EU Privacy Policy

Sunstein Kann Murphy & Timbers LLP (SKMT) is a limited liability partnership organized under the laws of the Commonwealth of Massachusetts, USA.  SKMT is committed to protecting and respecting your privacy.

Our physical address is 125 Summer Street, Boston, MA 02110.

The scope of this policy is that it covers how we deal with personal information of EU citizens. If you wish to contact us about this policy or our retention or use of your personal information or if you have any requests, questions or comments regarding this policy or our handling of your personal data, please contact us at privacyofficer@sunsteinlaw.com.

Reference in this notice to “personal data” means any information relating to an EU citizen (whether that person is identified or identifiable, for example, if the information is taken on its own or together with some other information).

  1. How We Obtain Your Personal Data
  2. The Personal Data We Collect and Process
  3. How We Use Your Personal Data
  4. Legal Basis For Using Your Personal Data
  5. How We Share Your Personal Data
  6. Keeping Your Personal Data Secure
  7. Retaining Your Personal Data 
  8. Your Rights Regarding Your Personal Data
  9. Data Security
  10. Cookies
  11. Updates
  12. Your Right to Lodge a Complaint

How we obtain your personal data

As a law firm, we regularly receive personal data as part of our professional activities. We may collect your personal data:

  • As part of our business intake procedures;
  • When you or your organization seek legal advice or employment from us;
  • When you or your organization offer or provide services as our vendor;
  • When you email us or provide such data to us in other circumstances, such as when you request details about or attend a firm sponsored event.

Ordinarily, you will have provided any such data to us. But in some cases, we may collect data about you from a third party source, such as government or credit reporting agencies, an information or service provider or from public records.  In some cases, we may receive data about your use of our website or social media pages from third parties such as Linkedin, Constant Comment or Facebook.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us. Please let us know if you believe that any data we hold is inaccurate us.

The personal data we collect and process

The personal information that we collect and process may include:

  • Basic information, such as your name, your employer, your title or position and your relationship to a person;
  • Contact information, such as your physical address, email address and phone number(s);
  • Financial information, such as bank account details;
  • Technical information, such as your IP address;
  • Identification and background information provided by you or collected by us as part of our business acceptance processes;
  • Personal information provided to us by or on behalf of our clients, partners and employees or generated by us in the course or providing services and employment, which may include (so-called) special categories of data[1]
  • Details of your visits to our offices; and
  • Any other information relating to you which you may provide to us.

How we use your personal data (i.e. the purposes for which we use the information above)

Whether we receive your personal data directly from you or from a third party source, we will only use your personal data in connection with our ordinary professional activities (including the fulfillment of our legal or regulatory obligations). The purposes for which we use this information are set out in the following list:

  1. Providing legal advice or other services to our clients;
  2. Managing our business relationship with you or your organization, whether in connection with the provision or procurement of goods and services or as your employer or former employer, including processing payments, accounting, auditing, billing and collection and related support services;
  3. Acting in compliance with our legal obligations, including with respect to anti-money laundering, export controls and sanctions checks;
  4. Complying with court orders and other legal and regulatory requirements;
  5. Managing and securing the access to our offices, systems and online platforms;
  6. Providing information to third parties to whom we may choose to sell, transfer, or merge parts of our business. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Policy;
  7. Communicating with our contacts about developments in intellectual property law and in staying in touch with those whom we have met over the years such as:
    • Communicating with you with respect to legal developments, announcements, events and SKMT services which may be of interest to you;
    • Distributing surveys or marketing materials;
    • Gathering information regarding your preferences to improve the quality of our communications and interaction with you, such as through website analytics or the tracking of our client publications; and
  8. Any other purpose for which you have given consent. 

Legal basis for using your personal data.

We will only use your personal data when the law allows us to. The law sets out that we must tell you the “allowable reason” (known as a basis of processing) for any data we use for a particular purpose.

  • For purposes 1 and 2 above, we deal with your personal data because it is necessary for a contract that we have entered into with you (or, at your request, because we are taking steps to enter into such a contract with you).
    • If we are entering into a contract with your employer, we deal with this personal data because you have consented to your employer providing that data to us or it is otherwise in the legitimate interests of your employer or because your employer is under a legal obligation to provide it to us. However, we will ask your employer what their reason is for giving us the information about you if the reason is not necessary for the legal services we are providing to the employer.
    • or the legal transaction in which in which we were involved.
  • For purposes 3 and 4 above, we deal with your personal data because we are under a legal obligation to do so.
  • For purpose 5 above, we deal with your personal data because it is in our legitimate interests to run our business properly operationally (and your interests and fundamental rights do not override those interests).
  • For purpose 6 above, we deal with your personal data because it is in our legitimate interests to have the freedom to sell or dispose of our business (and your interests and fundamental rights do not override those interests because we will ensure as part of any contract involved that any new owner must abide by the rules in this Policy).
  • For purpose 7 above, we deal with your personal data because it is in our legitimate interests to market our business (and your interests and fundamental rights do not override those interests because we will always give you the ongoing opportunity and right to opt out of any use of your personal information for this purpose). For example, in relation to sending you marketing communications such as our newsletters, you have the right to withdraw consent to marketing at any time by contacting us at privacyofficer@sunsteinlaw.com.
  • Regarding purpose 8 above, generally we do not rely on your consent as a legal basis for processing your personal data in anything we do.  However, on the rare occasion where we might do this, we will ensure that any consent you give us is fully informed and that you have a right to withdraw that consent at any time. 

How we share your personal data

Where we share or transfer your personal data, we will do this in accordance with applicable data protection laws and will take appropriate safeguards to ensure its integrity and protection.

Our policy requires us to at all times ensure a level of data protection for your personal data at least as protective as those mandated by the European Union for the European Economic Area (EEA).

We may need to transfer personal data to third parties, including third parties based outside the EEA, for example (but not limited to) sub-contractors, other counsel and accountants and third parties involved in your matters. Whenever we transfer your personal data to external third parties based outside of the EEA, we will either:

  • ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
    • transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
    • use specific contracts approved by or consistent with the policies of the European Commission which give personal data the same protection it has in the EU.
    •  transfer data to service providers in the US that are part of the Privacy Shield (or any successor program) which requires them to provide similar protection to personal data shared between the EU and the US; or
  • Effectuate such a transfer on one of the conditions set forth in Article 49 of the GDPR, and in compliance with Article 49, such as making the transfer:
    • For the performance of a contact concluded in your interest;
    • For the establishment, exercise or defense of legal claims; or
    • With your specific informed consent for the transfer (having warned you of any risks involved).  

Keeping your personal data secure

We will take appropriate technical and organizational measures against unauthorized or unlawful processing of your personal data and against accidental loss or destruction of, or damage to, your personal data in accordance with our internal security procedures covering its storage, access and destruction. Personal data may be stored on our own technology systems or those of our vendors or in paper files. 

Retaining your personal data

We will delete your personal data:

  • when it is no longer reasonably required for the purpose for which it was originally held or collected (unless we obtain your permission to use it for another purpose); or
  • you withdraw your consent (where applicable), provided that we are not legally required or otherwise permitted to continue to hold such data.

We may retain your personal data for an additional period to the extent deletion would require us to overwrite our automated disaster recovery backup systems or to the extent we deem it necessary to assert or defend legal claims during any relevant retention period. 

Your rights regarding your personal data

You have the right to:

  1. Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  2. Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  3. Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law.  Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  4. Object to processing of your personal data where we are relying on a legitimate interest (of our own or of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes.  In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
  5. Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  6. Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  7. Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.  If you withdraw your consent, we may not be able to provide certain products or services to you.  We will advise you if this is the case at the time you withdraw your consent.

If you wish to exercise any of the rights set out above, please contact us at privacyofficer@sunsteinlaw.com.  We aim to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests.  In this case, we will notify you and keep you updated.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights).  However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive – alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights).  This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it.  We may also contact you to ask for further information in relation to your request to speed up our response.

We will not use your data for any automated decision making or any profiling (except as set out above in this Policy).

Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. 

Cookies 

SKMT’s website and its communications to others do not use cookies (small text files) which can be stored on the hard drive of your accessing device (such as a computer or phone).  If you disable cookies with your web browser, you should still be able to access all of our website. 

Updates

This Privacy Policy was updated on May 24, 2018. We reserve the right to amend this Privacy Policy from time to time to reflect changing legal requirements or our processing practices. Any such changes will be posted on this website and will be effective upon posting.  However, if we collect data from you, if this Policy has changed, we will notify you of changes when we collect that data.  

Your right to lodge a complaint

We hope you will not have complaints. If you do, please let us know how we can help to resolve that complaint. You should contact privacyofficer@sunsteinlaw.com if you have any complaints and we will do our best to resolve these in the first instance.

However, if you feel that we have not handled information relating to you properly, or if you have contacted us about how we use your personal data and you are unhappy with our response, you have the right to lodge a complaint with a supervising authority for data legislation in the European Union. Because we deal in English, we suggest the primary supervising authority you should contact is the Information Commissioner’s Office (ICO) in the UK. The ICO can be reached by phone on +44 303 123 1113 or through an online form at https://ico.org.uk/concerns/

 

[1]A full definition of “special” categories of GDPR personal data is data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.