We undertake to take all reasonable steps to safeguard and maintain the confidentiality, integrity and accessibility of information entrusted to us by you. We may release information where that is necessary for the legal services that we provide to you, where it relates to the administration of our relationship with you, where we work jointly in a project with a third party or where we are required to disclose information by law or by any professional or regulatory body. We may in certain circumstances be required by law to report to the National Crime Agency or other governmental authorities any evidence or suspicion we have of money laundering or crime in general. In such an event, we are prohibited from notifying the client of the fact or content of such a report.
In addition, for the purpose of legal and accounting audits, other Kennedys’ personnel or third parties may conduct audits of our records from time to time. Your files may be reviewed as part of such an exercise but we will ensure that any party carrying out such an audit signs a confidentiality agreement or is otherwise bound by similar rules of professional ethics governing client confidentiality in relation to the information. If you do not wish your files to be accessed in this way please let us know as soon as possible.
We will not disclose the nature of the work we carry out for you without your written consent unless it is already public knowledge.
In the event of any claim (including wasted costs proceedings) or other complaint being intimated or brought against us you will allow us to disclose and rely on all documents and information so that the court or tribunal has all relevant information available to it.
In the course of carrying out your instructions we may communicate with you via e-mail. You should be aware that the internet is not a secure medium and we cannot guarantee the security or integrity of such communications despite the industry-standard checks we carry out on all e-mails. If you require a greater level of security, you should raise this with us at the outset.
Lien, Document Storage and Retrieval
When the present instruction is concluded we are entitled to keep all your papers and documents while there is money owing to us. Once our costs have been paid we will, unless other arrangements are specifically agreed in writing by a partner, return your original documents. We will store a set of copies for an appropriate period of at least 7 years from the date of the last bill we send you for the matter, after which we will securely destroy those records. We will not destroy deeds, wills or other legal instruments where you have asked us to deposit such documents in safe custody. If you ask us to retrieve information that involves more than merely delivering documents to you from storage, we reserve the right to charge you for the time spent and/or costs incurred.
You may provide personal data to Kennedys (and vice-versa) in connection with this agreement (“Personal Data”). The Personal Data may relate to you (if you are an individual), to your officers, employees and contractors (if you are an organisation) or to other individuals connected with your matter (for example, claimants, policyholders and witnesses) (“Data Subjects”).
You will comply with your obligations, and Kennedys will comply with our obligations, in relation to the Personal Data under the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) as incorporated into the law of the United Kingdom by virtue of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and any other applicable privacy or data protection laws, including in relation to the disclosure of Personal Data to the other party in connection with this agreement.
If you are an individual, you should review Kennedys’ Privacy Notice at www.kennedyslaw.com/privacy. Section 6.1 of the Privacy Notice contains specific information on how Kennedys processes your personal data. The key points of that Privacy Notice are:
- we will collect personal data about you in order to provide legal and other professional services to you and for other purposes related to that purpose;
- we may collect that personal data from you, third parties or public sources;
- we may also use your contact details and interests to manage and develop our relationship with you and to send you communications about our services and firm events;
- the bases for this processing are to perform our contract to provide services to you, and for Kennedys’ legitimate interests in conducting and developing its business;
- we may disclose your personal data to our suppliers and to third parties involved in your matter;
- we may transfer and store your data overseas and your personal data may be accessed by Kennedys personnel worldwide;
- we generally retain your personal data on a matter file for 7 years from the date of the last bill, or for longer if required by law;
- it is mandatory to provide certain personal data to us, otherwise we may be unable to act for you; and
- you may exercise your rights to access, correct, erase, restrict or object to the processing of your personal data by contacting Kennedys’ Data Protection Officer at email@example.com.
Where practicable, you should direct the Data Subjects to review the relevant sections of Kennedys’ Privacy Notice at www.kennedyslaw.com/privacy. Section 6.2 of the Privacy Notice contains specific information on how Kennedys processes the personal data of your officers, employees and contractors; section 6.3 contains specific information on how Kennedys processes the personal data of other individuals connected with your matter.
If you are located wholly or partly outside the United Kingdom, Kennedys (as “data exporter”) and you (as “data importer”) hereby enter into the Standard contractual clauses (controller to controller transfers) (set II) approved by EC Decision 2004/915/EC, as amended replaced or superseded from time to time, including by an equivalent decision under the GDPR (the “Standard Contractual Clauses”) in respect of any cross-border transfer of Personal Data from Kennedys to you which would otherwise be prohibited by the UK GDPR (a “UK GDPR Restricted Transfer”). The Standard Contractual Clauses shall come into effect on the commencement of the relevant UK GDPR Restricted Transfer. Unless otherwise agreed between the parties, the Standard Contractual Clauses will be deemed to have been completed by the parties as follows: (a) in clause II(h) of the Standard Contractual Clauses, the data importer will choose option (i); and (b) Annex B of the Standard Contractual Clauses will be completed with the appropriate details set out in Kennedys’ Privacy Notice at www.kennedyslaw.com/privacy. This clause shall not apply to a UK GDPR Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, to avoid doubt, do not include obtaining consents from data subjects), is to allow the relevant UK GDPR Restricted Transfer to take place without breach of the UK GDPR.