Data processing terms and conditions
A – General information
- In these terms and conditions, The Legal 500 guarantees to implement appropriate technical and organisational measures to meet the requirements of Art 28. EU GDPR and ensure the protection of the rights of all data subjects.
- The Legal 500 is a wholly-owned subsidiary of Legalease Ltd, a registered UK company whose contact details are as follows: 188-190 Fleet Street, London EC4A 2AG.
- For these purposes The Legal 500 includes Legalease Ltd and Legalease Research Services.
B – Nature and scope of data processing
- Your firm permits the reasonable use of information marked for publication provided by you in the form of submissions documents, specifically practice submissions (set out in MS Word) and client referee contact details (set out in MS Excel).
- Your firm permits the fair and anonymised use of client referee contact details to seek feedback on your firm’s practice(s) to augment and inform published research, and to notify those clients by email of the publication of the research. In order to provide that service it may be necessary for The Legal 500 to collect, process, and/or use personal contact data. The nature and purpose of the data collection, processing and use comply with the requirements of these terms and conditions and your firm’s specific instructions resulting from these requirements. Any additional collection, processing or use of personal data is prohibited.
- The duration of the period in which The Legal 500 may use any personal data is limited by these terms and conditions.
- Publication of research will always take place within 9 months of client referees being contacted. Email notification that publication has taken place will always take place within 28 days of publication. All client referee contact data will be permanently erased within 28 days of publication.
- The types of data involved are ordinarily the names and contact information of client and law firm referees and specific lawyers representing particular practice areas or case-work.
C – Technical and organisational measures
- The Legal 500 will take the technical and organisational measures specified in Annex 1 and thereby provides sufficient guarantees within the meaning of Art 20 para 1 GDPR.
- The Legal 500 may from time to time adapt technical measures specified in Annex 1 to reflect technical improvements or progress, however, the standards documented in Annex 1 shall not be lowered. Where material alterations or adjustments are made to processes, The Legal 500 will consult in advance with your firm. No material changes will be made to the way data is handled without the consent of all law firms affected.
D – Law firms’ rights and obligations
- Your law firm may demand at any time that personal data be rectified, erased, blocked or surrendered. Instructions to do so must be provided in text form (eg by email) to The Legal 500, and The Legal 500 must acknowledge and confirm such instructions without undue delay in text form. Your law firm may set The Legal 500 a reasonable time limit for implementing any such instructions.
- “Erased” in the context of these terms and conditions means the permanent removal of personal data from any email research campaigns; and permanent deletion from databases used to manage future such research.
- Your law firm is entitled to designate to The Legal 500 in text form one or more persons who are authorised to give instructions and may determine that The Legal 500 is not authorised to accept instructions from any persons other than the persons authorised to give instructions. Those designations will apply until your law firm notifies The Legal 500 in text form of any change regarding the persons authorised to give instructions.
- If your law firm determines that The Legal 500 is collecting, processing or using personal data in violation of any applicable data protection law, or in violation of these terms and conditions, your law firm will notify The Legal 500 without undue delay.
E – The Legal 500’s rights and obligations
- The Legal 500 is responsible for compliance with the provisions of data protection law. In particular, The Legal 500 will ensure that the rights of the data subjects are safeguarded (Art. 12 et seqq. and 82 GDPR) and the notification obligation under Art. 33 GDPR is complied with.
- The Legal 500 will collect, process or use the personal data exclusively for the purposes of Legal 500 research and will do so in accordance with these terms and conditions. No personal data will be transferred to a third country; third party service provider with the exception of those listed in section F below; or any international organisation unless required to do so by EU law or UK law (in such a case The Legal 500 shall inform your law firm before processing, unless that law prohibits such information on important grounds of public interest.
- The Legal 500 will ensure that the natural persons acting under The Legal 500’s authority who have access to personal data supplied by law firms will process such data only in accordance with sentence 2.
- All client referee data supplied to The Legal 500 by law firms shall be erased from any email research campaigns, and from all databases used to manage future such campaigns, within 28 days of publication.
- If The Legal 500 believes that any instruction given to it by your law firm regarding data processing is in violation of the provisions of GDPR, or the UK Data Protection Act, or any other applicable data protection provisions, The Legal 500 must notify your law firm accordingly without undue delay. The Legal 500 is entitled to suspend compliance with the relevant instruction until it has been confirmed or amended by your law firm.
- The Legal 500 will notify your law firm without undue delay of any violation of provisions for the protection of personal data, of provisions of these terms and conditions or of any instructions given to The Legal 500 by your law firm that was committed by The Legal 500 or any of its employees.
The Legal 500 will assist any law firm in
(a) ensuring the security of the data processing (Art. 32 GDPR);
(b) notifying the supervisory authorities of any breaches of personal data protection provided for by law (personal data breaches) (Art. 33 GDPR): In particular, The Legal 500 will fully inform any law firm without undue delay of the time, nature and scope of data breaches (including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned) as well as of the likely adverse consequences of the data breaches; The Legal 500 will furthermore notify any law firm without undue delay what measures it has taken to secure the data and to prevent further data breaches as well as who is a contact person for more information; The Legal 500 will also offer recommendations for measures to mitigate the potential adverse consequences for the data subject;
(c) communicating to the data subject that there has been a personal data breach (Art. 34 GDPR);
(d) carrying out a data protection impact assessment and consulting with supervisory authorities, if necessary (Art. 35 et seq. GDPR);
7) The Legal 500 is not authorised to process any personal data supplied by your law firm outside the business premises of The Legal 500 unless your law firm has given its prior written consent.
8) The Legal 500 will assist any law firm in maintaining records of personal data processing activities and will itself maintain an equivalent record of processing activities (Art. 30 GDPR).
F – Commissioning of sub-processors for personal data
- The commissioning of sub-processors by The Legal 500 to handle personal data is not permitted without the prior written consent of your law firm(s).
- The Legal 500 will not use third-party services to process or handle personal contact data with the exception of the service providers (acting as processors) based in the US and EEA set out below:
|NAME OF PROVIDER||FUNCTION||BASED IN||DATA SECURITY INFORMATION LINK|
|Adestra||Email marketing software||US, EEA||https://www.adestra.com/email-marketing-platform/security/?highlight=Security|
In selecting this service provider, we ensured that data protection standards established by these terms and conditions could be maintained by the service provider; that in the course of processing conducted by the service provider personal data is only transferred to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission (see European Commission: Adequacy of the protection of personal data in non-EU countries); and that the service provider is part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US (for further details, see European Commission: EU-US Privacy Shield).
G – Confidentiality and data secrecy
- The Legal 500 will bind its employs to maintain data personal data secrecy when taking up their duties.
- The Legal 500 is obliged to keep confidential all personal data supplied by your law firm except where that data is specifically marked up for publication.
- The Legal 500 is bound by all data protection legislation in the UK Data Protection Act 2018, and the EU GDPR 2018.
- Information covered by the duty of confidentiality comprises in particular all information in relation to clients and/or other business partners of your firm that has not been specifically marked up for publication, including but not limited to trade and business secrets of these clients and/or other business partners as well as all business processes relating to them, including the information regarding the existence of such processes. The fact that your firm and/or a specific lawyer has been instructed in a certain matter by a client is also covered by the duty of confidentiality, except where your firm has specifically marked that information up for publication in a submission document.
- Moreover, any business and trade secrets of your law firm, internal office information as well as information about the personal, financial or tax situation of your law firm, its partners or the employees of your law firm that become known to The Legal 500 when carrying out its research shall also be subject to the same duty of confidentiality, except where that information is a matter of public record or has been marked out as available for publication within your law firm’s submission.
- The duty of confidentiality does not relate to obvious information or information already in the public domain.
- The Legal 500 undertakes to obtain secrets of third parties and law firms only to the extent that this is necessary for the conduct of its research.
- The Legal 500 undertakes not to testify or to make any statements before courts or public authorities in respect of facts concerning your law firm of which it has been made aware in the course of conducting its research without the prior consent of your law firm.
- The Legal 500 will grant access to information to its employees only to the extent that this is necessary for the conduct of The Legal 500’s research.
- The obligations set out in s1-9 above shall continue to apply after The Legal 500’s research period has concluded.
H – Rights of client referee data subjects
- The Legal 500 will assist your firm in safeguarding the rights of data subjects, in particular the right to be provided with information and access to as well as the right to rectification, data portability, blocking or erasure of their respective personal data and The Legal 500 will transmit any required information back to your firm on request.
- The Legal 500 will erase all client referee personal data on completion of its research process and following notification within 28 days of publication to the client referee by email that the research has been published.
- “Erase” in the context of these terms and conditions means the permanent removal of personal data from any email research campaigns; and permanent deletion from databases used to manage future such research.
ANNEX 1 – TECHNICAL AND ORGANISATIONAL MEASURES FOR THE PROTECTION OF DATA
The Legal 500 seeks at all times to meet the principles of data protection by design and data protection by default. To that end, we undertake the following measures:
- To minimise the amount of processing of personal data required – we have developed processes which are designed to: a) process all data once only, and in as straightforward a fashion as possible; b) add administrative safeguards to minimise the amount of manual intervention required to process the data; c) reduce to the bare minimum the number of software applications required to handle the data.
- The personal contact data we are using is available for scrutiny on request at all times from the point of submission by a law firm to publication of the research either by the data subject or the law firm that supplied the information.
- All collection of personal data will be initiated and controlled from the UK.
- The data is stored for as short a time as possible on secure servers. We use logically separated databases, multiple servers and comprehensive backups to ensure we minimise the risk of data leaks or loss and run regular penetration tests to ensure that all of our infrastructure is secure against exploitation and free of vulnerabilities.
- We use carefully selected email research software suppliers with the highest available levels of data protection and security guarantees, and international reputations for data handling (for example Adestra) with guarantees regarding safeguarding of data privacy attached to the service they provide, and we are regularly in contact to ensure that they are able to fulfil the specific data protection obligations pertinent to our processes, and have due regard for the state of the art generally (see section F of the terms and conditions above for more details).
- We do not transfer, process or otherwise handle any personal contact data outside of the UK.
- We will never under any circumstances make any submissions or personal contact data available to any third party, or to any product outside of The Legal 500 research process.