Privacy notice
Scope
This Privacy Notice (“Notice”) describes how Three Crowns collects and uses your Personal Data in accordance with the EU General Data Protection Regulation (GDPR) and other applicable data protection and privacy legislation. It tells you what Personal Data we collect, why we need it, how we use it and what protections are in place to keep it secure.
Key Terms
“Three Crowns,” “we,” “us,” and “our” mean Three Crowns (Services) LLP, Three Crowns (US) LLP, Three Crowns (Services) Pte. Ltd, and Three Crowns (Spain) SLP (to the extent that it processes Personal Data concerning persons (“Data Subjects”) in the European Union).
“Three Crowns Personnel” means Three Crowns’ prospective, present and past partners, employees, consultants and agency staff, and people connected to such persons.
“Personal Data” means information about individuals (including you), and from which such individuals could be identified.
“You” means individuals whose Personal Data we process including, but not limited to Three Crowns’ clients, Three Crowns’ client personnel, counter-parties, counter-party personnel, other solicitors/advisors, witnesses, suppliers, supplier personnel, job applicants, and individuals to whom we send marketing communications. “You” does not include Three Crowns Personnel.
Data Controller
Three Crowns is the Data Controller in relation to your Personal Data and is committed to protecting the privacy rights of individuals, including your rights.
Data Protection Committee
Three Crowns is not required under the GDPR to appoint a Data Protection Officer and, following a detailed analysis, does not consider it appropriate to do so on a voluntary basis. It has, however, established a Data Protection Committee (DPC), which is responsible for overseeing Three Crowns’ compliance with the GDPR and any other applicable data protection legislation and regulation. In addition, our Compliance Officer for Legal Practice (COLP) oversees compliance with our professional responsibilities and with legislative requirements.
The DPC can be contacted at [email protected] or at The JJ Mack Building, 33 Charterhouse Street, London EC1M 6HA, United Kingdom.
How does Three Crowns obtain your personal data?
In some circumstances, we may obtain your Personal Data from you directly including through your use of this website or a job application but, more typically, we will obtain your Personal Data from a third-party source. For example, we may collect information from our clients/our clients’ personnel, agents and advisors, other law firms/advisors which represent you, the company for whom you work, other organisations/persons with whom you have dealings, government agencies, credit reporting agencies, recruitment agencies, information or service providers, and publicly available records.
What about personal data which you provide to Three Crowns?
If you provide information to us about someone else (such as one of your associates, directors or employees, or someone with whom you have business dealings) you must ensure that you are entitled to disclose that information to us and that, without our taking any further steps, we may process that information in accordance with this Notice.
What personal data does Three Crowns collect from and about you?
We collect and use different types of Personal Data about you which will vary in type and detail depending on the circumstances and purpose of processing. Please consider the following illustrative and non-exhaustive examples:
- Personal Data about you: name, address, date of birth, marital status, nationality, race, gender, preferred language, job title, work life, and restrictions and/or required accommodations, possibly about your family life;
- Personal Data to contact you at work or home: name, address, telephone, and e-mail addresses;
- Personal Data which may identify you: photographs and video, passport and/or driving license details, electronic signatures;
- Personal Data to process any payment we might need to make to you: bank account details, HMRC numbers, and references (where applicable);
- Personal Data to monitor your use of our website: IP address, traffic and location information, weblogs, and other communication information.
Why do we need to collect and use your personal data?
We need to collect and use your Personal Data for a number of reasons, the primary purpose being to provide legal advice and services to our clients, and which may involve the use of your Personal Data in the following (non-exhaustive) ways:
- to contact you if you are involved in a matter we are undertaking for a client, whether in your professional or personal capacity;
- to carry out investigations, risk assessments, and client due diligence;
- to analyse the practices of your employer or other organisations and/or persons with whom you have dealings;
- to review, draft, and disclose correspondence and other documents, including court documents;
- to instruct third-parties on behalf of our clients; and
- for comparison/analytical purposes and to formulate legal opinions and provide advice.
We may also process your Personal Data for effective business management purposes which may involve the use of your Personal Data in the following (non-exhaustive) ways:
- to engage and contact suppliers;
- to carry out internal reviews, investigations, audits;
- to conduct business reporting and analytics;
- to advertise and market the services that we provide;
- to help measure performance and improve our services;
- for recruitment purposes;
- for regulatory and legislative compliance and related reporting; and
- for the prevention and detection of crime.
What is Three Crowns’ legal basis for processing your personal data?
Under the GDPR, Three Crowns must identify a lawful basis for processing your Personal Data which may vary according to the type of Personal Data processed and the individual to whom it relates.
– Performance of a contract with you (where applicable):
Three Crowns is entitled to process the Personal Data it requires in order to fulfil its obligations under its contract with you. This will be the relevant legal basis if you are an individual client or supplier/other individual with a direct contractual relationship with Three Crowns.
– Legitimate interests of Three Crowns or a third-party:
We process some of your Personal Data on the basis that it is in our legitimate interests and/or the legitimate interests of a third-party to do so. This will primarily concern the processing of Personal Data that is necessary to provide legal advice and services to our clients. Three Crowns’ legitimate business interest in such instances is the proper performance of its function as an authorised and regulated provider of legal services. Three Crowns’ clients also have a legitimate interest (and a more general right in law) in obtaining legal advice and services.
Three Crowns’ broad interest in the provision of legal services as a basis for processing your Personal Data, and our clients’ corollary interest in the receipt of such services, can be broken down into more discrete categories which may include, but are not limited to:
- the interest in contacting individuals relevant to Three Crowns’ work and our clients’ matters, which may involve the use of your Personal Data;
- the interest in reviewing documents and correspondence that have been disclosed to Three Crowns, Three Crowns’ clients, and third-parties which may contain your Personal Data;
- the interest in reviewing and analysing all evidence available to Three Crowns and its clients, which may contain your Personal Data;
- the interest in adducing legal arguments, creating documents and correspondence, which may contain your Personal Data;
- the interest in disclosing documents and correspondence, which may contain your Personal Data, to various parties in the furtherance of Three Crowns’ clients’ objectives;
- the interest in instructing third-parties on behalf of Three Crowns’ clients;
- the interest in receiving payment from Three Crowns’ clients and third-parties and to facilitate payments to and from Three Crowns’ clients and third-parties; and
- in order to allow for all of the above, the secure management and storage of your Personal Data, within our IT environment and hard-copy filing systems.
Three Crowns may also process your Personal Data on the basis that it is necessary for its legitimate business interests in the effective management and running of Three Crowns which may include, but is not limited to: engaging suppliers and supplier personnel; ensuring that its systems and premises are secure and running efficiently; for regulatory and legislative compliance, and related auditing and reporting; for insurance purposes; for recruitment/hiring purposes; for marketing purposes; and to facilitate, make, and receive payments.
Three Crowns does not consider that the processing of your Personal Data, on the basis that it is within Three Crowns’ legitimate interests (whatever such interests might be), is unwarranted because of any prejudicial effect on your rights and freedoms or your legitimate interests.
– Compliance with a legal obligation to which Three Crowns is subject:
In certain circumstances, Three Crowns must process your Personal Data in order to comply with its legal obligations. This might include, but is not limited to, Personal Data required: for tax and accounting purposes; for conflict checking purposes as required by the common law and Three Crowns’ regulators; and for Three Crowns to fulfil its compliance and other obligations under relevant legislation/regulation.
More information relating to legal bases for processing Personal Data can be found on the Information Commissioner’s website (see details below) or by contacting the DPC.
Special category and criminal records personal data
If Three Crowns processes your criminal records Personal Data or special category Personal Data relating to your racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, health data, biometric data, or sexual orientation, we will obtain your explicit consent to those activities unless this is not required by law (because, for example, it is processed for the purpose of exercising or defending legal claims) or the information is required to protect your health in an emergency. Where we are processing Personal Data based on your consent, you have the right to withdraw that consent at any time.
Direct Marketing
We may use your contact details to send you marketing materials provided we are permitted to do so by law. You always have the right to unsubscribe from any marketing. You can do so by clicking on the relevant link in the next email we send you, or by contacting the DPC using the details provided.
Who receives your personal data?
We may disclose your Personal Data to third-parties (outside of Three Crowns and Three Crowns Personnel) if, but only when, we have a legal basis to do so. Such recipients include but are not limited to: co-counsel, other solicitors/barristers/experts/foreign law firms whom we instruct on your behalf; Three Crowns’ insurance brokers and underwriters; Three Crowns’ bank, auditors, and accountants; Three Crowns’ outsourced IT providers and other suppliers; HMRC; the Solicitors Regulation Authority; the Law Society; the Home Office and Passport Services; the other side/other parties on any given matter (lay and solicitor).
How do we protect your personal data?
We have security arrangements in place to guard against unauthorised access, improper use, alteration, destruction, or accidental loss of your Personal Data. We take appropriate organisational and technical security measures and have rules and procedures in place to ensure that any Personal Data we hold is not accessed by anyone unauthorised to access it. We have in place, and abide by, a specific information security policy about the security standards used to protect your Personal Data.
We are certified under the ISO/IEC 27001 standard, the world’s highest accreditation for information security and the only auditable international benchmark for information security management. To obtain this certification, the firm underwent a comprehensive set of internal and external reviews.
When we use third-party organisations to process your Personal Data on our behalf, they must also have appropriate security arrangements, must comply with our contractual requirements and instructions, and must ensure compliance with the GDPR and any other relevant data protection legislation.
Is your personal data transferred to "third countries" and, if so, what safeguards are in place?
In accordance with this Notice and the provisions of the GDPR, we may transfer your Personal Data to organisations located in “third countries” (those outside of the EEA). In addition to the security arrangements mentioned above in relation to our engagement of third-party organisations, where such transfers are required we will ensure that your Personal Data is adequately protected, for example, by using a contract for the transfer which contains specific data protection provisions (“Model Clauses”) that have been adopted by the European Commission or a relevant data protection authority.
The transfer of your Personal Data from Three Crowns (Services) LLP (our UK and Paris offices) to Three Crowns (US) LLP (our Washington, DC office), Three Crowns (Services) Pte. Ltd., or Three Crowns (Spain) SLP (our Madrid office) constitutes a transfer to a “third country” and, accordingly, these entities have contracted on such a basis. If you wish to see a copy of these Model Clauses, please contact the DPC.
How long will your personal data be retained by Three Crowns?
It is our policy to retain your Personal Data for the length of time required for the specific purposes for which it is processed by Three Crowns and which are set out in this Notice. However, we may be obliged to keep your Personal Data for a longer period, for example, where required by our legal and regulatory obligations or in order to ensure we have effective back-up systems. In such cases, we will ensure that your Personal Data will continue to be treated in accordance with this Notice, restrict access to any archived Personal Data, and ensure that all Personal Data is held securely and kept confidential.
What are your rights?
The GDPR generally affords individuals a right to access their Personal Data, to object to the processing of their Personal Data, to rectify, to erase, to restrict, and to port their Personal Data.
We have specific procedures in place in relation to Subject Access Requests (“SARs”) that you may be entitled to make. Put simply, a SAR is a request made by you which requires us to provide you with details of your Personal Data which we hold and process and a description of how we process it. Any questions or requests should be put in writing to the DPC.
There are exceptions to the rights of individuals in relation to their Personal Data and, particularly when we are processing your Personal Data for the purpose of providing legal advice to our clients, your rights may be limited. We will, at all times, respect your Personal Data and seek to be as transparent as possible, but please be aware that, in some instances, we may be restricted from even acknowledging that we process your Personal Data.
How to make a complaint
If you are unhappy with the information provided in this Notice or have concerns about the way in which Three Crowns processes your Personal Data, you may in the first instance contact the DPC and, if you remain dissatisfied, you may apply directly to the Information Commissioner, the Commission Nationale de l’Informatique et des Libertés (CNIL), or the Agencia Española de Protección de Datos (AEPD) for a decision.
The Information Commissioner can be contacted at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom (www.ico.org.uk)
The Commission Nationale de l’Informatique et des Libertés can be contacted at: CNIL, 3 Place de Fontenoy, TSA 80715, 75334 PARIS, CEDEX 07, France (www.cnil.fr)
The Agencia Española de Protección de Datos (AEPD) can be contacted at: C/ Jorge Juan, 6, 28001 Madrid, Spain (www.aepd.es/es)
Privacy Policy
Introduction
Everyone has rights concerning the way in which their personal data is handled. During the course of our activities at Three Crowns we will collect, store and process personal data about our clients, our employees, our suppliers and other third parties. We recognise that the correct and lawful treatment of this data will maintain confidence in our business and lead to effective business operations.
Everyone at the Firm is obliged to comply with this policy when processing personal data. Any breach of this policy may result in disciplinary action.
Background to the General Data Protection Regulation (“GDPR”)
The GDPR 2016 replaces the EU Data Protection Directive of 1995 and supersedes the laws of individual EU Member States that were developed in compliance with the Data Protection Directive 95/46/EC (including the Data Protection Act 1998 in the UK).
The purpose of the GDPR is to protect the “rights and freedoms” of natural persons (i.e. living individuals) and to ensure that personal data is not processed without their knowledge, and, wherever possible, that it is processed with their consent.
The GDPR applies to the processing of personal data by automated means (i.e. by computer) and to processing as part of a filing system (i.e. paper records) (Article 2 GDPR).
The GDPR will apply to all controllers that are established in the EU, such as Three Crowns (Services) LLP, who process the personal data of data subjects. It will also apply to controllers outside of the EU, such as Three Crowns (US) LLP, that process personal data in order to offer goods and services to, or monitor the behaviour of, data subjects who are resident in the EU.
Definitions used by Three Crowns (From the GDPR)
Article 4 GDPR definitions:
Personal data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Data controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or Member State law, the controller or the specific criteria for its nomination may be provided for by EU or Member State law.
Data processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data subject – any living individual who is the subject of personal data held by an organisation.
Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Profiling – any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyse or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behaviour. (This definition is linked to the right of the data subject to object to profiling and a right to be informed about the existence of profiling, of measures based on profiling and the envisaged effects of profiling on the individual).
Personal data breach – a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. There is an obligation on the controller to report personal data breaches to the supervisory authority and, where the breach is likely to adversely affect the personal data or privacy of the data subject, to the data subject.
Data subject consent – means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.
Third party – a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Policy Statement
Three Crowns’ Management Team is committed to compliance with all relevant EU and Member State laws in respect of personal data, and to the protection of the “rights and freedoms” of individuals whose information Three Crowns collects and processes in accordance with the GDPR.
Compliance with the GDPR is described by this policy and other relevant policies such as the firm’s policy on Confidentiality and Information Security Policy.
The GDPR and this policy apply to all of Three Crowns’ personal data processing functions, including those performed on the personal data of or received from clients, employees, suppliers and other third parties.
The firm’s Data Protection Committee (“DPC”), consisting of Constantine Partasides and the Risk and Compliance Team, is responsible for reviewing the register of processing annually in the light of any changes to Three Crowns’ activities and to any additional requirements identified by means of data protection impact assessments. This register will be made available to the Information Commissioner’s Office on request.
This policy applies to all Partners, employees and consultants at Three Crowns, as well as outsourced suppliers.
This policy does not form part of any employee’s contract of employment and may be amended at any time.
Any breach of the GDPR will be dealt with under Three Crowns’ disciplinary policy and may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities.
Responsibilities and Roles Under the GDPR
Three Crowns is a data controller under the GDPR in relation to a large amount of personal data and may also be a data processor in relation to other personal data from other controllers.
Compliance with the GDPR is the responsibility of everyone at Three Crowns as everyone will process personal data, which can include merely accessing such data as part of their role.
Three Crowns personnel must ensure that any personal data about them and supplied by them to Three Crowns is accurate and up-to-date (including, where appropriate, data relating to their dependants, next of kin, etc.).
Three Crowns’ Management Team and those with managerial or supervisory roles throughout Three Crowns are responsible for developing and encouraging good information handling practices within Three Crowns.
The DPC is accountable to the Management Team of Three Crowns for the management of personal data and for ensuring that compliance with the GDPR and good practice can be demonstrated. This accountability includes the development and implementation of GDPR compliance as required by this policy, and security and risk management in relation to compliance with the policy. The DPC has specific responsibilities in respect of procedures such as the firm’s Subject Access Requests procedure and is the first point of contact for Three Crowns personnel seeking clarification on any aspect of data protection compliance.
DATA PROTECTION PRINCIPLES
All processing of personal data must be conducted in accordance with the data protection principles as set out in Article 5 of the GDPR.
Three Crowns’ policies and procedures are designed to ensure compliance with these principles, though it should be noted that there are of course exceptions which apply to these general and overarching values.
Principle 1: Personal data must be processed lawfully, fairly and transparently
Lawfully – Three Crowns must identify a lawful basis before we can process personal data. These are often referred to as the “conditions for processing”.
Fairly – in order for processing to be fair, Three Crowns has to make certain information available to the data subjects. This requirement has increased under the GDPR and applies whether the personal data was obtained directly from the data subjects or from other sources. However, there are exceptions to such disclosures which may be applicable to law firms such as Three Crowns.
Transparently – the GDPR includes comprehensive requirements for Three Crowns to provide privacy information to data subjects. These are detailed and specific, placing an emphasis on making privacy notices understandable and accessible. However, again there are exceptions in the context of legal services and disputes.
Three Crowns’ approach to privacy notices is set out in this Policy.
Principle 2: Personal data can only be collected for specific, explicit and legitimate purposes
Data obtained for specified purposes by Three Crowns must not be used for a purpose that differs from those formally notified to data subjects.
Principle 3: Personal data must be adequate, relevant and limited to what is necessary for processing (aka “data minimisation”)
Three Crowns must not collect data that is not strictly necessary for the purpose for which it is obtained. However, in the context of the Firm’s legal services, where personal data is obtained from clients, Three Crowns has a relatively broad remit to advise and exercise control relating to the data.
Principle 4: Personal data must be accurate and kept up to date with every effort to erase or rectify without delay
Data stored by Three Crowns must be reviewed and updated as necessary. Whilst usually no data should be kept unless it is reasonable to assume that it is accurate, there are again exceptions, particularly where it is necessary to keep a record of data as it existed at a given point in time.
Three Crowns reviews on at least an annual basis the retention dates of all the personal data processed and data which is no longer required to be held will be securely deleted/destroyed in line with the Firm’s Retention Schedule.
Principle 5: Personal data must be kept in a form such that the data subject can be identified only as long as is necessary for processing.
It follows from the commentary for Principle 4 that wherever possible and practicable, if personal data is retained by Three Crowns beyond the processing date, access to it should be restricted (and it could also be minimised, encrypted or pseudonymised in order to protect the identity of the data subject in the event of a data breach).
Principle 6: Personal data must be processed in a manner that ensures the appropriate security
In determining appropriateness, Three Crowns’ DPC should also consider the extent of possible damage or loss that might be caused to data subjects if a security breach occurs, the effect of any security breach on Three Crowns itself, and any likely reputational damage including the possible loss of client trust.
The additional “accountability” principle – the controller must be able to demonstrate compliance with the other Principles
The GDPR includes provisions that promote accountability and governance, including Article 5(2) which requires Three Crowns to demonstrate compliance with the principles above.
Three Crowns demonstrates compliance by implementing policies, adhering to procedures and best practice, and implementing appropriate technical and organisational measures (including data protection by design and by default, breach notification procedures and incident response plans etc).
DATA SUBJECTS’ RIGHTS
Data subjects may be able to exercise a number of rights in relation to the processing of their data by Three Crowns. These include the right to:
- make access requests: regarding the nature of information held and to whom it has been disclosed (Subject Access Requests).
- correction and deletion: rectify, block, erase (including the right to be forgotten) or destroy inaccurate data.
- prevent processing: likely to cause damage or distress, or for the purposes of direct marketing.
- complain to Three Crowns: relating to the processing of their personal data or the handling of requests.
- claim compensation: if they suffer damage by any contravention of the GDPR.
- involve the ICO: to assess whether any provision of the GDPR has been contravened.
- portability: to have personal data transmitted to another controller.
Data subjects may make data access requests as described in the Subject Access Request procedure, which ensures that Three Crowns’ response to the data access request complies with the requirements of the GDPR.
However, it should be noted that a data subject’s right to be notified that Three Crowns even has their data in the first place, or their right to access, correction, erasure, etc., may be removed or curtailed where Three Crowns can show that it is necessary on the basis of compelling legitimate grounds, for compliance with a legal obligation, or for the establishment, exercise or defence of legal claims.
LAWFUL BASIS FOR PROCESSING
Clearly the GDPR is not intended to prevent the reasonable day-to-day processing of personal data, but to ensure that it is done lawfully, fairly and transparently.
For personal data to be processed lawfully, such data must be processed on the basis of one of the legal grounds set out in the GDPR. These include (i) the data subject’s consent to the processing, (ii) that the processing is necessary for the performance of a contract with the data subject, (iii) that the processing is necessary for compliance with a legal obligation to which the data controller is subject, or (iv) that the processing is necessary for the legitimate interests of the data controller or a third-party. (In connection with special category data, i.e. when sensitive personal data is being processed, additional conditions must be met.)
Consent
Three Crowns understands ‘consent’ to mean a freely and explicitly given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
We also note that Three Crowns, as the controller, must be able to demonstrate that consent was obtained for the processing operation, and that the data subject can then withdraw their consent at any time.
For all these reasons, in practice, except in very limited circumstances, Three Crowns is unlikely to rely on consent as a lawful basis for processing any personal data.
Finally, we must note that for sensitive personal data, explicit written consent of data subjects must be obtained unless an alternative basis for processing exists which may be “necessary for the exercise or defence of legal claims or where courts are acting in their judicial capacity” or “necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement”.
Necessary for the performance of a contract with the data subject
This is the relevant lawful basis on which Three Crowns will rely in relation to processing the personal data of Firm personnel. It can also be relied on in the context of personal data held for any individual clients, i.e. natural persons.
Compliance with a legal obligation to which the data controller is subject
This lawful basis can appropriately be relied upon when Three Crowns processes personal data to conduct conflict checks and client due diligence, and in relation to records relating to PAYE, pensions and tax, by virtue of its legal obligations under the common law, statute and regulation.
Legitimate interests of the data controller or a third party
Three Crowns will most commonly rely on this as a lawful basis for processing personal data on grounds that it is in the legitimate interests of the Firm and / or third parties (to include personnel, clients, suppliers etc) to do so. Such interests will differ according to the specific circumstances but, broadly, much of the processing undertaken by Three Crowns is likely to be in the legitimate interest of the Firm in carrying out its function / purpose in the most effective way.
In respect of relying on legitimate interests as a lawful basis for processing personal data, Three Crowns will always consider the interests / fundamental rights and freedoms of the data subject. Three Crowns’ status as a law firm and the conferral of legal, professional and ethical obligations (to include confidentiality and security) on both Three Crowns itself and its personnel, are robust safeguards which protect the rights and freedoms of relevant data subjects.
Exemptions
When Three Crowns processes personal data on the basis that it is necessary for the purpose of clients requesting and obtaining legal advice, it will be able to rely on certain exemptions from requirements under the GDPR (through Schedule 2, Part 1 of the UK Data Protection Bill). In those circumstances the relevant data subjects’ rights will be restricted in relation to the information that must be provided to them, as well as their rights to rectification, to erasure, to restriction of processing, to portability and to object, and the application of the purpose limitation principle.
Security of Data
Three Crowns personnel are responsible for ensuring that any personal data which Three Crowns processes, and for which they are responsible as part of their roles, is kept securely and is not disclosed to any third party unless that third party has been specifically authorised by Three Crowns to receive that information and has entered into a contract recognising its role as a data processor.
The Information Security Policy sets out detailed policies and procedures on Information Security, though what follows are the golden rules when it comes to protecting personal data:
- Personal data should be accessible only to those who need to use it, and access internally may only be granted in line with the Firm’s Access Control policies (which are held and managed by the DPC working in conjunction with the IT Team).
- Utmost care must be taken if personal data must be transferred and when such data is in transit:
  - Ensure third party recipients have agreed the required contractual terms, recognising their role as a data processor;
  - Hard copy documents containing such data must be kept under close supervision when in use, and under lock and key when not in use;
  - Electronically stored information containing personal data must be protected through encryption and access controls such as passwords (a password on a document or archive on its own is not a substitute for encrypting the data); and
  - When using any device to view data, make sure your screen is not visible to others (e.g. that you are not overlooked on a train) and ensure that auto-lock and time-out settings are engaged.
- All Three Crowns personnel are required to enter into an Acceptable Use Agreement which details these golden rules and other key personal responsibilities, such as to ensure strong passwords are used.
- Hard copy records must not be accessible to unauthorised personnel and may not be removed from Three Crowns premises without explicit authorisation.
- Personal data may only be deleted or disposed of in line with the Firm’s procedures. Hard copy records that have reached their retention date are to be shredded and disposed of securely as ‘confidential waste’.
RETENTION AND DISPOSAL OF PERSONAL DATA
Three Crowns shall not keep personal data in a form and in such a manner that permits identification of data subjects longer than the Firm has determined is necessary, in relation to the purposes for which the data was originally collected or for other purposes in accordance with law or best practice.
The retention period for different categories of personal data is set out in the Data Retention Schedule, along with the criteria used to determine this period, including any legal or statutory obligations Three Crowns has to retain the data.
Personal data must be disposed of securely in accordance with the sixth principle of the GDPR – which requires that such data is processed in an appropriate manner to maintain security, thereby protecting the rights and freedoms of data subjects. Any disposal of data will be completed in accordance with Three Crowns’ secure disposal and deletion procedures.
Where personal data is retained as electronically stored information in back-ups and it would be disproportionate to attempt to delete such data, Three Crowns has determined that, provided adequate controls prevent back-up tapes and other storage devices from being accessed without the relevant approvals, in practice it is not possible to further process such data in a manner which permits the identification of, or which threatens the rights and freedoms of, any data subject. Such controls include preventing access by any personnel or third party except with the express approval of the DPC for specified purposes (for example where required by law or in relation to disclosure in the context of a legal claim).
DATA TRANSFERS OUTSIDE THE EEA
The default position under the GDPR is that all exports of personal data from within the European Economic Area (“EEA”) to non-EEA countries are unlawful unless an appropriate “level of protection for the fundamental rights of the data subjects” is ensured because one or more of the specified safeguards or derogations apply. Please bear in mind that even providing a third party outside the EEA with access to personal data (for example remote access to a system) will amount to ‘transferring’ or ‘exporting’ such data.
In addition to this requirement for adequate protection (or reliance on a derogation), and as is the case with all processing of personal data (see above), there must be a lawful basis on which to transfer personal data outside of the EEA. This is likely to mirror the basis upon which Three Crowns relies for the initial processing, but it must in any event be necessary for the data to be transferred outside of the EEA for the purpose in question, and the position will vary depending on the specific circumstances.
Transfers to countries which the EU has confirmed have adequate protection
The European Commission can assess third countries, a territory and/or specific sectors within third countries to determine whether there is an appropriate level of protection for the rights and freedoms of natural persons.
Countries that are members of the EEA (Liechtenstein, Norway and Iceland), but not of the EU, are accepted as having met the conditions for an adequacy decision.
A list of countries that currently satisfy the adequacy requirements of the Commission is published in the Official Journal of the European Union (see http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm).
Transfers to US companies which certify to the EU-US Privacy Shield
The US is an example of a country outside the EEA which has not been found by the European Commission to provide an adequate level of data protection in its general law.
If a transfer to the US takes place pursuant to the Privacy Shield framework (i.e. the transferee is signed up via the US Department of Commerce), the European Commission has declared that the US maintains an adequate level of protection for personal data transferred to the US from the EU.
If the Firm wishes to transfer personal data from the EEA to an organisation in the US it should check that the organisation is signed up with the Privacy Shield framework via the US Department of Commerce.
Other transfers outside the EEA
In the absence of the Privacy Shield or an adequacy decision, Three Crowns can transfer personal data outside of the EEA to jurisdictions without adequate protection, e.g. the US, only in the following circumstances:
- the Firm provides appropriate safeguards and provided data subjects can enforce their legal rights and have effective legal remedies (Article 46, GDPR); or
- under one of the derogations for specific situations (Article 49, GDPR).
Appropriate safeguards include (but are not limited to):
- binding corporate rules (Article 47, GDPR);
- standard data protection clauses adopted by the European Commission;
- standard data protection clauses adopted by the ICO and approved by the European Commission (together with the Commission’s own clauses, “the Model Clauses”).
Three Crowns may adopt approved Model Clauses (with any relevant other organisation) for the transfer of data outside of the EEA. Properly executed, these clauses are recognised as an appropriate safeguard without the need for any further authorisation from a supervisory authority. This is the approach taken by the Firm to allow for the adequate protection of personal data when it is transferred from Three Crowns (Services) LLP to Three Crowns (US) LLP. To request a copy of these signed clauses, please contact the DPC.
In the absence of adequate protection or appropriate safeguards, a transfer of personal data outside of the EEA may only take place if one of the derogations in Article 49, GDPR applies, including where:
- the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- the transfer is necessary for the establishment, exercise or defence of legal claims.
Three Crowns may, from time to time, rely on such derogations in certain limited circumstances.
ACCOUNTABILITY
Three Crowns has established a data inventory and data flow process as part of its approach to addressing risks and opportunities throughout its GDPR compliance project. Three Crowns’ data inventory and data flow determines:
- source of personal data;
- types of data subjects;
- types of personal data;
- processes that use personal data;
- collection, storage, retention and transfers of the personal data; and
- the use of data processors in connection with the data.
A risk assessment and compliance gap-analysis is built into this data inventory document, which means that Three Crowns is aware of any risks associated with the processing of particular types of personal data.
Data protection impact assessments (“DPIAs”)
DPIAs are also carried out where required in relation to the processing of personal data by Three Crowns, and in relation to processing undertaken by third parties on behalf of Three Crowns. A DPIA is required where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons, taking into account the nature, scope, context and purposes of the processing.
Where, as a result of a DPIA it is clear that Three Crowns is about to commence processing of personal data that could cause damage and/or distress to the data subjects, the decision as to whether or not Three Crowns may proceed must be escalated for review to the DPC. If there are concerns, the DPC may need to escalate to the ICO.
PERSONNEL RESPONSIBILITIES AND TRAINING
As noted, all personnel at Three Crowns with day-to-day responsibilities involving personal data and processing operations, and those with permanent/regular access to personal data, must demonstrate compliance with the GDPR. The DPC also assigns specific data protection responsibilities, including in connection with training and awareness, to personnel as part of Three Crowns’ policies and procedures on personal data management and the accountability principle. For example, the IT Team have responsibilities in relation to the secure storage of electronically stored data and use of IT systems.
The DPC shall demonstrate and communicate to everyone at Three Crowns the importance of data protection and information security in their role and ensure that they understand how and why personal data is processed in accordance with Three Crowns’ policies and procedures.
The DPC and HR Team are responsible for organising relevant training for all responsible individuals and personnel generally, and for maintaining records of the attendance of staff at relevant training at appropriate intervals.
DATA BREACH NOTIFICATIONS
Any information security weaknesses and events must be reported immediately after they are seen or experienced. Such issues could potentially range from major systems failures involving loss of services on the one hand (e.g. caused by external threats) to more minor breaches of information integrity on the other (e.g. an email sent to the wrong recipient).
In all cases the DPC must be involved from the outset and Three Crowns personnel are hereby informed that they have no discretion as to whether reports should be made.
Internal reporting
Three Crowns personnel are required to be aware of and to follow this procedure in the event of a data breach or other security failure or incident, as, given the breadth of the definition of personal data, any such issue will ordinarily amount to a personal data breach within the meaning of the GDPR.
As noted, reports must be made to the DPC without delay. The DPC does not keep a separate breach register relating to data protection as its Breach Register also covers legislative breaches. This is because a potential breach of security and data protection cannot be considered in isolation and requires consideration of the obligations placed on the law firm and lawyers more generally, including to notify circumstances which could give rise to a claim to the Firm’s indemnity insurance underwriters.
In making your report, please provide as much detailed information as possible: e.g. what went wrong, what (sequence of) actions you were executing at the time, what precise things or strange behaviour occurred, what appeared to be the breach or other issue, what services, facilities or equipment ceased to be available, awareness of any human errors or non-compliance with organisational policies, procedures or work instructions, or breaches of physical security.
However, again we stress that time is often of the essence in relation to a security breach. Please do not delay, and if in doubt, report it.
Reporting to the ICO
Having invoked Three Crowns’ Breach Response Plans, the DPC will determine if the ICO and/or other third parties (including relevant data subjects) need to be notified in the event of a breach.
This involves an assessment of whether, for example, a security incident necessarily involves a breach of confidentiality or any compromise of personal data (e.g. where the data was encrypted, or other measures were in place to render the personal data unusable to any person who is not authorised to access it, the data may not have been compromised). It also involves considering whether the personal data breach is likely to result in a risk to the rights and freedoms of the data subjects affected by such breach. Where it is, the breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of Three Crowns becoming aware of it; where notification is made later than that, the reasons for the delay must be given. Such ICO reports must include a description of the nature of the breach, the categories of personal data affected, the approximate number of data subjects and records affected, the measures taken to manage the breach and the likely consequences.
Breach response plans
The DPC is responsible for maintaining incident response plans and for coordinating and managing the response to any reported weakness or event, including documenting all investigation, emergency and corrective steps taken, and closing-out of the event. This involves working with the IT Team and other teams as required.
The steps involved in the incident response plan can be summarised as follows:
- Analyse incident (understand the issue, including affected systems, assets and victims, and identify initial steps, communications and decisions to be made)
- Assessment of ongoing risks (considering whether the incident must be reported and how it might escalate)
- Formulate and implement plans (form teams and plans to contain and recover)
- Containment and recovery (implement plans to return to business as usual)
- Appropriate breach notification and other steps (reports to the SRA, insurers, ICO, etc, involving external experts or advisors, initiating disciplinary action, collecting and securing audit trails and forensic evidence, initiating any action for compensation from suppliers)
- Evaluation and response (summary of the incident, root cause analysis, how was it fixed, could it have been prevented and could it have been managed more effectively?)
Privacy Notices
Three Crowns will always be transparent in its processing of personal data, subject to the derogations and exceptions noted in this Policy.
Three Crowns will very rarely collect personal data from a data subject whilst relying on consent as the lawful basis for processing. Where this is the case, Three Crowns must provide full and clear information on the processing purposes and in particular on the potential recipients.
When personal data has been obtained from a source other than the data subject, where required we will still take all reasonable steps to ensure and to demonstrate that the processing is fair and transparent, which includes explaining the categories of personal data received by the Firm and the potential recipients.
Exceptions to the need to provide such information include:
- Where the data subject already has the information as it was provided to them by another party;
- If the provision of the above information proves impossible or would involve an excessive effort; or
- Where another exception applies which means that the provision of the privacy information is not required or not permissible.
Three Crowns’ privacy notices include the following:
- Website notice
- Engagement Terms (Terms of Business)
- Personnel Privacy Notice
MANAGING DATA PROCESSORS
Three Crowns will only select suppliers (to provide services to the Firm or to provide services to our clients where we instruct them as the client’s agent) which can ensure technical, physical and organisational security which is adequate to meet the requirements of the Firm and the GDPR.
When the supplier meets the definition of Three Crowns’ data processor, including when data processing activities are not the primary reason for the contract, Three Crowns as a controller will ensure that adequate security arrangements are provided for in the contract with the external processor and that the requirements of Article 28 GDPR are met.
A suitable level of pre-contract due diligence must always be undertaken on a data processor (including for example research and references). If the DPC considers it necessary because of the nature of the personal data to be processed or because of the particular circumstances of the processing, an audit of the supplier’s security arrangements may be conducted before entering into the contract. All data processing contracts allow Three Crowns to conduct regular audits of the supplier’s security arrangements during the period in which the supplier has access to the personal data.
Three Crowns’ processing contracts forbid suppliers from using further subcontractors without the Firm’s authorisation for the processing of personal data. Where we have permitted a supplier to subcontract the processing of personal data, the immediate supplier must prohibit the second-level contractor (or further down the chain) from subcontracting these processing operations without Three Crowns’ written authorisation. Contracts with second-level subcontractors will only be approved if they require the subcontractors to comply with at least the same security and other provisions as the primary subcontracting organisation (the initial supplier). Such contracts must specify that, when the contract is terminated, related personal data will either be destroyed or returned to Three Crowns, and so on down the chain of sub-contracting.
Three Crowns’ standard contractual clauses for data processor suppliers can be requested from the DPC, who you should consult in any event in advance of agreeing the terms, so that the centralised list of such suppliers is maintained.
DIRECT ELECTRONIC MARKETING
The law governing direct marketing by Three Crowns, via emails and other electronic formats, is complex and in a state of change. The GDPR must be read alongside other EU privacy laws. What follows below is the Firm’s Policy, and further information and advice can be requested from the DPC as required in relation to particular marketing campaigns. The recognised lawful basis for the processing activity of direct marketing is the ‘legitimate interest’ basis discussed above. In other words, it is accepted for the purposes of the GDPR that Three Crowns has a legitimate interest in marketing directly to data subjects.
As a minimum, Three Crowns will ensure that it provides both businesses and individuals (whether clients or not) with the ability to opt out when sending electronic email marketing. This will be in the form of an ‘unsubscribe link’ or by providing them with a simple option to unsubscribe via an email address. This will ensure that the Firm is compliant with Article 21(2) GDPR, which states that “the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing”. All marketing emails, whether solicited (i.e. marketing that is actively requested by the recipient) or unsolicited, must clearly identify the Firm and provide a contact address for the recipient to either contact us or to opt out.