King & Wood Mallesons (‘KWM”) values your privacy and is committed to protecting your personal data. The following Privacy Statement sets out how we collect and use your information, the rights you have in relation your information and the legal basis upon which we rely on to process your information.
Personal data includes any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
2. Data Controller - Who we are
KWM is an international law firm. It has offices in a number of locations across the world, principally in Asia, Australia, Europe and North America. Further details can be found on our website. Our contact details can be found in section 12 of this statement. When you engage us to provide services for you, we will let you know which KWM entity will be the “data controller” for your personal data.
3. Explaining the legal basis we rely upon to process your personal information
Data protection laws set out various grounds on which an organisation may lawfully collect and process your personal data. These include:
We can collect and process your data with your consent. For example, when we are processing sensitive or special personal data, such as information relating to your health or religious beliefs. In many circumstances, if we rely on your consent as our legal basis for processing your personal data, you have the right to withdraw that consent at any time.
In many circumstances, we require your personal data to comply with contractual obligations. For example, we collect your identity and contact information when we verify you as a new client. If you are unable to provide such information to us, we may not be able to perform the contract we have with you or your organisation or enter into a contract with you or your organisation.
If the law requires us to, we may need to collect and process your personal data. For example, we may require your personal data to comply with anti-money laundering legislation or laws relating to the provision of legal services. If you are unable to provide such information to us, we may not be able to perform the contract we have with you or your organisation or enter into a contract with you or your organisation.
In many situations, we require your personal data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact on your rights, freedoms or interests. For example, it may be in our legitimate interests to use your personal information for marketing purposes to assist us with the growth of our business.
Data protection laws do vary across the different jurisdictions in which KWM operates. For example, in Australia, organisations must not collect personal information unless the information is reasonably necessary for one or more of the organisation’s functions or activities, subject to some exceptions. Please contact us if you require details of the specific legal ground we are relying on to process your personal data.
4. Personal data that we collect - What, when & why
We may collect personal data from you in the course of our business, including when you engage our legal or other services, through your use of our website, when you contact or request information from us, or as a result of your relationship with our staff and clients.
The personal information that we process includes, but is not limited to:
- Contact information, such as your name, the company you work for, your title, position, your relationship to a person, your postal address, email address and phone number(s);
- Identification and background information provided by you or collected as part of our business acceptance processes, this may include your full name, photographic identification and gender;
- Financial information, such as bank account and payment card details;
- Technical information, such as information collected from your visits to our website;
- Information you provide to us for the purposes of attending meetings and KWM events, including dietary requirements;
- Personal information provided to us by or on behalf of our clients or generated by us in the course or providing services to them.
We collect your personal information for a number of reasons. These may be to:
- help us deliver our legal services;
- confirm your identity;
- develop and market new services;
- comply with any applicable law or court order;
- enforce our agreements with you;
- recruit new employees.
Online data collection – KWM website
Marketing Related Personal Data Processing
We may collect information from you online in a number of ways, such as through the use of our website. Certain sections of our website, including our blogs, invite you to request publications, newsletters and alerts, subscribe to receive invitations to events, seminars and webinars, take part in client surveys and to receive firm announcements. If you do so, we may collect your name, business email address, job title, organisation name and company address. We consider that the collection of this personal data is necessary to pursue our legitimate interests in a way which might reasonably be expected as part of operating and growing our business and which does not materially impact on your rights, freedom or interests.
In some of the jurisdictions in which KWM operates, you are required to complete an online job application form (via the careers section of the KWM website) which allows you to provide us with information relating to your education, employment history and similar matters. This allows our hiring team to make an informed decision as to whether to proceed with your application. We consider that the collection of this personal information is necessary to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests. We may also require your personal data to enter into a contract with you. We will not process any sensitive or special personal information unless we are able to do so under relevant legislation or with your explicit consent. View our privacy statement for prospective employees here.
Automated technologies or interactions
As you interact with our website, we may automatically collect technical information about your equipment, browsing actions and patterns. We collect this data by using cookies, server logs and other similar technologies. We may also receive technical data if you visit other websites employing our cookies including, analytics providers such as Google based outside the EU; advertising networks based outside the EU; and search information providers based inside or outside the EU. We consider that the collection of this information is necessary to pursue our legitimate interests in a way which might reasonably be expected (eg. to analyse how our clients use our services, to develop our services and grow our business) and which does not materially impact your rights, freedom or interests. Please refer to our cookies policy for further information.
“Off-line” data collection
We use different methods to collect personal data from you and about you. These may be through direct interactions (such as when you provide us with your business card at a meeting or event), from third-party sources (such as tax authorities) or from publicly available sources.
KWM is primarily instructed by corporate entities, rather than individual clients. However, as part of these instructions from corporate entities, we process personal data relating to, but not limited to, our client’s workers, opponents or vendors. For example, if we are providing advice to a client relating to the acquisition of another company, we may process personal information relating to the purchaser’s employees as well as the seller’s employees. In circumstances such as these, you may provide us with the personal data of individuals who are not aware of the processing of their personal data. In these situations we may not have direct contact with individuals whose personal data we are processing. For the purposes of maintaining client confidentiality for example, it may not be appropriate for us to provide them with a privacy notice that sets out how we process their personal data. We consider that the processing of this information is necessary to pursue our legitimate interests in a way which is to be expected, to comply with our legal obligations and to perform our contractual obligations.
Anti-Money laundering, anti-terrorism, fraud and other background checks for new clients
There are laws and regulations that we are required to comply with when we take you on as a new client or open a new matter for you. In order to fulfil our legal obligations, we are obliged to verify the identity of new clients, and in some circumstances, existing clients. In some circumstances we may decline to, or may not be permitted to, proceed to act until such procedures have been completed. We consider that the legal basis for this processing is to perform contractual obligations and to comply with legal or regulatory obligations that we are subject to.
5. How we protect your data
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place appropriate technical, physical and managerial procedures to safeguard and protect your personal data. We regularly monitor our system for possible vulnerabilities and attacks, and we carry out penetration testing to identify ways to further strengthen security.
We limit access to your personal data to those employees, agents, contractors and other third parties on a “need to know” basis. We have procedures in place to identify and respond to data security breaches. We will notify you and any data protection authority of a breach where we are legally required to do so.
6. How long will we keep your personal data?
Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected, subject to satisfying any legal, accounting or reporting requirements.
KWM has a document retention and deletion policy. At the end of any retention period, your data will either be deleted completely or anonymised (for example, by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning).
In some circumstances, you can ask us to delete your data.
7. Who do we share your personal data with?
KWM may share your personal data with a number of third parties (who may act as “data processors” or “joint data controllers”) in the course of providing our services. These may include, but are not limited to:
- IT service providers;
- Various professional experts, including accountants and tax advisers;
- Document management services;
- Regulators or tax authorities.
We employ the services of third parties to assist us with website hosting. We use a company Oktopost to manage our social media communications across multiple channels (including Twitter, LinkedIn and Facebook). Oktopost processes and stores data on the Amazon Web Services (“AWS”) servers that it licenses. We have tracking scripts on our website that allow us to attribute web browsing activity and social media engagement with a contact record in our customer records management system, OnePlace.
In relation to the recruitment of new workers, KWM use a third party provider, PageUp for certain aspects our recruitment activities in some jurisdictions.
KWM requires that all third parties that act as “data processors” for us provide sufficient guarantees to implement appropriate technical and organisational measures, only process personal data for specified purposes and have committed themselves to confidentiality.
8. Where your data may be processed
To facilitate our global operations, KWM may transfer, store and process your information within our group of law firms around the world or with various parties as described in section 7. A list of countries in which we operate can be found on our website.
For those individuals residing in the European Economic Area (EEA), this may sometimes involve the transferring of your personal information out of the EEA. Laws in these countries may differ from the laws applicable to your country of residence. Where we transfer, store and process your data outside of the EEA we have ensured that appropriate safeguards are in place to provide an adequate level of data protection. This may be by way of an adequacy decision of the European Commission confirming an adequate level of data protection in the respective non-EEA country or by way of an agreement containing EU Model Clauses (a set of clauses issued by the European Commission). Further information on these EU Model Clauses and the rights they provide to data subjects can be found on the European Commission website.
Please contact us if you require further information on the specific mechanism used by us when transferring your personal data outside of the EEA.
For those individuals residing in Japan, this may sometimes involve the transferring of your personal data out of Japan. We will not disclose personal data to a third party without obtaining your prior consent, except where otherwise permissible under the PIPA.
Personal data collected on KWM Website
The KWM website is hosted on Microsoft Azure servers in Mainland China and Hong Kong. We use a third party supplier, Avanade, who support the hosting and maintenance of the website application, Sitecore. Personal data that you provide us with on our website (such as a request for newsletters) is transferred directly to our Australian and Hong Kong customer records management system.
9. Direct marketing
There are several ways you can stop receiving direct marketing communications from us. Click the ‘unsubscribe’ or ‘opt-out’ link in any email communication that we send you, or email us at [email protected]. Please note that you may continue to receive communications for a short period after changing your preferences while our systems are fully updated. In relation to any third-party marketing, we will get your express opt-in consent before we share your personal data with any company outside KWM for any marketing purposes.
10. What are your rights over your personal data?
You have a number of rights in relation to the personal data that we hold about you. These rights are subject to certain exemptions and do differ across the jurisdictions in which KWM operates.
Request access to the personal data we hold about you
Subject to any applicable exceptions, we will provide you with a copy of your personal data within the timescales set out in relevant legislation. For EU residents, we will do this for no fee, in accordance with applicable legislation.
Right to rectification
If the information we hold about you is inaccurate, you have the right to have this information rectified.
Right to erasure / ‘Right to be forgotten’
You can ask us to delete or remove your information in certain circumstances. For EU residents, whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent. In cases where we are processing your personal data on the basis of our legitimate interests, you can ask us to stop processing your data for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data.
Right to data portability
In certain circumstances, you may have the right to obtain your personal data in a structured, commonly used and machine readable format and to reuse it elsewhere or ask us to transfer it to a third party of your choice.
Right to object
In certain circumstances, you have a right to object to processing being carried out by us. Where personal data is being processed for direct marketing purposes, you have a right to object at any time
Rights in relation to automated decision-making and profiling
In certain circumstances, you have a right not to be subject to a decision which is based on automated processing where the decision will produce a legal effect or a similarly significant effect on you.
To protect the confidentiality of your information, we will require you to verify your identity before proceeding with any request. If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.
11. Links to third party websites
Our website may contain links to third party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. If you follow a link to any third party website, please be aware that these websites have their own privacy notices or policies and we do not accept any responsibility or liability for their data processing activities.
12. Contact us
We hope this Privacy Statement has been helpful in setting out the way we handle your personal data and your rights to control it. This Privacy Statement sets out most of your rights under relevant laws, but not necessarily every right you have.
If you have any concerns, requests, complaints or questions that haven’t been covered, please contact our Group Privacy Officer who will be pleased to help you:
Email us on [email protected], or write to us at:
KWM Group Privacy Officer, KWM Europe LLP, King & Wood Mallesons, 11th Floor, 20 Fenchurch Street, London EC3M 3BY, United Kingdom
KWM Australia, Level 61, Governor Phillip Tower, 1 Farrer Place, Sydney NSW 2000, Australia
For those individuals residing in Japan:
King & Wood Mallesons, Gojinsha Tokyo Nagatacho Bldg 4F, 11-28, Nagatacho 1-chome, Chiyoda-ku, Tokyo, Japan | 100-0014 +81-3-3580-8680.
You have a right to make a complaint to the relevant data protection authority (“DPA”) at any time. We would appreciate the chance to understand your concerns in the first instance before your contact the DPA however.
Data Protection Authorities
United Kingdom: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Germany: Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit - Husarenstr. 30 - 53117 Bonn
Belgium: Commissie voor de bescherming van de persoonlijke levenssfeer, Rue de la Presse 35, 1000 Brussels
Spain: Agencia Espanola de Proteccion De Datos - C / Jorge Juan, 6. 28001 - Madrid
Italy: Garante per la Protezione dei Dati Personali, Piazza di Monte Citorio, 121 – 00186 Roma
Rest of World
Australia: Office of the Australian Information Commissioner (OAIC), GPO Box 5218, Sydney, NSW 2001
Hong Kong: Privacy Commissioner for Personal Data, 12/F, Sunlight Tower, 248 Queen’s Road East, Wanchai, Hong Kong
14. Changes to this Privacy Statement and your duty to inform us of any changes to your personal data
This Privacy Statement was last updated on 19 October 2018. Previous versions can be obtained by contacting us. Should any substantive or material change be made to this Privacy Statement, we will notify you.
It is important that the personal data that we hold about you is accurate and current. Please keep us informed if any of the personal data you have provided us with changes during your relationship with us.