• Who-we-are-banner

    Privacy notice

Last updated June 2024

 

What is this Privacy Notice about?

Charles Russell Speechlys LLP and its subsidiary and associated entities (we or us) are committed to maintaining the privacy and confidentiality of information you provide to us. This Privacy Notice describes our current policies and practices with regard to your personal data, which we collect from you directly and/or through your use of our website and/or through our business dealings with or in relation to you.

Personal data, or personal information, means any information about you from which you can be identified. Personal data includes special category personal data (as defined by law and further described below).

This Privacy Notice applies to everyone about whom we hold personal data who is not a current (or former) member, employee, worker or individual contractor of ours or someone who has applied for a job with us. The Privacy Notice applicable to job applicants is available here.

The people to whom this Privacy Notice applies therefore include:

  • our clients and customers;
  • our suppliers and contractors;
  • other law firms, barristers, experts and other people instructed by us in the course of our work for our clients;
  • individuals who use our website;
  • journalists and individuals who visit our offices or attend any of our events;
  • individuals emailing, telephoning or otherwise contacting us for any purpose, which may include:
    • about services to be provided by us;
    • about services to be provided to us;
    • requests for press or media content;
    • individuals contacting us in the performance of their employment or other role for another entity;
  • individuals whose contact details have been made available to us for marketing purposes or for the purposes of future communication e.g. the exchange of business cards at an event;
  • individuals whose personal data is provided to us by a third party, for example, relating to a potential dispute or another matter on which we are advising, or a trust beneficiary or a lawyer acting for another party to a transaction; and
  • individuals with whom we deal or whose personal data is provided to us as part of our pro bono and corporate social responsibility programmes and activities.

This Privacy Notice does not form part of any contract we have with you, and we may amend it from time to time. We are continually improving our methods of communication and adding new functionality and features to this website and our existing services and administrative processes. Because of these ongoing changes, changes in the law and the changing nature of technology our data protection practices will change from time to time. We encourage you to check this page frequently.

If you have any questions about this policy, please contact DataProtection@crsblaw.com.

What information do we hold about you?

Personal data, or personal information, means any information about an individual from which that person can be identified.

We may collect, store, and use some, or all, of the following categories of personal information about you:

  • Personal contact details such as name, title, addresses, telephone numbers, email addresses and business contact information.
  • Date of birth.
  • Gender.
  • Marital status and dependants.
  • Bank account details.
  • Any other personal information required by us to verify your identity for our “know your client” and anti-money laundering checks including identification documentation such as your passport or driving licence and utility bills.
  • Information included on invoices provided by contractors and suppliers.
  • Information about your use of our information and communications systems including, for the avoidance of doubt, any personal use by you of such systems, such as information about your personal devices through your use of our Wi-Fi at any of our offices, our website, or portals.
  • Photographs if you attend any of our events.
  • Records of your attendance at any of our offices (which may include CCTV records being made available to us by our building managers from time to time).
  • Information about you, including your online profile, activities and interests, that may be used to support networking at our events.
  • Any other information provided by you, or any third party, to us, in connection with any matter on which you or one of our clients has instructed us to act or advise.

We may also collect, store and use more sensitive personal information (Special Categories of personal data/information) to the extent that you voluntarily share it with us, including the following types of information:

  • Information about your race or ethnicity, religious beliefs, sexual orientation and political opinions.
  • Trade union membership.

Information about your health, including any medical condition, health and sickness records. And we may process information about criminal convictions and offences, where authorised by law and in accordance with appropriate safeguards. See further information below.

How is this information collected?

We collect personal information about you through:

  • information which you provide directly to us;
  • information collected automatically through our website or our client portals;
  • information about you provided to us by third parties including our clients, other people with whom we are communicating when we deal with any matter for our clients, PR agencies and databases to which we subscribe and other third parties.
How do we use this information?

Our lawful bases for using your personal information

We use the categories of information in the list above to allow us to, as relevant:

  • perform our contract with you;
  • comply with legal obligations; and
  • pursue legitimate interests of our own (for example, in furtherance of our own business) or third parties’ (such as our clients’) legitimate interests.

We may also use your personal information in the following situations:

  • Where we need to protect your interests (or someone else’s interests).
  • Where it is needed in the public interest or for any official purposes.

How we may use your personal information

The types of situations in which we may process your personal information (our ‘purposes’), depending upon the nature of your relationship with us, are listed below:

  • to provide you with our services and other information, including your use of our website;
  • to issue invoices, manage accounts and records, collect payments and debts or administer payments to you;
  • to provide our services to our clients;
  • to facilitate you providing your services to us;
  • to contact you to inform you of our services or events and to send you updates on issues we think will be of interest to you and in relation to or arising from our events and publications;
  • to respond to any query you have made of us, including providing information about our people and services where you have made a website inquiry;
  • for marketing purposes and market research;
  • to administer our website and help us improve our services;
  • for press releases, invitations to meet our staff and management team, press events, to highlight any spokespeople;
  • to comply with our legal obligations;
  • determining the terms on which we work with our clients and suppliers;
  • undertaking checks as to your identity, credit, immigration status and similar if we will be working together;
  • in our business management and planning, including accounting and auditing and otherwise in the furtherance of our business;
  • in conducting reviews of our relationship, including managing performance and expectations on either side;
  • gathering evidence and investigating any matter related to a concern or dispute, including conducting any mediation, arbitration or litigation process;
  • making arrangements for the extension, re-contracting or termination of our working relationship;
  • to prevent fraud;
  • to ensure network and information security, including preventing unauthorised access to our computer and electronic communications systems and preventing malicious software distribution;
  • to conduct data analytics studies relating to your use of our website;
  • complying with our obligations in respect of the Solicitor’s Regulatory Authority and related regulatory (including foreign regulatory) requirements;
  • in furtherance of our pro bono and corporate social responsibility initiatives, which we consider to be core elements of our business;
  • in our emergency contact and business continuity procedures; and
  • complying with any request by you.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.

Please note that we may process your personal information without your knowledge or consent in compliance with the above where this is required or permitted by law.

Special Categories of personal information

When we can use it

Special Categories of personal information require higher levels of protection. We may process such information in the following circumstances:

  • with your explicit written consent;
  • processing is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), for obtaining legal advice or otherwise necessary for the purposes of establishing, exercising or defending legal claims;
  • processing is necessary for reasons of substantial public interest; or
  • processing is necessary for the purposes of preventive or occupational medicine, of the assessment of working capacity;
  • where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent; or
  • where you have already made the information public.

How we may use it

We may use Special Categories of personal information in the following ways:

  • to provide our services and other information, including your use of our website, to you;
  • to provide our services to one of our clients;
  • to facilitate you providing your services to us;
  • to respond to any query you have made of us, including providing information about our people and services where you have made a website inquiry;
  • to comply with our legal obligations;
  • gathering evidence and investigating any matter related to a concern or dispute, including conducting any mediation, arbitration or litigation process;
  • complying with our obligations in respect of the Solicitor’s Regulatory Authority and related regulatory (including foreign regulatory) requirements;
  • in furtherance of our pro bono and corporate social responsibility initiatives, which we consider to be core elements of our business; and
  • complying with any request by you.
Our use of artificial intelligence tools

We have adopted an in-house generative AI tool, ‘CRSidekick’, which is powered by GPT-4 technology, to enhance the services we provide to you. This tool assists us in various tasks including improving the quality, speed and efficiency of our services, drafting text, and extracting and summarising information from documents.

We may process limited categories personal data through the use of our CRSidekick chatbot.

Purpose of Data Processing

Any personal data processed by the CRSidekick chatbot is used for the purpose of providing services to you or for our own internal business purposes, which includes but is not limited to client communication, document drafting, preparation of outlines and work plans, service quality and efficiency enhancements, and information extraction and summarisation. For this purpose, we rely on our legitimate interests to provide efficient services to you and where this is not applicable, we will obtain your consent to use the tool.

Personal data collected through our CRSidekick chatbot is not used for the purpose of training the generative AI model. The AI tool, developed by Springbok using OpenAI's GPT-4 technology, is pre-trained and does not require nor utilise client or any other personal data for continuous learning or model improvement.

Our commitment to data privacy extends to ensuring that the integrity of personal data is maintained and that it is used strictly within the bounds of the legal services provided to you. We take caution to segregate and protect personal data from being accessed or used in any way that is not explicitly authorised or subject to an appropriate lawful basis and in line with our data protection obligations.

Data Sharing

Personal data processed by the CRSidekick chatbot may be accessed by our technology provider, Springbok, strictly for the purposes of retrieving audit or usage records, or for providing support services in limited cases. We have contractual agreements in place with Springbok as our data processor to ensure the protection of your data in compliance with the applicable data privacy laws.

A copy of Springbok’s privacy notice is available here: https://springbok.ai/privacy

Data Storage and Security

Personal data processed within the CRSidekick chatbot is hosted within the UK and EU, in compliance with the UK GDPR and Data Protection Act 2018. As described later in this privacy notice, we have implemented appropriate technical and organisational measures to protect your data against unauthorised or unlawful processing and against accidental loss, destruction, or damage.

International Data Transfers

International transfers of data may occur when a member of staff in our international offices accesses the AI platform. In such cases, the processing of data will occur within that international office and Springbok in the UK, and will be subject at a minimum to the protections afforded by the UK GDPR and DPA.

Automated Decision-Making

The CRSidekick chatbot is not used for making automated decisions that have legal or similarly significant effects on individuals. The CRSidekick chatbot is designed to supplement, rather than replace, human decision-making and expertise. Therefore, our policy is that the tool should be used with caution and outputs should be subject to appropriate review by the user.

Consent

We do not need your consent to process your personal data where we have another legal basis to do so, as set out above. However, if we do need to seek your consent to processing, we will provide you with reasonable details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent.

You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us and, where you have given consent, this can be withdrawn at any time by contacting our Data Privacy Officer.

Information about criminal convictions

We may only use information relating to criminal convictions where the law allows us to do so. This will usually be where such processing is necessary to carry out our legal and regulatory requirements, such as our anti-money laundering and anti-fraud requirements.

Less commonly, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent, or where you have already made the information public.

Automated decision making

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We are allowed to use automated decision-making in the following circumstances:

  • Where we have notified you of the decision and given you 21 days to request a reconsideration of the decision.
  • Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
  • In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.
    You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

We do not currently envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.

Data Sharing

Why might you share my personal information with third parties?

We do share your personal data with third parties, (including third-party service providers and our other entities) where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.

If we do share personal data, we require third parties to take appropriate security measures and only process your personal data for specified purposes.

Which third-party service providers process my personal information?

“Third parties” includes third-party service providers (including contractors and designated agents) and our other entities, including our nominee and trust companies.

In particular, your personal data is likely to be processed by other entities within our corporate group which includes the separate legal entities in France, Luxembourg and Switzerland and our branch offices outside the EEA in the United Arab Emirates, Qatar, Hong Kong and Bahrain. We have appropriate arrangements in place to require those additional group entities to protect your personal data in the same way as Charles Russell Speechlys LLP.

We may share your personal information with the Solicitor’s Regulatory Authority and other foreign regulators for regulatory purposes and with other governmental or similar authorities or as may otherwise be required by law, for example, in relation to taxation.

As part of our relationship, we may also provide your personal data to third parties. For example, the nature of the work we provide to our clients may require us to engage with and provide your personal data (as relevant to the matter) to third parties such as barristers, experts, translators and data-site or other document hosting services. We may provide your personal data to third party event organisers or webinar hosts.

We may also provide your personal data to the third-party service providers we use in the course of administering our business, for example, word processing services, auditors, IT systems providers, lawyers and other professional advisors, insurers, credit and identity check providers.

Your personal information may also be provided to the press and other media sources as part of any agreed press release relating to any transaction we work on with you.

We may also disclose any personal information to comply with a legal requirement, for the administration of justice, interacting with anti-fraud databases, to protect your vital interests, to protect the security or integrity of our databases or this website, to take precautions against legal liability or in the event of a joint venture, collaboration, financing, sale, merger, reorganisation, change of legal form, dissolution or similar event including disclosure of your information to any successor of ours.

Transferring information outside the UK and the EU

We may transfer the personal information we collect about you to countries outside the UK and the EU in order to perform our contract with you.

As set out above, your data may be processed by our other entities, including those outside of the UK and the EU. Some of our third-party service providers are also based outside the UK and the EU, for example, our word processing services in South Africa. However, to ensure that your personal information does receive an adequate level of protection, we have put in place contractual obligations to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects UK, EU and local laws on data protection.

If you require further information about these protective measures, you can request it from the Data Privacy Officer.

Data Security

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

We have a Data Protection Policy with which our staff are required to comply, and we have provided training to our staff regarding their obligations in ensuring the security of your personal data. Staff are aware that misuse of personal data may be grounds for disciplinary action against them.

We also have procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Data Retention

Our intention is to retain your personal information for only as long as necessary to fulfil the purposes for which we collected it, including for the purposes of professional regulations, our insurance or other business custom or satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider its amount, nature, and sensitivity, the potential risk of harm from its unauthorised use or disclosure, the purposes for which we process it and whether we can achieve those purposes through other means.  If you would like any further information about our internal data retention processes you should contact DataProtection@crsblaw.com.

Rights of access, correction, erasure, and restriction

Your rights in connection with personal information

Under certain circumstances, by law you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to be told about how that information has been collected and used.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.
  • Object to processing of your personal information where we are relying on our own legitimate interests (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.
  • Withdraw consent for the processing of your personal information. In the limited circumstances where you have provided your consent to the collection and processing of special category personal data you may wish to withdraw your consent. If you notify us of such withdrawal we will no longer process that personal information unless we have another legitimate basis for doing so.

You will not usually have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

How you exercise these rights

Any request in relation to any of the above rights should be directed to the Data Privacy Officer at DataProtection@crsblaw.com.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who does not have the right to receive it.

Unsubscribe

If you have received any email from us with information about any of our services, events or legal updates, you are entitled to be removed from our electronic mailing list. You can do that by updating your preferences by clicking the link in any email that we send you or by replying to that email, or sending an email to enquiries@crsblaw.com with “email unsubscribe” in the subject heading. You may also unsubscribe by writing to Marketing Department, Charles Russell Speechlys LLP, 5 Fleet Place, London, EC4M 7RD.

Data collected through this website – cookies and similar technologies

In addition to the personal information we collect as described above, we use technology to collect anonymous information about the use of our website. For example, our web server automatically logs which pages of our website our visitors view, their IP addresses and which web browsers they use. This technology does not personally identify you – it simply enables us to compile statistics about our visitors and their use of our website.

Our website contains hyperlinks to other pages on our website. We may use technology to track how often these links are used and which pages on our website our visitors choose to view. Again, this technology does not identify you personally – it simply enables us to compile statistics about the use of these hyperlinks.

In order to collect the anonymous data described in the preceding paragraph we may use cookie technology on our website.

A cookie is a small piece of information that is sent to your browser and stored on your computer’s hard drive, mobile phone or other device. Cookies do not damage your computer.

You can set your browser to notify you when you receive a cookie. This enables you to decide if you want to accept it or not. However, some of the services and features offered through our website may not function properly if your cookies are disabled.

We use two types of cookies on our website:

Strictly necessary cookies

These cookies are essential in order to enable you to move around the website and use its features. Without these cookies services you have asked for cannot be provided. They are deleted when you close the browser.

Performance cookies

These cookies collect information in an anonymous form about how visitors use our website. They allow us to recognise and count the number of visitors and to see how visitors move around the site when they are using it.

We may also use your IP address to help diagnose problems with our server, to administer our website and to improve the service we offer to you. An IP address is a numeric code that identifies your computer on a network, or in this case, the internet. Your IP address might also be used to gather broad demographic information.

We may perform IP lookups to determine which domain you are coming from (e.g. aol.com, yourcompany.com) to gauge more accurately your users’ demographics.

Information about these types of cookies and technologies or about website usage is not combined with information about you from any other source.

None of the cookies or technologies that we use in this way personally identify you (unless, in the very rare circumstance, your domain is identical to your name).

Consent

To comply with current legislation we need to ask for your consent to set the performance cookies described above. When you arrive on our website a pop-up message will appear asking for your consent to place performance cookies on your device. In order to provide your consent, please click ‘continue’. Once your consent has been provided this message will not appear again when you revisit our website. If you, or another user of your computer, wish to withdraw your consent at any time, you can do so by altering your browser settings.

You can find out more information about cookies at www.allaboutcookies.org and www.youronlinechoices.com/uk/.

Links to other websites

This website may contain hyperlinks to websites that are not operated by us. These hyperlinks are provided for your reference and convenience only and do not imply any endorsement of the activities of such third party websites or any association with their operators. We do not control these websites and are not responsible for their personal data practices. We recommend you review any privacy notice posted on any site you visit before using the site or providing any personal data.

Further questions, feedback or complaints

If you have any questions or feedback about this Privacy Notice or how we handle your personal information, please contact the Data Privacy Officer at DataProtection@crsblaw.com or by writing to Privacy Officer, Charles Russell Speechlys LLP, 5 Fleet Place, London, EC4M 7RD.

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues or your local equivalent regulator.

Charles Russell Speechleys LLP is registered as a controller with the ICO under registration number: Z5107115.

Changes to this Privacy Notice

We reserve the right to update this Privacy Notice at any time and we may also notify you in other ways from time to time about the processing of your personal information.

Back to top