Client privacy notice

This notice explains how Mills & Reeve LLP, 24 King William Street, London, EC4R 9AT will collect, use or otherwise process your personal data.

“Personal data” is information relating to you as a living, identifiable individual. Mills & Reeve LLP will process your personal data in accordance with data protection and privacy laws applicable to the firm (including, as applicable: the Data Protection Act 2018, the UK GDPR and the EU GDPR).

What information may we hold about you?
In the course of our activities, we may obtain a range of personal data about you. This data may be received from you, or it may be received from a third party such as another professional advisor, witness, opponent, court, counterparty or obtained from a public source.

The types of personal data that we hold might include:
- Contact details
- Identification documents including NI numbers, passport and visa details
- Information about you, in connection with matters that we are acting on
- Financial information (including invoicing information, credit searches, bank account, card and tax details)
- Biographical information about your job, background, interests, and personal life
- Expressions of opinion about you
- Images captured by CCTV cameras at our offices
- Marketing information (e.g. which of our services are relevant/potentially relevant to you, details of your visits to our website, attendance at events)
We may also generate personal data about you in connection with our work for you or in connection with marketing activity. Our marketing systems record information such as your contact details, your responses to event invitations and interactions with us and with marketing emails (e.g. what events you attended, which marketing emails you have opened or what links you have accessed). They also record your preferences such as your preferred location for attending events at our offices, and of the sectors and services that you are interested in.
The purpose and legal basis for processing your personal data
We act as a data controller alongside our clients in respect of personal data related to their matters or prospective instructions and whenever we are exercising our professional judgement. Occasionally, we may act as a processor of data on behalf of a client e.g. where we process personal data without providing any legal advice in relation to that personal data.

The basis upon which we process your personal data and consequences to you of not providing it, depend upon the type of personal data involved, our relationship with you, and the purpose for which the data is needed.

To the extent that we have a contract with you (or one is in prospect), the primary legal basis for processing your personal data is that the processing is necessary for the performance of our contract with you, or in order to take steps at your request prior to entering into a contract
In addition, processing of your personal data may be necessary for compliance with our legal and professional obligations to our clients and to third parties. This includes for example, our professional and contractual duties to our clients, the courts and our obligations to regulators. It also includes other legal obligations we have, for example to identify clients and to report suspected money laundering to the National Crime Agency. Personal data we obtain from you to satisfy our legal obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 will be used only for the purposes of preventing money laundering, terrorist financing or proliferation financing, or for such other purposes as may be permitted by law or to which you have consented.

Further, processing may be necessary in pursuit of our legitimate interests. We have legitimate interests:
- in complying with our legal and professional obligations;
- in maintaining the security of the systems, premises, equipment and information to prevent cyber or physical incidents;
- in monitoring capacity and quality to deliver an appropriate level of service to our clients;
- in developing new systems or undertaking training and know-how sharing internally with relevant lawyers;
- in conducting market research on issues that we believe that you have an interest in or could offer useful insights to inform commercial decisions or to assist in product development; and
- in the case of processing your data for marketing purposes, in marketing our services including providing information about our services which are or may be of interest to you and building our relationships with clients and prospective clients.
The addendum below sets out detail of additional legal bases applicable to processing the personal data of particular types of work we may undertake for you.
Marketing

We will use your details to provide you with information about our work, activities and matters such as invitations to events and seminars that we think you will find of interest. From time to time we may invite you to events that we run jointly with other organisations. If you register for such an event then we may share your contact details with that organisation.

We do not otherwise share your data for marketing purposes.

When you access the Mills & Reeve website, further relevant privacy information and details of the data we collect and process is set out in our website privacy policy and our cookies policy. We may use the information we collect about your interactions with our website to tailor our marketing communications to those areas that we consider are most likely to interest you (“profiling”).

You may opt out of all or manage these marketing communications by signing up for a My M&R account and updating your preferences there.
Special category personal data and details of criminal offences
Certain personal data is subject to additional safeguards under data protection legislation. Such information includes details of
- your racial or ethnic origin;
- your political opinions;
- your religious beliefs or other beliefs of a similar nature;
- whether you are a member of a trade union;
- your physical or mental health or condition;
- your sexual life;
- the commission or alleged commission by you of any offence, or
- any proceedings for any offence committed or alleged to have been committed by you, the disposal of such proceedings or the sentence of any court in such proceedings.
It may be necessary for us to process some sensitive personal data in order to comply with legal or regulatory obligations (including making reasonable adjustments for clients with disabilities), or if we need to do so in order to seek confidential legal advice, or establish or defend legal claims.

Otherwise, we will only process your sensitive personal data with your explicit consent. If you voluntarily send us your sensitive personal data, we shall treat that as your explicit consent for us to hold that data, which otherwise shall only be processed in accordance with this policy. Where such data is processed by us on the basis of your explicit consent, you may withdraw your consent at any time: this will not affect the lawfulness of any processing based on your consent before you withdrew it.
The consequences if you decide not to provide data

If you decide not to supply personal data that we have requested and as a result we are unable to comply with our professional, legal or regulatory obligations, then we may have to cease acting for you or may be unable to enter into a relevant contract with you.
Who will see or use your data and who might we share it with?

Your personal data may be seen or used by our partners and staff (whether lawyers or support staff) in the course of their duties or others lawfully working with us in the ordinary course of our business (for example, former staff or partners working with us on a consultancy basis).

We may need to share your data with relevant third parties for example other professional advisers, auditors, counter parties, witnesses, courts and tribunals in order to fulfil our legal and professional obligations, or to undertake searches about you (e.g. credit searches using agencies such as Equifax, TransUnion, Creditsafe and GlobalX), or where you ask us to share your data. Where information is disclosed to a credit reference agency, the agency may keep a record of that information and disclose it (and the fact that a search was made) to its other customers, including for the purposes of assessing the risk of giving credit and occasionally to prevent fraud, money laundering and to trace debtors.

We may also outsource some of our support services or engage consultants and others to support us (for example secretarial, marketing, courier, translation or IT services). In these cases relevant personal data would be provided to and processed by the provider of such services, in accordance with the terms of our contract with them and to the extent appropriate for the performance of that contract.

We might need to share or transfer your data confidentially with relevant parties and/or their professional advisers if there is a merger, acquisition, change of control, joint venture or other similar arrangement involving Mills & Reeve LLP.

Exceptionally we might need to share your personal information in order to obtain necessary confidential legal advice or to comply with our insurance, legal or regulatory obligations. For example, we may have to provide some or all of the information to our insurers, legal advisors, public authorities such as HMRC, or to a court/tribunal.
Transfer of your data to other countries

In the course of carrying out the activities referred to above we may transfer your data to other countries, which may not have the same legal protections for your data as the UK.

Where data is being transferred outside of the UK and/or European Economic Area, we will take steps to ensure that your data is adequately protected in accordance with UK legal requirements and the EU GDPR (as applicable).

Otherwise for example we may transfer your data if it is necessary for performance of our contractual duties to you, or because we have other legal obligations to transfer the data, or it is necessary for important reasons of public interest. If you require further detail about the protections in connection with any particular relevant transfer, matter or jurisdiction please ask us.
How long will we keep your data

We expect to retain your personal data in accordance with our retention policies. This policy is reviewed periodically and the periods for storage specified in it may alter depending on the requirements of law and regulation, client requirements, best practice and insurance.

We may be obliged to suspend any planned destruction or deletion under our retention policy where legal or regulatory proceedings require it or where proceedings are underway such as require the data to be retained until those proceedings have finished. For example, under current legislation we must hold certain information relating to some trusts until at least 5 years have passed following the final distribution from the trust.
Your rights over your data

You have the right to request copies of the personal data we hold about you. If you wish to obtain a copy of your personal data, you may contact us by emailing [email protected]. You also have the right to ask for inaccuracies in your data to be corrected, and in certain circumstances for us to stop processing your data or for your data to be erased. Some of these rights are not automatic, and we reserve the right to discuss with you why we might not comply with a request from you to exercise them.

If you have any questions about this privacy statement, the practices of this web site or your dealings with this web site, please use the following contact point: [email protected]. If you believe that we have not complied with any of our obligations under data protection laws in the UK, please let us know. You have the right to lodge a complaint with the Information Commissioner’s Office.

Addendum: Additional information for specific types of work

Individual/Group - Trustees and personal representatives
Purposes and legal basis for processing your personal data	Under new disclosure rules, Trustees are required to obtain and hold particular information about certain trusts. You are a Trustee, settlor, beneficiary or potential beneficiary of a relevant trust. Where we act as Trustee, the legal basis for processing your personal data is that it is necessary for compliance with our legal obligations. Where we are contracted to provide trust administration on your behalf, the processing is necessary for the performance of that contract.
The consequences if you decide not to provide your data	Trustees and personal representatives who fail to comply with the disclosure requirements risk fines and criminal convictions. If you decide not to supply personal data that we have requested, it will not be possible to make any income or capital distributions to you from the trust.
Who will see or use your data?	Your personal data will be seen and used by staff involved in the administration of your trust. It will also be given to HMRC where required by the new disclosure rules. It is possible that HMRC will be required to send the data outside of the UK if a request is made by certain EEA authorities.

Version 4: updated November 2022

Client privacy notice

How can we help you?

Visitors

Existing clients

Staff