countries whose laws provide varying levels of protection for personal information.
Some of your personal information may be stored in a cloud located within or outside of the UK or the EEA and managed by a third party service provider. In adopting this approach, the confidentiality of your personal information is of key importance to us and we conduct careful due diligence on the security of any third party technology systems we use.
Where we transfer your personal information outside the UK or the EEA we will take reasonable steps to ensure that your information is treated securely and the means of transfer provide adequate safeguards.
Personal information shared between Slaughter and May offices is subject to a data sharing agreement which sets out the standards each office must follow.
We may share your personal information with third parties where:
- you have consented to us doing so (where necessary) or the organisation that you work for has obtained your consent for us to do so (where necessary);
- we are under a legal, regulatory or professional obligation to do so (for example, to comply with anti-money laundering or sanctions requirements or in relation to our employment obligations);
- it is necessary for the purpose of, or in connection with, legal proceedings or in order to exercise or defend legal rights;
- it is in our or a third party’s legitimate interest to share the information, and that legitimate interest is not overridden by your rights or freedoms; or
- it is appropriate to disclose the information to parties with whom we have promotional arrangements (such as jointly hosted events).
If you would like more detailed information about the legal bases upon which we rely to process your information and the third parties we use, please contact [email protected].
We use up to date data storage and security to hold your personal information securely in electronic and physical form to protect your personal information from unauthorised access, improper use or disclosure, unauthorised modification or unlawful destruction or accidental loss. Our IT usage and security policy is supported by our ISO 27001 certification and other security standards, processes and procedures. Our premises are access controlled and our electronic databases require logins and password authentication.
All our partners, staff and third party service providers who have access to confidential information (including personal information) are subject to confidentiality obligations.
However, the transmission of information via the internet is not completely secure. Although we take appropriate and proportionate steps to manage the risks posed, we cannot guarantee the security of your information transmitted to our online services.
7. Third party sites
Our Websites contain links to other sites which are controlled by third parties, for example in the Community and Environment section. We also use social media sites, such as LinkedIn, Facebook and Twitter, and third party platforms to host events, training and seminars. You should review these other sites’ privacy policies. We do not accept any responsibility for the information you provide on those sites or their collection and use of your personal information.
8. Your rights
You have certain rights that you can exercise under certain circumstances in relation to the personal information that we hold. These rights are to:
- request access to your personal information (known as a subject access request) and request certain information in relation to its processing;
- request rectification of your personal information;
- request the erasure of your personal information;
- request that we restrict the processing of your personal information; and
- object to the processing of your personal information.
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once the firm has received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
If you would like to exercise any of these rights, please contact the Privacy Partner in writing by emailing [email protected] or by letter to:
Slaughter and May
One Bunhill Row
You will not, in general, have to pay a fee to exercise any of your individual rights set out in this Privacy notice. However, we may refuse to provide access and may charge a fee for access if the relevant data protection legislation allows us to do so, in which case we will provide reasons for our decision as required by the law.
If you are outside the UK and would prefer to contact a Slaughter and May office in your jurisdiction about the way we process your information, please refer to the contact information set out in the Legal and Regulatory Information pages. If you do not have a usual local contact, please address your enquiry to the Privacy Partner.
The firm has appointed the Privacy Partner to oversee compliance with this Privacy notice. If you have any questions about this policy or how we handle your personal information, please contact them as set out above.
We hope that the firm’s Privacy Partner can resolve any query or concern you raise about our use of your personal information. If you feel we have not handled your query or concern to your satisfaction, you can contact the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, at ico.org.uk/concerns or telephone 0303 123 1113.
If you are based outside the UK, you may also have the right to submit a complaint to the relevant supervisory authority in your jurisdiction.
Updated: November 2022