HR privacy notice

1. INTRODUCTION

Kennedys takes the protection of your personal data seriously.

Kennedys is an international legal practice carried on by Kennedys Law LLP and its affiliated firms. References to “Kennedys”, “we” or “us” in this HR Privacy Notice mean Kennedys Law LLP and other firms authorised to use the Kennedys name. A full list of these entities is available at www.kennedyslaw.com/regulatory.

This HR Privacy Notice describes how Kennedys processes personal data about partners, employees and individual contractors of Kennedys.

We may amend this HR Privacy Notice at any time and for any reason. The updated version will be available by following the “Privacy” link on the HR section of the Kennedys intranet. You should check the HR Privacy Notice regularly for changes.

2. DATA PROTECTION LAWS

Kennedys’ EU offices are bound by the European Union (“EU”) General Data Protection Regulation 2016/679 (“GDPR”). Kennedys UK offices are bound by the GDPR as incorporated into the law the United Kingdom by virtue of the European Union (Withdrawal) Act 2018 (the “UK GDPR”). Unless otherwise indicated, references in this Privacy Notice to the GDPR include the UK GDPR.

Kennedys’ other offices outside the EU are subject to their local data protection laws.

In this Privacy Notice, the terms personal data, controller, processor, data subject, consent, recipient, third party, processing and profiling have the meanings given to them in the GDPR.

3. CONTROLLER CONTACT DETAILS

The controller for the processing of personal data under this HR Privacy Notice is:

Kennedys
25 Fenchurch Avenue
London
EC3M 5AD
United Kingdom
Telephone: +44 20 7667 9667
Email: dataprotection@kennedyslaw.com
Website: www.kennedyslaw.com

Contact details for each individual Kennedys Group entity are listed at www.kennedyslaw.com/regulatory.

Any Kennedys Group entity that is not established in the EU appoints as its EU representative:

Kennedys
Second Floor, Bloodstone Building
Sir John Rogerson’s Quay
Dublin 2
D02 KF24
Ireland
Telephone: +353 1 878 0055
Email: dataprotection@kennedyslaw.com
Website: www.kennedyslaw.com

4. DATA PROTECTION OFFICER CONTACT DETAILS

If you have any questions about this HR Privacy Notice or about our personal data processing practices, or if you wish to exercise any of your rights as a data subject, you may contact Kennedys’ Data Protection Officer for your region at dataprotection@kennedyslaw.com or as follows:

United Kingdom & European Union

Andrew Coates
Regional Data Protection Officer
Kennedys
25 Fenchurch Avenue
London EC3M 5AD, United Kingdom
Telephone: +44 20 7667 9063
Email: andrew.coates@kennedyslaw.com

Asia-Pacific & Middle East

Nicholas Blackmore
Regional Data Protection Officer
Kennedys
Level 36, 140 William St
Melbourne VIC 3000, Australia
Telephone: +613 9498 6602
Email: nicholas.blackmore@kennedyslaw.com

North America

Matt Lodge
Regional Data Protection Officer
Kennedys
120 Mountain View Boulevard
Basking Ridge NJ 07920, USA
Telephone: +1 908 848 1225
Email: matthew.lodge@kennedyscmk.com

South America

Isadora Talamo
Regional Data Protection Officer
Kennedys
25 Fenchurch Avenue
London EC3M 5AD, United Kingdom
Telephone: +44 20 7667 9236
Email: isadora.talamo@kennedyslaw.com

5. LEAD SUPERVISORY AUTHORITY CONTACT DETAILS

If you have a complaint about our personal data processing practices, you should first contact Kennedys’ Data Protection Officer for your region. If you are not satisfied with our response, you have the right to lodge your complaint with the following supervisory authority:

United Kingdom (UK GDPR)
Information Commissioners Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
United Kingdom
Telephone: +44 (0) 303 123 1113
Email: casework@rco.org.uk
Website: https://ico.org.uk

European Union (GDPR)
Data Protection Commission
21 Fitzwilliam Square South
Dublin 2
D02 RD28
Ireland
Telephone: +353 578 684 800
Website: https://www.dataprotection.ie/

If you are located outside the EU or the UK, you may also contact your local data protection authority. Kennedys’ Data Protection Officer for your region can provide contact details.

6. HOW WE MAY PROCESS YOUR PERSONAL DATA

Kennedys will collect certain personal data about partners, employees and individual contractors of Kennedys.

  • Types of personal data collected

We collect a range of personal data about partners, employees and contractors of Kennedys, including name, contact details, profile photos, date of birth, government–issued identifiers (e.g. ID numbers, passport numbers, national insurance numbers, tax numbers), marital status, educational records, qualifications/CV, languages, visa status, contract details, remuneration details, employment performance and development, use of and access to Firm-purchased resources, disciplinary record, sickness records, health and medical information, and contact details and date of birth for next of kin.

We may collect data about ethnicity, disability and sexual orientation for diversity policy purposes, but this data will be collected on an anonymous basis and stored so that no individual is identifiable from the information.

  • Purposes of processing

We may process your personal data for purposes related to your partnership, employment or contractor relationship. These may include paying your salary or fees, monitoring your performance and development, disciplinary action, making decisions about promotions, managing the firm’s resources, contacting you or your family in an emergency, and other similar purposes.

  • Legal basis for processing

Partners, employees and contractors of Kennedys all have a contract with Kennedys which requires and allows Kennedys to process their personal data in various ways for the purposes of the partnership, employment or contractor relationship. Kennedys will process partner, employee and contractor personal data as necessary for the performance of that contract and to take steps to enter into that contract.

For processing which is not required for the performance of that contract, Kennedys will generally rely on Kennedys’ legitimate interests in:

  • employing and managing its partners, employees and contractors;
  • providing legal services (such as advice and litigation), claims handling services (such as claims administration, management and processing) and other professional services (such as debtor and asset tracing) to its clients, ensuring those services are of high quality, and complying with all regulations which apply to the provision of those services; and
  • developing and growing its business and its relationships, understanding the needs of its clients and prospective clients, and providing insights and commentary on legal issues.

Kennedys will only rely on those legitimate interests to process personal data where:

  • the processing is necessary for the purposes of those for the purposes of those legitimate interests; and
  • those legitimate interests are not overridden by the data subject’s interests or fundamental rights and freedoms.

Kennedys may still ask for consent to process personal data in some situations, for example where processing is necessary to provide optional employee benefits, such as health insurance.

  • Recipients or categories of recipients

We may disclose your personal data to:

  • clients, barristers, court officials, experts and other third parties involved in a client matter, for purposes related to the matter;
  • business development targets, for business development purposes; and
  • third parties who provide human resources, payroll, administrative, storage, telecommunications, information technology and other services to us in support of our business (however, we will ensure that all such suppliers are subject to obligations not to use or disclose that data).

In most countries, we are required by law to provide certain personal data about you to government authorities. This may include reporting amounts we pay you to taxation authorities, arranging work permits and visas, and reporting your employment status to immigration authorities.

In exceptional circumstances, we may be required or permitted by law to disclose personal data, for example to law enforcement authorities or to prevent a serious threat to public safety.

  • Transfers

We may transfer your personal data overseas.

The information systems of Kennedys Group are hosted on central servers located in the United Kingdom and Singapore. Any personal data that we store on our systems will be transferred to one of those locations.

Many of Kennedys Group’s information systems, including electronic matter files, client information and finance systems are accessible by Kennedys offices around the world. This means your personal data may be accessed by Kennedys’ personnel overseas.

When a matter involves obtaining legal or other professional advice from another country, we may need to transfer details about the matter, including personal data, to a Kennedys office or third party in that country.

For the purposes of the GDPR, the European Commission issues adequacy decisions on the data privacy laws of non-EU countries. The majority of countries to which Kennedys may transfer personal data are not covered by an EC adequacy decision. However, many of them do have local data privacy laws which are similar to the GDPR.

All Kennedys Group entities worldwide will treat your personal data in accordance with this HR Privacy Notice and their local data privacy law. All Kennedys offices outside the EU have entered into an agreement which requires them to treat all personal data transferred to them from Kennedys’ EU offices in accordance with the GDPR.

In addition, Kennedys adopts following safeguards when transferring personal data overseas:

  • Kennedys will always make such transfers in accordance with the requirements of the data privacy laws of your home country;
  • Kennedys will require that any overseas third party to which it discloses your personal data to: (a) only use that personal data for the purposes for which it was disclosed; (b) use all technical and organisational measures which are reasonable in the circumstances to secure that personal data; (c) delete that personal data when it is no longer required; and (d) treat that personal data in accordance with this HR Privacy Notice and their local data privacy law; and
  • Kennedys technology and control mechanisms are designed and monitored by Kennedys in the UK and are internally assessed for compliance against our Security Policy and ISO27001 standards by an IT Security Manager. A six-monthly assessment of the processes and controls is also carried out by external auditors, who provide certification against ISO27001.

 

  • Retention period

Kennedys will only retain personal data for as long as it has a legitimate purpose to do so. Kennedys will need to retain personal data for commercial and legal purposes. How long it will need to retain personal data for these purposes will depend on the specific personal data.

Kennedys may retain your personal data for the duration of your partnership, employment or contractor relationship. After the end of that relationship, Kennedys may continue to retain your personal data:

  • which it is required to retain under any applicable law (for example, under employment or taxation laws); or
  • which it still needs for any purpose relating to the partnership, employment or contractor relationship (for example, to pay any remaining entitlements or to defend the firm in the event of a dispute).

This will generally mean that Kennedys will retain your personal data for at least six years after the end of your partnership, employment or contractor relationship.

Once Kennedys has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.

  • Requirement to provide personal data

In most cases, it is mandatory to provide the above personal data to us. Without that personal data, we would be unable to manage your partnership, employment or contractor relationship. In most countries, we are required by law to collect certain personal data about you.

In some cases, it is optional to provide personal data. We will tell you where this is the case. Providing us with optional personal data may allow us to provide additional benefits to you or to improve our client services or workplace. For example, it is not mandatory to tell us what languages you speak, but doing so will help us offer a better service to clients.

7. AUTOMATED DECISION-MAKING INCLUDING PROFILING

Kennedys does not engage in any automated decision-making or profiling.

“Automated decision-making” means a decision based solely on automated processing of personal data (without human intervention) which produces legal effects concerning the person or otherwise significantly affects the person.

“Profiling” is a form of automated decision-making. It uses personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is generally associated with systems based on artificial intelligence and machine learning. A system will be provided with a set of personal data and trained to identify correlations, and to then use those correlations to predict future behaviour by individuals.

8. YOUR RIGHTS

If you are located in the European Union or the United Kingdom

If you are located in the EU or the UK, you have certain rights in relation to your personal data as follows:

  • Access: You have the right to obtain access to and a copy of any personal data we hold about you. You also have the right to find out whether your personal data has been transferred outside the EU and any safeguards relating to this transfer.
  • Rectification: If you consider that any personal data we hold about you is incorrect or incomplete, you have the right to ask us to correct or complete that personal data.
  • Erasure: In certain circumstances, you have the right to ask us to erase any personal data we hold about you.
  • Restriction of processing: In certain circumstances, you have the right to ask us not to process your personal data for certain purposes.
  • Objection to processing: In certain circumstances, you have the right to object to us processing your personal data for certain purposes.
  • Data portability: In certain circumstances, you have the right to request a copy of your personal data in a structured, commonly used and machine-readable format.
  • Withdrawing consent: If we are processing your personal data based on your consent, you have the right to withdraw that consent at any time.

For more information about these rights, visit https://ico.org.uk/for-the-public/

To make a request pursuant to these rights, contact Kennedys’ Data Protection Officer for United Kingdom/Europe (see section 3 above).

If you are located outside the European Union and the United Kingdom

If you are not located in the EU or the UK, you may still have rights in relation to your personal data under your local data privacy law. Many countries provide data subjects with a right to seek access to any personal data we hold about you, and to request correction of that data if it is incorrect.

To make a request pursuant to these rights, contact Kennedys’ Data Protection Officer for your region (see section 3 above).