In the course of our acting for you, we may receive information relating to you, your directors, shareholders, beneficial owners, employees, agents, associates and family members. In this Policy, we refer to this information as "personal information".
This Policy sets out the basis on which we will process this personal information. Please read the Policy carefully to understand our practices regarding personal information and how we will use it.
The data controller in respect of personal information is Richards Kibbe & Orbe LLP, a limited liability partnership registered in England and Wales under number OC314284. Our registered office is at Dashwood House, 12th Floor 69 Old Broad Street, London, EC2M 1QS.
Richards Kibbe & Orbe LLP is registered under the Data Protection Act 1998 with registration number Z9282548.
Richards Kibbe & Orbe LLP is authorised and regulated by The Solicitors Regulation Authority.
Richards Kibbe & Orbe LLP is affiliated with the US law firm by the same name, Richards Kibbe & Orbe LLP, a limited liability partnership established under the laws of the State of New York with DOS ID number 2850676 and having its principal offices at 200 Liberty Street, New York, NY 10281-1003, USA.
References in this Policy to “RK&O”, “we”, “our” and “us” are references to Richards Kibbe & Orbe LLP, the UK data controller and its affiliated US law firm.
We are not required to appoint a formal data protection officer under data protection laws. However, RK&O’s Data Protection Contact is Matthew Hughes.
If you have any questions about this policy or your information, or to exercise any of your rights as described in this policy or under applicable data protection laws, you can contact us as follows:
Data Protection Contact
Richards Kibbe & Orbe LLP
12th Floor, Dashwood House
69 Old Broad Street
London EC2M 1QS
By email: email@example.com
By telephone: +44 (0) 20 7382 4880
Anyone processing personal data must comply with the principles of processing personal data as follows:
This Policy describes the personal information that we collect and explains how we comply with these principles.
We collect the personal information as necessary to enable us to carry out your instructions and to manage and operate our business, and to comply with our legal and regulatory obligations.
The personal information that we collect includes, but is not limited to, the following:
You confirm that you are authorised to provide to us the personal information which we shall process on your behalf.
Where the personal information relates to your directors, shareholders, beneficial owners, employees, agents, associates or family members it is not reasonably practicable for us to provide to them the information set out in this Policy. Accordingly, where appropriate you are responsible for providing this information to any such person.
We collect most of this information from you directly, however, we may also collect information:
We process personal information on the basis of one or more of the following:
You may also supply us with, or we may receive, special categories of (or “sensitive”) personal data. This is defined by data protection laws to include personal data revealing a person’s racial or ethnic origin, religious or philosophical beliefs, or data concerning health.
We process these special categories of personal data on the basis of one or more of the following:
We may also collect and store personal data relating to criminal convictions and offences (including the alleged commission of offences).
This data is only processed where it is necessary for the purposes of:
RK&O shall use personal information and any other information which we may collect for the purpose of:
Where we request personal information to identify you for compliance with anti-money laundering regulations, we shall process such information only for the purposes of preventing money laundering or terrorist financing, or as otherwise set out in this Policy or permitted by law.
RK&O acts as a data controller in relation to the processing of personal information as set in this Policy. However, in some circumstances we may process personal data on your behalf as a data processor for the purposes of data protection laws. Where we process any personal information on your behalf as your data processor, the terms set out in our data processing addendum, a copy of which is available on request from our Data Protection Contact, shall apply.
We may use personal information to notify you about important legal developments and services which we think you may find valuable, for sending you newsletters, invitations to seminars and similar marketing.
In this connection we may disclose personal data to our affiliated international offices or to third parties providing marketing services to us, or with whom we are conducting joint marketing exercises.
We may contact you by post, email, telephone or SMS.
You can tell us if you do not wish to receive direct marketing by writing to us or by notifying the Data Protection Contact whose details are set out above.
If you would like to unsubscribe from any email newsletter or other email marketing, you can also click on the ‘unsubscribe’ button at the bottom of the email. It may take a few days for this to take effect.
Email which you send to us or which we send to you may be monitored by us to ensure compliance with professional standards and our internal compliance policies. Monitoring is not continuous or routine but may be undertaken on the instruction of a partner where there are reasonable grounds for doing so.
Our information technology systems are operated by us but some data processing is carried out on our behalf by third parties. Details regarding these third-party data processors can be obtained from our Data Protection Contact whose details are given above.
Where processing of personal data is carried out by a third-party data processor on our behalf we endeavour to ensure that appropriate security measures are in place to prevent unauthorised access to or use of your data.
Personal information will be retained by us and will not be shared, transferred or otherwise disclosed to any third party, except as set out in this Policy.
If we are working with other professional advisers on your behalf we shall assume that we may disclose your information to them, unless you instruct us otherwise.
We may disclose and share personal information
Should we be requested by certain authorities to provide them with access to your information in connection with the work we have done, or are doing, for you, we will comply with that request only to the extent that we are bound by law to do so and, in so far as it is allowed, we will notify you of that request or provision of information.
In certain circumstances, solicitors are required by statute to make a disclosure to the National Crime Agency where they know or suspect that a transaction may involve a crime including money laundering, drug trafficking or terrorist financing. If we make a disclosure in relation to your matter(s), we may not be able to tell you that a disclosure has been made.
We may transfer personal information to a successor firm or company which acquires the legal practice carried on by us. If this happens, we shall ensure that you are notified of the transfer and we shall secure a commitment from the firm or company to which we transfer personal information to comply with applicable data protection laws.
Access to your information and updating your information
Right to object
You have the right to object at any time to our processing of your personal information used for direct marketing purposes.
Where we process your information based on our legitimate interests
You also have the right to object, on grounds relating to your particular situation, at any time, to processing of your personal information which is based on our legitimate interests. Where you object on this ground, we shall no longer process your personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Your other rights
You also have the following rights under data protection laws to request that we rectify your personal information which is inaccurate or incomplete.
In certain circumstances, you have the right to:
Please note that the above rights are not absolute, and we may be entitled to refuse requests, wholly or partly, where exceptions under applicable law apply.
You can exercise any of your rights as described in this policy and under data protection laws by contacting the Data Protection Contact.
Except as described in this policy or provided for under applicable data protection laws, there is no charge for the exercise of your legal rights. However, if your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or taking the action requested; or (b) refuse to act on the request.
Where we have reasonable doubts concerning the identity of the person making the request, we may request additional information necessary to confirm their identity.
We store your information in hard copy and in electronic format. We use industry standard technical and organisational measures to protect information from the point of collection to the point of destruction. For example:
We will only transfer personal data to a third party if they agree to comply with those procedures and policies, or if they put in place adequate measures themselves.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will endeavour to protect your personal information, we cannot guarantee the security of your data transmitted over the internet. In most, if not all instances, we would expect to use a secure transfer site for this purpose.
RK&O is an international organisation with offices in the UK and the USA. Authorised personnel may access your information in any country in which we operate. Therefore, it may be necessary to transfer your information to our affiliated firm in the USA.
The USA is not currently subject to a decision of the European Commission on the adequacy of the protection of personal data. However, we shall take appropriate or suitable safeguards with respect to the transfer of your data to the USA by implementing standard data protection clauses adopted by the European Commission. Details regarding these safeguards can be obtained from our Data Protection Contact whose details are given above.
Personal information received by us will only be retained for as long as necessary to fulfil our engagement. Following the end of our engagement we will retain your information for as long as necessary and permitted for legal, regulatory, fraud and other financial crime prevention and legitimate business purposes. After this period, your personal data will be securely destroyed in accordance with our Data Retention Policy. Further details regarding our data retention policy can be obtained from our Data Protection Contact whose details are given above.
The Data Protection Contact is Matthew Hughes who can be contacted at firstname.lastname@example.org and to whom complaints should be addressed.
In addition, you have the right to complain to the Information Commissioner’s Office (https://ico.org.uk/) about our data processing activities in relation to your personal information if you think they infringe applicable data protection laws (ICO helpline on +44 (0) 303 123 1113).
The current version will always be available from us in hard copy or on our website.
We may change this Policy from time to time. We will post a prominent notice on our website to notify you of any significant changes to this Policy or update you by other appropriate means.
This Policy was last updated on 4 April 2018.