Privacy statement

Key summary

We process your data in order to provide legal services and other services to you. We may also process your data as a result of your relationship with one or more of our clients or our volunteering programme, or where you apply for a job or work placement with us or our clients, or provide us with services. We also collect personal information when you contact us, subscribe to one of our mailing lists or attend one of our seminars or events, including webinars and other digital events.

Other service providers play an important role in this relationship as we instruct them to assist with other professional services and administrative requirements. We liaise with them to ensure efficiency in business support tasks such as security, delivery, technology, payment, insurance, litigation support and archiving and storage.

Your information will be treated securely and in strict confidence, in line with industry best practice.

This notice explains what data we process, why, how it is legal and your rights. In order to do our best to be transparent, this privacy notice will be updated on an ongoing basis.

• About us
• Useful words and phrases
• What information do we collect?
• What information do we collect?
• How is processing your personal data lawful?
• Who will have access to your personal data?
• When will we delete your data?
• Your rights

About us

Gowling WLG Middle East Limited is an independent entity and part of the Gowling WLG group. Other Gowling WLG group entities operate in different countries. We decide what to do with your data in a different way in each country and so each of our entities is a separate 'data controller'. The data controller is responsible for the processing of your personal data according to the data protection laws.

Please see the legal information page for information on the Gowling WLG structure, our group entities, and who your data controller is.

Each country has different Data Protection Laws. In Abu Dhabi, the Abu Dhabi Global Market (ADGM) (a free zone where our Abu Dhabi office is located), Data Protection Regulations 2021 apply.

We take your privacy very seriously and we ask that you read this Privacy Notice carefully as it contains important information on:

• Your rights
• The personal data we collect about you and why we collect the data;
• What we do with your data, and
• Who your information will be shared with.

If you need extra help

If you would like this notice in another format (for example: audio, large print, braille) please contact us.

How you can contact us

Please contact us if you have any questions about this Privacy Notice or the information we hold about you.

If you wish to contact our Abu Dhabi Office please write to us at Gowling WLG Middle East Limited, Office 14, Floor 7, Al Khatem Tower, Abu Dhabi Global Market Square, Al Maryah Island, Abu Dhabi, UAE, or complete our online form, or you may submit a complaint to the ADGM Commissioner of Data Protection by completing the complaint forms and sending them via email to data.protection@adgm.com.

Changes to the Privacy Notice

We may change this Privacy Notice from time to time. You should check this Privacy Notice occasionally to ensure you are aware of the most recent version.

Useful words and phrases

Please familiarise yourself with the following words and phrases as they have particular meanings in the Data Protection Laws and are used throughout this Privacy Notice:

Personal data	This means any information referring to an identified or identifiable natural person. This will include information such as telephone numbers, names, addresses, e-mail addresses, photographs, voice recordings. It will also include expressions of opinion about data subjects (and their own expressions of opinion/intentions). It will also cover information which on its own does not identify someone but which would identify them if put together with other information which we have or are likely to have in the future.
Sensitive personal data or special categories of data	This means any personal data (directly or indirectly) relating to: racial or ethnic origin; political opinions; religious or philosophical beliefs criminal convictions and offences or related security measures; sexual life (including sexual orientation); genetic data or biometric data for the purpose of uniquely identifying you.
Processing	This means any operations performed on personal data, including: collecting, obtaining, recording, retrieving, reviewing, consulting, storing or holding it; organising, adapting or altering it; disclosing, transmitting, disseminating or otherwise making it available; and aligning, blocking, restricting, erasing or destroying it.
Data subject	This means the identified or identifiable natural person to whom the Personal Data relates.
Supervisory authority	The authority responsible for implementing, overseeing and enforcing the Data Protection Laws.
Data controller	This means any person who alone or jointly with others determines the purposes and means of the processing of Personal Data.
Data processor	This means any person who processes the Personal Data on behalf of the data controller.
Data Protection Laws	This means the laws which govern the handling of data - the list of laws applicable to ADGM are listed at the top of this Privacy Notice.

What information do we collect?

Personal data provided by you

To provide you with our services, we may collect your information including:

• Identity and contact data; such as your name, address, phone number, email address, date of birth, company you work for and your position.
• Financial data, such as payment related information (for example, for billing purposes).
• Identification and background information provided by you or collected as part of our on-boarding process. We will process identification and background information as part of our onboarding process including anti-money laundering, conflict, reputational and financial checks, and to fulfil any other legal or regulatory requirements which apply to us.
• Video images/photographs/audio; in connection with identification checks, CCTV, providing/receiving training, remote meetings.
• Reception registration and/or visitor security pass where you attend our offices i.e. for legal services, insight day, consultancy support, an event or to provide IT support.
• Any other information relating to you or third parties which you give us so we may provide you with our service.

We will also collect Personal Data when you contact us, send feedback, subscribe to one of our mailing lists, wish to attend, or have attended, one of our events or seminars, attend one of our voluntary programmes or raise any complaint, enquiry or information request with us.

We will also collect information that you share with us to help us understand your situation, your hobbies and preferences and to represent your best interests when you instruct us/become a contact or client of Gowling WLG Middle East Limited, or as a result of your relationship with one or more of our clients, where you supply us or our clients with services, or where you apply for work experience, insight scheme or a job or work placement with us or our clients.

We will also collect personal data where you are representing your organisation for example as part of procurement or tender. Where you provide third party technical support we may process your data where you provide us with technical support remotely by connecting to our systems or services.

Special category personal data personal data

If we ask you to provide us with your special category personal data, we will explain why we need that data and how we intend to use it and your rights. If necessary, we will ask you for your consent first.

You may provide us with yours or a third party's special category personal data where it is necessary in connection with services we provide, such as information about a person's physical or mental health, alleged criminal activities.

You may provide us with your special category personal data such as your health data to inform us of any dietary requirements or reasonable adjustments required where you are attending one of our offices or events.

We may need to process your special categories of personal data if processing is necessary to comply with laws that apply to us in relation to anti-money laundering or counter-terrorist financing obligations or the prevention, detection or prosecution of any crime.

Personal data about other individuals

If you give us information on behalf of someone else, you confirm that the other person has appointed you to act on their behalf and have agreed that you can. In addition, where you give us personal data belonging to someone else, you must ensure that you have the necessary grounds, consents or authorisations to provide it to us. In some cases, we may obtain Personal Data regarding you from other persons, including clients to whom we provide legal services. For example, we may obtain information regarding directors, officers, or employees of our clients or other parties, witnesses, beneficiaries, adverse parties, related parties, parties in interest, business partners, investors, shareholders, security holders, buyers, business partners, and customers of clients.

Children's data

We do not provide services directly to children or proactively collect their personal information. However, we are sometimes given information about children where it is necessary in connection to legal services we provide to our clients or in connection with our Probono initiatives.

We may also process children's data in connection with our HR and CSR programmes such as our Insight scheme. Children's personal data processed in connection with our Insight Scheme is usually limited to name, contact details, school/college name and CV.

Personal data provided by third parties

We will collect Personal Data directly from you, from clients or from authorised representatives and as otherwise permitted or required by applicable law. At times, we will also collect personal information from third parties such as regulatory and legal authorities, other organisations with whom you have dealings or who have a legal interest in such data, government agencies, credit reporting agencies, financial institutions, recruitment agencies and other people connected to recruitment, information or service providers, introducers and referrers and from publicly available records.

We may obtain information about you from third parties in order to verify your identity, carry out anti-money laundering, anti-terrorism, sanctions screening and other background and credit checks. In performing these checks, personal information provided by you may be disclosed to that third party which may keep a record of that information. All information provided by you will be treated securely and strictly in accordance with the Data Protection Laws.

Why do we process your personal data?

We use your Personal Data for the following purposes listed in this section. We are allowed to do so on certain legal bases (please see section 'How is processing your data lawful' for further detail).

We collect your information so that we can:

• Deliver Legal Services - to provide legal and other services and products as instructed by you, answer your queries and provide you with information or materials you have asked to receive.
• Comply with our Legal and Regulatory obligations - such as establishing your identity in order to comply with anti-money laundering regulations and our other legal and regulatory obligations which may require you to provide name, address, employment/business information and financial information, and/or other legally mandated forms of identification.
• Carry out administration - to bill for our work, carry out searches and checks, maintain internal records, which will include the collection of names, addresses, banking, financial details and creditworthiness; to maintain and develop our relationship with you; to carry out recruitment activities if you are applying for a job or work placement with us or our clients; to analyse and help us manage our practice; to maintain and update our records.
• Carry out Business Development and Marketing - to carry out market research; market our own products and services to you, including as may be permitted by the applicable law, by email or other means and to keep your information and preferences accurate. We may also use and analyse the Personal Data provided to us to track and manage your consent preferences, event reservations and any unsubscribe requests. From time to time, we may wish to send you legal updates; newsletters; press releases; information about our events and the legal services we provide and other communications that we think will be of interest to you and/or your business. You can review and update your contact details and preferences or unsubscribe from our e-marketing communications at any time via the links in our e-marketing messages, by completing our online form or by emailing us at data.enquiry@gowlingwlg.com. See 'Your Rights' for further information.
• Maintain Quality Standards - to meet high standards of quality and professional standards, and to obtain and maintain certification and accreditations which may involve audits of our internal processes.
• Manage Claims - pursue available remedies or limit any damages that we or our clients may sustain and to respond to any feedback or complaints that we may receive.
• Keep people and buildings safe - to help ensure security and for crime prevention, we may have CCTV cameras installed at the entrances to our premises and CCTV data is captured on cameras.
• To monitor our website usage to improve our services - please see our cookies policy which explains what cookies are and why we use them.

How is processing your personal data lawful?

We are allowed to process your Personal Data for the following reasons and on the following legal basis:

Consent

Where you have given consent - for example, where you have subscribed to a mailing list for us to send you legal alerts, information regarding updates/events or other information which may be of interest to you.

Contract

Where it is necessary for the performance of the contract you have agreed to enter with Gowling WLG (UK) LLP. For example, because you are using Gowling WLG (UK) LLP for legal advice, we are required to process your Personal Data for the purposes of performing our legal advice services appropriately and billing our services and by retaining us you agree that we may do so.

Legal obligation

Where we are subject to legal obligations to process your data for the purposes of compliance with applicable laws; for example, we are required to identify our clients in accordance with the anti-money laundering regulations in many countries and are required to gather and maintain records in compliance with health and safety legislation. We also have obligations pursuant to financial and tax legislation and reporting obligations in respect of tax administration.

If necessary for the performance of a task

If the processing is necessary for the performance of a task carried out in the interests of the DIFC, or in the exercise of the DIFCA, the DFSA, the Court and the Registrars' functions or powers vested in the Data Controller or in a Third Party to whom the data are disclosed.

Legitimate interest

Processing your Personal Data is also legal if it is based on our ‘legitimate interests’ which are not overridden by your data protection interests or fundamental rights and freedoms. To process on this basis, we have considered the impact on your interests and rights, and have placed appropriate safeguards to ensure that the intrusion on your privacy is reduced as much as possible.

The following are examples of the purposes for which we will process your Personal Data on this basis:

• Client administration - to enable us to maintain internal records.
• To ensure regulatory compliance - for example that conflict checks are carried out before we start work and to erect information barriers to restrict access to certain information and to comply with all aspects of our regulatory obligations.
• To enable us to maintain specific standards of quality in the professional services we provide and to obtain and maintain quality accreditations.
• To permit us to pursue available remedies or limit any damages that we may sustain.
• To permit us to manage and respond to any complaints.
• To liaise with representatives of clients of corporates and other business clients.
• To market our services.
• To carry out recruitment and administer work experience and work placement activities.

Please be aware that you have the right to object to the processing of your data for any of the legitimate interests identified.

Special Category Personal Data

In certain circumstances, we may process your special category personal data for the following reasons and subject to the following exceptions:

• Consent
• For example, you have given your explicit consent for us to process your health information for the purpose of providing you with legal advice.
• Vital Interests
• Because it is necessary for us to protect your vital interest e.g. It is necessary for us to process your medical/health information, for the purposes of following our health and safety procedures if you are attending an event or visiting our buildings, which in turn could assist us if we are required to protect your life.
• Manifestly public personal data
• The data has been manifestly made public and only when it is necessary for our purposes and permitted by the applicable Data Protection Laws. For example, we ask you to provide your dietary requirements when you attend an event at our offices. We consider that you have made this data manifestly public to our organisation to help us protect you and to ensure your health and safety. We will keep this information confidential and restrict it to only those who need to know.
• Legal claims
• We are establishing or defending a legal claim for you as a client or in our own right.

Who will have access to your personal data?

In the course of providing our services and operating our business, we may disclose your Personal Data to:

• Other Gowling WLG (UK) LLP offices, group entities, subsidiaries and affiliates, partnerships operating under the Gowling brand.
• Third party service providers whom we instruct to assist with the provision of legal or other services and products such as other professional advisors, and the administrative requirements associated with those services.
• Third party service providers of certain business support tasks to Gowling WLG (UK) LLP including security, delivery, technology, research, banking, payment, insurance, litigation support, translation, credit checking, archiving, recruitment agencies and storage.
• Charities and organisations in connection with our volunteering programmes.
• External inspectors or auditors.
• Providers of business development and marketing support services, in order to provide event and marketing support.
• Legal and or regulatory authorities including courts or public authorities who may compel disclosure, such as the UAE Legal Affairs Department of the Ministry of Justice, ADGM Courts, the Financial Services Regulatory Authority, Registration Authority, the Solicitors Regulation Authority (SRA), HMRC, Health & Safety Executive and National Crime Agency (NCA). This may be (i) in the event that we are required to make a disclosure under various legislation and regulation; or (ii) where we have a legal, regulatory or professional obligation to do so; or (iii) where we are required to protect the safety or rights or our clients, staff or others; (iv) or to exercise, establish or defend our legal rights.
• Personal Data may also be subject to transfer to another organisation in the event of corporate transaction such as a merger, combination or acquisition, or change of ownership of our firm. This will occur only if the parties have entered into an agreement under which the collection, use and disclosure of the information is restricted to those purposes that relate to the business transaction, including a determination whether or not to proceed with the business transaction, and is used by the parties to carry out and complete the business transaction.
• Persons whom you instruct us to disclose your information to in the course of providing legal services, for example a party involved in a legal claim or transaction.

If you wish to know more about the parties with whom we share Personal Data, please contact us.

International transfers of data between our offices

Transfers of your information out of the ADGM

In the context of its global practice, Gowling WLG Middle East Limited and affiliated businesses or subsidiaries transfers Personal Data between its offices, the free flow of information being essential for the efficient conduct of its international business. A number of our offices and affiliates are located outside the ADGM.

Any transfer of your Personal Data from Gowling WLG Middle East Limited entities and affiliated businesses or subsidiaries in the ADGM to any affiliated businesses or subsidiaries entities in any country outside, will be subject to a mechanism that will safeguard your privacy rights and give you remedies in the unlikely event of a security breach, and if necessary we will gather your written consent first.

Gowling WLG (Canada) LLP ("Gowling WLG Canada") is an independent entity. Gowling WLG Canada has a separate privacy notice which describes how it processes personal information.

If you instruct us and if it is necessary, we will exchange information with law firms located in other jurisdictions.

How we keep your data secure

We have strong information security management systems in place to safeguard your personal information. Our practices are aligned with internationally recognised standards for information security and risk management, demonstrating our commitment to protecting data through robust controls, continuous monitoring, and a culture of security awareness across the organisation.

If you have any particular concerns about your information, please contact us (see 'How to contact us' above).

When will we delete your data?

We retain personal data in line with our internal policies, contractual terms and where necessary for us to meet our legal, regulatory and professional obligations. Our default retention periods will differ, depending on the country which is providing your services. In any case, the criteria that we apply is to delete data when it is no longer necessary for us to hold it.

Type of work/data	Minimum Retention Period
Original documentation	Permanently, or until returned to you
File documentation	Six years
CDD documentation	Six years after the end of the client relationship
Contracts with suppliers/third parties	Six years after expiry of contract
Complaints, correspondence and data relating to complaints	Six years following closure of the complaint
Professional negligence claims, correspondence and data relating to PII claims	Six years following conclusion of the claim
Applications/CVs/interview records for jobs-unsuccessful	Twelve months after notifying unsuccessful candidates (unless we have obtained express consent from the candidate to hold for longer)

Your rights

As a data subject, you have the right to:

• Withdraw consent

  Where the basis for processing your Personal Data is consent, you may withdraw your consent at any time by completing our online form.

• Be informed

You have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights (as set out in this Privacy Policy).

• Access your Personal Data

You have the right to obtain access to your information (if we’re processing it), and certain other information (similar to that provided in this Policy).

• Rectification of Personal Data

You are entitled to have your information corrected if it’s inaccurate or incomplete.

• Erasure of Personal Data

Subject to certain exceptions, you may request the deletion or removal of your information where there is no compelling reason for us to keep using it.

• Data portability

You may obtain and reuse your personal information for your own purposes across different services. For example, you can ask us to transfer your information easily between our IT systems and another law firm or advisor safely and securely.

• Object to Processing

You have the right to object to certain types of processing, including processing for direct marketing (i.e. if you no longer want to be contacted with potential opportunities).

• Restriction of processing

In certain circumstances, you have the right to request that we restrict the processing of your Personal Data.

• Rights in relation to automated decision making

Subject to certain exceptions, you have the right not to be subject to a decision based solely on automated processing.

• Complaints to the regulator

It is important that you ensure you have read this Privacy Notice - and if you do not think that we have processed your data in accordance with this notice - you should let us know as soon as possible.

You may also complain to the ADGM Commissioner of Data Protection by completing the complaint forms and sending them via email to data.protection@adgm.com.

August 2025

Key summary

We process your data in order to provide legal services and other services to you. We may also process your data as a result of your relationship with one or more of our clients or our volunteering programme, or where you apply for a job or work placement with us or our clients, or provide us with services. We also collect personal information when you contact us, subscribe to one of our mailing lists or attend one of our seminars or events, including webinars and other digital events.

Other service providers play an important role in this relationship as we instruct them to assist with other professional services and administrative requirements. We liaise with them to ensure efficiency in business support tasks such as security, delivery, technology, payment, insurance, litigation support and archiving and storage.

Your information will be treated securely and in strict confidence, in line with our ISO27001 accreditation.

This notice explains what data we process, why, how it is legal and your rights. In order to do our best to be transparent, this privacy notice will be updated on an ongoing basis.

We also have produced a video notice to tell you the relevant points of what we do with your personal data.

• About us
• Useful words and phrases
• What information do we collect?
• Why do we process your personal data?
• How is processing your personal data lawful?
• Who will have access to your personal data?
• When will we delete your data?
• Your rights

About us

Gowling WLG (UK) LLP is an independent entity and part of the Gowling WLG group. Other Gowling WLG group entities operate in different countries. We decide what to do with your data in a different way in each country and so each of our entities is a separate 'data controller'. The data controller is responsible for the processing of your personal data according to the data protection laws.

Please see the legal information page for information on the Gowling WLG structure, our group entities, and who your data controller is.

Each country has different Data Protection Laws. In Belgium, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679, applies.

We take your privacy very seriously and we ask that you read this Privacy Notice carefully as it contains important information on:

• Your Rights
• The personal data we collect about you and why we collect the data;
• What we do with your data, and
• Who your information will be shared with.

If you need extra help

If you would like this notice in another format (for example: audio, large print, braille) please contact us.

How you can contact us

Please contact us if you have any questions about this Privacy Notice or the information we hold about you.

If you wish to contact our Belgium office please write to us at The Library, Square Ambiorix 10, BE-1000,  Brussels, Belgium or you can contact our UK offices by sending an email to data.enquiry@gowlingwlg.com or write to us at Gowling WLG (UK) LLP, Two Snowhill, Birmingham B4 6WR. If you wish to submit a complaint to the Belgium Supervisory Authority: Data Protection Authority, Rue de la Presse 35, 1000 Brussels, Belgium. http://www.privacycommission.be.

Changes to the Privacy Notice

We may change this Privacy Notice from time to time. You should check this Privacy Notice occasionally to ensure you are aware of the most recent version.

Useful Words and Phrases

Please familiarise yourself with the following words and phrases as they have particular meanings in the Data Protection Laws and are used throughout this Privacy Notice:

What information do we collect?

Personal data provided by you

To provide you with our services, we may collect your information including:

• Identity and contact data; such as your name,
• address,
• phone number,
• email address,
• date of birth, company you work for and your position financial data; such as payment related information,
• identification and background information provided by you or collected as part of our on-boarding process. We will process identification and background information as part of our onboarding process including anti-money laundering, conflict, reputational and financial checks, and to fulfil any other legal or regulatory requirements which apply to us.,
• video images/photographs/audio; in connection with identification checks, CCTV, providing/receiving training, remote meetings,
• location data; reception registration and/or visitor security pass where you attend our offices ie for legal services, insight day, consultancy support, an event or to provide IT support,
• financial information ie. for billing purposes,
• any other information relating to you or third parties which you give us so we may provide you with our service.

We will also collect Personal Data when you contact us, send feedback, subscribe to one of our mailing lists, wish to attend, or have attended, one of our events or seminars, attend one of our voluntary programmes or raise any complaint, enquiry or information request with us.

We will also collect information that you share with us to help us understand your situation, your preferences and to represent your best interests when you instruct us/become a client of Gowling WLG (UK) LLP, or as a result of your relationship with one or more of our clients, where you supply us or our clients with services, or where you apply for work experience, insight scheme or a  job or work placement with us or our clients.

We will also collect personal data where you are representing your organisation for example as part of procurement or tender. Where you provide third party technical support we may process your data where you provide us with technical support remotely by connecting to our systems or services.

Special category personal data personal data

If we ask you to provide us with your special category personal data, we will explain why we need that data and how we intend to use it and your rights. If necessary, we will ask you for your consent first.

You may provide us with yours or a third party's special category personal data where it is necessary in connection with services we provide, such as information about a person's physical or mental health, alleged criminal activities.

You may provide us with your special category personal data such as your health data to inform us of any dietary requirements or reasonable adjustments required where you are attending one of our offices or events.

We may need to process your special categories of personal data if processing is necessary to comply with laws that apply to us in relation to anti-money laundering or counter-terrorist financing obligations or the prevention, detection or prosecution of any crime.

Personal data about other individuals

If you give us information on behalf of someone else, you confirm that the other person has appointed you to act on their behalf and have agreed that you can. In addition, where you give us personal data belonging to someone else, you must ensure that you have the necessary grounds, consents or authorisations to provide it to us. In some cases, we may obtain Personal Data regarding you from other persons, including clients to whom we provide legal services. For example, we may obtain information regarding directors, officers, or employees of our clients or other parties, witnesses, beneficiaries, adverse parties, related parties, parties in interest, business partners, investors, shareholders, security holders, buyers, business partners, and customers of clients.

Children's data

We do not provide services directly to children or proactively collect their personal information. However, we are sometimes given information about children where it is necessary in connection to legal services we provide to our clients or in connection with our Probono initiatives.

We may also process children's data in connection with our HR and CSR programmes such as our Insight scheme. Children's personal data processed in connection with our Insight Scheme is usually limited to name, contact details, school/college name and CV.

Personal data provided by third parties

We will collect Personal Data directly from you, from clients or from authorised representatives and as otherwise permitted or required by applicable law. At times, we will also collect personal information from third parties such as regulatory and legal authorities, other organisations with whom you have dealings or who have a legal interest in such data, government agencies, credit reporting agencies, financial institutions, recruitment agencies and other people connected to recruitment, information or service providers, introducers and referrers and from publicly available records.

We may obtain information about you from third parties in order to verify your identity, carry out anti-money laundering, anti-terrorism, sanctions screening and other background and credit checks. In performing these checks, personal information provided by you may be disclosed to that third party which may keep a record of that information. All information provided by you will be treated securely and strictly in accordance with the Data Protection Laws.

Why do we process personal data?

We use your Personal Data for the following purposes listed in this section. We are allowed to do so on certain legal bases (please see section 'How is processing your data lawful' for further detail).

We collect your information so that we can:

• Deliver Legal Services - Provide legal and other services and products as instructed by you, answer your queries and provide you with information or materials you have asked to receive;
• Comply with our Legal and Regulatory obligations - such as establishing your identity in order to comply with anti-money laundering regulations and our other legal and regulatory obligations which may require you to provide name, address, employment/business and financial information, and/or other legally mandated forms of identification;
• Carry out administration - Bill for our work, carry out searches and checks, maintain internal records, which will include the collection of names, addresses, banking, financial details and creditworthiness; to maintain and develop our relationship with you; to carry out recruitment activities if you are applying for a job or work placement with us or our clients; to analyse and help us manage our practice; to maintain and update our records.
• Carry out Business Development and Marketing - to carry out market research; market our own products and services to you, including as may be permitted by the applicable law, by email or other means and to keep your information and preferences accurate. We may also use and analyse the Personal Data provided to us to track and manage your consent preferences, event reservations and any unsubscribe requests. From time to time, we may wish to send you legal updates; newsletters; press releases; information about our events and the legal services we provide and other communications that we think will be of interest to you and/or your business. You can review and update your contact details and preferences or unsubscribe from our e-marketing communications at any time via the links in our e-marketing messages or by e-mailing us at iaadmin@gowlingwlg.com
• If you have consented to receive marketing materials from us, you can opt out at any time. See 'Your Rights' for further information. You can also manage your preferences by sending a message to iaadmin@gowlingwlg.com
• Maintain Quality Standards - to meet high standards of quality and professional standards, and to obtain and maintain certification and accreditations which may involve audits of our internal processes;
• Manage Claims - pursue available remedies or limit any damages that we or our clients may sustain and to respond to any feedback or complaints that we may receive;
• Keep people and buildings safe - to help ensure security and for crime prevention; we may have CCTV cameras installed at the entrances to our premises and CCTV data is captured on cameras;
• To monitor our website usage to improve our services - please see our cookies policy which explains what cookies are and why we use them.

How is processing your data lawful?

We are allowed to process your Personal Data for the following reasons and on the following legal basis:

Consent

Where you have given consent - for example, where you have subscribed to a mailing list for us to send you legal alerts, information regarding updates/events or other information which may be of interest to you.

Contract

Where it is necessary for the performance of the contract you have agreed to enter with Gowling WLG (UK) LLP. For example, because you are using Gowling WLG (UK) LLP for legal advice, we are required to process your Personal Data for the purposes of performing our legal advice services appropriately and billing our services and by retaining us you agree that we may do so.

Legal obligation

Where we are subject to legal obligations to process your data for the purposes of compliance with applicable laws; for example, we are required to identify our clients in accordance with the anti-money laundering regulations in many countries and are required to gather and maintain records in compliance with health and safety legislation. We also have obligations pursuant to financial and tax legislation and reporting obligations in respect of tax administration.

Legitimate interest

Processing your Personal Data is also legal if it is based on our ‘legitimate interests’ which are not overridden by your data protection interests or fundamental rights and freedoms. To process on this basis, we have considered the impact on your interests and rights, and have placed appropriate safeguards to ensure that the intrusion on your privacy is reduced as much as possible.

The following are examples of the purposes for which we will process your Personal Data on this basis:

• Client administration - to enable us to maintain internal records
• To ensure regulatory compliance - for example that conflict checks are carried out before we start work and to erect information barriers to restrict access to certain information and to comply with all aspects of our regulatory obligations
• To enable us to maintain specific standards of quality in the professional services we provide and to obtain and maintain quality accreditations
• To permit us to pursue available remedies or limit any damages that we may sustain
• To permit us to manage and respond to any complaints
• To liaise with representatives of clients of corporates and other business clients
• To market our services
• To carry out recruitment and administer work experience and work placement activities

Please be aware that you have the right to object to the processing of your data for any of the legitimate interests identified.

Special Category Personal Data

In certain circumstances, we may process your special category personal data for the following reasons and subject to the following exceptions:

• Consent
  For example, you have given your explicit consent for us to process your health information for the purpose of providing you with legal advice.
• Vital Interests
  Because it is necessary for us to protect your vital interest e.g. It is necessary for us to process your medical/health information, for the purposes of following our health and safety procedures if you are attending an event or visiting our buildings, which in turn could assist us if we are required to protect your life.
• Manifestly public personal data
  The data has been manifestly made public and only when it is necessary for our purposes and permitted by the applicable Data Protection Laws. For example, we ask you to provide your dietary requirements when you attend an event at our offices. We consider that you have made this data manifestly public to our organisation to help us protect you and to ensure your health and safety. We will keep this information confidential and restrict it to only those who need to know.
• Legal claims
  We are establishing or defending a legal claim for you as a client or in our own right.

Who will have access to your personal data?

In the course of providing our services and operating our business, we may disclose your Personal Data to:

• Other Gowling WLG (UK) LLP offices, group entities, subsidiaries and affiliates, partnerships operating under the Gowling brand;
• Third party service providers whom we instruct to assist with the provision of legal or other services and products such as other professional advisors, and the administrative requirements associated with those services;
• Third party service providers of certain business support tasks to Gowling WLG (UK) LLP including security, delivery, technology, research, banking, payment, insurance, litigation support, translation, credit checking, archiving, recruitment agencies and storage;
• Charities and organisations in connection with our volunteering programmes
• External inspectors or auditors
• Providers of business development and marketing support services, in order to provide event and marketing support;
• Legal and or regulatory authorities including courts or public authorities who may compel disclosure, such as the Solicitors Regulation Authority (SRA), HMRC, Health & Safety Executive and National Crime Agency (NCA). This may be (i) in the event that we are required to make a disclosure under various legislation and regulation; or (ii) where we have a legal, regulatory or professional obligation to do so; or (iii) where we are required to protect the safety or rights or our clients, staff or others; (iv) or to exercise, establish or defend our legal rights;
• Personal Data may also be subject to transfer to another organisation in the event of corporate transaction such as a merger, combination or acquisition, or change of ownership of our firm. This will occur only if the parties have entered into an agreement under which the collection, use and disclosure of the information is restricted to those purposes that relate to the business transaction, including a determination whether or not to proceed with the business transaction, and is used by the parties to carry out and complete the business transaction.
• Persons whom you instruct us to disclose your information to in the course of providing legal services, for example a party involved in a legal claim or transaction.
• If you wish to know more about the parties with whom we share Personal Data, please contact us.

International transfers of data between our offices

Transfers of your information out of the UK and EEA

In the context of its global practice, Gowling WLG (UK) LLP and affiliated businesses or subsidiaries transfers Personal Data between its offices, the free flow of information being essential for the efficient conduct of its International business. A number of our offices and affiliates are located outside the European Economic Area. Where we transfer personal data outside the UK and EEA, to a country without adequacy regulation, we implement the EC and UK standard contractual clauses to require that personal data remains protected. We also implement EC and UK standard contractual clauses or an alternative transfer mechanism with our third party service providers and partners where there is an international transfer of personal data to a country without adequacy regulations. Any transfer of your personal data outside of the UK or EEA to a third party or another office of ours will be subject to appropriate data protection safeguards that protect your data privacy rights.

Gowling WLG (Canada) LLP ("Gowling WLG Canada") is an independent entity. Gowling WLG Canada has a separate privacy notice which describes how it processes personal information. For UK and European data protection law purposes, the European Commission and the ICO considers that Canada's federal privacy law offers adequate levels of protection to safeguard your privacy rights.

If you instruct us and if it is necessary, we will exchange information with law firms located in other jurisdictions.

How we keep your data secure

We have robust information security management systems in place to protect your personal information and are ISO27001 accredited. ISO27001 is an international information security standard which is widely recognised as an indication of best practice in information security and information risk management.

If you have any particular concerns about your information, please contact us (see 'How to contact us?' above).

When will we delete your data?

We retain personal data in line with our internal policies, contractual terms and where necessary for us to meet our legal, regulatory and professional obligations. Our default retention periods will differ, depending on the country which is providing your services. In any case, the criteria that we apply is to delete data when it is no longer necessary for us to hold it.

Your rights

As a data subject, you have the following rights under the Data Protection Laws:

• the right of access to Personal Data relating to you;
• the right to correct or update any mistakes in your information;
• the right to object to our processing of your personal data in certain circumstances such as where we are processing it for our legitimate interests
• the right to ask us to stop contacting you with direct marketing (opt-out/unsubscribe);
• rights in relation to know details of any automated decision making;  
• the right to restrict or prevent your Personal Data being processed;
• the right to have your Personal Data ported to another data controller (e.g. if you decide to contract with a different service provider);
•  the right to withdraw your consent where we are processing your personal data based on consent ;
• the right to erasure where you believe we have no good reason to continue processing it;
• right to lodge a complaint with a data protection authority.

These rights are explained in more detail below, but if you have any comments, concerns or complaints about the use of your Personal Data by us, please contact us (please refer to section "How to contact us").

We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex, in which case we will respond within three months.

Please be aware that there are exceptions and exemptions that apply to some of the rights which we will apply in accordance with the Data Protection Laws.

Right to access Personal Data relating to you

You may ask to see what Personal Data we hold about you and be provided with:

• a copy of your personal data;
• details of the purpose for which it is being or is to be processed;
• details of the recipients or classes of recipients to whom it is or may be disclosed, including if they are overseas and what protections are used for those oversea transfers;
• the period for which it is held (or the criteria we use to determine how long it is held);
• any information available about the source of that data; and
• whether we carry out an automated decision-making, or profiling, and where we do information about the logic involved and the envisaged outcome or consequences of that decision or profiling.

To help us find the Personal Data easily, please provide us as much information as possible about the type of Personal Data you would like to see.

Right to correct any mistakes in your information

You can require us to correct any mistakes in your Personal Data which we hold free of charge. If your Personal Data is incomplete, you can ask us to complete it by adding more details. If you would like to do this, please:

• email, call or write to us (see "How to contact us")
• let us have enough information to identify you, and
• let us know the Personal Data that is incorrect and what it should be replaced or supplemented with.

Right to ask us to stop contacting you with direct marketing

You can ask us to stop contacting you for direct marketing purposes. If you would like to do this, please:

• See "How can you contact us" above
• You can review and update your contact details and preferences or unsubscribe from our communications at any time via the links in our e-marketing messages or by e-mailing us at iaadmin@gowlingwlg.com.

Rights in relation to automated decision making

We do not make any automated decisions about you so this right does not apply.

Right to prevent processing of personal data

You may request that we stop or limit processing your personal data temporarily if:

• you do not think that your Personal Data is accurate. We will start processing again once we have checked whether or not it is accurate;
• the processing is unlawful but you do not want us to erase your Personal Data;
• we no longer need the Personal Data for our processing, but you need the Personal Data to establish, exercise or defend legal claims; or
• you have objected to processing because you believe that your interests should override our legitimate interests.

Copies of your Personal Data (data portability)

You may ask for an electronic copy of your Personal Data which we hold electronically and which we process when we have entered into a contract with you. You can also ask us to provide this directly to another party.

Right to erasure

You can ask us to erase your Personal Data where:

• you do not believe that we need your Personal Data in order to process it for the purposes set out in this Privacy Notice;
• if you had given us consent to process your Personal Data, you withdraw that consent and we cannot otherwise legally process your Personal Data;
• you object to our processing and we do not have any legitimate interests that mean we can continue to process your data; or
• your Personal Data has been processed unlawfully or have not been erased when it should have been.

Right to withdraw consent

The circumstances in which we rely on consent are minimal but if the lawful basis for processing is based upon the provision of your consent, you are able to withdraw your previously given consent to the processing of the Personal Data at any time without giving reasons.

If you want to withdraw your consent:

• contact us by email, telephone or in writing (see "How can you contact us" above)
• give us enough information so that we can identify you and if necessary, let us know which consent you would like to withdraw.

Complaints to the regulator

It is important that you ensure you have read this Privacy Notice - and if you do not think that we have processed your data in accordance with this notice - you should let us know as soon as possible. Similarly, you may complain to the competent supervisory authority.

Data Protection Authority, Rue de la Presse 35, 1000 Brussels, Belgium. http://www.privacycommission.be.

February 2024

Gowling WLG Canada policy on the collection, use and disclosure of personal information ("Privacy policy")

Gowling WLG (Canada) LLP ("Gowling WLG Canada", "we", "us" and "our") is an independent entity. This is the Privacy Policy of Gowling WLG Canada, which describes how it processes Personal Information. Other Gowling WLG group entities are present in different countries and have separate privacy policies that explain their practices. Click here for more information.

Consistent with our obligations as professionals, we are dedicated to maintaining high standards of confidentiality and security. Gowling WLG Canada follows certain privacy principles to help ensure the confidentiality of the Personal Information we hold.

This Privacy Policy informs you of how we collect, use and disclose Personal Information.

Personal information

In this Privacy Policy, "Personal Information" means any information provided to or collected by Gowling WLG Canada about an identifiable individual, or an individual whose identity may be inferred or determined from the information. This Privacy Policy applies regardless of how Personal Information is recorded (for example, electronically, or on paper). This Privacy Policy does not cover any information about more than one individual where the identity of the individuals is not known and cannot be inferred from the information ("Aggregated Information"). Gowling WLG Canada retains the right to use Aggregated Information in any way that it reasonably determines is appropriate. This Privacy Policy also does not apply to information about companies or other legal entities.

Accountability

Gowling WLG Canada takes the protection of Personal Information seriously. Our obligations as legal professionals are governed, in part, by rules of professional conduct which impose duties and obligations regarding the confidentiality of the information provided to Gowling WLG Canada by its clients. We require all professionals, staff, other employees, contractors and agents who provide services in connection with our delivery of legal and other services to our clients to comply with these obligations.

What information do we collect?

We may collect Personal Information : (1) for the purpose of determining whether Gowling WLG Canada will enter into a professional relationship; (2) in the course of a professional relationship, or (3) when we otherwise collect Personal Information, for example, when you provide us with information about yourself, or someone else associated with your need for legal services. We hold this information in strict confidence and do not reveal it to anyone unless expressly or implicitly authorized by the person or organization concerned or where permitted or required by applicable law.

In the course of our relationship with you, Gowling WLG Canada will need to collect, use, and sometimes disclose different types of Personal Information for various purposes associated with the services we provide as directed by you or your organization. Given the nature of our services, it is impractical to list all of types of Personal Information that may be collected, used or disclosed. However, the Personal Information we collect may include:

• your full name;
• contact information, such as your address, telephone number, e-mail address, or job titles;
• information to help establish your identity;
• information regarding your legal requirements, situation, and interests;
• whether you have subscribed to, or unsubscribed from, any our mailing lists, or accepted any of our invitations;
• information regarding your organization or other organizations, including information regarding directors, officers, or employees of our clients or other parties, witnesses, beneficiaries, adverse parties, related parties, parties in interest, business partners, investors, shareholders, security holders, buyers, sellers, business partners, and customers of clients;
• Information regarding your preferences, for example, if you attend one of our events and we collect data relating to your dietary needs;
• your payment information; and
• any other Personal Information that you voluntarily choose to provide to us.

In some cases, we collect Personal Information from third parties such as clients to whom we provide legal services, regulatory and legal authorities, other organisations with whom we or you have dealings, such as government agencies, credit reporting agencies, recruitment agencies, information or service providers, and from publicly available records. We may also collect information from public sources in the context of an investigation or proceedings related to the legal services we are providing to one of our clients.

How do we use and disclose Personal Information?

Gowling WLG Canada uses and discloses Personal Information for the purposes set out in this Privacy Policy. Under no circumstances will Gowling WLG Canada sell any Personal Information it has obtained.

Gowling WLG Canada may use and disclose Personal Information for the following purposes:

• Establishing your identity and compliance with "Know Your Client" and anti-money laundering requirements and other legal obligations. This may require you to provide name, address, employment/business information, and/or other legally mandated forms of identification;
• Billing: which will include the collection, use and disclosure of names, addresses, banking, financial details and/or payment information;
• Provision and development of services/products, such as the provision of legal advice or the conduct of litigation, arbitration, or other legal proceedings, which will include any Personal Information necessary to provide the services requested by you or your organization;
• Analytics: we may also use and analyze the Personal Information provided to us to offer you additional services or products, as well as to track and manage your consent preferences, event reservations and any unsubscribe requests. You may, at any time, advise Gowling WLG Canada that you do not wish to receive such information from us;
• Internal record keeping and to analyse and help us manage the provision of our legal services;
• Answering your questions, and/or providing you with information or materials you have asked to receive;
• To conduct market research;
• Marketing our own services and products to you by email or other means if you have subscribed to one our mailing lists;
• To keep your information and preferences accurate. For example, from time to time, we may ask you (by email or otherwise) to review your contact details and mailing list preferences and update them as necessary;
• To meet our high quality and professional standards, and to obtain and maintain certification and accreditations which may involve audits of our internal processes;
• To ensure regulatory compliance - for example to conduct conflict checks before we start work and to erect information barriers to restrict access to certain information;
• To permit us or our clients to pursue available remedies or limit any damages that we or our clients may sustain;
• To detect help prevent fraud or other illegal activities;
• To meet our insurance requirements;
• To help ensure security and for crime prevention; for example, we may have CCTV cameras installed on our premises and data is captured on cameras for security purposes;
• Any purpose which is permitted or required by applicable law; and
• To carry out any other purpose which is disclosed to you and to which you consent.

The marketing email messages sent by Gowling WLG Canada will give you the opportunity to update your contact details and mailing list preferences or unsubscribe from our mailing lists altogether. Please note that Gowling WLG (UK) LLP and its affiliates and Gowling WLG (Canada) LLP are separate entities and operate separate mailing lists.

If you no longer wish to receive marketing emails from Gowling WLG Canada, please follow the unsubscribe link in one of our marketing email messages. You may also contact us using the contact information below, and ask us to update your preferences or unsubscribe from any marketing lists.

Gowling WLG Canada may share Personal Information with other Gowling WLG group entities for the purposes set out in this Privacy Policy. You can learn more about other Gowling WLG entities by visiting: Legal Information.

Gowling WLG Canada allows certain authorized third party providers to track and store certain information about visitors to our websites (including domain names, IP addresses and page views as described below).

Gowling WLG Canada may also disclose Personal Information to organizations that perform services for us. Personal Information will only be provided to such organizations if they agree by way of contract to provide appropriate protection for such information.

Personal Information may also be subject to transfer to another organization in the event of corporate transaction such as a merger, or change of ownership. This will occur only if the parties have entered into an agreement under which the collection, use and disclosure of the information is restricted to those purposes that relate to the business transaction, including determining whether or not to proceed with the business transaction, and is used by the parties to carry out and complete the business transaction.

Lastly, we may disclose your Personal Information for any other purpose to which you consent.

Limiting collection, use, disclosure and retention of personal information

Gowling WLG Canada may collect Personal Information in many forms (for example, hard/soft copy, electronically, facsimile, telephone conversations/recordings, email, etc.), but will only do so by lawful means and only for necessary purposes that have been disclosed to you, are described in this Privacy Policy, or are permitted or required by applicable law.

Personal Information collected in any form will only be retained by Gowling WLG Canada so long as it is required: a) for the purpose for which it was collected and those purposes set out in this Privacy Policy; b) to be retained by law; or c) to address any issues that may arise at a later date. When Personal Information is no longer required for these identified purposes, Gowling WLG Canada uses secure procedures to destroy, delete, erase or convert the Personal Information into an anonymous form.

Our websites and cookies

In general, you can use our websites without giving us any Personal Information. If you are one of our anonymous visitors, please bear in mind that we may still record certain analytical information and as further set out in this section.

Gowling WLG Canada may use cookies, web beacons/pixel tags, log files and other technologies to collect certain information about visitors to our websites, and recipients of our newsletters, invitations and other communications. Find out more about the Gowling WLG "Cookies" policy.

When you visit our websites, we may collect information about your visit including your IP address, your geographic region (as determined from IP address), clickstream through our website, the date and time or your visit, information about your device and network such as the browser you use and its configuration, your connection speed, the pages you view or search for on our website, what links you click, what you download, our page response times, any download or other errors, the length of your visit, and whether the emails we send are opened.

We may use this information to improve the functionality of our website, to tailor or improve the content that we may send or show you, and for analytical purposes to understand how visitors interact with our website, messages and the information we provide.

Consent

Your provision of Personal Information to Gowling WLG Canada means that you agree and consent to our collection, use and disclosure of your Personal Information under this Privacy Policy. If you do not agree with these terms, do not provide any Personal Information to us. However, while providing some Personal Information is optional, certain services can only be offered if you provide Personal Information to us and we may not be able to offer you certain services if you choose not provide us with any required Personal Information.

Consent may be given in different ways such as: a) expressly by signing a document, agreeing through electronic means or verbally; or b) implicitly by providing the Personal Information voluntarily.

There may be circumstances where you have provided Personal Information for one purpose, and Gowling WLG Canada later needs to use that information for a different purpose. In such circumstances, Gowling WLG Canada will seek your consent to use the information for the new purpose unless the law permits or requires us to use the information for that new purpose.

Please note that there are circumstances where the collection, use and/or disclosure of Personal Information may be justified or permitted without consent, or where Gowling WLG Canada may or must disclose information without consent, in accordance with applicable law.

You have the right to revoke your consent to the collection, use and disclosure of your Personal Information at any time. However, revocation of your consent may prevent us from providing services or products to you; in such circumstances, we will discuss with you the reason we need your Personal Information and why the revocation of your consent affects our ability to provide our services or products to you.

Storage and security

Gowling WLG Canada has taken steps to maintain physical, procedural and technical security for Personal Information.

Gowling WLG Canada holds Personal Information principally in the cities in which it has offices or production facilities and nearby municipalities where off-site storage facilities may be located, and such information may be accessed by those individuals that need to know such information in order that Gowling WLG Canada may provide our services.

Personal Information may be stored outside of the jurisdiction in which you live, if a third party provider or other entity to whom we disclose Personal Information in accordance with this Privacy Policy is located outside of that jurisdiction. In such cases, Personal Information may be subject to the local laws of the jurisdictions within which it is collected, used, disclosed and/or stored, and may be accessed by governmental and law enforcement authorities in those jurisdictions.

Accuracy and access

Gowling WLG Canada endeavours to ensure that any Personal Information provided and in its possession is as accurate, current and complete as necessary for the purposes for which we use that information.

You have a right to request access to your Personal Information and to request a correction to it if you believe it is inaccurate. In the event that you believe that your Personal Information is not accurate or you wish access to your Personal Information, you may make a request using the contact information provided below.

We endeavor to provide timely access to your Personal Information. However, we may require you to verify your identity to our satisfaction prior to doing so. Further, there may be circumstances where access cannot be granted. For example, we will not grant access where doing so would lead to the disclosure of Personal Information of another individual and that individual refuses to provide consent to the disclosure, or where the information is subject to privilege or other legal restrictions. In such cases you will be notified of the reason why it is not possible to grant access to your Personal Information.

Amendment of our practices and this Privacy Policy

This Privacy Policy is in effect as of May 25, 2018. Gowling WLG Canada will from time to time review and revise its privacy practices and this Privacy Policy. In the event of any amendment, an appropriate notice will be posted on our website.

Your continued access to and/or use of our website or provision of Personal Information to us after any such changes constitutes your acceptance of, and agreement to this Privacy Policy, as revised. Please periodically review this Privacy Policy so that you know what Personal Information we collect, how we use it, and with whom we may share it.

Contact us

If you ever have any questions, complaints or concerns regarding this Privacy Policy, any Personal Information you have submitted to Gowling WLG Canada, or if you would like to:

• access Personal Information that you have already provided so that you can correct or update it, or request that it be deleted, or
• report any violation of this Privacy Policy

you may contact Gowling WLG Canada's Chief Privacy Officer, or the Gowling WLG Canada professionals with whom you have a relationship.

You may contact Gowling WLG's Canada Chief Privacy Officer by email at chiefprivacyofficer.ca@gowlingwlg.com, or by mail at:

Gowling WLG (Canada) LLP
1 First Canadian Place
100 King Street West
Suite 1600
Toronto, Ontario
Canada M5X 1G5
ATTN: Chief Privacy Officer

Key summary

We process your data in order to provide legal services and other services to you. We may also process your data as a result of your relationship with one or more of our clients, or where you apply for a job or work placement or provide us with services. We also collect personal information when you contact us, subscribe to one of our mailing lists or attend one of our seminars or events.

Other service providers play an important role in this relationship as we instruct them to assist with other professional services and administrative requirements. We liaise with them to ensure efficiency in business support tasks such as security, delivery, technology, payment, insurance, litigation support and archiving and storage.

Your information will be treated securely and in strict confidence, in line with ISO27001 standards.

This notice explains what data we process, why, how it is legal and your rights. In order to do our best to be transparent, this privacy notice will be updated on an ongoing basis.

• About us
• Useful words and phrases
• What information do we collect?
• Why do we process your personal data?
• How is processing your personal data lawful?
• Who will have access to your personal data?
• When will we delete your data?
• Your rights

About us

Gowling WLG (UK) LLP (Gowling WLG UK) is an independent entity and part of the Gowling WLG group. Other Gowling WLG group entities operate in different countries. We decide what to do with your data in a different way in each country and so each of our entities is a separate 'data controller'. The data controller is responsible for the processing of your personal data according to the data protection laws.

Please see the legal information page for information on the Gowling WLG structure, our group entities, and who your data controller is.

Each country has different Data Protection Laws. In China, the major general laws include:

• The Decision of the Standing Committee of the National People's Congress on Strengthening Network Information Protection.
• The Cybersecurity Law of the PRC
• The Consumer Rights and Interests Protection Law of the PRC

We take your privacy very seriously and we ask that you read this Privacy Notice carefully as it contains important information on:

• Your Rights
• The personal data we collect about you and why we collect the data;
• What we do with your data, and
• Who your information will be shared with.

If you need extra help

If you would like this notice in another format (for example: audio, large print, braille) please contact us.

How you can contact us

Please contact us if you have any questions about this Privacy Notice or the information we hold about you.

If you wish to contact our China office, please write to us at: Gowling WLG, Suites 3404 & 3405B, Teem Tower, 208 Tianhe Road, 510620, Guangzhou, China.

Changes to the Privacy Notice

We may change this Privacy Notice from time to time. You should check this Privacy Notice occasionally to ensure you are aware of the most recent version.

Useful Words and Phrases

Please familiarise yourself with the following words and phrases as they have particular meanings in the Data Protection Laws and are used throughout this Privacy Notice:

What information do we collect?

Personal data provided by you

To provide you with our services, we may collect your information including:

• your name,
• address,
• phone number,
• email address,
• date of birth and other identity documentation that we need to collect to comply with legal and regulatory requirements

We will also collect Personal Data when you contact us, send feedback, subscribe to one of our mailing lists, attend one of our events or seminars or raise any complaint.

We will also collect information that you share with us to help us understand your situation, your hobbies and preferences and to represent your best interests when you instruct us/become a contact or client of Gowling WLG (UK), or as a result of your relationship with one or more of our clients, where you supply us with services, or where you apply for a job or work placement.

Sensitive personal data

If we ask you to provide us with your sensitive personal data, we will explain why we need that data and how we intend to use it and your rights. If necessary we will ask you for your consent first.

Personal data about other individuals

If you give us information on behalf of someone else, you confirm that the other person has appointed you to act on his/her behalf and has agreed that you can. In some cases, we may obtain Personal Data regarding you from other persons, including clients to whom we provide legal services. For example, we may obtain information regarding directors, officers, or employees of our clients or other parties, witnesses, beneficiaries, adverse parties, related parties, parties in interest, business partners, investors, shareholders, security holders, buyers, business partners, and customers of clients.

Personal data provided by third parties

We will collect Personal Data directly from you, from clients or from authorised representatives and as otherwise permitted or required by applicable law. At times, we will also collect personal information from third parties such as regulatory and legal authorities, other organisations with whom you have dealings or who have a legal interest in such data, government agencies, credit reporting agencies, financial institutions, recruitment agencies and other people connected to recruitment, information or service providers, introducers and referrers and from publicly available records.

We may obtain information about you from third parties in order to verify your identity, carry out anti-money laundering, anti-terrorism, sanctions screening and other background and credit checks. In performing these checks, personal information provided by you may be disclosed to that third party which may keep a record of that information. All information provided by you will be treated securely and strictly in accordance with the Data Protection Laws

Why do we process personal data?

We use your Personal Data for the following purposes listed in this section. We are allowed to do so on certain legal bases (please see section 'How is processing your data lawful' for further detail).

We collect your information so that we can:

• Deliver Legal Services - Provide legal and other services and products as instructed by you, answer your queries and provide you with information or materials you have asked to receive;
• Comply with our Legal and Regulatory obligations - such as establishing your identity in order to comply with anti-money laundering regulations and our other legal and regulatory obligations which may require you to provide name, address, employment/business information, and/or other legally mandated forms of identification;
• Carry out administration - Bill for our work, carry out searches and checks, maintain internal records, which will include the collection of names, addresses, banking, financial details and creditworthiness; to maintain and develop our relationship with you, to carry out recruitment activities if you are applying for a job or placement with us, to analyse and help us manage our practice, to maintain and update our records.
• Carry out Business Development and Marketing - to carry out market research; market our own products and services to you, including as may be permitted by the applicable law, by email or other means and to keep your information and preferences accurate. We may also use and analyse the Personal Data provided to us to track and manage your consent preferences, event reservations and any unsubscribe requests. From time to time, we may wish to send you legal updates; newsletters; press releases; information about our events and the legal services we provide and other communications that we think will be of interest to you and/or your business. You can review and update your contact details and preferences or unsubscribe from our e-marketing communications at any time via the links in our e-marketing messages or by e-mailing us at iaadmin@gowlingwlg.com
• If you have consented to receive marketing materials from us, you can opt out at any time. See 'Your Rights' for further information. You can also manage your preferences by sending a message to iaadmin@gowlingwlg.com
• Maintain Quality Standards - to meet high standards of quality and professional standards, and to obtain and maintain certification and accreditations which may involve audits of our internal processes;
• Manage Claims - pursue available remedies or limit any damages that we or our clients may sustain and to respond to any feedback or complaints;
• Keep people and buildings safe -to help ensure security and for crime prevention; we may have CCTV cameras installed at the entrances to our premises and CCTV data is captured on cameras;
• To monitor our website usage to improve our services - please see our cookies policy which explains what cookies are and why we use them.

How is processing your data lawful?

We are allowed to process your Personal Data for the following reasons and on the following legal basis:

Consent

Where you have given consent - for example, where you have subscribed to a mailing list for us to send you legal alerts, information regarding updates/events or other information which may be of interest to you.

Contract

Where it is necessary for the performance of the contract you have agreed to enter with Gowling WLG UK. For example, because you are using Gowling WLG UK for legal advice, we are required to process your Personal Data for the purposes of performing our legal advice services appropriately and billing our services and by retaining us you agree that we may do so.

Legal obligation

Where we are subject to legal obligations to process your data for the purposes of compliance with applicable laws; for example, we are required to identify our clients in accordance with the anti-money laundering regulations in many countries and are required to gather and maintain records in compliance with health and safety legislation. We also have obligations pursuant to financial and tax legislation and reporting obligations in respect of tax administration.

Legitimate interest

Processing your Personal Data is also legal if it is based on our 'legitimate interests'. To process on this basis, we have considered the impact on your interests and rights, and have placed appropriate safeguards to ensure that the intrusion on your privacy is reduced as much as possible.

The following are examples of the purposes for which we will process your Personal Data on this basis:

• Client administration - to enable us to maintain internal records
• To ensure regulatory compliance - for example that conflict checks are carried out before we start work and to erect information barriers to restrict access to certain information
• To enable us to maintain specific standards of quality in the professional services we provide and to obtain and maintain quality accreditations
• To permit us to pursue available remedies or limit any damages that we may sustain
• To permit us to manage and respond to any complaints
• To liaise with representatives of clients of corporates and other business clients
• To market our services
• To carry out recruitment and administer work experience and work placement activities

Please be aware that you have the right to object to the processing of your data for any of the legitimate interests identified.

Sensitive Personal Data

In certain circumstances, we may process your sensitive personal data for the following reasons and subject to the following exceptions:

• Consent
  For example, you have given your explicit consent for us to process your health information for the purpose of providing you with legal advice.
• Vital Interests
  Because it is necessary for us to protect your vital interest e.g. It is necessary for us to process your medical/health information, for the purposes of following our health and safety procedures if you are attending an event or visiting our buildings, which in turn could assist us if we are required to protect your life.
• Manifestly public personal data
  The data has been manifestly made public and only when it is necessary for our purposes and permitted by the applicable Data Protection Laws. For example, we ask you to provide your dietary requirements when you attend an event at our offices. We consider that you have made this data manifestly public to our organisation to help us protect you and to ensure your health and safety. We will keep this information confidential and restrict it to only those who need to know.
• Legal claims
  We are establishing or defending a legal claim for you as a client or in our own right.

Who will have access to your personal data?

In the course of providing our services and operating our business, we may disclose your Personal Data to:

• Other Gowling WLG offices, group entities and affiliates;
• Service providers whom we instruct to assist with the provision of legal or other services and products such as other professional advisors, and the administrative requirements associated with those services;
• Providers of certain business support tasks to Gowling WLG UK including security, delivery, technology, research, banking, payment, insurance, litigation support, translation, credit checking, archiving and storage;
• Providers of business development and marketing support services, in order to provide event and marketing support;
• Legal and or regulatory authorities including courts or public authorities who may compel disclosure, in the event that we are required to make a disclosure under various legislation and regulation or where we have a legal, regulatory or professional obligation to do so or are required to protect the safety or rights of our clients, staff or others;
• Personal Data may also be subject to transfer to another organisation in the event of corporate transaction such as a merger, combination or acquisition, or change of ownership of our firm. This will occur only if the parties have entered into an agreement under which the collection, use and disclosure of the information is restricted to those purposes that relate to the business transaction, including a determination whether or not to proceed with the business transaction, and is used by the parties to carry out and complete the business transaction.
• Persons whom you instruct us to disclose your information to in the course of providing legal services, for example a party involved in a legal claim or transaction.
• If you wish to know more about the parties with whom we share Personal Data, please contact us.

International transfers of data between our offices

Transfers of your information out of China

In the context of its global practice, Gowling WLG UK transfers personal data between its offices, the free flow of information being essential for the efficient conduct of its International business. A number of our offices and affiliates are located outside China.

Any transfer of your Personal Data from Gowling WLG UK entities in China to Gowling WLG UK entities in any country outside, will be subject to a mechanism that will safeguard your privacy rights and give you remedies in the unlikely event of a security breach.

Gowling WLG (Canada) LLP ("Gowling WLG Canada") is an independent entity. Gowling WLG Canada has a separate privacy notice which describes how it processes personal information. For European data protection law purposes, the European Commission considers that Canada's federal privacy law offers adequate levels of protection to safeguard your privacy rights.

If you instruct us and if it is necessary, we will exchange information with law firms located in other jurisdictions.

How we keep your data secure

Gowling WLG is committed to its Information and Cyber security programme, ensuring that adequate security controls are in place to protect information and data from being accessed, corrupted, lost or stolen. The firm aligns to ISO27001 standards - an international information security standard which is widely recognised as an indication of best practice in information security and informational risk management. If you have any particular concerns about your information, please contact us (see 'How to contact us?' above).

When will we delete your data?

We retain personal data in line with our internal policies, contractual terms and where necessary for us to meet our legal, regulatory and professional obligations. Our default retention periods will differ, depending on the country which is providing your services. In any case, the criteria that we apply is to delete data when it is no longer necessary for us to hold it.

Complaints to the regulator

It is important that you ensure you have read this Privacy Notice - and if you do not think that we have processed your data in accordance with this notice - you should let us know as soon as possible. Similarly, you may complain to the competent supervisory authority.

Contact the CAC (Cyberspace Administration of China)

November 2019

Key summary

We process your data in order to provide legal services and other services to you. We may also process your data as a result of your relationship with one or more of our clients or our volunteering programme, or where you apply for a job or work placement with us or our clients, or provide us with services. We also collect personal information when you contact us, subscribe to one of our mailing lists or attend one of our seminars or events, including webinars and other digital events.

Other service providers play an important role in this relationship as we instruct them to assist with other professional services and administrative requirements. We liaise with them to ensure efficiency in business support tasks such as security, delivery, technology, payment, insurance, litigation support and archiving and storage.

Your information will be treated securely and in strict confidence, in line with industry best practice.

This notice explains what data we process, why, how it is legal and your rights. In order to do our best to be transparent, this privacy notice will be updated on an ongoing basis.

• About us
• Useful words and phrases
• What information do we collect?
• Why do we process your personal data?
• How is processing your personal data lawful?
• Who will have access to your personal data?
• When will we delete your data?
• Your rights

About us

Gowling WLG (UK) LLP (Gowling WLG UK) is an independent entity and part of the Gowling WLG group. Other Gowling WLG group entities operate in different countries. We decide what to do with your data in a different way in each country and so each of our entities is a separate 'data controller'. The data controller is responsible for the processing of your personal data according to the data protection laws.

Please see the legal information page for information on the Gowling WLG structure, our group entities, and who your data controller is.

Each country has different data protection laws. In Dubai, in the Dubai International Financial Centre (DIFC) (a free zone where our Dubai office is located), the DIFC Data Protection Law N°5 of 2020 and Data Protection Regulations apply.

We take your privacy very seriously and we ask that you read this Privacy Notice carefully as it contains important information on:

• Your rights
• The personal data we collect about you and why we collect the data;
• What we do with your data, and
• Who your information will be shared with.

If you need extra help

If you would like this notice in another format (for example: audio, large print, braille) please contact us .

How you can contact us

Please contact us if you have any questions about this Privacy Notice or the information we hold about you.

If you wish to contact our Dubai Office please write to us at Gowling WLG, Office 1701, Level 17, ICD Brookfield Place, Dubai International Financial Centre, PO Box 506503, Dubai, UAE or email reception.dubai@gowlingwlg.com or you may submit a complaint to the Commissioner of Data Protection at commissioner@dp.difc.ae.

Changes to the Privacy Notice

We may change this Privacy Notice from time to time. You should check this Privacy Notice occasionally to ensure you are aware of the most recent version.

Useful words and phrases

Please familiarise yourself with the following words and phrases as they have particular meanings in the Data Protection Laws and are used throughout this Privacy Notice:

Personal data	This means any information referring to an identified or identifiable natural person. This will include information such as telephone numbers, names, addresses, e-mail addresses, photographs, voice recordings. It will also include expressions of opinion about data subjects (and their own expressions of opinion/intentions). It will also cover information which on its own does not identify someone but which would identify them if put together with other information which we have or are likely to have in the future.
Sensitive personal data or special categories of data	This means any personal data (directly or indirectly) relating to: racial or ethnic origin; communal origin; political opinions or affiliations ; religious or philosophical beliefs or beliefs of a similar nature; criminal record; trade union membership; physical or mental health or condition; sexual life; genetic data; biometric data for the purpose of uniquely identifying you.
Processing	This means any operations performed on personal data, including: collecting, obtaining, recording, retrieving, reviewing, consulting, storing or holding it; organising, adapting or altering it; disclosing, transmitting, disseminating or otherwise making it available; and aligning, blocking, restricting, erasing or destroying it.
Data subject	This means the identified or identifiable natural person to whom the Personal Data relates.
Data controller	This means any person who alone or jointly with others determines the purposes and means of the processing of Personal Data.
Data processor	This means any person who processes the Personal Data on behalf of the data controller.

What information do we collect?

Personal data provided by you

To provide you with our services, we may collect your information including:

• Identity and contact data; such as your name, address, phone number, email address, date of birth, company you work for and your position.
• Financial data, such as payment related information (for example, for billing purposes).
• Identification and background information provided by you or collected as part of our on-boarding process. We will process identification and background information as part of our onboarding process including anti-money laundering, conflict, reputational and financial checks, and to fulfil any other legal or regulatory requirements which apply to us.
• Video images/photographs/audio; in connection with identification checks, CCTV, providing/receiving training, remote meetings.
• Reception registration and/or visitor security pass where you attend our offices i.e. for legal services, insight day, consultancy support, an event or to provide IT support.
• Any other information relating to you or third parties which you give us so we may provide you with our service.

We will also collect Personal Data when you contact us, send feedback, subscribe to one of our mailing lists, wish to attend, or have attended, one of our events or seminars, attend one of our voluntary programmes or raise any complaint, enquiry or information request with us.

We will also collect information that you share with us to help us understand your situation, your hobbies and preferences and to represent your best interests when you instruct us/become a contact or client of Gowling WLG (UK) LLP, or as a result of your relationship with one or more of our clients, where you supply us or our clients with services, or where you apply for work experience, insight scheme or a job or work placement with us or our clients.

We will also collect personal data where you are representing your organisation for example as part of procurement or tender. Where you provide third party technical support we may process your data where you provide us with technical support remotely by connecting to our systems or services.

Special category personal data personal data

If we ask you to provide us with your special category personal data, we will explain why we need that data and how we intend to use it and your rights. If necessary, we will ask you for your consent first.

You may provide us with yours or a third party's special category personal data where it is necessary in connection with services we provide, such as information about a person's physical or mental health, alleged criminal activities.

You may provide us with your special category personal data such as your health data to inform us of any dietary requirements or reasonable adjustments required where you are attending one of our offices or events.

We may need to process your special categories of personal data if processing is necessary to comply with laws that apply to us in relation to anti-money laundering or counter-terrorist financing obligations or the prevention, detection or prosecution of any crime.

Personal data about other individuals

If you give us information on behalf of someone else, you confirm that the other person has appointed you to act on their behalf and have agreed that you can. In addition, where you give us personal data belonging to someone else, you must ensure that you have the necessary grounds, consents or authorisations to provide it to us. In some cases, we may obtain Personal Data regarding you from other persons, including clients to whom we provide legal services. For example, we may obtain information regarding directors, officers, or employees of our clients or other parties, witnesses, beneficiaries, adverse parties, related parties, parties in interest, business partners, investors, shareholders, security holders, buyers, business partners, and customers of clients.

Children's data

We do not provide services directly to children or proactively collect their personal information. However, we are sometimes given information about children where it is necessary in connection to legal services we provide to our clients or in connection with our Probono initiatives.

We may also process children's data in connection with our HR and CSR programmes such as our Insight scheme. Children's personal data processed in connection with our Insight Scheme is usually limited to name, contact details, school/college name and CV.

Personal data provided by third parties

We will collect Personal Data directly from you, from clients or from authorised representatives and as otherwise permitted or required by applicable law. At times, we will also collect personal information from third parties such as regulatory and legal authorities, other organisations with whom you have dealings or who have a legal interest in such data, government agencies, credit reporting agencies, financial institutions, recruitment agencies and other people connected to recruitment, information or service providers, introducers and referrers and from publicly available records.

We may obtain information about you from third parties in order to verify your identity, carry out anti-money laundering, anti-terrorism, sanctions screening and other background and credit checks. In performing these checks, personal information provided by you may be disclosed to that third party which may keep a record of that information. All information provided by you will be treated securely and strictly in accordance with the Data Protection Law.

Why do we process your personal data?

We use your Personal Data for the following purposes listed in this section. We are allowed to do so on certain legal bases (please see section 'How is processing your data lawful' for further detail).

We collect your information so that we can:

• Deliver Legal Services - to provide legal and other services and products as instructed by you, answer your queries and provide you with information or materials you have asked to receive.
• Comply with our Legal and Regulatory obligations - such as establishing your identity in order to comply with anti-money laundering regulations and our other legal and regulatory obligations which may require you to provide name, address, employment/business information and financial information, and/or other legally mandated forms of identification.
• Carry out administration - to bill for our work, carry out searches and checks, maintain internal records, which will include the collection of names, addresses, banking, financial details and creditworthiness; to maintain and develop our relationship with you; to carry out recruitment activities if you are applying for a job or work placement with us or our clients; to analyse and help us manage our practice; to maintain and update our records.
• Carry out Business Development and Marketing - to carry out market research; market our own products and services to you, including as may be permitted by the applicable law, by email or other means and to keep your information and preferences accurate. We may also use and analyse the Personal Data provided to us to track and manage your consent preferences, event reservations and any unsubscribe requests. From time to time, we may wish to send you legal updates; newsletters; press releases; information about our events and the legal services we provide and other communications that we think will be of interest to you and/or your business.
• You can review and update your contact details and preferences or unsubscribe from our e-marketing communications at any time via the links in our e-marketing messages, by completing our online form or by emailing us at data.enquiry@gowlingwlg.com. See 'Your Rights' for further information.
• Maintain Quality Standards - to meet high standards of quality and professional standards, and to obtain and maintain certification and accreditations which may involve audits of our internal processes.
• Manage Claims - pursue available remedies or limit any damages that we or our clients may sustain and to respond to any feedback or complaints that we may receive.
• Keep people and buildings safe - to help ensure security and for crime prevention, we may have CCTV cameras installed at the entrances to our premises and CCTV data is captured on cameras.
• To monitor our website usage to improve our services - please see our cookies policy which explains what cookies are and why we use them.

How is processing your personal data lawful?

We are allowed to process your Personal Data for the following reasons and on the following legal basis:

Consent

Where you have given consent - for example, where you have subscribed to a mailing list for us to send you legal alerts, information regarding updates/events or other information which may be of interest to you.

Contract

Where it is necessary for the performance of the contract you have agreed to enter with Gowling WLG (UK) LLP. For example, because you are using Gowling WLG (UK) LLP for legal advice, we are required to process your Personal Data for the purposes of performing our legal advice services appropriately and billing our services and by retaining us you agree that we may do so.

Legal obligation

Where we are subject to legal obligations to process your data for the purposes of compliance with applicable laws; for example, we are required to identify our clients in accordance with the anti-money laundering regulations in many countries and are required to gather and maintain records in compliance with health and safety legislation. We also have obligations pursuant to financial and tax legislation and reporting obligations in respect of tax administration.

If necessary for the performance of a task

If the processing is necessary for the performance of a task carried out in the interests of the DIFC, or in the exercise of the DIFCA, the DFSA, the Court and the Registrars' functions or powers vested in the Data Controller or in a Third Party to whom the data are disclosed.

Legitimate interest

Processing your Personal Data is also legal if it is based on our ‘legitimate interests’ which are not overridden by your data protection interests or fundamental rights and freedoms. To process on this basis, we have considered the impact on your interests and rights, and have placed appropriate safeguards to ensure that the intrusion on your privacy is reduced as much as possible.

The following are examples of the purposes for which we will process your Personal Data on this basis:

• Client administration - to enable us to maintain internal records.
• To ensure regulatory compliance - for example that conflict checks are carried out before we start work and to erect information barriers to restrict access to certain information and to comply with all aspects of our regulatory obligations.
• To enable us to maintain specific standards of quality in the professional services we provide and to obtain and maintain quality accreditations.
• To permit us to pursue available remedies or limit any damages that we may sustain.
• To permit us to manage and respond to any complaints.
• To liaise with representatives of clients of corporates and other business clients.
• To market our services.
• To carry out recruitment and administer work experience and work placement activities.

Please be aware that you have the right to object to the processing of your data for any of the legitimate interests identified.

Special Category Personal Data

In certain circumstances, we may process your special category personal data for the following reasons and subject to the following exceptions:

• Consent
• For example, you have given your explicit consent for us to process your health information for the purpose of providing you with legal advice.
• Vital Interests
• Because it is necessary for us to protect your vital interest e.g. It is necessary for us to process your medical/health information, for the purposes of following our health and safety procedures if you are attending an event or visiting our buildings, which in turn could assist us if we are required to protect your life.
• Manifestly public personal data
• The data has been manifestly made public and only when it is necessary for our purposes and permitted by the applicable Data Protection Law. For example, we ask you to provide your dietary requirements when you attend an event at our offices. We consider that you have made this data manifestly public to our organisation to help us protect you and to ensure your health and safety. We will keep this information confidential and restrict it to only those who need to know.
• Legal claims
• We are establishing or defending a legal claim for you as a client or in our own right.

Who will have access to your personal data?

In the course of providing our services and operating our business, we may disclose your Personal Data to:

• Other Gowling WLG (UK) LLP offices, group entities, subsidiaries and affiliates, partnerships operating under the Gowling brand.
• Third party service providers whom we instruct to assist with the provision of legal or other services and products such as other professional advisors, and the administrative requirements associated with those services.
• Third party service providers of certain business support tasks to Gowling WLG (UK) LLP including security, delivery, technology, research, banking, payment, insurance, litigation support, translation, credit checking, archiving, recruitment agencies and storage.
• Charities and organisations in connection with our volunteering programmes.
• External inspectors or auditors.
• Providers of business development and marketing support services, in order to provide event and marketing support.
• Legal and or regulatory authorities including courts or public authorities who may compel disclosure, such as the UAE Legal Affairs Department of the Ministry of Justice, the Dubai International Financial Centre Authorities (DIFCA) and the Dubai Financial Services Authority (DFSA) in the United Arab Emirates, the DIFC Registrar, the Solicitors Regulation Authority (SRA), HMRC, Health & Safety Executive and National Crime Agency (NCA). This may be (i) in the event that we are required to make a disclosure under various legislation and regulation; or (ii) where we have a legal, regulatory or professional obligation to do so; or (iii) where we are required to protect the safety or rights or our clients, staff or others; (iv) or to exercise, establish or defend our legal rights.
• Personal Data may also be subject to transfer to another organisation in the event of corporate transaction such as a merger, combination or acquisition, or change of ownership of our firm. This will occur only if the parties have entered into an agreement under which the collection, use and disclosure of the information is restricted to those purposes that relate to the business transaction, including a determination whether or not to proceed with the business transaction, and is used by the parties to carry out and complete the business transaction.
• Persons whom you instruct us to disclose your information to in the course of providing legal services, for example a party involved in a legal claim or transaction.

If you wish to know more about the parties with whom we share Personal Data, please contact us.

International transfers of data between our offices

Transfers of your information out of the DIFC

In the context of its global practice, Gowling WLG (UK) LLP and affiliated businesses or subsidiaries transfers Personal Data between its offices, the free flow of information being essential for the efficient conduct of its international business. A number of our offices and affiliates are located outside the DIFC.

Any transfer of your Personal Data from Gowling WLG (UK) LLP entities and affiliated businesses or subsidiaries in the DIFC to Gowling WLG (UK) LLP and affiliated businesses or subsidiaries entities in any country outside, will be subject to a mechanism that will safeguard your privacy rights and give you remedies in the unlikely event of a security breach, and if necessary we will gather your written consent first.

Gowling WLG (Canada) LLP ("Gowling WLG Canada") is an independent entity. Gowling WLG Canada has a separate privacy notice which describes how it processes personal information.

If you instruct us and if it is necessary, we will exchange information with law firms located in other jurisdictions.

How we keep your data secure

We have strong information security management systems in place to safeguard your personal information. Our practices are aligned with internationally recognised standards for information security and risk management, demonstrating our commitment to protecting data through robust controls, continuous monitoring, and a culture of security awareness across the organisation.

If you have any particular concerns about your information, please contact us (see 'How to contact us' above).

When will we delete your data?

We retain personal data in line with our internal policies, contractual terms and where necessary for us to meet our legal, regulatory and professional obligations. Our default retention periods will differ, depending on the country which is providing your services. In any case, the criteria that we apply is to delete data when it is no longer necessary for us to hold it.

Type of work/data	Minimum Retention Period
Original documentation	Permanently, or until returned to you
File documentation	Six years
CDD documentation	Six years after the end of the client relationship
Contracts with suppliers/third parties	Six years after expiry of contract
Complaints, correspondence and data relating to complaints	Six years following closure of the complaint
Professional negligence claims, correspondence and data relating to PII claims	Six years following conclusion of the claim
Applications/CVs/interview records for jobs-unsuccessful	Twelve months after notifying unsuccessful candidates (unless we have obtained express consent from the candidate to hold for longer)

Your rights

As a data subject, you have the right to:

• Withdraw consent

  Where the basis for processing your Personal Data is consent, you may withdraw your consent at any time by completing our online form.

• Access, rectification and erasure of Personal Data

You have the right to obtain from us upon request, without charge, and within one (1) month of the request:

• confirmation in writing as to whether or not your Personal Data is being Processed, including information regarding the purposes of the Processing, the categories of Personal Data concerned, and the Recipients or categories of Recipients to whom the Personal Data are disclosed;
• a copy of your Personal Data undergoing Processing, provided in an appropriate format, including but not limited to electronic form or hard copy format; and
• the rectification of your Personal Data unless it is not technically feasible to do so.

 

• Object to Processing

You have the right to:

• Object at any time on reasonable grounds relating to your particular situation to the processing of your Personal Data.
• Be informed before your Personal Data is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object such disclosures or uses.

 

• Restriction of processing

In certain circumstances, you have the right to request that we restrict the processing of your Personal Data.

• Complaints to the regulator

It is important that you ensure you have read this Privacy Notice - and if you do not think that we have processed your data in accordance with this notice - you should let us know as soon as possible.

You may also complain to the DIFC Commissioner of Data Protection: commissioner@dp.difc.ae.

• How to exercise your data protection rights

If you would like to contact us to request to exercise your data protection rights please contact us on data.enquiry@gowlingwlg.com or write to us at The Compliance team, Gowling WLG (UK) LLP, Two Snowhill, Birmingham, West Midlands, B4 6WR, England.

If you would like to contact the Dubai office directly, please see 'How to contact us' section above.

August 2025

Key summary

We process your data in order to provide legal services and other services to you. We may also process your data as a result of your relationship with one or more of our clients or our volunteering programme, or where you apply for a job or work placement with us or our clients, or provide us with services. We also collect personal information when you contact us, subscribe to one of our mailing lists or attend one of our seminars or events, including webinars and other digital events.

Other service providers play an important role in this relationship as we instruct them to assist with other professional services and administrative requirements. We liaise with them to ensure efficiency in business support tasks such as security, delivery, technology, payment, insurance, litigation support and archiving and storage.

This notice explains what data we process, why, how it is legal and your rights. In order to do our best to be transparent, this privacy notice will be updated on an ongoing basis.

• About us
• Useful words and phrases
• What information do we collect?
• Why do we process your personal data?
• How is processing your personal data lawful?
• Who will have access to your personal data?
• When will we delete your data?
• Your rights

About us

Our services from our office in France are provided by Gowling WLG (France) AARPI which is an Association d'Avocats à Responsabilité Professionnelle Individuelle - AARPI at the Paris Bar. Gowling WLG (France) AARPI is a party to a transnational agreement with Gowling WLG (UK) LLP and is more generally part of the Gowling WLG group. Other Gowling WLG group entities operate in different countries. We decide what to do with your data in a different way in each country and so each of our entities is a separate 'data controller'. The data controller is responsible for the processing of your personal data according to the data protection laws.

Please see the legal information page for information on the Gowling WLG structure, our group entities, and more details about your data controller: Gowling WLG (France) AARPI.

Each country has different Data Protection Laws. In France, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679 as complemented by the Law No. 78-17 of 6 January 1978 as amended generally known as the loi Informatique et Libertés applies.

We take your privacy very seriously and we ask that you read this Privacy Notice carefully as it contains important information on:

• Your Rights
• The personal data we collect about you and why we collect the data;
• What we do with your data, and
• Who your information will be shared with.

If you need extra help

If you would like this notice in another format (for example: audio, large print, braille) please contact us.

How you can contact us

Please contact us if you have any questions about this Privacy Notice or the information we hold about you.

If you wish to contact our Paris office, please write to us at Gowling WLG (France), AARPI, 38 Avenue de l'Opera 75002, Paris, France or you may submit a complaint to the Commission Nationale de l'Informatique et des Libertés (CNIL).

Changes to the Privacy Notice

We may change this Privacy Notice from time to time. You should check this Privacy Notice occasionally to ensure you are aware of the most recent version.

Useful Words and Phrases

Please familiarise yourself with the following words and phrases as they have particular meanings in the Data Protection Laws and are used throughout this Privacy Notice:

What information do we collect?

Personal data provided by you

To provide you with our services, we may collect your information including:

• Identity and contact data; such as your name,
• address,
• phone number,
• email address,
• date of birth, company you work for and your position financial data; such as payment related information,
• identification and background information provided by you or collected as part of our on-boarding process. We will process identification and background information as part of our onboarding process including anti-money laundering, conflict, reputational and financial checks, and to fulfil any other legal or regulatory requirements which apply to us,
• Video images/photographs/audio; in connection with identification checks, CCTV, providing/receiving training, remote meetings,
• Location data; reception registration and/or visitor security pass where you attend our offices ie for legal services, insight day, consultancy support, an event or to provide IT support,
• Financial information i.e. for billing purposes,
• any other information relating to you or third parties which you give us so we may provide you with our service.

We will also collect Personal Data when you contact us, send feedback, subscribe to one of our mailing lists, wish to attend, or have attended, one of our events or seminars, attend one of our voluntary programmes or raise any complaint, enquiry or information request with us.

We will also collect information that you share with us to help us understand your situation, your hobbies and preferences and to represent your best interests when you instruct us/become a contact or client of Gowling WLG (France), AARPI , or as a result of your relationship with one or more of our clients, where you supply us or our clients with services, or where you apply for work experience, insight scheme or a  job or work placement with us or our clients.

We will also collect personal data where you are representing your organisation for example as part of procurement or tender. Where you provide third party technical support we may process your data where you provide us with technical support remotely by connecting to our systems or services.

Special category personal data personal data

 If we ask you to provide us with your special category personal data, we will explain why we need that data and how we intend to use it and your rights. If necessary, we will ask you for your consent first.

You may provide us with your or a third party's special category personal data where it is necessary in connection with services we provide, such as information about a person's physical or mental health, alleged criminal activities.

You may provide us with your special category personal data such as your health data to inform us of any dietary requirements or reasonable adjustments required where you are attending one of our offices or events.

We may need to process your special categories of personal data if processing is necessary to comply with laws that apply to us in relation to anti-money laundering or counter-terrorist financing obligations or the prevention, detection or prosecution of any crime.

Personal data about other individuals

If you give us information on behalf of someone else, you confirm that the other person has appointed you to act on their behalf and have agreed that you can. In addition, where you give us personal data belonging to someone else, you must ensure that you have the necessary grounds, consents or authorisations to provide it to us. In some cases, we may obtain Personal Data regarding you from other persons, including clients to whom we provide legal services. For example, we may obtain information regarding directors, officers, or employees of our clients or other parties, witnesses, beneficiaries, adverse parties, related parties, parties in interest, business partners, investors, shareholders, security holders, buyers, business partners, and customers of clients.

Children's data

We do not provide services directly to children or proactively collect their personal information. However, we are sometimes given information about children where it is necessary in connection to legal services we provide to our clients or in connection with our Probono initiatives.

We may also process children's data in connection with our HR and CSR programmes such as our Insight scheme. Children's personal data processed in connection with our Insight Scheme is usually limited to name, contact details, school/college name and CV.

Personal data provided by third parties

We will collect Personal Data directly from you, from clients or from authorised representatives and as otherwise permitted or required by applicable law. At times, we will also collect personal information from third parties such as regulatory and legal authorities, other organisations with whom you have dealings or who have a legal interest in such data, government agencies, credit reporting agencies, financial institutions, recruitment agencies and other people connected to recruitment, information or service providers, introducers and referrers, and from publicly available records.

We may obtain information about you from third parties in order to verify your identity, carry out anti-money laundering, anti-terrorism, sanctions screening and other background and credit checks. In performing these checks, personal information provided by you may be disclosed to that third party which may keep a record of that information. All information provided by you will be treated securely and strictly in accordance with the Data Protection Laws.

Why do we process personal data?

We use your Personal Data for the following purposes listed in this section. We are allowed to do so on certain legal bases (please see section 'How is processing your data lawful' for further detail).

We collect your information so that we can:

• Deliver Legal Services - Provide legal and other services and products as instructed by you, answer your queries and provide you with information or materials you have asked to receive;
• Comply with our Legal and Regulatory obligations - such as establishing your identity in order to comply with anti-money laundering regulations and our other legal and regulatory obligations which may require you to provide name, address, employment/business and financial information, and/or other legally mandated forms of identification;
• Carry out administration - Bill for our work, keep accounting records, carry out searches and checks, maintain internal records, which will include the collection of names, addresses, banking, financial details and creditworthiness; to maintain and develop our relationship with you, manage any panel relationship; to carry out recruitment activities if you are applying for a job or work placement with us or our clients; to analyse and help us manage our practice; to maintain and update our records.
• Carry out Business Development and Marketing - to carry out market research; market our own products and services to you, including as may be permitted by the applicable law, by email or other means and to keep your information and preferences accurate. We may also use and analyse the Personal Data provided to us to track and manage your consent preferences, event reservations and any unsubscribe requests. From time to time, we may wish to send you legal updates; newsletters; press releases; information about our events and the legal services we provide and other communications that we think will be of interest to you and/or your business. You can review and update your contact details and preferences or unsubscribe from our e-marketing communications at any time via the links in our e-marketing messages or by e-mailing us at iaadmin@gowlingwlg.com
• If you have consented to receive marketing materials from us, you can opt out at any time. See 'Your Rights' for further information. You can also manage your preferences by sending a message to iaadmin@gowlingwlg.com
• Maintain Quality Standards - to meet high standards of quality and professional standards, and to obtain and maintain certification and accreditations which may involve audits of our internal processes;
• Manage Claims - pursue available remedies or limit any damages that we or our clients may sustain and to respond to any feedback or complaints that we may receive;
• Keep people and buildings safe -to help ensure security and for crime prevention; we may have CCTV cameras installed at the entrances to our premises and CCTV data is captured on cameras;
• To monitor our website usage to improve our services - please see our cookies policy which explains what cookies are and why we use them.

How is processing your data lawful?

We are allowed to process your Personal Data for the following reasons and on the following legal basis:

Consent

Where you have given consent - for example, where you have subscribed to a mailing list for us to send you legal alerts, information regarding updates/events or other information which may be of interest to you.

Contract

Where it is necessary for the performance of the contract you (as an individual) have agreed to enter with Gowling WLG (France), AARPI . For example, because you are using Gowling WLG (France), AARPI  for legal advice, we are required to process your Personal Data for the purposes of performing our legal advice services appropriately and billing our services and by retaining us you agree that we may do so.

Legal obligation

Where we are subject to legal obligations to process your data for the purposes of compliance with applicable laws; for example, we are required to identify our clients in accordance with the anti-money laundering regulations in many countries and are required to gather and maintain records in compliance with health and safety legislation. We also have obligations pursuant to financial and tax legislation and reporting obligations in respect of tax administration.

Legitimate interest

Processing your Personal Data is also legal if it is based on our 'legitimate interests' which are not overridden by your data protection interests or fundamental rights and freedoms. To process on this basis, we have considered the impact on your interests and rights, and have placed appropriate safeguards to ensure that the intrusion on your privacy is reduced as much as possible.

The following are examples of the purposes for which we will process your Personal Data on this basis:

• Client administration - to enable us to maintain internal records
• To take steps aimed at facilitating regulatory compliance - for example that conflict checks are carried out before we start work and to erect information barriers to restrict access to certain information
• To enable us to maintain specific standards of quality in the professional services we provide and to obtain and maintain quality accreditations
• To permit us to pursue available remedies or limit any damages that we may sustain
• To permit us to manage and respond to any complaints
• To liaise with representatives of clients of corporates and other business clients
• To market our services
• To carry out recruitment and administer work experience and work placement activities

Please be aware that you have the right to object to the processing of your data for any of the legitimate interests identified.

Special Category Personal Data

In certain circumstances, we may process your special category personal data for the following reasons and subject to the following exceptions:

• Consent
  For example, you have given your explicit consent for us to process your health information for the purpose of providing you with legal advice.
• Vital Interests
  Because it is necessary for us to protect your vital interest e.g. It is necessary for us to process your medical/health information, for the purposes of following our health and safety procedures if you are attending an event or visiting our buildings, which in turn could assist us if we are required to protect your life.
• Manifestly public personal data
  The data has been manifestly made public and only when it is necessary for our purposes and permitted by the applicable Data Protection Laws. For example, we ask you to provide your dietary requirements when you attend an event at our offices. We consider that you have made this data manifestly public to our organisation to help us protect you and to ensure your health and safety. We will keep this information confidential and restrict it to only those who need to know.
• Legal claims
  We are establishing or defending a legal claim for you as a client or in our own right.

Who will have access to your personal data?

In the course of providing our services and operating our business, we may disclose your Personal Data to:

• Other Gowling WLG offices, group entities, subsidiaries and affiliates, partnerships operating under the Gowling brand;
• Third party service providers whom we instruct to assist with the provision of legal or other services and products such as other professional advisors, and the administrative requirements associated with those services;
• Third party service providers of certain business support tasks to Gowling WLG (France) AARPI and/or Gowling WLG (UK) LLP including security, delivery, technology, research, banking, payment, insurance, litigation support, translation, credit checking, archiving, recruitment agencies and storage;
• Charities and organisations in connection with our volunteering programmes
• External inspectors or auditors
• Providers of business development and marketing support services, in order to provide event and marketing support;
• Legal and or regulatory authorities including courts or public authorities who may compel disclosure, such as the Ordre des avocats de Paris. This may be (i) in the event that we are required to make a disclosure under various legislation and regulation; or (ii) where we have a legal, regulatory or professional obligation to do so; or (iii) where we are required to protect the safety or rights or our clients, staff or others; (iv) or to exercise, establish or defend our legal rights;
• Personal Data may also be subject to transfer to another organisation in the event of corporate transaction such as a merger, combination or acquisition, or change of ownership of our firm. This will occur only if the parties have entered into an agreement under which the collection, use and disclosure of the information is restricted to those purposes that relate to the business transaction, including a determination whether or not to proceed with the business transaction, and is used by the parties to carry out and complete the business transaction.
• Persons whom you instruct us to disclose your information to in the course of providing legal services, for example a party involved in a legal claim or transaction.
• If you wish to know more about the parties with whom we share Personal Data, please contact us.

International transfers of data between our offices

Transfers of your information out of the UK and EEA

In the context of its global practice, Gowling WLG (France), AARPI  and affiliated businesses or subsidiaries transfer Personal Data between their offices, the free flow of information being essential for the efficient conduct of its International business. A number of our offices and affiliates are located outside the European Economic Area, including in the United Kingdom and Canada. Where we transfer personal data outside the EEA, to a country without adequacy regulation, we implement the third-country-transfer standard contractual clauses approved by the European Commission to require that personal data remains protected. We also implement saidstandard contractual clauses or an alternative transfer mechanism with our third party service providers and partners where there is an international transfer of personal data to a country for which no adequacy decision of the European Commission avails. Any transfer of your personal data outside of the EEA to a third party or another office of ours will be subject to appropriate data protection safeguards that protect your data privacy rights.

Gowling WLG (Canada) LLP ("Gowling WLG Canada") is an independent entity. Gowling WLG Canada has a separate privacy notice which describes how it processes personal information. For UK and European data protection law purposes, the European Commission and the ICO considers that Canada's federal private-sector privacy law offers adequate levels of protection to safeguard your privacy rights.

If you instruct us and if it is necessary, we will exchange information with law firms located in other jurisdictions.

How we keep your data secure

Gowling WLG (UK) LLP is committed to its Information and Cyber security programme, ensuring that adequate security controls are in place to protect information and data from being accessed, corrupted, lost or stolen.  The firm's non-UK offices are aligned to ISO 27001 with centrally managed services provided in Birmingham and London certified to ISO 27001. This certification is an international information security standard which is widely recognised as an indication of best practice in information security and information risk management.

The firm's centrally managed IT services are also certified to the Cyber Essentials Plus scheme – this is a UK Government backed scheme that will help to protect the organisation against a whole range of the most common cyber-attacks.

If you have queries regarding these certifications or particular concerns about your information, please contact us (see 'How to contact us?' above).

When will we delete your data?

We retain personal data in line with our internal policies, contractual terms and where necessary for us to meet our legal, regulatory and professional obligations. Our default retention periods will differ, depending on the country which is providing your services. In any case, the criteria that we apply is to delete data when it is no longer necessary for us to hold it.

Archived personal data will be deleted or anonymised within the year following the end of the applicable retention period.

Your rights

As a data subject, you have the following rights under the Data Protection Laws:

• the right of access to Personal Data relating to you;
• the right to correct or update any mistakes in your information;
• the right to object to our processing of your personal data in certain circumstances such as where we are processing it for our legitimate interests
• the right to ask us to stop contacting you with direct marketing (opt-out/unsubscribe);
• rights in relation to know details of any automated decision making;  
• the right to restrict or prevent your Personal Data being processed;
• the right to have your Personal Data ported to another data controller (e.g. if you decide to contract with a different service provider);
•  the right to withdraw your consent where we are processing your personal data based on consent ;
• the right to erasure where you believe we have no good reason to continue processing it;
• right to lodge a complaint with a data protection authority;
• right to define directives in respect of the processing of personal data after your death.

These rights are explained in more detail below, but if you have any comments, concerns or complaints about the use of your Personal Data by us, please contact us (please refer to section "How to contact us").

We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex, in which case we will respond within three months.

Please be aware that there are exceptions and exemptions that apply to some of the rights which we will apply in accordance with the Data Protection Laws.

Right to access Personal Data relating to you

You may ask to see what Personal Data we hold about you and be provided with:

• a copy of your personal data;
• details of the purpose for which it is being or is to be processed;
• details of the recipients or classes of recipients to whom it is or may be disclosed, including if they are overseas and what protections are used for those oversea transfers;
• the period for which it is held (or the criteria we use to determine how long it is held);
• any information available about the source of that data; and
• whether we carry out an automated decision-making, or profiling, and where we do information about the logic involved and the envisaged outcome or consequences of that decision or profiling.

To help us find the Personal Data easily, please provide us as much information as possible about the type of Personal Data you would like to see.

Right to correct any mistakes in your information

You can require us to correct any mistakes in your Personal Data which we hold free of charge. If your Personal Data is incomplete, you can ask us to complete it by adding more details. If you would like to do this, please:

• email, call or write to us (see "How to contact us")
• let us have enough information to identify you, and
• let us know the Personal Data that is incorrect and what it should be replaced or supplemented with.

Right to ask us to stop contacting you with direct marketing

You can ask us to stop contacting you for direct marketing purposes. If you would like to do this, please:

• See "How can you contact us" above
• You can review and update your contact details and preferences or unsubscribe from our communications at any time via the links in our e-marketing messages or by e-mailing us at iaadmin@gowlingwlg.com

Rights in relation to automated decision making

We do not make any automated decisions about you so this right does not apply.

Right to prevent processing of personal data

You may request that we stop or limit processing your personal data temporarily if:

• you do not think that your Personal Data is accurate. We will start processing again once we have checked whether or not it is accurate;
• the processing is unlawful but you do not want us to erase your Personal Data;
• we no longer need the Personal Data for our processing, but you need the Personal Data to establish, exercise or defend legal claims; or
• you have objected to processing because you believe that your interests should override our legitimate interests.

Copies of your Personal Data (data portability)

You may ask for an electronic copy of your Personal Data which we hold electronically and which we process when we have entered into a contract with you. You can also ask us to provide this directly to another party

Right to erasure

You can ask us to erase your Personal Data where:

• you do not believe that we need your Personal Data in order to process it for the purposes set out in this Privacy Notice;
• if you had given us consent to process your Personal Data, you withdraw that consent and we cannot otherwise legally process your Personal Data;
• you object to our processing and we do not have any legitimate interests that mean we can continue to process your data; or
• your Personal Data has been processed unlawfully or have not been erased when it should have been.

Right to withdraw consent

The circumstances in which we rely on consent are minimal but if the lawful basis for processing is based upon the provision of your consent, you are able to withdraw your previously given consent to the processing of the Personal Data at any time without giving reasons.

If you want to withdraw your consent:

• contact us by email, telephone or in writing (see "How can you contact us" above)
• give us enough information so that we can identify you and if necessary, let us know which consent you would like to withdraw.

Complaints to the regulator

It is important that you ensure you have read this Privacy Notice - and if you do not think that we have processed your data in accordance with this notice - you should let us know as soon as possible. Similarly, you may complain to your lead supervisory authority.

Contact the Commission Nationale de l'Informatique et des Libertés (CNIL) www.cnil.fr

Instructions for after your death

You can communicate your instructions, revocable at any time, regarding the conservation, erasure, communication of your personal data after your death by designating a person in charge of their execution:

• for general instructions, you may address them to a trusted digital third party certified by the CNIL;
• for specific directives, you may address them directly to the firm.

March 2024

Key summary

We process your data in order to provide legal services and other services to you. We may also process your data as a result of your relationship with one or more of our clients, or where you apply for a job or work placement or provide us with services. We also collect personal information when you contact us, subscribe to one of our mailing lists or attend one of our seminars or events, including webinars and other digital events.

Other service providers play an important role in this relationship as we instruct them to assist with other professional services and administrative requirements. We liaise with them to ensure efficiency in business support tasks such as security, delivery, technology, payment, insurance, litigation support and archiving and storage.

This notice explains what data we process, why, how it is legal and your rights. In order to do our best to be transparent, this privacy notice will be updated on an ongoing basis.

• About us
• Useful words and phrases
• What information do we collect?
• Why do we process your personal data?
• How is processing your personal data lawful?
• Who will have access to your personal data?
• When will we delete your data?
• Your rights

About us

Gowling WLG (UK) LLP (Gowling WLG UK) is an independent entity. Other Gowling WLG group entities operate in different countries. We decide what to do with your data in a different way in each country and so each of our entities is a separate 'data controller'. The data controller is responsible for the processing of your personal data according to the data protection laws.

Please see the legal information page for information on the Gowling WLG structure, our group entities, and who your data controller is.

Each country has different Data Protection Laws. In Germany, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679, and the Federal Data Protection Act 2017 apply.

We take your privacy very seriously and we ask that you read this Privacy Notice carefully as it contains important information on:

• Your Rights
• The personal data we collect about you and why we collect the data;
• What we do with your data, and
• Who your information will be shared with.

If you need extra help

If you would like this notice in another format (for example: audio, large print, braille) please contact us.

How you can contact us

Please contact us if you have any questions about this Privacy Notice or the information we hold about you.

If you wish to contact our Munich office, please write to us at Prannerstrasse 15, 80333 , Munich, Germany.

If you wish to contact our Stuttgart office, please write to us at Heilbronner Strasse 190, 70191 Stuttgart, Germany.

Changes to the Privacy Notice

We may change this Privacy Notice from time to time. You should check this Privacy Notice occasionally to ensure you are aware of the most recent version.

Useful Words and Phrases

Please familiarise yourself with the following words and phrases as they have particular meanings in the Data Protection Laws and are used throughout this Privacy Notice:

Personal data	This means any information from which a living individual can be identified. This will include information such as telephone numbers, names, addresses, e-mail addresses, photographs, voice recordings. It will also include expressions of opinion about data subjects (and their own expressions of opinion/intentions). It will also cover information which on its own does not identify someone but which would identify them if put together with other information which we have or are likely to have in the future.
Sensitive personal data or special categories of data	This means any information relating to: racial or ethnic origin; political opinions or affiliations ; religious or philosophical beliefs or beliefs of a similar nature; trade union membership; physical or mental health or condition; sexual life; sexual orientation or genetic data or biometric data
Processing	This covers virtually anything anyone can do with personal data, including: obtaining, collecting, recording, retrieving, reviewing, consulting, storing, using or holding it; organising, structuring, adapting or altering it; disclosing by transmission, disseminating or otherwise making it available; and aligning, combining, restricting, blocking, erasing or destroying it.
Data subject	The person to whom the Personal Data relates.
Supervisory authority	The authority responsible for implementing, overseeing and enforcing the Data Protection Laws.
Data controller	This means any person who determines the purposes for which, and the manner in which, any Personal Data are processed.
Data processor	This means any person who processes the Personal Data on behalf of the data controller.
Data protection laws	This means the laws which govern the handling of data - the list of laws listed at the top of this Privacy Notice.

What information do we collect?

Personal data provided by you

To provide you with our services, we may collect your information including:

• your name,
• address,
• phone number,
• email address,
• date of birth and other identity documentation that we need to collect to comply with legal and regulatory requirements

We will also collect Personal Data when you contact us, send feedback, subscribe to one of our mailing lists, attend one of our events or seminars or raise any complaint. We will also collect information that you share with us to help us understand your situation, your hobbies and preferences and to represent your best interests when you instruct us/become a contact or client of Gowling WLG UK, or as a result of your relationship with one or more of our clients, where you supply us with services, or where you apply for a job or work placement.

Sensitive personal data

If we ask you to provide us with your sensitive personal data, we will explain why we need that data and how we intend to use it and your rights.

Personal data about other individuals

If you give us information on behalf of someone else, you confirm that the other person has appointed you to act on his/her behalf and has agreed that you can. In some cases, we may obtain Personal Data regarding you from other persons, including clients to whom we provide legal services. For example, we may obtain information regarding directors, officers, or employees of our clients or other parties, witnesses, beneficiaries, adverse parties, related parties, parties in interest, business partners, investors, shareholders, security holders, buyers, business partners, and customers of clients.

Personal data provided by third parties

We will collect Personal Data directly from you, from clients or from authorised representatives and as otherwise permitted or required by applicable law. At times, we will also collect personal information from third parties such as regulatory and legal authorities, other organisations with whom you have dealings or who have a legal interest in such data, government agencies, credit reporting agencies, financial institutions, recruitment agencies and other people connected to recruitment, information or service providers, introducers and referrers and from publicly available records.

We may obtain information about you from third parties in order to verify your identity, carry out anti-money laundering, anti-terrorism, sanctions screening and other background and credit checks. In performing these checks, personal information provided by you may be disclosed to that third party which may keep a record of that information. All information provided by you will be treated securely and strictly in accordance with the Data Protection Laws.

Why do we process personal data?

We use your Personal Data for the following purposes listed in this section. We are allowed to do so on certain legal bases (please see section 'How is processing your data lawful' for further detail)

We collect your information so that we can:

• Deliver Legal Services - Provide legal and other services and products as instructed by you, answer your queries and provide you with information or materials you have asked to receive;
• Comply with our Legal and Regulatory obligations – such as establishing your identity in order to comply with anti-money laundering regulations and our other legal and regulatory obligations which may require you to provide name, address, employment/business and financial information, and/or other legally mandated forms of identification;
• Carry out administration - Bill for our work, carry searches and checks, maintain internal records, which will include the collection of names, addresses, banking, financial details and creditworthiness; to maintain and develop our relationship with you, to carry out recruitment activities if you are applying for a job or work placement with us; to analyse and help us manage our practice, to maintain and update our records.
• Carry out Business Development and Marketing – to carry out market research; market our own products and services to you, including as may be permitted by the applicable law, by email or other means and to keep your information and preferences accurate. We may also use and analyse the Personal Data provided to us to track and manage your consent preferences, event reservations and any unsubscribe requests. From time to time, we may wish to send you legal updates; newsletters; press releases; information about our events and the legal services we provide and other communications that we think will be of interest to you and/or your business. You can review and update your contact details and preferences or unsubscribe from our e-marketing communications at any time via the links in our e-marketing messages or by e-mailing us at iaadmin@gowlingwlg.com
• If you have consented to receive marketing materials from us, you can opt out at any time. See 'Your Rights' for further information. You can also manage your preferences by sending a message to iaadmin@gowlingwlg.com
• Maintain Quality Standards – to meet high standards of quality and professional standards, and to obtain and maintain certification and accreditations which may involve audits of our internal processes;
• Manage Claims - pursue available remedies or limit any damages that we or our clients may sustain and to respond to any feedback or complaints;
• Keep people and buildings safe -to help ensure security and for crime prevention; we may have CCTV cameras installed at the entrances to our premises and CCTV data is captured on cameras;
• To monitor our website usage to improve our services – please see our cookies policy which explains what cookies are and why we use them.

How is processing your data lawful?

We are allowed to process your Personal Data for the following reasons and on the following legal basis:

Consent

Where you have given consent - for example, where you have subscribed to a mailing list for us to send you legal alerts, information regarding updates/events or other information which may be of interest to you.

Contract

Where it is necessary for the performance of the contract you have agreed to enter with Gowling WLG UK. For example, because you are using Gowling WLG UK for legal advice, we are required to process your Personal Data for the purposes of performing our legal advice services appropriately and billing our services.

Legal obligation

Where we are subject to legal obligations to process your data for the purposes of compliance with applicable laws; for example, we are required to identify our clients in accordance with the anti-money laundering regulations in many countries and are required to gather and maintain records in compliance with health and safety legislation. We also have obligations pursuant to financial and tax legislation and reporting obligations in respect of tax administration.

Legitimate interest

Processing your Personal Data is also legal if it is based on our 'legitimate interests'. To process on this basis, we have considered the impact on your interests and rights, and have placed appropriate safeguards to ensure that the intrusion on your privacy is reduced as much as possible.

The following are examples of the purposes for which we will process your Personal Data on this basis:

• Client administration - to enable us to maintain internal records
• To ensure regulatory compliance - for example that conflict checks are carried out before we start work, to erect information barriers to restrict access to certain information and to comply with all aspects of our regulatory obligations
• To enable us to maintain specific standards of quality in the professional services we provide and to obtain and maintain quality accreditations
• To permit us to pursue available remedies or limit any damages that we may sustain
• To permit us to manage and respond to any complaints
• To liaise with representatives of clients of corporates and other business clients
• To market our services
• To carry out recruitment and administer work experience and work placement activities

Please be aware that you have the right to object to the processing of your data for any of the legitimate interests identified.

Sensitive Personal Data

In certain circumstances, we may process your sensitive personal data for the following reasons and subject to the following exceptions:

• Consent
  For example, you have given your explicit consent for us to process your health information for the purpose of providing you with legal advice.
• Vital Interests
  Because it is necessary for us to protect your vital interest e.g. It is necessary for us to process your medical/health information, for the purposes of following our health and safety procedures if you are attending an event or visiting our buildings, which in turn could assist us if we are required to protect your life.
• Manifestly public personal data
  The data has been manifestly made public and only when it is necessary for our purposes and permitted by the applicable Data Protection Laws. For example, we ask you to provide your dietary requirements when you attend an event at our offices. We consider that you have made this data manifestly public to our organisation to help us protect you and to ensure your health and safety. We will keep this information confidential and restrict it to only those who need to know.
• Legal claims
  We are establishing or defending a legal claim for you as a client or in our own right.

Who will have access to your personal data?

In the course of providing our services and operating our business, we may disclose your Personal Data to:

• Other Gowling WLG offices, group entities and affiliates;
• Service providers whom we instruct to assist with the provision of legal or other services and products such as other professional advisors, and the administrative requirements associated with those services;
• Providers of certain business support tasks to Gowling WLG UK including security, delivery, technology, research, banking, payment, insurance, litigation support, translation, credit checking, archiving and storage;
• Providers of business development and marketing support services, in order to provide event and marketing support;
• Legal and or regulatory authorities including courts or public authorities who may compel disclosure, in the event that we are required to make a disclosure under various legislation and regulation or where we have a legal, regulatory or professional obligation to do so or are required to protect the safety or rights or our clients, staff or others;
• Personal Data may also be subject to transfer to another organisation in the event of corporate transaction such as a merger, combination or acquisition, or change of ownership of our firm. This will occur only if the parties have entered into an agreement under which the collection, use and disclosure of the information is restricted to those purposes that relate to the business transaction, including a determination whether or not to proceed with the business transaction, and is used by the parties to carry out and complete the business transaction.
• Persons whom you instruct us to disclose your information to in the course of providing legal services, for example a party involved in a legal claim or transaction.
• If you wish to know more about the parties with whom we share Personal Data, please contact us.

International transfers of data between our offices

Transfers of your information out of the UK/EEA

In the context of its global practice, Gowling WLG UK transfers Personal Data between its offices, the free flow of information being essential for the efficient conduct of its International business. A number of our offices and affiliates are located outside the European Economic Area. Transfers from Gowling WLG UK entities in the EEA to Gowling WLG UK entities in any country outside the EEA that is not deemed to offer an adequate level protection according to the European Commission shall be governed by a data transfer agreement containing model clauses offering an adequate level protection according to the European Commission, that will safeguard your privacy rights and give you remedies in the unlikely event of a security breach, unless we inform you that another appropriate safeguard has been put in place.

Gowling WLG (Canada) LLP ("Gowling WLG Canada") is an independent entity. Gowling WLG Canada has a separate privacy notice which describes how it processes personal information. For European data protection law purposes, the European Commission considers that Canada's federal privacy law offers adequate levels of protection to safeguard your privacy rights.

If you instruct us and if it is necessary, we will exchange information with law firms located in other jurisdictions.

How we keep your data secure

Gowling WLG UK is committed to its Information and Cyber security programme, ensuring that adequate security controls are in place to protect information and data from being accessed, corrupted, lost or stolen. Our Germany offices align to ISO27001 standards - an international information security standard which is widely recognised as an indication of best practice in information security and informational risk management. If you have any particular concerns about your information, please contact us (see 'How to contact us?' above).

When will we delete your data?

We retain personal data in line with our internal policies, contractual terms and where necessary for us to meet our legal, regulatory and professional obligations. Our default retention periods will differ, depending on the country which is providing your services. In any case, the criteria that we apply is to delete data when it is no longer necessary for us to hold it.

Type of work/data	Retention Period
Job applications	2 months
Court litigation documents	3 years; up to 30 years
Trade or business letters received	6 years
Annual reports	10 years
Accounts and records	10 years

Your rights

As a data subject, you have the following rights under the Data Protection Laws:

• the right of access to Personal Data relating to you;
• the right to correct any mistakes in your information;
• the right to object to the processing of your Personal Data for direct marketing purposes;
• the right to object to our processing based grounds of our legitimate interests
• rights in relation to automated decision making;
• the right to restrict or prevent your Personal Data being processed;
• the right to have your Personal Data ported to another data controller (e.g. if you decide to contract with a different service provider);
• the right to erasure; and
• the right to withdraw previously given consent

These rights are explained in more detail below, but if you have any comments, concerns or complaints about the use of your Personal Data by us, please contact us (please refer to section "How to contact us").

We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex, in which case we will respond within three months.

Please be aware that there are exceptions and exemptions that apply to some of the rights which we will apply in accordance with the Data Protection Laws.

Right to access Personal Data relating to you

You may ask to see what Personal Data we hold about you and be provided with:

• a copy;
• details of the purpose for which it is being or is to be processed;
• details of the recipients or classes of recipients to whom it is or may be disclosed, including if they are overseas and what protections are used for those oversea transfers;
• the period for which it is held (or the criteria we use to determine how long it is held);
• any information available about the source of that data; and
• whether we carry out an automated decision-making, or profiling, and where we do information about the logic involved and the envisaged outcome or consequences of that decision or profiling.

To help us find the Personal Data easily, please provide us as much information as possible about the type of Personal Data you would like to see.

Right to correct any mistakes in your information

You can require us to correct any mistakes in your Personal Data which we hold free of charge. If your Personal Data is incomplete, you can ask us to complete it by adding more details. If you would like to do this, please:

• email, call or write to us (see "How to contact us")
• let us have enough information to identify you, and
• let us know the Personal Data that is incorrect and what it should be replaced or supplemented with or how they should be completed.

Right to object to the processing of your Personal Data for direct marketing purposes

You can ask us to stop contacting you for direct marketing purposes. If you would like to do this, please:

• See "How can you contact us" above
• You can review and update your contact details and preferences or unsubscribe from our communications at any time via the links in our e-marketing messages or by e-mailing us at iaadmin@gowlingwlg.com.

Right to object

You can object, on grounds relating to your particular situation, to our processing of Personal Data if our basis of processing is for the purpose of legitimate interests. We will only process your Personal Data further if there are compelling legitimate reasons for the processing, which outweigh your interests, rights and freedoms or if the processing serves to assert, exercise or defend legal claims.

Rights in relation to automated decision making

We do not make any automated decisions about you so this right does not apply.

Right to restrict or prevent processing of personal data

You may request that we stop or limit processing your personal data temporarily if:

• you do not think that your Personal Data is accurate. We will start processing again once we have checked whether or not it is accurate;
• the processing is unlawful but you do not want us to erase your Personal Data;
• we no longer need the Personal Data for our processing, but you need the Personal Data to establish, exercise or defend legal claims; or
• you have objected to processing because you believe that your interests should override our legitimate interests and it has not yet been determined whether this is the case. We will continue processing as soon as it is certain that our legitimate interests outweigh your interests.

Copies of your Personal Data (data portability)

You may ask for an electronic copy of your Personal Data which we hold electronically and which we process when we have entered into a contract with you. You can also ask us to provide this directly to another party.

Right to erasure

You can ask us to erase your Personal Data where:

• you do not believe that we need your Personal Data in order to process it for the purposes set out in this Privacy Notice;
• if you had given us consent to process your Personal Data and you withdraw that consent;
• you object to our processing and we do not have any legitimate interests that mean we can continue to process your data; or
• your Personal Data has been processed unlawfully or have not been erased when it should have been.

Right to withdraw consent

The circumstances in which we rely on consent are minimal but if the lawful basis for processing is based upon the provision of your consent, you are able to withdraw your previously given consent to the processing of the Personal Data at any time without giving reasons.

If you want to withdraw your consent:

• contact us by email, telephone or in writing (see "How can you contact us" above)
• give us enough information so that we can identify you and if necessary, let us know which consent you would like to withdraw.

Complaints to the regulator

It is important that you ensure you have read this Privacy Notice - and if you do not think that we have processed your data in accordance with this notice - you should let us know as soon as possible. Similarly, you may complain to the responsible supervisory authority.

The supervisory authority responsible for our office in Munich is the Bavarian State Office for Data Protection: Contact the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA) www.lda.bayern.de

The supervisory authority responsible for our office in Stuttgart is the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg at www.baden-wuerttemberg.datenschutz.de

The supervisory authority responsible for our office in Frankfurt is the Hessian Commissioner for Data Protection and Freedom of Information (HBDI) at https://datenschutz.hessen.de

The addresses of all German supervisory authorities as well as the links to their websites can be found at https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html.

January 2021

Kurzzusammenfassung

Wir verarbeiten Ihre Daten, um Ihnen juristische und sonstige Dienstleistungen zur Verfügung zu stellen. Möglicherweise verarbeiten wir Ihre Daten auch aufgrund Ihrer Beziehung zu einem oder mehreren unserer Mandanten, oder wenn Sie sich auf eine Stelle oder ein Praktikum bei uns bewerben oder uns Dienstleistungen erbringen. Außerdem erheben wir personenbezogene Informationen, wenn Sie uns kontaktieren, einen unserer Newsletter abonnieren oder an einem unserer Seminare oder einer unserer Veranstaltungen, einschließlich Webinare und andere digitale Veranstaltungen, teilnehmen.

In dieser Beziehung spielen auch andere Dienstleister eine wichtige Rolle, wenn wir sie damit beauftragen, uns bei sonstigen professionellen Dienstleistungen und administrativen Vorgaben zu unterstützen. Wir arbeiten mit ihnen zusammen, um eine effiziente Unternehmensunterstützung zu gewährleisten, beispielsweise in den Bereichen Sicherheit, Lieferung, Technologie, Zahlungsabwicklung, Versicherungen, Unterstützung bei Rechtsstreitigkeiten sowie Archivierung und Sicherung.

Ihre Informationen werden gemäß der ISO27001-Norm sicher und streng vertraulich behandelt.

In dieser Erklärung wird erläutert, welche Daten wir warum verarbeiten, die rechtliche Grundlage dafür sowie Ihre Rechte. Um so transparent wie möglich zu sein, werden wir diese Datenschutzerklärung fortlaufend aktualisieren.

• Über uns
• Nützliche Begriffe und Ausdrücke
• Welche Informationen erheben wir?
• Warum verarbeiten wir Ihre personenbezogenen Daten?
• Auf welcher rechtlichen Grundlage werden Ihre personenbezogenen Daten verarbeitet?
• Wer wird Zugriff auf Ihre personenbezogenen Daten haben?
• Wann werden wir Ihre personenbezogenen Daten löschen?
• Ihre Rechte

Über uns

Gowling WLG (UK) LLP (Gowling WLG UK) ist eine eigenständige Gesellschaft und Teil der Gowling-WLG-Gruppe. Weitere Gesellschaften der Gowling-WLG-Gruppe sind in anderen Staaten tätig. Unsere Handhabung Ihrer Daten unterscheidet sich von Staat zu Staat, weswegen jede unserer Gesellschaften ein gesonderter 'Verantwortlicher für die Datenverarbeitung'. ist Der Verantwortliche für die Datenverarbeitung ist für die Verarbeitung Ihrer personenbezogenen Daten gemäß den Datenschutzgesetzen verantwortlich.

Auf unserer Seite mit rechtlichen Hinweisen finden Sie Informationen zur Struktur von Gowling WLG, den Gesellschaften unserer Gruppe und darüber, wer Ihr Verantwortlicher für die Datenverarbeitung ist.

Jeder Staat hat unterschiedliche Datenschutzgesetze. In Deutschland gelten die Datenschutz-Grundverordnung (DSGVO) (Verordnung (EU) 2016/679) sowie das Bundesdatenschutzgesetz (BDSG) 2017.

Wir nehmen den Schutz Ihrer Daten sehr ernst und bitten Sie, diese Datenschutzerklärung aufmerksam zu lesen, da sie wichtige Informationen enthält über:

• Ihre Rechte
• Die personenbezogenen Daten, die wir von Ihnen erheben, und für welche Zwecke wir sie erheben
• Was wir mit Ihren Daten machen und
• Mit wem Ihre Informationen geteilt werden

Wenn Sie zusätzliche Hilfe benötigen

Wenn Sie diese Erklärung in einem anderen Format haben möchten (z. B. Audio, Großdruck, Braille), kontaktieren Sie uns bitte.

Wie Sie uns kontaktieren können

Bitte kontaktieren Sie uns, wenn Sie Fragen haben zu dieser Datenschutzerklärung oder den Informationen, die wir über Sie gespeichert haben.

Wenn Sie unser Büro in München kontaktieren möchten, wenden Sie sich bitte schriftlich an Gowling WLG, Prannerstraße 15, 80333 München, Deutschland.

Wenn Sie unser Büro in Stuttgart kontaktieren möchten, wenden Sie sich bitte schriftlich an Gowling WLG, Heilbronner Straße 190, 70191 Stuttgart, Deutschland.

Änderungen der Datenschutzerklärung

Wir können diese Datenschutzerklärung bei Veranlassung ändern. Sie sollten diese Datenschutzerklärung gelegentlich überprüfen, um sicherzustellen, dass Ihnen die aktuellste Version bekannt ist.

Nützliche Begriffe und Ausdrücke

Bitte machen Sie sich mit den folgenden Begriffen und Ausdrücken vertraut, da diese in den Datenschutzgesetzen eine besondere Bedeutung haben und in der gesamten Datenschutzerklärung verwendet werden:

Personenbezogene daten	Dies bezeichnet jegliche personenbezogenen Informationen, anhand derer eine lebende Person identifiziert werden kann. Dies umfasst Angaben wie beispielsweise Telefonnummern, Namen, Adressen, E-Mail-Adressen, Fotos, Sprachaufnahmen. Dies umfasst auch Meinungsäußerungen zu betroffenen Personen (sowie deren eigene Meinungsäußerungen/Absichten). Dies umfasst auch Informationen, die für sich allein keine Identifizierung einer Person zulassen, jedoch in Kombination mit anderen Informationen, die uns vorliegen oder uns wahrscheinlich in Zukunft vorliegen werden sie identifizieren könnte.
Sensible personenbezogene daten oder besondere kategorien personenbezogener daten	Dies bezeichnet jegliche Informationen bezüglich: rassischer oder ethnischer Herkunft politischer Meinungen und Zugehörigkeiten religiöser oder weltanschaulicher oder ähnlicher Überzeugungen Gewerkschaftszugehörigkeiten des geistigen oder körperlichen Gesundheitszustands des Sexuallebens und der sexuellen Orientierung; oder genetischer oder biometrischer Daten
Verarbeitung	Dies umfasst praktisch alles, was mit personenbezogenen Daten geschehen kann, einschließlich: deren Erhebung, Erfassung, Abruf, Überprüfung, Abfrage, Auslesung, Speicherung, Verwendung oder Verwaltung; deren Organisation, Ordnung, Abgleich, Verknüpfung, Anpassung oder Veränderung; Offenlegung, Verbreitung oder anderweitige Form der Bereitstellung; sowie derenEinschränkung, Löschung oder Vernichtung
Betroffene Person	Die Person, auf die sich die personenbezogenen Daten beziehen.
Aufsichtsbehörde	Die Behörde, die für die Implementierung, Überwachung und Durchsetzung der Datenschutzgesetze zuständig ist.
Verantwortlicher für die Datenverarbeitung	Dies bezeichnet jegliche Personen, die Zwecke und die Art und Weise der Verarbeitung personenbezogener Daten festlegen.
Auftragsverarbeiter	Dies bezeichnet jegliche Personen, die im Auftrag des Verantwortlichen für die Datenverarbeitung personenbezogene Daten verarbeiten.
Datenschutzgesetze	Dies bezeichnet die Gesetze, die den Umgang mit Daten regeln – die Auflistung der Gesetze finden Sie am Anfang dieser Datenschutzerklärung.

Welche Informationen erheben wir?

Personenbezogene Daten, die von Ihnen zur Verfügung gestellt werden

Um Ihnen unsere Dienstleistungen anbieten zu können, können wir personenbezogene Daten von Ihnen erheben, einschließlich:

• Ihres Namens,
• Ihrer Adresse,
• Ihrer Telefonnummer,
• Ihrer E-Mail-Adresse,
• Ihres Geburtsdatums und sonstiger Identitätsangaben, die wir für die Einhaltung gesetzlicher und aufsichtsrechtlicher Anforderungen benötigen

Außerdem werden wir personenbezogene Daten erheben, wenn Sie uns kontaktieren, uns Feedback senden, einen unserer Newsletter abonnieren, eines unserer Seminare oder eine unserer Veranstaltungen besuchen oder eine Beschwerde einreichen.

Ferner erheben wir Informationen, die Sie mit uns teilen, um Ihre Situation sowie Ihre Hobbies und Vorlieben zu verstehen und Ihre Interessen vertreten zu können, wenn Sie uns beauftragen bzw. ein Kontakt oder Mandant von Gowling WLG UK werden, oder aufgrund Ihrer Beziehung zu einem oder mehreren unserer Mandanten, wenn Sie Dienstleistungen uns erbringen oder wenn Sie sich auf eine Stelle oder ein Praktikum bewerben.

Sensible personenbezogene Daten

Wenn wir Sie darum bitten, uns sensible personenbezogene Daten zur Verfügung zu stellen, werden wir erläutern, warum wir diese Daten benötigen, was wir mit ihnen zu tun beabsichtigen und welche Rechte Sie haben.

Personenbezogene Daten anderer Personen

Wenn Sie Informationen im Auftrag einer anderen Person an uns weitergeben, bestätigen Sie, dass die andere Person Sie dazu bestimmt hat, in ihrem Auftrag zu handeln, und Ihnen gestattet hat, dies zu tun. In einigen Fällen erheben wir personenbezogene Daten, die Sie betreffen, von anderen Personen, einschließlich Mandanten, denen wir Rechtsdienstleistungen erbringen. Wir können beispielsweise Informationen einholen über Geschäftsführer, Angestellte oder Mitarbeiter unserer Mandanten oder sonstiger Parteien, Zeugen, Begünstigter, Gegenparteien, verbundener Parteien, Interessenträger, Geschäftspartner, Investoren, Gesellschafter, Wertpapierinhaber, Käufer sowie Kunden von Mandanten.

Von Dritten zur Verfügung gestellte personenbezogene Daten

Wir erheben personenbezogene Daten direkt von Ihnen, von Mandanten oder Bevollmächtigten und wie sonst nach geltendem Recht zulässig oder erforderlich. Bisweilen werden wir auch personenbezogene Informationen von Dritten, wie beispielsweise Aufsichts- und Justizbehörden, erheben, sowie sonstigen Organisationen, mit denen Sie in Beziehung stehen oder die ein rechtliches Interesse an solchen Daten haben, Regierungsbehörden, Auskunfteien, Finanzinstituten, Personalagenturen und sonstigen Personen, die mit Personalbeschaffung im Zusammenhang stehen, Informationsanbietern oder Dienstleistern, Akquisiteuren und Empfehlern sowie aus öffentlich zugänglichen Registern.

Möglicherweise holen wir von Dritten Informationen über Sie ein, um Ihre Identität zu verifizieren und um Prüfungen zur Geldwäsche- und Terrorismusbekämpfung, Sanktionsprüfungen und sonstige Hintergrund- und Bonitätsprüfungen durchzuführen. Bei der Durchführung dieser Prüfungen können von Ihnen zur Verfügung gestellte personenbezogene Informationen an diesen Dritten weitergegeben werden, der diese Informationen möglicherweise dokumentiert. Sämtliche von Ihnen zur Verfügung gestellten Informationen werden sicher und streng gemäß den Datenschutzgesetzen behandelt.

Warum verarbeiten wir personenbezogene Daten?

Wir verwenden Ihre personenbezogenen Daten für die Zwecke, die nachfolgend in diesem Abschnitt aufgelistet sind. Wir sind aufgrund einer bestimmten Rechtsgrundlage dazu berechtigt (siehe Abschnitt "auf welcher rechtlichen Grundlage erfolgt die Verarbeitung Ihrer Daten" für weitere Einzelheiten).

Wir erheben Ihre Informationen, damit wir:

• Rechtsdienstleistungen erbringen können – juristische und sonstige Dienstleistungen und Produkte gemäß Ihrem Auftrag anbieten, Ihre Fragen beantworten und Ihnen Informationen und Materialien liefern, um die Sie gebeten haben;
• Unsere gesetzlichen und aufsichtsrechtlichen Pflichten erfüllen können – wie beispielsweise die Feststellung Ihrer Identität zur Erfüllung von Vorschriften zur Geldwäschebekämpfung und unserer sonstigen gesetzlichen und aufsichtsrechtlichen Pflichten, aufgrund derer Sie verpflichtet sein können, Ihren Namen, Ihre Adresse, Ihre Beschäftigungs-/Geschäftsverhältnisse und finanziellen Informationen und/oder sonstige gesetzlich vorgeschriebener Identifikationsmerkmale anzugeben;
• Verwaltungstätigkeiten durchführen können – unsere Leistungen abrechnen, Recherchen und Prüfungen durchführen, interne Unterlagen führen, was die Erhebung von Namen, Adressen, Bankdetails, finanzieller Informationen und der Kreditwürdigkeit umfasst; unsere Beziehung zu Ihnen aufzubauen und zu pflegen, Personalanwerbemaßnahmen durchführen, wenn Sie sich bei uns um eine Stelle oder ein Praktikum bewerben; unsere Tätigkeit analysieren und verwalten, unsere Unterlagen führen und aktualisieren.
• Geschäftsentwicklung und Marketing durchführen können – Marktrecherchen durchführen; unsere eigenen Produkte und Dienstleistungen an Sie vermarkten, auch – soweit im Rahmen des geltenden Rechts zulässig – per E-Mail und anderweitig, und Ihre Informationen und Vorlieben korrekt halten. Wir können die personenbezogenen Daten, die uns zur Verfügung gestellt wurden, auch für die Nachverfolgung und Verwaltung Ihrer Zustimmungen, Veranstaltungsreservierungen und etwaigen Abbestellungen verwenden. Bei Veranlassung möchten wir Ihnen evtl. rechtliche Änderungen, Newsletter, Pressemitteilungen, Informationen zu unseren Veranstaltungen und Rechtsdienstleistungen sowie sonstige Mitteilungen schicken, die für Sie und/oder Ihr Unternehmen interessant sein könnten. Ihre Kontaktdaten und Einstellungen können Sie jederzeit überprüfen und aktualisieren oder unsere Marketingmitteilungen abbestellen, indem Sie auf die Links in unseren E-Marketing-Nachrichten klicken oder eine E-Mail senden an iaadmin@gowlingwlg.com
• Wenn Sie dem Erhalt von Marketingmaterial von uns zugestimmt haben, können Sie sich jederzeit davon abmelden. Weitere Informationen finden Sie unter Ihre Rechte. Sie können Ihre Einstellungen auch verwalten, indem Sie eine E-Mail senden an iaadmin@gowlingwlg.com
• Qualitätsstandards aufrechterhalten können – hohen Qualitäts- und professionellen Standards gerecht werden sowie Zertifizierungen und Zulassungen erhalten und aufrechterhalten, was Prüfungen unserer internen Abläufe beinhalten könnte;
• Ansprüche verwalten können – verfügbare Abhilfemaßnahmen verfolgen oder Schäden begrenzen, die wir oder unsere Mandanten erleiden könnten, und zu Feedback oder Beschwerden Stellung nehmen;
• Menschen und Gebäude schützen können – Sicherheit gewährleisten und Kriminalität verhindern; an den Eingängen zu unseren Büroräumen können Überwachungskameras installiert sein, und es können Videoüberwachungsdaten von Kameras erfasst werden;
• die Nutzung unserer Webseite überwachen können, um unsere Leistungen zu verbessern – in unserer Cookie-Richtlinie können Sie nachlesen, was Cookies sind und warum wir sie verwenden.

Auf welcher rechtlichen Grundlage erfolgt die Verarbeitung Ihrer Daten?

Wir dürfen Ihre personenbezogenen Daten aus folgenden Gründen und aufgrund der folgenden rechtlichen Grundlagen verarbeiten:

Einwilligung

Wenn Sie eingewilligt haben – beispielsweise, wenn Sie eine E-Mail-Verteilerliste abonniert haben, mit der wir Sie über bedeutende rechtliche Änderungen unterrichten, Informationen zu Updates/Veranstaltungen oder sonstige Informationen schicken, die für Sie interessant sein könnten.

Vertrag

Wenn dies für die Erfüllung des Vertrags, den Sie mit Gowling WLG UK abgeschlossen haben, erforderlich ist. Wenn Sie beispielsweise eine Rechtsberatung von Gowling WLG UK in Anspruch nehmen, müssen wir Ihre personenbezogenen Daten verarbeiten, um unsere Rechtsberatungsdienstleistungen angemessen erbringen und unsere Leistungen abrechnen zu können.

Rechtliche Verpflichtung

Wenn wir rechtlich verpflichtet sind, Ihre Daten zum Zwecke der Einhaltung geltender Gesetze zu verarbeiten, z. B. wenn wir unsere Mandanten gemäß den Vorschriften zur Geldwäschebekämpfung, die in vielen Ländern gelten, identifizieren und gemäß den Gesundheits- und Sicherheitsvorschriften Unterlagen anlegen und führen müssen. Außerdem haben wir Verpflichtungen im Rahmen der Finanz- und Steuervorschriften sowie Meldepflichten an die Steuerbehörden.

Berechtigtes Interesse

Die Verarbeitung Ihrer personenbezogenen Daten ist außerdem rechtmäßig, wenn sie auf Grundlage unseres "berechtigten Interesses" erfolgt. Für die Verarbeitung auf dieser Grundlage haben wir die Auswirkungen auf Ihre Interessen und Rechte berücksichtigt und angemessene Sicherheitsvorkehrungen getroffen, um sicherzustellen, dass Ihre Privatsphäre so weit wie möglich gewahrt wird.

Nachfolgend finden Sie Beispiele für die Zwecke, für die wir Ihre personenbezogenen Daten auf dieser Grundlage verarbeiten werden:

• Mandantenverwaltung – damit wir interne Unterlagen führen können
• um die Einhaltung gesetzlicher Bestimmungen sicherzustellen – beispielsweise, dass wir Konfliktchecks durchführen, bevor wir mit unserer Arbeit beginnen, und Informationsschranken einrichten, um den Zugriff auf bestimmte Informationen einzuschränken
• um bestimmte Qualitätsstandards der von uns erbrachten professionellen Dienstleistungen aufrechterhalten und Qualitätszulassungen erlangen und aufrechterhalten zu können
• um verfügbare Abhilfemaßnahmen verfolgen oder Schäden, die wir erleiden könnten, begrenzen zu können
• um Beschwerden verwalten und dazu Stellung nehmen zu können
• um mit Vertretern unserer Firmen- und sonstiger Geschäftsmandanten zusammenarbeiten zu können
• für die Vermarktung unserer Dienstleistungen
• für Personalanwerbung und die Verwaltung von Praktika und Referendarausbildungen

Bitte beachten Sie, dass Sie das Recht haben, der Verarbeitung Ihrer Daten für jedes der oben genannten berechtigten Interessen zu widersprechen.

Sensible personenbezogene Daten

Unter bestimmten Umständen können wir Ihre sensiblen personenbezogenen Daten aus folgenden Gründen und mit folgenden Ausnahmen verarbeiten:

• Einwilligung
  Wenn Sie beispielsweise in die Verarbeitung Ihrer Gesundheitsinformationen ausdrücklich eingewilligt haben, damit wir Sie rechtlich beraten können.
• Lebenswichtige Interessen
  Weil wir Ihre lebenswichtigen Interessen schützen müssen, z. B. müssen wir Ihre medizinischen/gesundheitlichen Informationen verarbeiten, um unsere Gesundheits- und Sicherheitsvorkehrungen befolgen zu können, wenn Sie an einer Veranstaltung teilnehmen oder unsere Büroräume besuchen, was uns wiederum dabei helfen könnte, Ihr Leben zu schützen.
• Offensichtlich öffentlich gemachte personenbezogene Daten
  Die Daten, die Sie offensichtlich öffentlich gemacht wurden und nur, wenn dies für unsere Zwecke erforderlich und gemäß den geltenden Datenschutzgesetzen zulässig ist. Beispielsweise, wenn wir Sie darum bitten, uns Ihre Ernährungsbedürfnisse mitzuteilen, wenn Sie an einer Veranstaltungen in unseren Büroräumen teilnehmen. Wir gehen dann davon aus, dass Sie diese Daten offensichtlich an unsere Organisation öffentlich gemacht haben, um uns zu helfen, Ihre Gesundheit und Sicherheit sicherzustellen. Wir werden diese Information vertraulich behandeln und nur den Personen zugänglich machen, die sie benötigen.
• Rechtsansprüche
  Wir machen Rechtsansprüche geltend, üben diese aus oder verteidigen diesen für Sie als Mandanten oder in unserem eigenen Namen.

Wer hat Zugriff auf Ihre personenbezogenen Daten?

Im Rahmen der Erbringung unserer Dienstleistungen und der Durchführung unseres Geschäftsbetriebs können wir Ihre personenbezogenen Daten weitergeben an:

• andere Büros, Gesellschaften und verbundene Unternehmen von Gowling WLG;
• Dienstleister, die wir mit der Unterstützung bei der Erbringung juristischer oder sonstiger Dienstleistungen und Produkte und den damit verbundenen administrativen Vorgaben beauftragen, z. B. andere professionelle Berater;
• Anbieter bestimmter Unternehmensunterstützungsmaßnahmen an Gowling WLG UK, einschließlich in den Bereichen Sicherheit, Lieferung, Technologie, Recherche, Bankgeschäfte, Zahlungsabwicklung, Versicherungen, Unterstützung bei Rechtsstreitigkeiten, Übersetzung, Bonitätsprüfung, Archivierung und Sicherung;
• Anbieter von Dienstleistungen zur Geschäftsentwicklung und Marketingunterstützung für die Unterstützung bei Veranstaltungen und beim Marketing;
• Justiz- und Aufsichtsbehörden einschließlich Gerichten oder öffentlichen Behörden, die eine Offenlegung verlangen, wenn gemäß verschiedenen Gesetzen und Bestimmungen eine Offenlegung von uns verlangt wird oder wir gesetzlich, aufsichtsrechtlich oder beruflich dazu verpflichtet sind, um die Sicherheit oder die Rechte unserer Mandanten, unseres Personals oder sonstiger Personen zu schützen;
• Personenbezogene Daten können auch an eine andere Organisation übermittelt werden im Falle einer Unternehmenstransaktion wie beispielsweise eines Zusammenschlusses, einer Fusion oder Übernahme oder eines Inhaberwechsels unserer Kanzlei. Dies wird nur dann geschehen, wenn die Parteien eine Vereinbarung geschlossen haben, gemäß derer die Erhebung, Nutzung und Weitergabe der Informationen auf die Zwecke beschränkt ist, die mit der Unternehmenstransaktion zusammenhängen, einschließlich einer Festlegung, ob mit der Unternehmenstransaktion fortgefahren werden soll, und die von den Parteien für die Durchführung und Vervollständigung der Unternehmenstransaktion verwendet werden.
• Personen, an die wir gemäß Ihrem Auftrag im Rahmen der Erbringung juristischer Dienstleistungen Informationen weitergeben sollen, z. B. eine Partei, die an einem Rechtsanspruch oder einer Transaktion beteiligt ist;
• Wenn Sie mehr über die Parteien wissen möchten, mit denen wir personenbezogene Daten teilen, kontaktieren Sie uns bitte.

Internationaler Datentransfer zwischen unseren Büros

Transfer Ihrer Informationen außerhalb des EWR

Im Rahmen ihrer globalen Tätigkeit übermittelt Gowling WLG UK personenbezogene Daten zwischen ihren Büros, da der freie Informationsfluss für die effiziente Durchführung ihrer internationalen Geschäfte unerlässlich ist. Einige unserer Büros und verbundenen Unternehmen befinden sich außerhalb des Europäischen Wirtschaftsraums. Übermittlungen von Unternehmen von Gowling WLG UK im EWR an Unternehmen von Gowling WLG UK in ein Land außerhalb des EWR, das laut der Europäischen Kommission keinen adäquaten Schutz bietet, unterliegt einer Datenübermittlungsvereinbarung, die Modellklauseln enthält, die laut der Europäischen Kommission adäquaten Schutz bieten, Ihre Persönlichkeitsrechte schützen und Ihnen für den unwahrscheinlichen Fall eines Sicherheitsverstoßes Abhilfemaßnahmen zur Verfügung stellen, es sei denn, wir teilen Ihnen mit, dass ein anderer angemessener Schutz eingerichtet wurde.

Gowling WLG (Canada) LLP ("Gowling WLG Canada") ist eine unabhängige Gesellschaft. Gowling WLG Canada hat eine separate Datenschutzerklärung, in der beschrieben ist, wie personenbezogene Daten verarbeitet werden. Für die Zwecke des europäischen Datenschutzes ist die Europäische Kommission der Ansicht, dass das kanadische bundesstaatliche Datenschutzrecht adäquaten Schutz Ihrer Persönlichkeitsrechte bietet.

Wenn Sie uns beauftragen und es erforderlich ist, werden wir Informationen mit Kanzleien in anderen Rechtsräumen austauschen.

Wie wir Ihre Daten schützen

Gowling WLG ist ihrem Informations- und Cybersicherheitsprogramm verpflichtet, das sicherstellt, dass adäquate Sicherheitskontrollen greifen, um Informationen und Daten vor unbefugtem Zugriff, Beschädigung, Verlust oder Diebstahl zu schützen. Die Kanzlei richtet sich nach der ISO27001-Norm – einer internationalen Norm für Informationssicherheit, die allgemein als Best Practice im Bereich Informationssicherheit und Informationsrisikomanagement anerkannt ist. Wenn Sie im Hinblick auf Ihre Informationen bestimmte Bedenken haben, kontaktieren Sie uns bitte (siehe 'Wie Sie uns kontaktieren können' oben).

Wann löschen wir Ihre Daten?

Wir bewahren Ihre personenbezogenen Daten gemäß unseren internen Richtlinien, Vertragsbedingungen und in den Fällen, in denen wir gesetzlich, aufsichtsrechtlich oder beruflich dazu verpflichtet sind, auf. Unsere standardmäßigen Aufbewahrungszeiträume unterscheiden sich je nach Land, in dem Ihre Dienstleistungen erbracht werden. In jedem Fall löschen wir Daten, sobald deren Aufbewahrung nicht mehr erforderlich ist.

Art der Arbeit/Daten	Aufbewahrungszeitraum
Bewerbungen	zwei Monate
Dokumente für gerichtsverfahren	drei Jahre; bis zu 30 Jahren
Handels- oder geschäftsbriefe, die wir erhalten	sechs Jahre
Geschäftsberichte	10 Jahre
Bücher und unterlagen	10 Jahre

Ihre Rechte

Als betroffene Person haben Sie gemäß den Datenschutzgesetzen folgende Rechte:

• ein Auskunftsrecht über personenbezogene Daten, die Sie betreffen;
• das Recht auf Berichtigung von Fehlern in Ihren Informationen;
• das Recht, einer Verarbeitung Ihrer personenbezogenen Daten zu Zwecken des Direktmarketings zu widersprechen;
• Rechte in Bezug auf automatisierte Entscheidungsfindung;
• das Recht, die Verarbeitung Ihrer personenbezogenen Daten einzuschränken oder zu verhindern;
• das Recht, eine zuvor erteilte Einwilligung in die Datenverarbeitung zu widerrufen;
• das Recht, einer aufgrund unserer überwiegenden Interessen erfolgten Datenverarbeitung zu widersprechen;
• das Recht, Ihre Daten an einen anderen Verantwortlichen für die Datenverarbeitung zu übertragen (z. B. wenn Sie sich entschließen, mit einem anderen Dienstleister zusammenzuarbeiten); und
• das Recht auf Löschung.

Diese Rechte sind nachfolgend näher erläutert; wenn Sie jedoch Anmerkungen, Bedenken oder Beschwerden bezüglich der Verwendung Ihrer personenbezogenen Daten durch uns haben, kontaktieren Sie uns bitte (siehe Abschnitt "Wie Sie uns kontaktieren können").

Wir werden binnen eines Monats ab Erhalt Ihrer Anfrage auf sämtliche Rechte eingehen, die Sie geltend machen. Bei besonders komplexen Anfragen antworten wir innerhalb von drei Monaten.

Bitte beachten Sie, dass es Ausnahmen gibt, die bezüglich einiger Rechte gelten und die wir gemäß den Datenschutzgesetze anwenden werden.

Auskunftsrecht über personenbezogene Daten, die Sie betreffen

Sie können darum bitten, Ihre personenbezogenen Daten, die bei uns gespeichert sind, einzusehen, und erhalten:

• eine Kopie;
• Einzelheiten über den Zweck der aktuellen oder zukünftigen Verarbeitung;
• Einzelheiten zu den Empfängern oder Empfängerklassen, an die Ihre Daten weitergegeben werden (könnten), und auch, ob diese im Ausland ansässig sind und welche Schutzmechanismen für diese Übermittlungen ins Ausland greifen;
• den Zeitraum, in dem Ihre Daten gespeichert werden (bzw. die Kriterien, nach denen wir diesen festlegen);
• sämtliche Informationen, die bezüglich der Quelle dieser Daten verfügbar sind; und
• eine Auskunft darüber, ob wir automatisierte Entscheidungsfindung durchführen oder Profile erstellen, und in den Fällen, in denen wir dies tun, über die angewandte Logik und das angestrebte Ergebnis dieser Entscheidung oder Profilerstellung.

Damit wir die personenbezogenen Daten leichter finden können, stellen Sie uns bitte so viele Informationen wie möglich über die Art der personenbezogenen Daten, die Sie einsehen möchten, zur Verfügung.

Recht auf Berichtigung von Fehlern in Ihren Informationen

Sie können von uns kostenfrei die Berichtigung jeglicher Fehler in Ihren personenbezogenen Daten, die bei uns gespeichert sind, bzw. deren Vervollständigung verlangen. Wenn Sie dies tun möchten, gehen Sie bitte folgendermaßen vor:

• kontaktieren Sie uns per E-Mail, telefonisch oder schriftlich (siehe "Wie Sie uns kontaktieren können")
• geben Sie uns ausreichend Informationen, damit wir Sie identifizieren können, und
• teilen Sie uns die personenbezogenen Daten mit, die fehlerhaft sind, und womit sie ersetzt werden sollen bzw. wie sie vervollständigt werden sollen.

Recht, einer Verarbeitung Ihrer personenbezogenen Daten zu Zwecken des Direktmarketing zu widersprechen

Sie können von uns verlangen, Sie nicht mehr zu Zwecken des Direktmarketings zu kontaktieren. Wenn Sie dies tun möchten, gehen Sie bitte folgendermaßen vor:

• siehe "Wie Sie uns kontaktieren können" oben
• Ihre Kontaktdaten und Einstellungen können Sie jederzeit überprüfen und aktualisieren oder unsere Mitteilungen abbestellen, indem Sie auf die Links in unseren E-Marketing-Nachrichten klicken oder eine E-Mail senden an iaadmin@gowlingwlg.com.

Rechte in Bezug auf automatisierte Entscheidungsfindung

Wir treffen keine automatisierten Entscheidung in Bezug auf Sie; dieses Recht findet daher keine Anwendung.

Recht, die Verarbeitung personenbezogener Daten einzuschränken oder zu verhindern

Sie können beantragen, dass die Verarbeitung Ihrer personenbezogenen Daten eingeschränkt wird, wenn:

• Sie der Ansicht sind, dass Ihre personenbezogenen Daten nicht korrekt sind. Wir werden die Verarbeitung fortführen, sobald wir die Korrektheit überprüft haben;
• die Verarbeitung unrechtmäßig ist, Sie aber nicht möchten, dass wir Ihre personenbezogenen Daten löschen;
• wir die personenbezogenen Daten nicht mehr für unsere Verarbeitung benötigen, Sie jedoch die personenbezogenen Daten benötigen, zur Geltendmachung, Ausübung oder Verteidigung von Rechtsansprüchen; oder
• Sie der Verarbeitung widersprochen haben, weil Sie der Ansicht sind, dass Ihre Interessen über unseren berechtigten Interessen stehen und noch nicht feststeht, ob dies zutrifft. Wir werden die Verarbeitung fortführen, sobald feststeht, dass unsere berechtigten Interessen gegenüber Ihren Interessen überwiegen.

Recht, eine zuvor erteilte Einwilligung in die Datenverarbeitung zu widerrufen

Sie haben das Recht, eine zuvor erteilte Einwilligung in die Verarbeitung Ihrer personenbezogenen Daten jederzeit ohne Angaben von Gründen zu widerrufen. Durch Ihren Widerruf wird die zuvor aufgrund Ihrer erteilten Einwilligung vorgenommene Datenverarbeitung nicht unzulässig.

Wenn Sie Ihre Einwilligung widerrufen möchten,

• kontaktieren Sie uns per E-Mail, telefonisch oder schriftlich (siehe "Wie Sie uns kontaktieren können")
• geben Sie uns ausreichend Informationen, damit wir Sie identifizieren können, und
• teilen Sie uns ggf. mit, welche Einwilligung Sie widerrufen möchten.

Recht, einer aufgrund berechtigter Interessen erfolgten Datenverarbeitung zu widersprechen

Sie haben das Recht, aus Gründen, die sich aus ihrer besonderen Situation ergeben, jederzeit gegen die Verarbeitung Sie betreffender personenbezogener Daten, die aufgrund überwiegender berechtigter Interessen von uns erfolgt, Widerspruch einzulegen. Wir verarbeiten Ihre personenbezogenen Daten dann nur noch weiter, wenn zwingende schutzwürdige Gründe für die Verarbeitung bestehen, die Ihre Interessen, Rechte und Freiheiten überwiegen oder wenn die Verarbeitung der Geltendmachung, Ausübung oder Verteidigung von Rechtsansprüchen dient. Das Bestehen dieser Gründe weisen wir Ihnen nach.

Wenn Sie der Datenverarbeitung aufgrund berechtigter Interessen widersprechen möchten,

• kontaktieren Sie uns per E-Mail, telefonisch oder schriftlich (siehe "Wie Sie uns kontaktieren können")
• geben Sie uns ausreichend Informationen, damit wir Sie identifizieren können, und
• teilen Sie uns ggf. mit, welcher Datenverarbeitung aufgrund berechtigter Interessen Sie widersprechen möchten.

Recht auf Datenübertragung (Datenportabilität)

Sie können eine elektronische Kopie Ihrer personenbezogenen Daten anfordern, die bei uns elektronisch gespeichert sind und die wir verarbeiten, wenn wir einen Vertrag mit Ihnen geschlossen haben. Sie können uns auch darum bitten, diese direkt an einen Dritten zu übermitteln.

Recht auf Löschung

Sie können um Löschung Ihrer personenbezogenen Daten bitten, wenn:

• Sie der Ansicht sind, dass wir Ihre personenbezogenen Daten nicht benötigen, um sie für die Zwecke gemäß dieser Datenschutzerklärung zu verarbeiten;
• Sie in die Verarbeitung Ihrer personenbezogenen Daten eingewilligt hatten, Sie diese Einwilligung widerrufen;
• Sie der Verarbeitung widersprechen und wir keine berechtigten Interessen haben, die bedeuten, dass wir die Verarbeitung Ihrer Daten fortsetzen können; oder
• Ihre personenbezogenen Daten unrechtmäßig verarbeitet oder nicht gelöscht wurden, wenn dies erforderlich gewesen wäre.

Recht auf Beschwerde bei einer Aufsichtsbehörde

Es ist wichtig, dass Sie diese Datenschutzerklärung lesen und uns so schnell wie möglich informieren, falls Sie der Meinung sind, dass wir Ihre Daten nicht gemäß dieser Erklärung verarbeiten oder verarbeitet haben. Ebenso können Sie eine Beschwerde an die zuständige Aufsichtsbehörde richten.

Die für unser Büro in München zuständige Aufsichtsbehörde ist das Bayerische Landesamt für Datenschutzaufsicht (BayLDA), www.lda.bayern.de.

Die für unser Büro in Stuttgart zuständige Aufsichtsbehörde ist der Landesbeauftragte für den Datenschutz und die Informationsfreiheit in Baden-Württemberg (LfDI), www.baden-wuerttemberg.datenschutz.de.

Die für unser Büro in Frankfurt is Hessischer Beauftragter für Datenschutz und Informationsfreiheit (HBDI), www.datenschutz.hessen.de

Die Anschriften aller deutschen Aufsichtsbehörden sowie die Links zu deren Websites finden Sie unter https://www.bfdi.bund.de/DE/Service/Anschriften/Laender/Laender-node.html.

January 2021

Key summary

We process your data in order to provide legal services and other services to you. We may also process your data as a result of your relationship with one or more of our clients or our volunteering programme, or where you apply for a job or work placement with us or our clients, or where you provide us with services. We also collect personal information when you contact us, subscribe to one of our mailing lists or attend one of our seminars or events, including webinars and other digital events.

Other service providers play an important role in this relationship as we instruct them to assist with other professional services and administrative requirements. We liaise with them to ensure efficiency in business support tasks such as security, delivery, technology, payment, insurance, litigation support and archiving and storage.

Your information will be treated securely and in strict confidence, in line with our ISO27001 accreditation.

This notice explains what data we process, why, how it is legal and your rights. In order to do our best to be transparent, this privacy notice will be updated on an ongoing basis.

We also have produced a video notice to tell you the relevant points of what we do with your personal data.

 

• About us
• Useful words and phrases
• What information do we collect?
• Why do we process your personal data?
• How is processing your personal data lawful?
• Who will have access to your personal data?
• When will we delete your data?
• Your rights

About us

Gowling WLG (UK) LLP is an independent entity and part of the Gowling WLG group. Other Gowling WLG group entities operate in different countries. We decide what to do with your data in a different way in each country and so each of our entities is a separate 'data controller'. The data controller is responsible for the processing of your personal data according to the data protection laws.

Please see the legal information page for information on the Gowling WLG structure, our group entities, and who your data controller is.

Each country has different Data Protection Laws. In the UK, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 apply.

We take your privacy very seriously and we ask that you read this Privacy Notice carefully as it contains important information on:

• Your Rights
• The personal data we collect about you and why we collect the data;
• What we do with your data, and
• Who your information will be shared with.

If you need extra help

If you would like this notice in another format (for example: audio, large print, braille) please contact us.

How you can contact us

Please contact us if you have any questions about this Privacy Notice or the information we hold about you.

If you wish to contact our UK offices, please send an email to data.enquiry@gowlingwlg.com or write to us at Gowling WLG (UK) LLP, Two Snowhill, Birmingham, B4 6WR or you may submit a complaint to the Information Commissioner's Office (ICO).

Changes to the Privacy Notice

We may change this Privacy Notice from time to time. You should check this Privacy Notice occasionally to ensure you are aware of the most recent version.

Useful Words and Phrases

Please familiarise yourself with the following words and phrases as they have particular meanings in the Data Protection Laws and are used throughout this Privacy Notice:

What information do we collect?

Personal data provided by you

To provide you with our services, we may collect your information including:

• Identity and contact data ; such as your name, address, phone number, email address, date of birth, company you work for and your position,
• financial data; such as payment related information
• identification and background information provided by you or collected as part of our on-boarding process. We will process identification and background information as part of our onboarding process including anti-money laundering, conflict, reputational and financial checks, and to fulfil any other legal or regulatory requirements which apply to us.
• Video images/photographs/audio; in connection with identification checks, CCTV, providing/receiving training, remote meetings
• Location data; reception registration and/or visitor security pass where you attend our offices i.e. for legal services, insight day, consultancy support, an event or to provide IT support
• Financial information i.e. for billing purposes
• any other information relating to you or third parties which you give us so we may provide you with our service

We will also collect Personal Data when you contact us, send feedback, subscribe to one of our mailing lists, wish to attend, or have attended, one of our events or seminars, attend one of our voluntary programmes or raise any complaint, enquiry or information request with us.

We will also collect information that you share with us to help us understand your situation, your preferences and to represent your best interests when you instruct us/become a client of Gowling WLG (UK) LLP, or as a result of your relationship with one or more of our clients, where you supply us or our clients with services, or where you apply for work experience, insight scheme or a job or work placement with us or our clients.

We will also collect personal data where you are representing your organisation for example as part of procurement or tender. Where you provide third party technical support we may process your data where you provide us with technical support remotely by connecting to our systems or services.

Special category personal data

If we ask you to provide us with your special category personal data, we will explain why we need that data and how we intend to use it and your rights. If necessary, we will ask you for your consent first.

You may provide us with yours or a third party's special category personal data where it is necessary in connection with services we provide, such as information about a person's physical or mental health, alleged criminal activities.

You may provide us with your special category personal data such as your health data to inform us of any dietary requirements or reasonable adjustments required where you are attending one of our offices or events.

We may need to process your special categories of personal data if processing is necessary to comply with laws that apply to us in relation to anti-money laundering or counter-terrorist financing obligations or the prevention, detection or prosecution of any crime.

Personal data about other individuals

If you give us information on behalf of someone else, you confirm that the other person has appointed you to act on their behalf and have agreed that you can. In addition, where you give us personal data belonging to someone else, you must ensure that you have the necessary grounds, consents or authorisations to provide it to us. In some cases, we may obtain Personal Data regarding you from other persons, including clients to whom we provide legal services. For example, we may obtain information regarding directors, officers, or employees of our clients or other parties, witnesses, beneficiaries, adverse parties, related parties, parties in interest, business partners, investors, shareholders, security holders, buyers, business partners, and customers of clients.

Children's data

We do not provide services directly to children or proactively collect their personal information. However, we are sometimes given information about children where it is necessary in connection to legal services we provide to our clients or in connection with our Probono initiatives.

We may also process children's data in connection with our HR and CSR programmes such as our Insight scheme. Children's personal data processed in connection with our Insight Scheme is usually limited to name, contact details, school/college name and CV.

Personal data provided by third parties

We will collect Personal Data directly from you, from clients or from authorised representatives and as otherwise permitted or required by applicable law. At times, we will also collect personal information from third parties such as regulatory and legal authorities, other organisations with whom you have dealings or who have a legal interest in such data, government agencies, credit reporting agencies, financial institutions, recruitment agencies and other people connected to recruitment, information or service providers, introducers and referrers and from publicly available records.

We may obtain information about you from third parties in order to verify your identity, carry out anti-money laundering, anti-terrorism, sanctions screening and other background and credit checks. In performing these checks, personal information provided by you may be disclosed to that third party which may keep a record of that information. All information provided by you will be treated securely and strictly in accordance with the Data Protection Laws.

Why do we process personal data?

We use your Personal Data for the following purposes listed in this section. We are allowed to do so on certain legal bases (please see section 'How is processing your data lawful' for further detail).

We collect your information so that we can:

• Deliver Legal Services - Provide legal and other services and products as instructed by you, answer your queries and provide you with information or materials you have asked to receive;
• Comply with our Legal and Regulatory obligations - such as establishing your identity in order to comply with anti-money laundering regulations and our other legal and regulatory obligations which may require you to provide name, address, employment/business and financial information, and/or other legally mandated forms of identification;
• Carry out administration - Bill for our work, carry out searches and checks, maintain internal records, which will include the collection of names, addresses, banking, financial details and creditworthiness; to maintain and develop our relationship with you; to carry out recruitment activities if you are applying for a job or work placement with us or our clients; to analyse and help us manage our practice; to maintain and update our records.
• Carry out Business Development and Marketing - to carry out market research; market our own products and services to you, including as may be permitted by the applicable law, by email or other means and to keep your information and preferences accurate. We may also use and analyse the Personal Data provided to us to track and manage your consent preferences, event reservations and any unsubscribe requests. From time to time, we may wish to send you legal updates; newsletters; press releases; information about our events and the legal services we provide and other communications that we think will be of interest to you and/or your business. You can review and update your contact details and preferences or unsubscribe from our e-marketing communications at any time via the links in our e-marketing messages or by e-mailing us at iaadmin@gowlingwlg.com
• If you have consented to receive marketing materials from us, you can opt out at any time. See 'Your Rights' for further information. You can also manage your preferences by sending a message to iaadmin@gowlingwlg.com
• Maintain Quality Standards - to meet high standards of quality and professional standards, and to obtain and maintain certification and accreditations which may involve audits of our internal processes;
• Manage Claims - pursue available remedies or limit any damages that we or our clients may sustain and to respond to any feedback or complaints that we may receive;
• Keep people and buildings safe -to help ensure security and for crime prevention; we may have CCTV cameras installed at the entrances to our premises and CCTV data is captured on cameras;
• To monitor our website usage to improve our services - please see our cookies policy which explains what cookies are and why we use them.

How is processing your data lawful?

We are allowed to process your Personal Data for the following reasons and on the following legal basis:

Consent

Where you have given consent - for example, where you have subscribed to a mailing list for us to send you legal alerts, information regarding updates/events or other information which may be of interest to you.

Contract

Where it is necessary for the performance of the contract you have agreed to enter with Gowling WLG (UK) LLP. For example, because you are using Gowling WLG (UK) LLP for legal advice, we are required to process your Personal Data for the purposes of performing our legal advice services appropriately and billing our services and by retaining us you agree that we may do so.

Legal obligation

Where we are subject to legal obligations to process your data for the purposes of compliance with applicable laws; for example, we are required to identify our clients in accordance with the anti-money laundering regulations in many countries and are required to gather and maintain records in compliance with health and safety legislation. We also have obligations pursuant to financial and tax legislation and reporting obligations in respect of tax administration.

Legitimate interest

Processing your Personal Data is also legal if it is based on our 'legitimate interests' which are not overridden by your data protection interests or fundamental rights and freedoms. To process on this basis, we have considered the impact on your interests and rights, and have placed appropriate safeguards to ensure that the intrusion on your privacy is reduced as much as possible.

The following are examples of the purposes for which we will process your Personal Data on this basis:

• Client administration - to enable us to maintain internal records
• To ensure regulatory compliance - for example that conflict checks are carried out before we start work and to erect information barriers to restrict access to certain information and to comply with all aspects of our regulatory obligations
• To enable us to maintain specific standards of quality in the professional services we provide and to obtain and maintain quality accreditations
• To permit us to pursue available remedies or limit any damages that we may sustain
• To permit us to manage and respond to any complaints
• To liaise with representatives of clients of corporates and other business clients
• To market our services
• To carry out recruitment and administer work experience and work placement activities

Please be aware that you have the right to object to the processing of your data for any of the legitimate interests identified.

Special Category Personal Data

In certain circumstances, we may process your special category personal data for the following reasons and subject to the following exceptions:

• Consent
  For example, you have given your explicit consent for us to process your health information for the purpose of providing you with legal advice.
• Vital Interests
  Because it is necessary for us to protect your vital interest e.g. It is necessary for us to process your medical/health information, for the purposes of following our health and safety procedures if you are attending an event or visiting our buildings, which in turn could assist us if we are required to protect your life.
• Manifestly public personal data
  The data has been manifestly made public and only when it is necessary for our purposes and permitted by the applicable Data Protection Laws. For example, we ask you to provide your dietary requirements when you attend an event at our offices. We consider that you have made this data manifestly public to our organisation to help us protect you and to ensure your health and safety. We will keep this information confidential and restrict it to only those who need to know.
• Legal claims
  We are establishing or defending a legal claim for you as a client or in our own right.

Who will have access to your personal data?

In the course of providing our services and operating our business, we may disclose your Personal Data to:

• Other Gowling WLG (UK) LLP offices, group entities, subsidiaries and affiliates, partnerships operating under the Gowling brand ;
• Third party service providers whom we instruct to assist with the provision of legal or other services and products such as other professional advisors, and the administrative requirements associated with those services;
• Third party service providers of certain business support tasks to Gowling WLG (UK) LLP including security, delivery, technology, research, banking, payment, insurance, litigation support, translation, credit checking, archiving, recruitment agencies and storage;
• Charities and organisations in connection with our volunteering programmes
• External inspectors or auditors
• Providers of business development and marketing support services, in order to provide event and marketing support;
• Legal and or regulatory authorities including courts or public authorities who may compel disclosure, such as the Solicitors Regulation Authority (SRA), HMRC, Health & Safety Executive and National Crime Agency (NCA). This may be (i) in the event that we are required to make a disclosure under various legislation and regulation; or (ii) where we have a legal, regulatory or professional obligation to do so; or (iii) where we are required to protect the safety or rights or our clients, staff or others; (iv) or to exercise, establish or defend our legal rights;
• Personal Data may also be subject to transfer to another organisation in the event of corporate transaction such as a merger, combination or acquisition, or change of ownership of our firm. This will occur only if the parties have entered into an agreement under which the collection, use and disclosure of the information is restricted to those purposes that relate to the business transaction, including a determination whether or not to proceed with the business transaction, and is used by the parties to carry out and complete the business transaction.
• Persons whom you instruct us to disclose your information to in the course of providing legal services, for example a party involved in a legal claim or transaction.
• If you wish to know more about the parties with whom we share Personal Data, please contact us.

International transfers of data between our offices

Transfers of your information out of the UK and EEA

In the context of its global practice, Gowling WLG (UK) LLP and affiliated businesses or subsidiaries transfers Personal Data between its offices, the free flow of information being essential for the efficient conduct of its International business. A number of our offices and affiliates are located outside the European Economic Area. Where we transfer personal data outside the UK and EEA, to a country without adequacy regulation, we implement the EC and UK standard contractual clauses to require that personal data remains protected. We also implement EC and UK standard contractual clauses or an alternative transfer mechanism with our third party service providers and partners where there is an international transfer of personal data to a country without adequacy regulations. Any transfer of your personal data outside of the UK or EEA to a third party or another office of ours will be subject to appropriate data protection safeguards that protect your data privacy rights.

Gowling WLG (Canada) LLP ("Gowling WLG Canada") is an independent entity. Gowling WLG Canada has a separate privacy notice which describes how it processes personal information. For UK and European data protection law purposes, the European Commission and the ICO considers that Canada's federal privacy law offers adequate levels of protection to safeguard your privacy rights.

If you instruct us and if it is necessary, we will exchange information with law firms located in other jurisdictions.

How we keep your data secure

We have robust information security management systems in place to protect your personal information and are ISO27001 accredited. ISO27001 is an international information security standard which is widely recognised as an indication of best practice in information security and information risk management.

If you have any particular concerns about your information, please contact us (see 'How to contact us?' above).

When will we delete your data?

We retain personal data in line with our internal policies, contractual terms and where necessary for us to meet our legal, regulatory and professional obligations. Our default retention periods will differ, depending on the country which is providing your services. In any case, the criteria that we apply is to delete data when it is no longer necessary for us to hold it.

Your rights

As a data subject, you have the following rights under the Data Protection Laws:

• the right of access to Personal Data relating to you;
• the right to correct or update any mistakes in your information;
• the right to object to our processing of your personal data in certain circumstances such as where we are processing it for our legitimate interests
• the right to ask us to stop contacting you with direct marketing (opt-out/unsubscribe);
• rights in relation to know details of any automated decision making;
• the right to restrict or prevent your Personal Data being processed;
• the right to have your Personal Data ported to another data controller (e.g. if you decide to contract with a different service provider);
• the right to withdraw your consent where we are processing your personal data based on consent ;
• the right to erasure where you believe we have no good reason to continue processing it;
• right to lodge a complaint with a data protection authority.

These rights are explained in more detail below, but if you have any comments, concerns or complaints about the use of your Personal Data by us, please contact us (please refer to section "How to contact us").

We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex, in which case we will respond within three months.

Please be aware that there are exceptions and exemptions that apply to some of the rights which we will apply in accordance with the Data Protection Laws.

Right to access Personal Data relating to you

You may ask to see what Personal Data we hold about you and be provided with:

• a copy of your personal data;
• details of the purpose for which it is being or is to be processed;
• details of the recipients or classes of recipients to whom it is or may be disclosed, including if they are overseas and what protections are used for those oversea transfers;
• the period for which it is held (or the criteria we use to determine how long it is held);
• any information available about the source of that data; and
• whether we carry out an automated decision-making, or profiling, and where we do information about the logic involved and the envisaged outcome or consequences of that decision or profiling.

To help us find the Personal Data easily, please provide us as much information as possible about the type of Personal Data you would like to see.

Right to correct any mistakes in your information

You can require us to correct any mistakes in your Personal Data which we hold free of charge. If your Personal Data is incomplete, you can ask us to complete it by adding more details. If you would like to do this, please:

• email, call or write to us (see "How to contact us")
• let us have enough information to identify you, and
• let us know the Personal Data that is incorrect and what it should be replaced or supplemented with.

Right to ask us to stop contacting you with direct marketing

You can ask us to stop contacting you for direct marketing purposes. If you would like to do this, please:

• See "How can you contact us" above
• You can review and update your contact details and preferences or unsubscribe from our communications at any time via the links in our e-marketing messages or by e-mailing us at iaadmin@gowlingwlg.com.

Rights in relation to automated decision making

We do not make any automated decisions about you so this right does not apply.

Right to prevent processing of personal data

You may request that we stop or limit processing your personal data temporarily if:

• you do not think that your Personal Data is accurate. We will start processing again once we have checked whether or not it is accurate;
• the processing is unlawful but you do not want us to erase your Personal Data;
• we no longer need the Personal Data for our processing, but you need the Personal Data to establish, exercise or defend legal claims; or
• you have objected to processing because you believe that your interests should override our legitimate interests.

Copies of your Personal Data (data portability)

You may ask for an electronic copy of your Personal Data which we hold electronically and which we process when we have entered into a contract with you. You can also ask us to provide this directly to another party.

Right to erasure

You can ask us to erase your Personal Data where:

• you do not believe that we need your Personal Data in order to process it for the purposes set out in this Privacy Notice;
• if you had given us consent to process your Personal Data, you withdraw that consent and we cannot otherwise legally process your Personal Data;
• you object to our processing and we do not have any legitimate interests that mean we can continue to process your data; or
• your Personal Data has been processed unlawfully or have not been erased when it should have been.

Right to withdraw consent

The circumstances in which we rely on consent are minimal but if the lawful basis for processing is based upon the provision of your consent, you are able to withdraw your previously given consent to the processing of the Personal Data at any time without giving reasons.

If you want to withdraw your consent:

• contact us by email, telephone or in writing (see "How can you contact us" above)
• give us enough information so that we can identify you and if necessary, let us know which consent you would like to withdraw.

Complaints to the regulator

It is important that you ensure you have read this Privacy Notice - and if you do not think that we have processed your data in accordance with this notice - you should let us know as soon as possible. Similarly, you may complain to the competent supervisory authority.

Contact the Information Commissioner's Office. Information about how to do this is available on his website at www.ico.org.uk.

February 2024