Privacy notice

This privacy notice sets out information about Kennedys’ privacy practices and your rights.

1 Introduction

Kennedys takes the protection of your personal data seriously.

Kennedys is an international legal practice carried on by Kennedys Law LLP and its affiliated firms. References to “Kennedys”, “we” or “us” in this Privacy Notice mean Kennedys Law LLP and other firms authorised to use the Kennedys name. A full list of these entities is available on our legal notices page.

This Privacy Notice sets out information about Kennedys’ privacy practices and your rights. Expand the section(s) below to see information about how Kennedys processes your personal data.

We may amend this Privacy Notice at any time and for any reason. The updated version will be available by following the “Privacy” link on our website footer at www.kennedyslaw.com. You should check the Privacy Notice regularly for changes.

2 Data protection laws

Kennedys is bound by the European Union (“EU”) General Data Protection Regulation 2016/679 (“GDPR”). Kennedys’ offices outside the EU are subject to their local data protection laws.

In this Privacy Notice, the terms personal data, controller, processor, data subject, consent, recipient, third party, processing and profiling have the meanings given to them in the GDPR.

3 Controller contact details

The controller for the processing of personal data under this Privacy Notice is:

Kennedys
25 Fenchurch Avenue, London EC3M 5AD, United Kingdom
Telephone: +44 20 7667 9667
Email: dataprotection@kennedyslaw.com
Website: www.kennedyslaw.com

Contact details for each individual Kennedys Group entity are listed on our legal notices page.

4 Data Protection Officer contact details

If you have any questions about this Privacy Notice or about our personal data processing practices, or if you wish to exercise any of your rights as a data subject, you may contact Kennedys’ Data Protection Officer for your region at dataprotection@kennedyslaw.com or as follows:

United Kingdom/Europe 

Andrew Coates
Regional Data Protection Officer
Kennedys
25 Fenchurch Avenue
London EC3M 5AD, United Kingdom
Telephone: +44 20 7667 9063
Email: andrew.coates@kennedyslaw.com

Asia-Pacific & Middle East

Nicholas Blackmore
Regional Data Protection Officer
Kennedys
Level 36, 140 William St
Melbourne VIC 3000, Australia
Telephone: +613 9498 6602
Email: nicholas.blackmore@kennedyslaw.com

North America 

Matt Lodge
Regional Data Protection Officer
Kennedys CMK
120 Mountain View Boulevard
Basking Ridge NJ 07920, USA
Telephone: +1 908 848 1225
Email: matthew.lodge@kennedyscmk.com

South America

Isadora Talamo
Regional Data Protection Officer
Kennedys
25 Fenchurch Avenue
London EC3M 5AD, United Kingdom
Telephone: +44 20 7667 9236
Email: isadora.talamo@kennedyslaw.com

5 Lead supervisory authority contact details

If you have a complaint about our personal data processing practices, you should first contact Kennedys’ Data Protection Officer for your region. If you are not satisfied with our response, you have the right to lodge your complaint with the following supervisory authority:

Information Commissioners Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
Telephone: +44 (0) 303 123 1113
Email: casework@rco.org.uk
Website: https://ico.org.uk

If you are located outside the EU or the UK, you may also contact your local data protection authority. Kennedys’ Data Protection Officer for your region can provide contact details.

6 Specific situations in which we may process your personal data

Kennedys collects and processes personal data in a number of different situations. Expand the section(s) below which apply to you to see information about how Kennedys processes, your personal data.

6.1 Clients

We will process certain personal data about clients who are individuals.

Types of personal data we collect

To engage and serve you as a client, we will need to collect personal data about you, including your name, position, address, contact details and business details. We may also collect data on the industry in which you operate and your business and personal interests.

In some countries, we may be required by law to collect certain identifying information about you. This may include your name, address, identification or business numbers. We may also be required to view or take a copy of your passport or identity documents.

In the course of your matter, we may collect other personal data about you that is relevant to the matter - see section 6.3 below for further information about this.

Generally, we will obtain this personal data directly from you. Sometimes, we may obtain personal data about you from third parties (for example, a doctor may provide a report about your health) or public sources (for example, we may obtain data about your directorships from a company search).

Purposes of processing

(a) We will process your personal data for the purpose of providing legal and other professional services to you and for other purposes related to that purpose (for example, to carry out conflict checks, to comply with anti-money laundering and terrorism financing laws, and to send you invoices).

(b) We may also use your contact details and interests to manage and develop our relationship with you and to send you communications about our services and firm events – see section 6.4 below for further information about this.

Legal basis for processing under the GDPR

When you become a client, you enter into a contract with Kennedys for the provision of services. The processing described in paragraph (a) above is necessary for taking steps to enter into that contract, or for the performance of that contract. Some of that processing is necessary to comply with applicable laws (for example, legal practice rules or anti-money laundering and terrorism financing laws). 

The processing described in paragraph (b) above is necessary for the purposes of Kennedys’ legitimate interests in developing and growing its business. See section 7 below for more details about Kennedys’ legitimate interests.

Recipients or categories of recipients

We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such suppliers are subject to obligations not to use or disclose that data.

For the purposes of your matter, we may disclose your personal data to third parties who provide services which assist us with your matter and to third parties who are involved in the matter - see section 6.3 below for further information about this.

In some countries, we are required by law to provide your personal data to government authorities.

In exceptional circumstances, we may be required or permitted by law to disclose personal data, for example to law enforcement authorities or to prevent a serious threat to public safety.

Transfers

We may transfer your personal data overseas.

The information systems of Kennedys Group are hosted on central servers located in the United Kingdom and Singapore. Any personal data that we store on our systems will be transferred to one of those locations.

Kennedys Group’s information systems, including electronic matter files, client information and finance systems are accessible by Kennedys offices around the world. This means your personal data may be accessed by Kennedys personnel overseas.

When a client matter involves obtaining legal or other professional advice from another country, we may need to transfer details about the client matter, including your personal data, to a Kennedys office or third party in that country.

See section 8 below for information about the safeguards Kennedys adopts when transferring personal data overseas.

Retention period

Kennedys will only retain personal data for as long as it has a legitimate purpose to do so. Kennedys will need to retain personal data for commercial and legal purposes. How long it will need to retain personal data for these purposes will depend on the specific personal data.

Kennedys generally retains client documentation and matter files for at least 6 years after the end of the matter, in case a dispute arises in relation to the matter. It may retain some client matter files for longer than this (for example, property related matters).

Kennedys is required to retain certain client and matter information for a specified period by corporate and tax laws, legal industry regulations and our insurance providers.

Once Kennedys has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.

Requirement to provide personal data

As a client, it is mandatory to provide us with basic personal data such as your name and contact details. If you do not provide this data, we will not be able to act for you.

In some countries, we are required by law to collect certain personal data about you. If you do not provide this data, we will not be able to act for you.

It is optional to provide most other personal data. However, in many cases, if you do not provide that data, the advice and services we can provide to you may be limited or may not take into account your particular circumstances. 

6.2 Officers, employees or contractors of clients

We may collect personal data from officers, employees or contractors of clients which are organisations.

Types of personal data we collect

To engage and serve your organisation as a client, we may need to collect personal data about you, including your name, position, address, contact details and business details. We may also collect data on the industry in which your organisation operates and your business and personal interests.

In some countries, we may be required by law to collect certain identifying information about you. This may include your name, address, identification or business numbers. We may also be required to view or take a copy of your passport or identity documents.

In the course of your matter, we may collect other personal data about you that is relevant to the matter - see section 6.3 below for further information about this.

Generally, we will obtain this personal data directly from you. Sometimes, we may obtain personal data about you from third parties (for example, a doctor may provide a report about your health) or public sources (for example, we may obtain data about your directorships from a company search).

Purposes of processing

We will process your personal data for the purpose of providing legal and other professional services to you and for other purposes related to that purpose (for example, to carry out conflict checks, to comply with anti-money laundering and terrorism financing laws, and to send you invoices).

We may also use your contact details and interests to manage and develop our relationship with you and to send you communications about our services and firm events – see section 6.4 below for further information about this.

Legal basis for processing

The processing described above is necessary for the purposes of Kennedys’ legitimate interests in operating a law firm which provides legal and other professional services to its clients and in developing and growing our business. See section 7 below for more details about Kennedys’ legitimate interests.

Some of that processing is necessary to comply with applicable laws (for example, legal practice rules or anti-money laundering and terrorism financing laws). 

Recipients or categories of recipients

We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such suppliers are subject to obligations not to use or disclose that data.

For the purposes of your matter, we may disclose your personal data to third parties who provide services which assist us with your matter and to third parties who are involved in the matter - see section 6.3 below for further information about this.

In some countries, we are required by law to provide your personal data to government authorities.

In exceptional circumstances, we may be required or permitted by law to disclose personal data, for example to law enforcement authorities or to prevent a serious threat to public safety.

Transfers

We may transfer your personal data overseas.

The information systems of Kennedys Group are hosted on central servers located in the United Kingdom and Singapore. Any personal data that we store on our systems will be transferred to one of those locations.

Kennedys Group’s information systems, including electronic matter files, client information and finance systems are accessible by Kennedys’ offices around the world. This means your personal data may be accessed by Kennedys’ personnel overseas.

When a client matter involves obtaining legal or other professional advice from another country, we may need to transfer details about the client matter, including your personal data, to a Kennedys office or third party in that country.

See section 8 below for information about the safeguards Kennedys adopts when transferring personal data overseas.

Retention period

Kennedys will only retain personal data for as long as it has a legitimate purpose to do so. Kennedys will need to retain personal data for commercial and legal purposes. How long it will need to retain personal data for these purposes will depend on the specific personal data.

Kennedys generally retains client documentation and matter files for at least 6 years after the end of the matter, in case a dispute arises in relation to the matter. It may retain some client matter files for longer than this (for example, property related matters).

Kennedys is required to retain certain client and matter information for a specified period by corporate and tax laws, legal industry regulations and our insurance providers.

Once Kennedys has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.

Requirement to provide personal data

As a client, it is mandatory to provide us with basic personal data such as your name and contact details. If you do not provide this data, we will not be able to act for you.

In some countries, we are required by law to collect certain personal data about you. If you do not provide this data, we will not be able to act for you.

It is optional to provide most other personal data. However, in many cases, if you do not provide that data, the advice and services we can provide to you may be limited or may not take into account your particular circumstances. 

6.3 Individuals involved in or connected with a client matter

In the course of a client matter, we may collect certain personal data about individuals who are involved in or connected with the matter. This may include claimants, policyholders, witnesses, investigators, experts, advisors and consultants, and individuals connected with any other parties involved in the matter.

Types of personal data we collect

In the course of a matter, we may collect personal data about individuals who are involved in or connected with the matter. The types of personal data we collect will depend on what is necessary for and relevant to the matter.

Basic personal data we collect include names, addresses, contact details and job/business details. We may also collect identifying details such as date of birth, national insurance numbers and identification numbers. If the matter relates to an insurance claim, we will collect personal data that is relevant to that claim, such as the circumstances of the incident, ownership of a motor vehicle, or the nature of any injuries suffered. It may also include information like credit history and electoral roll details. The personal data we collect may also include special categories of personal data if relevant to a matter, such as disability, health and medical information.

Depending on the circumstances, we may obtain this personal data directly from the individual, from third parties or public sources. We may obtain personal data from third parties including investigators, doctors, experts, insurers, witnesses and other parties involved in the matter. We may collect personal data from public sources including social media, company records, the land registry, births deaths and marriages, insurance industry databases, credit reporting agencies and the electoral roll.

Purposes of processing

We process your personal data for the purpose of providing legal and other professional services to our client and for other purposes related to the provision of these services (for example, to gather evidence, to identify witnesses and to conduct legal proceedings).

If the matter relates to an insurance claim, our intelligence team may process your personal data in the course of conducting investigations and analysis on that claim for our client. These investigations may involve tracing people connected with the claim, conducting background research on claimants, or determining whether a claim is fraudulent.

Legal basis for processing under the GDPR

The processing described above is necessary for the purposes of Kennedys’ legitimate interests in operating a law firm which provides legal and other professional services to its clients. See section 7 below for more details about Kennedys’ legitimate interests.

The processing by our intelligence team to determine whether a claim is fraudulent is necessary for the purposes of insurers’, policyholders’ and the public’s legitimate interests in administering claims efficiently, identifying potentially fraudulent claims and helping prevent insurance fraud.

Recipients or categories of recipients

We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such suppliers are subject to obligations not to use or disclose that data.

We may disclose your personal data to our client or to third parties who provide services to our client in support of its business. For example, if our intelligence team identifies a person who has posted to social media about an incident and may be a potential witness, we will provide that person’s details to our client.

We may disclose your personal data to third parties who provide legal and non-legal services which assist us with the matter. For example, we may disclose your data to barristers, investigators, experts, or translators, if that is necessary for the conduct of the matter.

We may disclose your personal data to third parties who are involved in the matter. For example, when we file court documents in a legal proceeding, that will involve providing any personal data contained in those court documents to the court and the other parties involved in the proceeding.

We may disclose your personal data to public authorities or registrars if necessary for the conduct of the matter. For example, in a property transaction, we will need to disclose your personal data to the land registry.

In exceptional circumstances, we may be required or permitted by law to disclose personal data, for example to law enforcement authorities or to prevent a serious threat to public safety.

Transfers

We may transfer your personal data overseas.

The information systems of Kennedys Group are hosted on central servers located in the United Kingdom and Singapore. Any personal data that we store on our systems will be transferred to one of those locations.

Kennedys Group’s information systems, including electronic matter files, client information and finance systems are accessible by Kennedys’ offices around the world. This means your personal data may be accessed by Kennedys’ personnel overseas.

When a client matter involves obtaining legal or other professional advice from another country, we may need to transfer details about the client matter, including your personal data, to a Kennedys office or third party in that country.

See section 8 below for information about the safeguards Kennedys adopts when transferring personal data overseas.

Retention period

Kennedys will only retain personal data for as long as it has a legitimate purpose to do so. We will need to retain personal data for commercial and legal purposes. How long we will need to retain personal data for these purposes will depend on the specific personal data.

Kennedys generally retains client matter files for at least 6 years after the end of the matter, in case a dispute arises in relation to the matter. It may retain some client matter files for longer than this (for example, property related matters).

If the matter relates to an insurance claim, our intelligence team may retain your personal data indefinitely to assist in future investigations.

Kennedys is required to retain certain matter information for a specified period by corporate and tax laws, legal industry regulations and our insurance providers.

Once Kennedys has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.

Requirement to provide personal data

It is optional to provide most of the above personal data. However, in many cases, if you do not provide that data, it may affect your participation in and rights in relation to the matter.

6.4 Business development targets

Kennedys will collect certain personal data about individuals who it targets for business development and marketing activities and communications. This includes anyone who we have, or would like to develop, a business relationship with.

Types of personal data we collect

We may collect personal data about you, including your name, job title, position, address, contact details and business details. We may also collect data on the industry in which your organisation operates and your business and personal interests. If we invite you to an event, we may ask for personal data about your dietary and accessibility requirements. If you use the Kennedys events app, it will ask for your name, job title, company and email address.

Generally, we will obtain this personal data directly from you – for example, from your business card or email signature block. Sometimes, we may obtain personal data about you from a third party (for example, a colleague may provide us with your details) or a public source (for example, we may obtain data about your business interests from Linkedin).

Purposes of processing

We may use your personal data to track our business development engagement with you, to help us understand your business and to help us develop and implement our business development strategies.

We may use your contact details and interests to keep you updated on important legal developments and to invite you to, and provide you with information about, our seminars and events. When your details are first entered into our marketing database, we will send you a “Welcome to Kennedys” email, which will allow you to set your preferences as to which types of marketing communications you would like to receive, or completely opt-out of receiving marketing communications from Kennedys. There will also be links to “Update details and preferences” and “Unsubscribe” in every marketing communication we send to you.

Legal basis for processing

The processing described above is necessary for the purposes of Kennedys’ legitimate interests in operating a law firm which provides legal and other professional services to its clients and in developing and growing our business and our relationships. See section 7 below for more details about Kennedys’ legitimate interests.

In some cases, data protection or anti-spam laws may require us to obtain your consent to send you particular types of marketing communication. For example, if you are an “individual subscriber” in the UK under the UK Privacy and Electronic Communications Regulations, we may require consent to send you email communications. In those cases, we will only carry out such processing based on and in accordance with your consent.

Recipients or categories of recipients

Generally, we will not disclose any personal data that we hold about you for business development or marketing purposes to anyone outside Kennedys.

The only exceptions to this are:

  • We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business (however, we will ensure that all such suppliers are subject to obligations not to use or disclose that data); and
  • We may provide attendees’ names, titles, companies and any dietary or mobility requirements to third parties who assist us in staging an event (for example, the venue owner, a security provider, an event co-host, a catering company or the presenter), but only if that is necessary as part of staging the event.

Transfers

We may transfer your personal data overseas.

The information systems of Kennedys Group are hosted on central servers located in the United Kingdom and Singapore. Any personal data that we store on our systems will be transferred to one of those locations.

Kennedys Group’s information systems, including our business development system, are accessible by Kennedys’ offices around the world. This means your personal data may be accessed by Kennedys’ personnel overseas.

See section 8 below for information about the safeguards Kennedys adopts when transferring personal data overseas.

Retention period

Kennedys will only retain personal data for as long as it has a legitimate purpose to do so. Kennedys will need to retain personal data for commercial and legal purposes. How long it will need to retain personal data for these purposes will depend on the specific personal data.

Kennedys may retain your personal data for as long as we have the right to send marketing communications to you. Once you withdraw your consent, we may keep some basic personal data on our “anti-marketing list” to ensure we do not start marketing to you again.

We may retain Kennedys events app login details to allow you to continue to log in to the app.

Once Kennedys has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.

Requirement to provide personal data

It is optional to provide your personal data to us for business development purposes. The more personal data you provide to us, the more relevant our business development activities and communications will be to you.

Specific notice for marketing communications from Kennedys Hong Kong office

Marketing and business development communications from our Hong Kong office will comply with the Personal Data (Privacy) Ordinance, which requires that we provide you with the following notice. We intend to use your contact details and interests to send you communications about our services and firm events. We may not do so without your consent. We obtain this consent through our initial “Welcome to Kennedys” email, which you will receive when your details are first entered into our marketing database. The “Welcome to Kennedys” email will allow you to set your preferences as to which types of marketing communications you would like to receive, or completely opt-out of receiving marketing communications from Kennedys altogether. There will also be links to “Update details and preferences” and “Unsubscribe” in every marketing communication we send to you.

6.5 Partner, employee or contractor of a Kennedys associate office or correspondent firm

Kennedys may collect certain personal data about individuals who are partners, employees or contractors of Kennedys’ associate offices or correspondent firms.

Types of personal data we collect

As part of Kennedys relationship with your firm (either as a member of the Kennedys network or as a correspondent firm), we may need to collect personal data about you, including your name, position, address, contact details, areas of expertise, qualifications and experience.

If we are providing services to you, in some countries, we may be required by law to collect certain identifying information about you. This may include your name, address, identification or business numbers. We may also be required to view or take a copy of your passport or identity documents.

We may collect this personal data directly from you or indirectly from your firm.

Purposes of processing

We may process your personal data for the purpose of providing services to your firm and/or receiving services from your firm, and for other purposes related to that purpose (for example, to issue or pay invoices for those services). If you are a correspondent firm, we may add your details to our database of correspondent firms, so that our other lawyers are aware of your expertise.

We may also use your contact details and interests to send you communications about our services and firm events – see section 6.4 above for further information about this.

Legal basis for processing under the GDPR

The processing described above is necessary for the purposes of Kennedys’ legitimate interests in operating a law firm which provides legal and claims processing services to clients and in developing and growing our business. See section 7 below for more details about Kennedys’ legitimate interests.

Some of that processing is necessary to comply with applicable laws (for example, legal practice rules or anti-money laundering and terrorism financing laws). 

Recipients or categories of recipients

We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such suppliers are subject to obligations not to use or disclose that data.

We may disclose your personal data to our client in the course of providing services to them.

We may disclose your personal data to third parties who provide legal and non-legal services which assist us with the matter. For example, we may disclose your data to barristers, investigators, experts, or translators, if that is necessary for the conduct of the matter.

We may disclose your personal data to third parties who are involved in the matter. For example, when we file court documents in a legal proceeding, that will involve providing any personal data contained in those court documents to the court and the other parties involved in the proceeding.

We may disclose your personal data to public authorities or registrars if necessary for the conduct of the matter. For example, in a property transaction, we will need to disclose your personal data to the land registry.

In some countries, we are required by law to provide your personal data to government authorities.

In exceptional circumstances, we may be required or permitted by law to disclose personal data, for example to law enforcement authorities or to prevent a serious threat to public safety.

Transfers

We may transfer your personal data overseas.

The information systems of Kennedys Group are hosted on central servers located in the United Kingdom and Singapore. Any personal data that we store on our systems will be transferred to one of those locations.

Kennedys Group’s information systems, including electronic matter files, ad our accounts system and our correspondent firm database, are accessible by Kennedys’ offices around the world. This means your personal data may be accessed by Kennedys’ personnel overseas.

See section 8 below for information about the safeguards Kennedys adopts when transferring personal data overseas.

Retention period

Kennedys will only retain personal data for as long as it has a legitimate purpose to do so. Kennedys will need to retain personal data for commercial and legal purposes. How long it will need to retain personal data for these purposes will depend on the specific personal data.

Kennedys generally retains client matter files for at least six years after the end of the matter, in case a dispute arises in relation to the matter. It may retain some client matter files for longer than this (for example, property related matters).

Kennedys is required to retain certain client and matter information for a specified period by corporate and tax laws, legal industry regulations and our insurance providers.

Once Kennedys has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.

Requirement to provide personal data

If we are providing services to your firm, it is mandatory to provide us with basic personal data such as your name and contact details. If we do not have this data, we will not be able to provide services to your firm.

It is optional to provide most other personal data. However, in many cases, if you do not provide that data, the advice and services we can provide to your organisation may be limited. It may also affect our ability to assess your organisation’s suitability to provide services to us.

In some countries, we are required by law to collect your identification or business number and/or view or take a copy of your passport or identity documents. If you do not provide this data, we will not be able to act for your organisation.

6.6 Subject-matter experts

Kennedys will collect certain personal data about experts who assist or advise (or may potentially advise or assist) Kennedys in relation to a client matter. This may include doctors, psychologists, forensic experts and other subject matter experts.

Types of personal data we collect

To engage you as an expert, we will need to collect personal data about you, including your name, position, address, contact details, business details, qualifications, experience and performance.

We may obtain this data directly from you, from third parties (for example, recommendations from clients) or from public sources (for example, a website or directory).

Purposes of processing

(a) We may process your personal data for the purpose of providing your expert services as part of our legal and other professional services to our client and for other purposes related to that purpose (for example, to pay you for your services).

(b) We may also add you to our internal experts’ database, so that other lawyers within the firm can see your expertise and contact you for future matters.

(c) With your consent, we may disclose your details to other Kennedys’ clients and other third parties (such as counsel, co-defendants and claimants’ solicitors) for the purpose of considering whether to instruct you in relation to future matters.

Legal basis for processing under the GDPR

When you provide expert services to Kennedys, you enter into a contract with Kennedys for the provision of services. The processing described in paragraph (a) above is necessary for taking steps to enter into that contract, or for the performance of that contract.

The processing in paragraph (b) above is necessary for the purposes of Kennedys’ legitimate interests in operating a law firm which provides legal and claims processing services to clients. See section 7 below for more details about Kennedys’ legitimate interests.

The processing in paragraph (c) above is based on your consent.

Recipients or categories of recipients

We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such suppliers are subject to obligations not to use or disclose that data.

We may disclose your personal data to our client in the course of providing legal and other professional services to them.

We may disclose your personal data to third parties who provide legal and non-legal services which assist us with the matter. For example, we may disclose your data to a barrister, an investigator or a translation service, if that is necessary for the conduct of the matter.

We may disclose your personal data to third parties who are involved in the matter. For example, when we file court documents in a legal proceeding, that will involve providing any personal data contained in those court documents to the court and the other parties involved in the proceeding.

With your consent, we may also disclose your personal data to other Kennedys clients who require your expertise.

In exceptional circumstances, we may be required or permitted by law to disclose personal data, for example to law enforcement authorities or to prevent a serious threat to public safety.

Transfers

We may transfer your personal data overseas.

The information systems of Kennedys Group are hosted on central servers located in the United Kingdom and Singapore. Any personal data that we store on our systems will be transferred to one of those locations.

Kennedys Group’s information systems, including electronic matter files and the experts’ database, are accessible by Kennedys’ offices around the world. This means your personal data may be accessed by Kennedys’ personnel overseas.

When a client matter involves obtaining legal or other professional advice from another country, we may need to transfer details about the client matter, including your personal data, to a Kennedys office or third party in that country.

See section 8 below for information about the safeguards Kennedys adopts when transferring personal data overseas.

Retention period

Kennedys will only retain personal data for as long as it has a legitimate purpose to do so. Kennedys will need to retain personal data for commercial and legal purposes. How long it will need to retain personal data for these purposes will depend on the specific personal data.

Kennedys will generally retain your personal data on our experts’ database for at least six years after you last provided services to us.

Kennedys generally retains client matter files for at least 6 years after the end of the matter, in case a dispute arises in relation to the matter. It may retain some client matter files for longer than this (for example, property related matters).

Kennedys is required to retain certain matter information for a specified period by corporate and tax laws, legal industry regulations and our insurance providers.

Once Kennedys has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.

Requirement to provide personal data

It is optional to provide most of the above personal data. However, in many cases, if you do not provide that data, it may affect your participation in and rights in relation to the matter.

6.7 Barristers

Kennedys will collect certain personal data about barristers who assist Kennedys in relation to a client matter.

Types of personal data we collect

To engage you as counsel, we will need to collect personal data about you, including your name, position, address, contact details, business details, qualifications, experience and performance.

We may obtain this data directly from you, from third parties (for example, recommendations from other counsel) or from public sources (for example, a website or directory).

Purposes of processing

(a) We may process your personal data for the purpose of providing your services as part of our legal and other professional services to our client and for other purposes related to that purpose (for example, to pay you for your services).

(b) We may also add you to our internal database of counsel, so that other lawyers within the firm can see your expertise and contact you for future matters.

(c) With your consent, we may disclose your details to other Kennedys’ clients and other third parties (such as co-defendants and claimants’ solicitors) for the purpose of considering whether to instruct you in relation to future matters.

Legal basis for processing under the GDPR

When you provide your services to Kennedys, you enter into a contract with Kennedys for the provision of services. The processing described in paragraph (a) above is necessary for taking steps to enter into that contract, or for the performance of that contract.

The processing in paragraph (b) above is necessary for the purposes of Kennedys’ legitimate interests in operating a law firm which provides legal services to clients. See section 7 below for more details about Kennedys’ legitimate interests.

The processing in paragraph (c) above is based on your consent.

Recipients or categories of recipients

We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such suppliers are subject to obligations not to use or disclose that data.

We may disclose your personal data to our client in the course of providing legal and other professional services to them.

We may disclose your personal data to third parties who provide legal and non-legal services which assist us with the matter. For example, we may disclose your data to an expert witness, an investigator or a translation service, if that is necessary for the conduct of the matter.

We may disclose your personal data to third parties who are involved in the matter. For example, when we file court documents in a legal proceeding, that will involve providing any personal data contained in those court documents to the court and the other parties involved in the proceeding.

With your consent, we may also disclose your personal data to other Kennedys clients who require your expertise.

In exceptional circumstances, we may be required or permitted by law to disclose personal data, for example to law enforcement authorities or to prevent a serious threat to public safety.

Transfers

We may transfer your personal data overseas.

The information systems of Kennedys Group are hosted on central servers located in the United Kingdom and Singapore. Any personal data that we store on our systems will be transferred to one of those locations.

Kennedys Group’s information systems, including electronic matter files and the experts’ database, are accessible by Kennedys’ offices around the world. This means your personal data may be accessed by Kennedys’ personnel overseas.

When a client matter involves obtaining legal or other professional advice from another country, we may need to transfer details about the client matter, including your personal data, to a Kennedys office or third party in that country.

See section 8 below for information about the safeguards Kennedys adopts when transferring personal data overseas.

Retention period

Kennedys will only retain personal data for as long as it has a legitimate purpose to do so. Kennedys will need to retain personal data for commercial and legal purposes. How long it will need to retain personal data for these purposes will depend on the specific personal data.

Kennedys will generally retain your personal data on our database of counsel for at least six years after you last provided services to us.

Kennedys generally retains client matter files for at least 6 years after the end of the matter, in case a dispute arises in relation to the matter. It may retain some client matter files for longer than this (for example, property related matters).

Kennedys is required to retain certain matter information for a specified period by corporate and tax laws, legal industry regulations and our insurance providers.

Once Kennedys has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.

Requirement to provide personal data

It is optional to provide most of the above personal data. However, in many cases, if you do not provide that data, it may affect your participation in and rights in relation to the matter.

6.8 Individual supplier to Kennedys

Kennedys will collect certain personal data about suppliers to Kennedys who are individuals. (For experts, see section 6.6 above; for barristers, see section 6.7 above.)

Types of personal data we collect

To engage you as a supplier, we will need to collect personal data about you, including your name, position, address, contact details, business details, qualifications and experience.

Purposes of processing

We may process your personal data for the purpose of allowing you to provide, and for receiving, your services and for other purposes related to that purpose (for example, to pay you for your services).

Legal basis for processing under the GDPR

When you become a supplier, you enter into a contract with Kennedys for the provision of services. The processing described above is necessary for taking steps to enter into that contract, or for the performance of that contract.

Recipients or categories of recipients

We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such suppliers are subject to obligations not to use or disclose that data.

If necessary in connection with the services, we may disclose your personal data to our client and to parties involved in a client matter.

In exceptional circumstances, we may be required or permitted by law to disclose personal data, for example to law enforcement authorities or to prevent a serious threat to public safety.

Transfers

We may transfer your personal data overseas.

The information systems of Kennedys Group are hosted on central servers located in the United Kingdom and Singapore. Any personal data that we store on our systems will be transferred to one of those locations.

Kennedys Group’s information systems, including electronic matter files and our accounts system, are accessible by Kennedys’ offices around the world. This means your personal data may be accessed by Kennedys’ personnel overseas.

See section 8 below for information about the safeguards Kennedys adopts when transferring personal data overseas.

Retention period

Kennedys will only retain personal data for as long as it has a legitimate purpose to do so. Kennedys will need to retain personal data for commercial and legal purposes. How long it will need to retain personal data for these purposes will depend on the specific personal data.

Kennedys will generally retain your personal data for at least six years after you last provided services to us.

Once Kennedys has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.

Requirement to provide personal data

It is optional to provide most of the above personal data. However, in many cases, if you do not provide that data, it may affect our ability to assess your suitability to provide services to us, or your ability to provide services to us.

6.9 Individual associated with an organisation which is a supplier to Kennedys

Kennedys will collect certain personal data about individuals associated with organisations who are suppliers to Kennedys.

Types of personal data we collect

To engage your organisation as a supplier, we will need to collect personal data about you, including your name, position, address, contact details, business details, qualifications and experience.

Purposes of processing

We may process your personal data for the purpose of allowing your organisation to provide, and for receiving, your organisation’s services and for other purposes related to that purpose (for example, to pay your organisation for its services).

Legal basis for processing under the GDPR

The processing described above is necessary for the purposes of Kennedys’ legitimate interests in operating a law firm which provides legal and other professional services to clients. See section 7 below for more details about Kennedys’ legitimate interests.

Recipients or categories of recipients

We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such suppliers are subject to obligations not to use or disclose that data.

If necessary in connection with the services, we may disclose your personal data to our client and to parties involved in a client matter.

In exceptional circumstances, we may be required or permitted by law to disclose personal data, for example to law enforcement authorities or to prevent a serious threat to public safety.

Transfers

We may transfer your personal data overseas.

The information systems of Kennedys Group are hosted on central servers located in the United Kingdom and Singapore. Any personal data that we store on our systems will be transferred to one of those locations.

Kennedys Group’s information systems, including electronic matter files and our accounts system, are accessible by Kennedys offices around the world. This means your personal data may be accessed by Kennedys personnel overseas.

See section 8 below for information about the safeguards Kennedys adopts when transferring personal data overseas.

Retention period

Kennedys will only retain personal data for as long as it has a legitimate purpose to do so. Kennedys will need to retain personal data for commercial and legal purposes. How long it will need to retain personal data for these purposes will depend on the specific personal data.

Kennedys will generally retain your personal data for at least six years after your organisation last provided services to us.

Once Kennedys has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.

Requirement to provide personal data

It is optional to provide most of the above personal data. However, in many cases, if you do not provide that data, it may affect our ability to assess your organisation’s suitability to provide services to us, or your organisation’s ability to provide services to us.

6.10 Contacting us with a query

Kennedys will collect certain personal data about you if you contact us with a query, by mail, email, fax or through our website.

Types of personal data we collect

We may collect your name and contact details, and any other personal data in your correspondence to us.

Purposes of processing

We may use your personal data to respond to your query.

Legal basis for processing

The processing described above is necessary for the purposes of Kennedys’ legitimate interests in operating a law firm which provides legal and other professional services to clients. See section 7 below for more details about Kennedys’ legitimate interests.

Recipients or categories of recipients

We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such suppliers are subject to obligations not to use or disclose that data.

Otherwise, we will not disclose your personal data outside Kennedys, unless that is necessary to respond to your query.

Transfers

We may transfer your personal data overseas.

The information systems of Kennedys Group are hosted on central servers located in the United Kingdom and Singapore. Any personal data that we store on our systems will be transferred to one of those locations.

Kennedys Group’s information systems, including our email system, are accessible by Kennedys’ offices around the world. This means your personal data may be accessed by Kennedys’ personnel overseas.

See section 8 below for information about the safeguards Kennedys adopts when transferring personal data overseas.

Retention period

Kennedys will only retain personal data for as long as it has a legitimate purpose to do so. Kennedys will need to retain personal data for commercial and legal purposes. How long it will need to retain personal data for these purposes will depend on the specific personal data.

Kennedys may retain your personal data for as long as it takes to respond to your query. After we have responded to your query, we may retain your personal data for follow up or record-keeping purposes.

Once Kennedys has no legal or commercial reasons to retain personal data, it will be securely deleted or destroyed.

Requirement to provide personal data

You may choose what personal data you provide when you send us a query.

6.11 Ki

Kennedys offers Ki, a claims administration and fraud detection tool, to its clients. Insurers and other compensators can submit claims they receive to Ki for review. Ki assesses claims and fraud risk by comparing the submitted claim against a database of historical claims and other claims analysis. It organises and provides a score to the client to indicate the likelihood that the claim is fraudulent.

Types of personal data collected

The Ki database combines historical insurance claims records from multiple insurers, insurance industry databases, government databases and other public sources.

Insurance claims records may contain a range of personal data about individuals associated with the claim - the claimant, the policyholder, witnesses and other people involved in the incident. This data may include names, addresses, contact details and business details. The other types of personal data will depend on the nature of the claim. It may include special categories of personal data if relevant to a claim, such as disability, health and medical information.

Purposes of processing

Ki processes personal data for the purposes of claims administration and assessing whether a claim is likely to be fraudulent.

Ki does not involve any automated decision-making – it organises claims and scores each one to indicate the likelihood of fraud and reports those scores to the client. Our client then decides what action they take in relation to the claim.

Legal basis for processing under the GDPR

The processing described above is necessary for the purposes of insurers’, policyholders’ and the public’s legitimate interests in administering claims efficiently, identifying potentially fraudulent claims and helping prevent insurance fraud.

Recipients or categories of recipients

We may disclose your personal data to third parties who provide administrative, storage, telecommunications, information technology and other services to us in support of our business. However, we will ensure that all such suppliers are subject to obligations not to use or disclose that data.

We may share the personal data held in the Ki database with clients who use the Ki tool.

Transfers

The personal data in the Ki database is not transferred outside the United Kingdom and the European Union. Ki is hosted on Kennedys’ servers in the United Kingdom and is only accessible to a limited number of Kennedys personnel, all of whom are located in the United Kingdom and the European Union. All of Kennedys’ insurer clients who use Ki are based in the United Kingdom and the European Union.

Retention period

Kennedys will only retain insurance claims records in the Ki database for as long as it provides the Ki fraud detection tool to its clients.

7 Legitimate interests

As noted in section 6 above, in some situations, Kennedys may process your personal data on the basis of its “legitimate interests”.

Kennedys Group is an international law firm, which provides a wide range of legal and other professional services to its clients. It has partners, employs employees and engages contractors around the world.

As such, Kennedys has a legitimate interest in:

  • providing legal services (such as advice and litigation), claims handling services (such as claims administration, management and processing) and other professional services (such as debtor and asset tracing) to its clients, ensuring those services are of high quality, and complying with all regulations which apply to the provision of those services;
  • developing and growing its business and its relationships, understanding the needs of its clients and prospective clients, and providing insights and commentary on legal issues; and
  • employing and managing its partners, employees and contractors.

Kennedys will only rely on those legitimate interests to process personal data where:

  • the processing is necessary for the purposes of those for the purposes of those legitimate interests; and
  • those legitimate interests are not overridden by the data subject’s interests or fundamental rights and freedoms.


8 Transfers

As noted in section 6 above, Kennedys may transfer your personal data to other countries.

The information systems of Kennedys Group are hosted on central servers located in the United Kingdom and Singapore. Any personal data that we store on our systems will be transferred to one of those locations.

Many of Kennedys Group’s information systems, including electronic matter files, client information and finance systems are accessible by Kennedys offices around the world. This means your personal data may be accessed by Kennedys’ personnel overseas.

When a matter involves obtaining legal or other professional advice from another country, we may need to transfer details about the matter, including personal data, to a Kennedys office or third party in that country.

For the purposes of the GDPR, the European Commission issues adequacy decisions on the data privacy laws of non-EU countries. The majority of countries to which Kennedys may transfer personal data are not covered by an EC adequacy decision. However, many of them do have local data privacy laws which are similar to the GDPR.

All Kennedys Group entities worldwide will treat your personal data in accordance with this Privacy Notice and their local data privacy law. In addition, all Kennedys offices outside the EU have entered into an agreement which requires them to treat all personal data transferred to them from Kennedys’ EU offices in accordance with the GDPR.

In addition, Kennedys adopts following safeguards when transferring personal data overseas:

  • Kennedys will always make such transfers in accordance with the requirements of the data privacy laws of your home country;
  • Kennedys will require that any overseas third party to which it discloses your personal data to: (a) only use that personal data for the purposes for which it was disclosed; (b) use all technical and organisational measures which are reasonable in the circumstances to secure that personal data; (c) delete that personal data when it is no longer required; and (d) treat that personal data in accordance with this Privacy Notice and their local data privacy law; and
  • Kennedys technology and control mechanisms are designed and monitored by Kennedys in the UK and are internally assessed for compliance against our Security Policy and ISO27001 standards by an Information Security Manager. A continual assessment of the processes and controls is also carried out by external auditors, who provide certification against ISO27001.

9 Automated decision-making including profiling

Kennedys does not engage in any automated decision-making or profiling.

“Automated decision-making” means a decision based solely on automated processing of personal data (without human intervention) which produces legal effects concerning the person or otherwise significantly affects the person.

“Profiling” is a form of automated decision-making. It uses personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Profiling is generally associated with systems based on artificial intelligence and machine learning. A system will be provided with a set of personal data and trained to identify correlations, and to then use those correlations to predict future behaviour by individuals.

10 Kennedys Toolkit

Kennedys provides a number of legal technology products to its clients. You can read more about the Kennedys Toolkit.

Kennedys is the “controller” in relation to Ki, our fraud detection tool. Section 6.11 above describes how we process personal data for the purposes of Ki.

Most of our other products, including @Scene and KLAiM, allow our clients to process data relating to insurance claims and other legal matters. To the extent that Kennedys processes any personal data through these tools, it does so only in accordance with its clients’ instructions. For these tools, Kennedys is the “processor” and its clients are the “controller”.

Kennedys is not a controller or processor of any personal data in Cybersettle.

11 Cookies

Our website uses cookies.

Cookies are small, harmless text files placed on a computer’s hard drive. The information the cookie contains is set by the website the user is visiting and can be used by that website whenever the user returns to the site. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a character string through which web pages and services can be assigned to the specific web browser in which the cookie was stored. This allows visited websites to differentiate your web browser from other browsers.

We use cookies to collect data on how visitors use our website. These cookies are completely anonymous and do not contain any personal data.

We will seek your consent before storing any cookies on your computer. You can refuse to accept cookies. However, doing this may affect the functionality you can access on our website.

If you wish, you can use your browser settings to restrict or block the use of cookies. However, doing this may affect the functionality you can access on some websites. You can find more information at www.allaboutcookies.org.

For more information about our use of cookies, please refer to our Cookies Notice.

12 Your rights

If you are located in the European Union or the United Kingdom

If you are located in the EU or the UK, you have certain rights in relation to your personal data as follows:

  • Access: You have the right to obtain access to and a copy of any personal data we hold about you. You also have the right to find out whether your personal data has been transferred outside the EU and any safeguards relating to this transfer.
  • Rectification: If you consider that any personal data we hold about you is incorrect or incomplete, you have the right to ask us to correct or complete that personal data.
  • Erasure: In certain circumstances, you have the right to ask us to erase any personal data we hold about you.
  • Restriction of processing: In certain circumstances, you have the right to ask us not to process your personal data for certain purposes.
  • Objection to processing: In certain circumstances, you have the right to object to us processing your personal data for certain purposes.
  • Data portability: In certain circumstances, you have the right to request a copy of your personal data in a structured, commonly used and machine-readable format.
  • Withdrawing consent: If we are processing your personal data based on your consent, you have the right to withdraw that consent at any time.

For more information about these rights, visit https://ico.org.uk/for-the-public/.

To make a request pursuant to these rights, contact Kennedys’ Data Protection Officer for United Kingdom/Europe (see section 3 above).

If you are located outside the European Union and the United Kingdom

If you are not located in the EU or the UK, you may still have rights in relation to your personal data under your local data privacy law. Many countries provide data subjects with a right to seek access to any personal data we hold about you, and to request correction of that data if it is incorrect.

To make a request pursuant to these rights, contact Kennedys’ Data Protection Officer for your region (see section 3 above).