Privacy notice

This privacy notice sets out information about Kennedys’ privacy practices and your rights.

1 Introduction

Kennedys takes the protection of your personal data seriously.

Kennedys is an international legal practice carried on by Kennedys Law LLP and its affiliated firms. References to “Kennedys”, “we” or “us” in this Privacy Notice mean Kennedys Law LLP and other firms authorised to use the Kennedys name. A full list of these entities is available on our legal notices page.

This Privacy Notice sets out information about Kennedys’ privacy practices and your rights. Expand the section(s) below to see information about how Kennedys processes your personal data.

We may amend this Privacy Notice at any time and for any reason. The updated version will be available by following the “Privacy” link on our website footer at www.kennedyslaw.com. You should check the Privacy Notice regularly for changes.

2 Data protection laws

Kennedys’ EU offices are bound by the European Union (“EU”) General Data Protection Regulation 2016/679 (“GDPR”). Kennedys UK offices are bound by the GDPR as incorporated into the law the United Kingdom by virtue of the European Union (Withdrawal) Act 2018 (the “UK GDPR”). Unless otherwise indicated, references in this Privacy Notice to the GDPR include the UK GDPR.

Kennedys’ other offices outside the EU are subject to their local data protection laws.

In this Privacy Notice, the terms personal datacontrollerprocessordata subjectconsentrecipientthird partyprocessing and profiling have the meanings given to them in the GDPR.

3 Controller contact details

The controller for the processing of personal data under this Privacy Notice is:

Kennedys
20 Fenchurch St
London EC3M 3BY
United Kingdom
Telephone: +44 20 7667 9667
Email: dataprotection@kennedyslaw.com
Website: www.kennedyslaw.com

Contact details for each individual Kennedys Group entity are listed at www.kennedyslaw.com/regulatory.

Any Kennedys Group entity that is not established in the EU appoints as its EU representative:

Kennedys
Second Floor, Bloodstone Building,
Sir John Rogerson’s Quay,
Dublin 2, D02 KF24,
Ireland
Telephone: +353 1 878 0055
Email: dataprotection@kennedyslaw.com
Website: www.kennedyslaw.com

4 Data Protection Officer contact details

If you have any questions about this Privacy Notice or about our personal data processing practices, or if you wish to exercise any of your rights as a data subject, you may contact Kennedys’ Data Protection Officer for your region at dataprotection@kennedyslaw.com or as follows:

United Kingdom & European Union 

Andrew Coates
Regional Data Protection Officer
Kennedys

20 Fenchurch St
London EC3M 3BY, United Kingdom
Telephone: +44 20 7667 9063
Email: andrew.coates@kennedyslaw.com

Asia-Pacific & Middle East

Nicholas Blackmore
Regional Data Protection Officer
Kennedys
Level 9 360 Elizabeth Street
Melbourne VIC 3000, Australia
Telephone: +613 9498 6699
Email: nicholas.blackmore@kennedyslaw.com

North America 

Joshua A. Mooney
Regional Data Protection Officer
Kennedys
1600 Market Street, Suite 1410
Philadelphia, Pennsylvania 19103
USA
Telephone: +1 267 479 6706
Email: Joshua.Mooney@kennedyslaw.com

Latin America

Regional Data Protection Officers
Kennedys
Javier Vijil
Telephone: +1 305 371 1111
Email: Javier.Vijil@kennedyslaw.com
Susana Martinez Cabrera
Email: Susana.Martinez@kennedyslaw.com

5 Lead supervisory authority contact details

If you have a complaint about our personal data processing practices, you should first contact Kennedys’ Data Protection Officer for your region. If you are not satisfied with our response, you have the right to lodge your complaint with the following supervisory authorities:

United Kingdom (UK GDPR)

Information Commissioners Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
Telephone: +44 (0) 303 123 1113
Email: casework@rco.org.uk
Website: https://ico.org.uk

European Union (GDPR)

Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Ireland
Telephone: +353 578 684 800
Website: https://www.dataprotection.ie/

If you are located outside the EU or the UK, you may also contact your local data protection authority. Kennedys’ Data Protection Officer for your region can provide contact details.

6 Specific situations in which we may process your personal data

Kennedys processes personal data in a number of different situations. Expand the section(s) below which apply to you to see information about how Kennedys processes, your personal data.

Kennedys will process certain personal data about clients who are individuals.

Types of personal data we collect

To engage and serve you as a client, we will need to collect personal data about you, including your name, position, address, contact details and business details. We may also collect data on the industry in which you operate and your business and personal interests.

In some countries, we may be required by law to collect certain identifying information about you. This may include your name, address, identification or business numbers. We may also be required to view or take a copy of your passport or identity documents.

In the course of your matter, we may collect other personal data about you that is relevant to the matter - see section 6.3 below for further information about this.

Generally, we will obtain this personal data directly from you. Sometimes, we may obtain personal data about you from third parties or public sources (for example, we may obtain data about your directorships from a company search).

Purposes of processing and legal basis for processing

We will process your personal data for the purposes indicated in the left hand column. The legal basis for processing under the GDPR is indicated in the right hand column.

Purpose of processing

Legal basis for processing

To provide legal and other professional services to you and to carry out administrative tasks related to those services (for example, to carry out conflict checks and to send you invoices).

Necessary for performance of your contract with Kennedys, or to take steps prior to entering into that contract.

To comply with applicable laws (for example, legal practice rules or anti-money laundering and terrorism financing laws).

Necessary to comply with legal obligations to which Kennedys is subject.

To manage and develop our relationship with you and to send you communications about our services and firm events – see section 6.4 below for further information about this.

Necessary for the purposes of Kennedys’ legitimate interests in developing and growing its business. See section 7 below for more details about Kennedys’ legitimate interests.

Recipients or categories of recipients

We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such suppliers are subject to obligations not to use or disclose that data.

For the purposes of your matter, we may disclose your personal data to third parties who provide services which assist us with your matter and to third parties who are involved in the matter - see section 6.3 below for further information about this.

In some countries, we are required by law to provide your personal data to government authorities.

In exceptional circumstances, we may be required or permitted by law to disclose personal data, for example to law enforcement authorities or to prevent a serious threat to public safety.

Transfers

We may transfer your personal data overseas.

The information systems of Kennedys Group are hosted on central servers located in the United Kingdom and Singapore. Any personal data that we store on our systems will be transferred to one of those locations.

Kennedys Group’s information systems, including electronic matter files, client information and finance systems are accessible by Kennedys offices around the world. This means your personal data may be accessed by Kennedys personnel overseas.

When a client matter involves obtaining legal or other professional advice from another country, we may need to transfer details about the client matter, including your personal data, to a Kennedys office or third party in that country.

See section 8 below for information about the safeguards Kennedys adopts when transferring personal data overseas.

Retention period

Kennedys will only retain personal data for as long as it has a legitimate purpose to do so. Kennedys will need to retain personal data for commercial and legal purposes. How long it will need to retain personal data for these purposes will depend on the specific personal data.

Kennedys generally retains client documentation and matter files for at least 6 years after the end of the matter, in case a dispute arises in relation to the matter. It may retain some client matter files for longer than this (for example, property related matters).

Kennedys is required to retain certain client and matter information for a specified period by corporate and tax laws, legal industry regulations and our insurance providers.

Once Kennedys has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.

Requirement to provide personal data

As a client, it is mandatory to provide us with basic personal data such as your name and contact details. If you do not provide this data, we will not be able to act for you.

In some countries, we are required by law to collect certain personal data about you. If you do not provide this data, we will not be able to act for you.

It is optional to provide most other personal data. However, in many cases, if you do not provide that data, the advice and services we can provide to you may be limited or may not take into account your particular circumstances.

Kennedys may process certain personal data about officers, employees or contractors of its clients.

Types of personal data we collect

To engage and serve your organisation as a client, we may need to collect personal data about you, including your name, position, address, contact details and business details. We may also collect data on the industry in which your organisation operates and your business and personal interests.

In some countries, we may be required by law to collect certain identifying information about you. This may include your name, address, identification or business numbers. We may also be required to view or take a copy of your passport or identity documents.

In the course of your matter, we may collect other personal data about you that is relevant to the matter - see section 6.3 below for further information about this.

Generally, we will obtain this personal data directly from you. Sometimes, we may obtain personal data about you from third parties (for example, your organisation may provide your business contact details) or public sources (for example, we may obtain data about your directorships from a company search).  

Purposes of processing and legal basis for processing

We will process your personal data for the purposes indicated in the left hand column. The legal basis for processing under the GDPR is indicated in the right hand column.

Purpose of processing

Legal basis for processing

To provide legal and other professional services to your organisation and to carry out administrative tasks related to those services (for example, to carry out conflict checks and to send you invoices).

Necessary for the purposes of Kennedys’ legitimate interests in providing legal and other professional services to its clients. See section 7 below for more details about Kennedys’ legitimate interests.

To comply with applicable laws (for example, legal practice rules or anti-money laundering and terrorism financing laws).

Necessary to comply with legal obligations to which Kennedys is subject.

To manage and develop our relationship with you and your organisation and to send you communications about our services and firm events – see section 6.4 below for further information about this.

Necessary for the purposes of Kennedys’ legitimate interests in developing and growing its business. See section 7 below for more details about Kennedys’ legitimate interests.

Recipients or categories of recipients

We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such suppliers are subject to obligations not to use or disclose that data.

For the purposes of your matter, we may disclose your personal data to third parties who provide services which assist us with your matter and to third parties who are involved in the matter - see section 6.3 below for further information about this.

In some countries, we are required by law to provide your personal data to government authorities.

In exceptional circumstances, we may be required or permitted by law to disclose personal data, for example to law enforcement authorities or to prevent a serious threat to public safety.

Transfers

We may transfer your personal data overseas.

The information systems of Kennedys Group are hosted on central servers located in the United Kingdom and Singapore. Any personal data that we store on our systems will be transferred to one of those locations.

Kennedys Group’s information systems, including electronic matter files, client information and finance systems are accessible by Kennedys’ offices around the world. This means your personal data may be accessed by Kennedys’ personnel overseas.

When a client matter involves obtaining legal or other professional advice from another country, we may need to transfer details about the client matter, including your personal data, to a Kennedys office or third party in that country.

See section 8 below for information about the safeguards Kennedys adopts when transferring personal data overseas.

Retention period

Kennedys will only retain personal data for as long as it has a legitimate purpose to do so. Kennedys will need to retain personal data for commercial and legal purposes. How long it will need to retain personal data for these purposes will depend on the specific personal data.

Kennedys generally retains client documentation and matter files for at least 6 years after the end of the matter, in case a dispute arises in relation to the matter. It may retain some client matter files for longer than this (for example, property related matters).

Kennedys is required to retain certain client and matter information for a specified period by corporate and tax laws, legal industry regulations and our insurance providers.

Once Kennedys has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.

Requirement to provide personal data

As a client, it is mandatory to provide us with basic personal data such as your name and contact details. If you do not provide this data, we will not be able to act for you.

In some countries, we are required by law to collect certain personal data about you. If you do not provide this data, we will not be able to act for you.

It is optional to provide most other personal data. However, in many cases, if you do not provide that data, the advice and services we can provide to you may be limited or may not take into account your particular circumstances.

In the course of a client matter, Kennedys may process certain personal data about individuals who are involved in or connected with the matter. This may include claimants, policyholders, witnesses, investigators, experts, advisors and consultants. It may include both individuals who are connected with our client, and individuals who are connected with other parties involved in a dispute or transaction.

For example, when we are representing our client in litigation, we may process personal data about individuals involved in the litigation for the purpose of representing and advising our client in relation to the litigation. This may include the plaintiff and the defendant, directors, employees or contractors of the plaintiff and the defendant, witnesses called by the plaintiff and the defendant, and other individuals involved in the litigation.

Types of personal data we collect

In the course of a matter, we may collect personal data about individuals who are involved in or connected with the matter. The types of personal data we collect will depend on what is necessary for and relevant to the matter.

Basic personal data we collect include names, addresses, contact details and job/business details. We may also collect identifying details such as date of birth, national insurance numbers and identification numbers. If the matter relates to an insurance claim, we will collect personal data that is relevant to that claim, such as the circumstances of the incident, ownership of a motor vehicle, or the nature of any injuries suffered. It may also include information like credit history and electoral roll details. The personal data we collect may also include special categories of personal data if relevant to a matter, such as disability, health and medical information.

Depending on the circumstances, we may obtain this personal data directly from the individual, from third parties or public sources. We may obtain personal data from third parties including investigators, doctors, experts, insurers, witnesses and other parties involved in the matter. We may collect personal data from public sources including social media, company records, the land registry, births deaths and marriages, insurance industry databases, credit reporting agencies and the electoral roll.

Purposes of processing and legal basis for processing

We will process your personal data for the purposes indicated in the left hand column. The legal basis for processing under the GDPR is indicated in the right hand column.

Purpose of processing

Legal basis for processing

To provide legal and other professional services to our client and to carry out administrative tasks related to those services (for example, to carry out conflict checks, gather evidence, identify witnesses and conduct legal proceedings).

Necessary for the purposes of Kennedys’ legitimate interests in providing legal and other professional services to its clients. See section 7 below for more details about Kennedys’ legitimate interests.

To comply with applicable laws (for example, legal practice rules or anti-money laundering and terrorism financing laws).

Necessary to comply with legal obligations to which Kennedys is subject.

If the matter relates to an insurance claim, to conduct investigations and analysis on that claim for our client. These investigations may involve tracing people connected with the claim, conducting background research on claimants, or determining whether a claim is fraudulent.

Necessary for the purposes of insurers’ and policyholders’ legitimate interests and the public interest in administering claims efficiently, identifying potentially fraudulent claims and helping prevent insurance fraud.

Recipients or categories of recipients

We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such suppliers are subject to obligations not to use or disclose that data.

We may disclose your personal data to our client or to third parties who provide services to our client in support of its business. For example, if our intelligence team identifies a person who has posted to social media about an incident and may be a potential witness, we will provide that person’s details to our client.

We may disclose your personal data to third parties who provide legal and non-legal services which assist us with the matter. For example, we may disclose your data to barristers, investigators, experts, or translators, if that is necessary for the conduct of the matter.

We may disclose your personal data to third parties who are involved in the matter. For example, when we file court documents in a legal proceeding, that will involve providing any personal data contained in those court documents to the court and the other parties involved in the proceeding.

We may disclose your personal data to third parties in the course of making enquiries and gathering evidence in relation to a dispute. For example, if you claim that you were involved in an accident, we may ask a witness to provide evidence about the accident, and in the course of doing so, we may need to disclose certain personal data about you to that witness. 

We may disclose your personal data to public authorities or registrars if necessary for the conduct of the matter. For example, in a property transaction, we will need to disclose your personal data to the land registry.

In exceptional circumstances, we may be required or permitted by law to disclose personal data, for example to law enforcement authorities or to prevent a serious threat to public safety.

Transfers

We may transfer your personal data overseas.

The information systems of Kennedys Group are hosted on central servers located in the United Kingdom and Singapore. Any personal data that we store on our systems will be transferred to one of those locations.

Kennedys Group’s information systems, including electronic matter files, client information and finance systems are accessible by Kennedys’ offices around the world. This means your personal data may be accessed by Kennedys’ personnel overseas.

When a client matter involves obtaining legal or other professional advice from another country, we may need to transfer details about the client matter, including your personal data, to a Kennedys office or third party in that country.

See section 8 below for information about the safeguards Kennedys adopts when transferring personal data overseas.

Retention period

Kennedys will only retain personal data for as long as it has a legitimate purpose to do so. We will need to retain personal data for commercial and legal purposes. How long we will need to retain personal data for these purposes will depend on the specific personal data.

Kennedys generally retains client matter files for at least 6 years after the end of the matter, in case a dispute arises in relation to the matter. It may retain some client matter files for longer than this (for example, property related matters).

If the matter relates to an insurance claim, our intelligence team may retain your personal data indefinitely to assist in future investigations.

Kennedys is required to retain certain matter information for a specified period by corporate and tax laws, legal industry regulations and our insurance providers.

Once Kennedys has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.

Requirement to provide personal data

It is optional to provide most of the above personal data. However, in many cases, if you do not provide that data, it may affect your participation in and rights in relation to the matter.

Kennedys may process certain personal data about individuals who it targets for business development and marketing activities and communications. This includes anyone who we have, or would like to develop, a business relationship with. It also includes anyone who subscribes to receive publications, news, event invitations and marketing updates from us through our website.

Types of personal data we collect

We may collect personal data about you, including your name, job title, position, address, contact details and business details. We may also collect data on the industry in which your organisation operates and your business and personal interests. If we invite you to an event, we may ask for personal data about your dietary and accessibility requirements. If you use the Kennedys events app, it will ask for your name, job title, company and email address.

Generally, we will obtain this personal data directly from you – for example, from your business card or email signature block. Sometimes, we may obtain personal data about you from a third party (for example, a colleague may provide us with your details) or a public source (for example, we may obtain data about your business interests from Linkedin).

If you subscribe to publications, news, event invitations and marketing updates through our website, we will also collect your internet protocol (IP) address. We only collect IP addresses so that we can detect if a particular IP address is spamming our subscription form with fake subscription requests. We do not use those IP addresses for any other purpose.

Purposes of processing

We may use your personal data to track our business development engagement with you, to help us understand your business and to help us develop and implement our business development strategies.

We may use your contact details and interests to keep you updated on important legal developments and to invite you to, and provide you with information about, our seminars and events. When your details are first entered into our marketing database, we will send you a “Welcome to Kennedys” email, which will allow you to set your preferences as to which types of marketing communications you would like to receive, or completely opt-out of receiving marketing communications from Kennedys. There will also be links to “Update details and preferences” and “Unsubscribe” in every marketing communication we send to you.

Legal basis for processing

The processing described above is necessary for the purposes of Kennedys’ legitimate interests in providing legal and other professional services to its clients and in developing and growing its business and its relationships. See section 7 below for more details about Kennedys’ legitimate interests.

In some cases, data protection or anti-spam laws may require us to obtain your consent to send you particular types of marketing communication. For example, if you are an “individual subscriber” in the UK under the UK Privacy and Electronic Communications Regulations, we may require consent to send you email communications. In those cases, we will only carry out such processing based on and in accordance with your consent.

Recipients or categories of recipients

Generally, we will not disclose any personal data that we hold about you for business development or marketing purposes to anyone outside Kennedys.

The only exceptions to this are:

  • we may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business (however, we will ensure that all such suppliers are subject to obligations not to use or disclose that data); and
  • we may provide attendees’ names, titles, companies and any dietary or mobility requirements to third parties who assist us in staging an event (for example, the venue owner, a security provider, an event co-host, a catering company or the presenter), but only if that is necessary as part of staging the event.

Transfers

We may transfer your personal data overseas.

The information systems of Kennedys Group are hosted on central servers located in the United Kingdom and Singapore. Any personal data that we store on our systems will be transferred to one of those locations.

Kennedys Group’s information systems, including our business development system, are accessible by Kennedys’ offices around the world. This means your personal data may be accessed by Kennedys’ personnel overseas.

See section 8 below for information about the safeguards Kennedys adopts when transferring personal data overseas.

Retention period

Kennedys will only retain personal data for as long as it has a legitimate purpose to do so. Kennedys will need to retain personal data for commercial and legal purposes. How long it will need to retain personal data for these purposes will depend on the specific personal data.

Kennedys may retain your personal data for as long as we have the right to send marketing communications to you. Once you withdraw your consent, we may keep some basic personal data on our “anti-marketing list” to ensure we do not start marketing to you again.

We may retain Kennedys events app login details to allow you to continue to log in to the app.

Once Kennedys has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.

Requirement to provide personal data

As we undertake the majority of our business development communications by email, we do require an email address in order to provide you with business development communications. Otherwise, it is optional to provide your personal data to us for business development purposes. The more personal data you provide to us, the more relevant our business development activities and communications will be to you.

Specific notice for marketing communications from Kennedys Hong Kong office

Marketing and business development communications from our Hong Kong office will comply with the Personal Data (Privacy) Ordinance, which requires that we provide you with the following notice. We intend to use your contact details and interests to send you communications about our services and firm events. We may not do so without your consent. We obtain this consent through our initial “Welcome to Kennedys” email, which you will receive when your details are first entered into our marketing database. The “Welcome to Kennedys” email will allow you to set your preferences as to which types of marketing communications you would like to receive, or completely opt-out of receiving marketing communications from Kennedys altogether. There will also be links to “Update details and preferences” and “Unsubscribe” in every marketing communication we send to you.

Kennedys may process certain personal data about individuals who are partners, employees or contractors of Kennedys’ associate offices or correspondent firms.

Types of personal data we collect

As part of Kennedys relationship with your firm (either as a member of the Kennedys network or as a correspondent firm), we may need to collect personal data about you, including your name, position, address, contact details, areas of expertise, qualifications and experience.

If we are providing services to you, in some countries, we may be required by law to collect certain identifying information about you. This may include your name, address, identification or business numbers. We may also be required to view or take a copy of your passport or identity documents.

We may collect this personal data directly from you or indirectly from your firm.

Purposes of processing

We may process your personal data for the purpose of providing services to your firm and/or receiving services from your firm, and for other purposes related to that purpose (for example, to issue or pay invoices for those services). If you are a correspondent firm, we may add your details to our database of correspondent firms, so that our other lawyers are aware of your expertise.

We may also use your contact details and interests to send you communications about our services and firm events – see section 6.4 above for further information about this.

Legal basis for processing under the GDPR

The processing described above is necessary for the purposes of Kennedys’ legitimate interests in providing legal and other professional services to its clients and in developing and growing its business. See section 7 below for more details about Kennedys’ legitimate interests.

Some of that processing is necessary to comply with applicable laws (for example, legal practice rules or anti-money laundering and terrorism financing laws). 

Recipients or categories of recipients

We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such suppliers are subject to obligations not to use or disclose that data.

We may disclose your personal data to our client in the course of providing services to them.

We may disclose your personal data to third parties who provide legal and non-legal services which assist us with the matter. For example, we may disclose your data to barristers, investigators, experts, or translators, if that is necessary for the conduct of the matter.

We may disclose your personal data to third parties who are involved in the matter. For example, when we file court documents in a legal proceeding, that will involve providing any personal data contained in those court documents to the court and the other parties involved in the proceeding.

We may disclose your personal data to public authorities or registrars if necessary for the conduct of the matter. For example, in a property transaction, we will need to disclose your personal data to the land registry.

In some countries, we are required by law to provide your personal data to government authorities.

In exceptional circumstances, we may be required or permitted by law to disclose personal data, for example to law enforcement authorities or to prevent a serious threat to public safety.

Transfers

We may transfer your personal data overseas.

The information systems of Kennedys Group are hosted on central servers located in the United Kingdom and Singapore. Any personal data that we store on our systems will be transferred to one of those locations.

Kennedys Group’s information systems, including electronic matter files, ad our accounts system and our correspondent firm database, are accessible by Kennedys’ offices around the world. This means your personal data may be accessed by Kennedys’ personnel overseas.

See section 8 below for information about the safeguards Kennedys adopts when transferring personal data overseas.

Retention period

Kennedys will only retain personal data for as long as it has a legitimate purpose to do so. Kennedys will need to retain personal data for commercial and legal purposes. How long it will need to retain personal data for these purposes will depend on the specific personal data.

Kennedys generally retains client matter files for at least six years after the end of the matter, in case a dispute arises in relation to the matter. It may retain some client matter files for longer than this (for example, property related matters).

Kennedys is required to retain certain client and matter information for a specified period by corporate and tax laws, legal industry regulations and our insurance providers.

Once Kennedys has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.

Requirement to provide personal data

If we are providing services to your firm, it is mandatory to provide us with basic personal data such as your name and contact details. If we do not have this data, we will not be able to provide services to your firm.

It is optional to provide most other personal data. However, in many cases, if you do not provide that data, the advice and services we can provide to your organisation may be limited. It may also affect our ability to assess your organisation’s suitability to provide services to us.

In some countries, we are required by law to collect your identification or business number and/or view or take a copy of your passport or identity documents. If you do not provide this data, we will not be able to act for your organisation.

Kennedys may process certain personal data about experts who assist or advise (or may potentially advise or assist) Kennedys in relation to a client matter. This may include doctors, psychologists, forensic experts and other subject matter experts.

Types of personal data we collect

To engage you as an expert, we will need to collect personal data about you, including your name, position, address, contact details, business details, qualifications, experience and performance.

We may obtain this data directly from you, from third parties (for example, recommendations from clients) or from public sources (for example, a website or directory).

Purposes of processing and legal basis for processing

We will process your personal data for the purposes indicated in the left hand column. The legal basis for processing under the GDPR is indicated in the right hand column.

Purpose of processing

Legal basis for processing

To provide your expert services as part of our legal and other professional services to our client and for other purposes related to that purpose (for example, to pay you for your services).

Necessary for performance of your contract with Kennedys, or to take steps prior to entering into that contract.

To add you to our internal experts’ database, so that other lawyers within the firm can see your expertise and contact you for future matters.

Necessary for the purposes of Kennedys’ legitimate interests in providing legal and other professional services to clients. See section 7 below for more details about Kennedys’ legitimate interests.

With your consent, we may disclose your details to other Kennedys’ clients and other third parties (such as counsel, co-defendants and claimants’ solicitors) for the purpose of considering whether to instruct you in relation to future matters.

Your consent to the processing.

Recipients or categories of recipients

We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such suppliers are subject to obligations not to use or disclose that data.

We may disclose your personal data to our client in the course of providing legal and other professional services to them.

We may disclose your personal data to third parties who provide legal and non-legal services which assist us with the matter. For example, we may disclose your data to a barrister, an investigator or a translation service, if that is necessary for the conduct of the matter.

We may disclose your personal data to third parties who are involved in the matter. For example, when we file court documents in a legal proceeding, that will involve providing any personal data contained in those court documents to the court and the other parties involved in the proceeding.

With your consent, we may also disclose your personal data to other Kennedys clients who require your expertise.

In exceptional circumstances, we may be required or permitted by law to disclose personal data, for example to law enforcement authorities or to prevent a serious threat to public safety.

Transfers

We may transfer your personal data overseas.

The information systems of Kennedys Group are hosted on central servers located in the United Kingdom and Singapore. Any personal data that we store on our systems will be transferred to one of those locations.

Kennedys Group’s information systems, including electronic matter files and the experts’ database, are accessible by Kennedys’ offices around the world. This means your personal data may be accessed by Kennedys’ personnel overseas.

When a client matter involves obtaining legal or other professional advice from another country, we may need to transfer details about the client matter, including your personal data, to a Kennedys office or third party in that country.

See section 8 below for information about the safeguards Kennedys adopts when transferring personal data overseas.

Retention period

Kennedys will only retain personal data for as long as it has a legitimate purpose to do so. Kennedys will need to retain personal data for commercial and legal purposes. How long it will need to retain personal data for these purposes will depend on the specific personal data.

Kennedys will generally retain your personal data on our experts’ database for at least six years after you last provided services to us.

Kennedys generally retains client matter files for at least 6 years after the end of the matter, in case a dispute arises in relation to the matter. It may retain some client matter files for longer than this (for example, property related matters).

Kennedys is required to retain certain matter information for a specified period by corporate and tax laws, legal industry regulations and our insurance providers.

Once Kennedys has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.

Requirement to provide personal data

It is optional to provide most of the above personal data. However, in many cases, if you do not provide that data, it may affect your participation in and rights in relation to the matter.

Kennedys may process certain personal data about barristers who assist Kennedys in relation to a client matter.

Types of personal data we collect

To engage you as counsel, we will need to collect personal data about you, including your name, position, address, contact details, business details, qualifications, experience and performance.

We may obtain this data directly from you, from third parties (for example, recommendations from other counsel) or from public sources (for example, a website or directory).

Purposes of processing and legal basis for processing

We will process your personal data for the purposes indicated in the left hand column. The legal basis for processing under the GDPR is indicated in the right hand column.

Purpose of processing

Legal basis for processing

To provide your services as part of our legal and other professional services to our client and for other purposes related to that purpose (for example, to pay you for your services).

Necessary for performance of your contract with Kennedys, or to take steps prior to entering into that contract.

To add you to our internal counsel database, so that other lawyers within the firm can see your expertise and contact you for future matters.

Necessary for the purposes of Kennedys’ legitimate interests in providing legal and other professional services to its clients. See section 7 below for more details about Kennedys’ legitimate interests.

With your consent, we may disclose your details to other Kennedys’ clients and other third parties (such as co-defendants and claimants’ solicitors) for the purpose of considering whether to instruct you in relation to future matters.

Your consent to the processing.

Recipients or categories of recipients

We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such suppliers are subject to obligations not to use or disclose that data.

We may disclose your personal data to our client in the course of providing legal and other professional services to them.

We may disclose your personal data to third parties who provide legal and non-legal services which assist us with the matter. For example, we may disclose your data to an expert witness, an investigator or a translation service, if that is necessary for the conduct of the matter.

We may disclose your personal data to third parties who are involved in the matter. For example, when we file court documents in a legal proceeding, that will involve providing any personal data contained in those court documents to the court and the other parties involved in the proceeding.

With your consent, we may also disclose your personal data to other Kennedys clients who require your expertise.

In exceptional circumstances, we may be required or permitted by law to disclose personal data, for example to law enforcement authorities or to prevent a serious threat to public safety.

Transfers

We may transfer your personal data overseas.

The information systems of Kennedys Group are hosted on central servers located in the United Kingdom and Singapore. Any personal data that we store on our systems will be transferred to one of those locations.

Kennedys Group’s information systems, including electronic matter files and the experts’ database, are accessible by Kennedys’ offices around the world. This means your personal data may be accessed by Kennedys’ personnel overseas.

When a client matter involves obtaining legal or other professional advice from another country, we may need to transfer details about the client matter, including your personal data, to a Kennedys office or third party in that country.

See section 8 below for information about the safeguards Kennedys adopts when transferring personal data overseas.

Retention period

Kennedys will only retain personal data for as long as it has a legitimate purpose to do so. Kennedys will need to retain personal data for commercial and legal purposes. How long it will need to retain personal data for these purposes will depend on the specific personal data.

Kennedys will generally retain your personal data on our database of counsel for at least six years after you last provided services to us.

Kennedys generally retains client matter files for at least 6 years after the end of the matter, in case a dispute arises in relation to the matter. It may retain some client matter files for longer than this (for example, property related matters).

Kennedys is required to retain certain matter information for a specified period by corporate and tax laws, legal industry regulations and our insurance providers.

Once Kennedys has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.

Requirement to provide personal data

It is optional to provide most of the above personal data. However, in many cases, if you do not provide that data, it may affect your participation in and rights in relation to the matter.

Kennedys may process certain personal data about suppliers to Kennedys who are individuals. (For subject-matter experts, see section 6.6 above; for barristers, see section 6.7 above.)

Types of personal data we collect

To engage you as a supplier, we will need to collect personal data about you, including your name, position, address, contact details, business details, qualifications and experience.

Purposes of processing

We may process your personal data for the purpose of allowing you to provide, and for receiving, your services and for other purposes related to that purpose (for example, to pay you for your services).

Legal basis for processing under the GDPR

The processing described above is necessary for performance of your contract with Kennedys, or to take steps prior to entering into that contract.

Recipients or categories of recipients

We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such suppliers are subject to obligations not to use or disclose that data.

If necessary in connection with the services, we may disclose your personal data to our client and to parties involved in a client matter.

In exceptional circumstances, we may be required or permitted by law to disclose personal data, for example to law enforcement authorities or to prevent a serious threat to public safety.

Transfers

We may transfer your personal data overseas.

The information systems of Kennedys Group are hosted on central servers located in the United Kingdom and Singapore. Any personal data that we store on our systems will be transferred to one of those locations.

Kennedys Group’s information systems, including electronic matter files and our accounts system, are accessible by Kennedys’ offices around the world. This means your personal data may be accessed by Kennedys’ personnel overseas.

See section 8 below for information about the safeguards Kennedys adopts when transferring personal data overseas.

Retention period

Kennedys will only retain personal data for as long as it has a legitimate purpose to do so. Kennedys will need to retain personal data for commercial and legal purposes. How long it will need to retain personal data for these purposes will depend on the specific personal data.

Kennedys will generally retain your personal data for at least six years after you last provided services to us.

Once Kennedys has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.

Requirement to provide personal data

It is optional to provide most of the above personal data. However, in many cases, if you do not provide that data, it may affect our ability to assess your suitability to provide services to us, or your ability to provide services to us.

Kennedys may process certain personal data about individuals associated with organisations who are suppliers to Kennedys.

Types of personal data we collect

To engage your organisation as a supplier, we will need to collect personal data about you, including your name, position, address, contact details, business details, qualifications and experience.

Purposes of processing

We may process your personal data for the purpose of allowing your organisation to provide, and for receiving, your organisation’s services and for other purposes related to that purpose (for example, to pay your organisation for its services).

Legal basis for processing under the GDPR

The processing described above is necessary for the purposes of Kennedys’ legitimate interests in providing legal and other professional services to its clients. See section 7 below for more details about Kennedys’ legitimate interests.

Recipients or categories of recipients

We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such suppliers are subject to obligations not to use or disclose that data.

If necessary in connection with the services, we may disclose your personal data to our client and to parties involved in a client matter.

In exceptional circumstances, we may be required or permitted by law to disclose personal data, for example to law enforcement authorities or to prevent a serious threat to public safety.

Transfers

We may transfer your personal data overseas.

The information systems of Kennedys Group are hosted on central servers located in the United Kingdom and Singapore. Any personal data that we store on our systems will be transferred to one of those locations.

Kennedys Group’s information systems, including electronic matter files and our accounts system, are accessible by Kennedys offices around the world. This means your personal data may be accessed by Kennedys personnel overseas.

See section 8 below for information about the safeguards Kennedys adopts when transferring personal data overseas.

Retention period

Kennedys will only retain personal data for as long as it has a legitimate purpose to do so. Kennedys will need to retain personal data for commercial and legal purposes. How long it will need to retain personal data for these purposes will depend on the specific personal data.

Kennedys will generally retain your personal data for at least six years after your organisation last provided services to us.

Once Kennedys has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.

Requirement to provide personal data

It is optional to provide most of the above personal data. However, in many cases, if you do not provide that data, it may affect our ability to assess your organisation’s suitability to provide services to us, or your organisation’s ability to provide services to us.

Kennedys may process certain personal data about you if you contact us with a query, by mail, email, fax or through our website.

Types of personal data we collect

We may collect your name and contact details, and any other personal data you include in your correspondence to us.

Purposes of processing

We may use your personal data to respond to your query.

Legal basis for processing

When you contact us with a query that requires or requests a response, we take that as a freely given, specific, informed and unambiguous indication that you want us to process your personal data to the extent necessary to respond to your query (unless you indicate otherwise in your query). As such, we rely on your consent to process your personal data to respond to your query. You can withdraw this consent at any time, but then we may be unable to respond to your query.

Recipients or categories of recipients

We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such suppliers are subject to obligations not to use or disclose that data.

Otherwise, we will not disclose your personal data outside Kennedys, unless that is necessary to respond to your query.

Transfers

We may transfer your personal data overseas.

The information systems of Kennedys Group are hosted on central servers located in the United Kingdom and Singapore. Any personal data that we store on our systems will be transferred to one of those locations.

Kennedys Group’s information systems, including our email system, are accessible by Kennedys’ offices around the world. This means your personal data may be accessed by Kennedys’ personnel overseas.

See section 8 below for information about the safeguards Kennedys adopts when transferring personal data overseas.

Retention period

Kennedys will only retain personal data for as long as it has a legitimate purpose to do so. Kennedys will need to retain personal data for commercial and legal purposes. How long it will need to retain personal data for these purposes will depend on the specific personal data.

Kennedys may retain your personal data for as long as it takes to respond to your query. After we have responded to your query, we may retain your personal data for follow up or record-keeping purposes.

Once Kennedys has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.

Requirement to provide personal data

You may choose what personal data you provide when you send us a query.

For more information, please read Kennedys IQ’s Privacy Notice on the Kenendys IQ site.

7 Legitimate interests

As noted in section 6 above, in some situations, Kennedys may process your personal data on the basis of its “legitimate interests”.

Kennedys Group is an international law firm, which provides a wide range of legal, claims handling and other professional services to its clients. It has partners, employs employees and engages contractors around the world.

As such, Kennedys has a legitimate interest in:

  • providing legal services (such as advice and litigation), claims handling services (such as claims administration, management and processing) and other professional services (such as debtor and asset tracing) to its clients, ensuring those services are of high quality, and complying with all regulations which apply to the provision of those services;
  • developing and growing its business and its relationships, understanding the needs of its clients and prospective clients, and providing insights and commentary on legal issues; and
  • employing and managing its partners, employees and contractors.

Kennedys will only rely on those legitimate interests to process personal data where:

  • the processing is necessary for the purposes of those for the purposes of those legitimate interests; and
  • those legitimate interests are not overridden by the data subject’s interests or fundamental rights and freedoms.


8 Transfers

As noted in section 6 above, Kennedys may transfer your personal data to other countries.

The information systems of Kennedys Group are hosted on central servers located in the United Kingdom and Singapore. Any personal data that we store on our systems will be transferred to one of those locations.

Many of Kennedys Group’s information systems, including electronic matter files, client information and finance systems are accessible by Kennedys offices around the world. This means your personal data may be accessed by Kennedys’ personnel overseas.

When a matter involves obtaining legal or other professional advice from another country, we may need to transfer details about the matter, including personal data, to a Kennedys office or third party in that country.

For the purposes of the GDPR, the European Commission issues adequacy decisions on the data privacy laws of non-EU countries. The majority of countries to which Kennedys may transfer personal data are not covered by an EC adequacy decision. However, many of them do have local data privacy laws which are similar to the GDPR.

All Kennedys Group entities worldwide will treat your personal data in accordance with this Privacy Notice and their local data privacy law. In addition, all Kennedys offices outside the EU have entered into an agreement which requires them to treat all personal data transferred to them from Kennedys’ EU offices in accordance with the GDPR.

In addition, Kennedys adopts following safeguards when transferring personal data overseas:

  • Kennedys will always make such transfers in accordance with the requirements of the data privacy laws of your home country;
  • Kennedys will require that any overseas third party to which it discloses your personal data to: (a) only use that personal data for the purposes for which it was disclosed; (b) use all technical and organisational measures which are reasonable in the circumstances to secure that personal data; (c) delete that personal data when it is no longer required; and (d) treat that personal data in accordance with this Privacy Notice and their local data privacy law; and
  • Kennedys technology and control mechanisms are designed and monitored by Kennedys in the UK and are internally assessed for compliance against our Security Policy and ISO27001 standards by an Information Security Manager. A continual assessment of the processes and controls is also carried out by external auditors, who provide certification against ISO27001.

9 Automated decision-making including profiling

Kennedys does not engage in any automated decision-making or profiling.

“Automated decision-making” means a decision based solely on automated processing of personal data (without human intervention) which produces legal effects concerning the person or otherwise significantly affects the person.

“Profiling” is a form of automated decision-making. It uses personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is generally associated with systems based on artificial intelligence and machine learning. A system will be provided with a set of personal data and trained to identify correlations, and to then use those correlations to predict future behaviour by individuals.

10 Kennedys IQ Platform and Tools

Kennedys IQ Platform helps manage your claims more efficiently. It is our data-powered platform to help you manage your claims in less time, at a lower cost and with better outcomes. You can read more about that here

Kennedys is the “controller” in relation to the Portal Manager and Fraud Detector features. Section 6.11 above describes how we process personal data for the purposes of those tools.

Most of our other tools, such as Recovery Manager, allow our clients to process data relating to insurance claims and other legal matters. To the extent that Kennedys processes any personal data through these tools, it does so only in accordance with its clients’ instructions. For these tools, Kennedys is the “processor” and its clients are the “controller”.

11 Cookies

Our website uses cookies. You can manage your cookies in the footer of this website at any time.

Cookies are small, harmless text files placed on a computer’s hard drive. The information the cookie contains is set by the website the user is visiting and can be used by that website whenever the user returns to the site. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a character string through which web pages and services can be assigned to the specific web browser in which the cookie was stored. This allows visited websites to differentiate your web browser from other browsers.

We use cookies to collect data on how visitors use our website. These cookies are completely anonymous and do not contain any personal data.

We will seek your consent before storing any cookies on your computer. You can refuse to accept cookies. However, doing this may affect the functionality you can access on our website.

If you wish, you can use your browser settings to restrict or block the use of cookies. However, doing this may affect the functionality you can access on some websites. You can find more information at www.allaboutcookies.org.

For more information about our use of cookies, please refer to our Cookies Notice

12 Your rights

If you are located in the European Union or the United Kingdom

If you are located in the EU or the UK, you have certain rights in relation to your personal data as follows:

  • Access: You have the right to obtain access to and a copy of any personal data we hold about you. You also have the right to find out whether your personal data has been transferred outside the EU and any safeguards relating to this transfer.
  • Rectification: If you consider that any personal data we hold about you is incorrect or incomplete, you have the right to ask us to correct or complete that personal data.
  • Erasure: In certain circumstances, you have the right to ask us to erase any personal data we hold about you.
  • Restriction of processing: In certain circumstances, you have the right to ask us not to process your personal data for certain purposes.
  • Objection to processing: In certain circumstances, you have the right to object to us processing your personal data for certain purposes.
  • Data portability: In certain circumstances, you have the right to request a copy of your personal data in a structured, commonly used and machine-readable format.
  • Withdrawing consent: If we are processing your personal data based on your consent, you have the right to withdraw that consent at any time.

For more information about these rights, visit https://ico.org.uk/for-the-public/.

To make a request pursuant to these rights, contact Kennedys’ Data Protection Officer for United Kingdom and European Union (see section 3 above).

If you are located outside the European Union and the United Kingdom

If you are not located in the EU or the UK, you may still have rights in relation to your personal data under your local data privacy law. Many countries provide data subjects with a right to seek access to any personal data we hold about you, and to request correction of that data if it is incorrect.

To make a request pursuant to these rights, contact Kennedys’ Data Protection Officer for your region (see section 3 above).