Information Collected by Law Firms & GDPR Considerations

What kinds of info do regulation companies gather that could be topic to the GDPR?

Legislation companies sometimes gather private information topic to the GDPR within the following 5 contexts:

Worker information. If a regulation agency has staff within the European Union, the human useful resource information that it collects about these staff is almost certainly topic to the GDPR. Such information can also be topic to nationwide employment privateness laws of the related Member State.

Knowledge about potential purchasers. Most regulation companies gather private details about potential or potential purchasers. Such information is usually used to focus on potential purchasers, plan pitches, tailor responses to requests for proposals, or ship direct advertising and marketing. Private information about potential purchasers could also be topic to the GDPR whether it is processed within the context of an institution in Europe (e.g., a European workplace of a regulation agency), or if the info is used to market to people positioned inside Europe. Moreover, direct advertising and marketing actions to potential or potential purchasers in Europe can also fall below the applying of the EU ePrivacy Directive 2002/58/EC, which imposes extra consent necessities.

Knowledge in regards to the regulation agency’s purchasers. Most regulation companies gather private details about their purchasers, or about people that work for his or her purchasers. Such information is usually utilized by a regulation agency for quite a lot of functions together with working conflicts, sending out invoices, accumulating cash owed to the regulation agency, transmitting advertising and marketing, and speaking with purchasers about initiatives and engagements. Private information about current purchasers could also be topic to the GDPR whether it is processed within the context of a European institution of the regulation agency (e.g., if the matter is dealt with out of a European workplace of the agency) or if the shopper (to the extent that the shopper is a person, corresponding to a non-public shopper) is positioned inside Europe.

Knowledge obtained from purchasers for use in a illustration. Purchasers usually transmit to their regulation agency private information that’s related to a specific matter or illustration. For instance, if a shopper retains a regulation agency to defend it along side a sexual harassment lawsuit introduced by an worker, the shopper would possibly transmit details about the worker, her supervisors, or her colleagues. Such information can be topic to the GDPR whether it is processed within the context of a European institution of the regulation agency (e.g., if the matter is dealt with out of a European workplace of the agency). It’s also attainable that if a non-public shopper (e.g., a person versus an organization) that’s positioned in Europe transmits details about themselves for use in a illustration, that information can be topic to the GDPR. So, for instance, if a shopper gives private details about a 3rd particular person to their European lawyer in relation to a possible crime, contract violation, or request for authorized recommendation, that info could be ruled by the GDPR.[1]

Knowledge from different sources for use in a illustration. Attorneys usually obtain private information from third events that could be related to a specific illustration. For instance, in the USA an lawyer could serve a doc request on an opposing get together or a subpoena on a 3rd get together that asks for private information that could be related to litigation. Such information could also be topic to the GDPR whether it is processed within the context of a European institution of the regulation agency (e.g., if the matter is dealt with out of a European workplace of the agency).

Are regulation companies thought of “processors” or “controllers” of the non-public information that they obtain from purchasers as a part of a illustration?

It relies upon.

Many legal professionals (and purchasers) incorrectly assume that attorneys have to be processors as a result of they’re service suppliers of their purchasers. In some conditions, a service supplier has a job in figuring out the needs and technique of processing; when that happens the service supplier is, like its shopper, thought of a “controller” or a “joint controller.”

The Article 29 Working Social gathering took the place that if a service supplier has a “conventional position {and professional} experience” that required it to find out the aim and technique of processing, that unbiased experience may convert the service supplier right into a controller. They particularly famous that in conditions through which a “barrister represents his/her shopper in court docket, and in relation to this mission, processes private information associated to the shopper’s case” the barrister is a controller.[2] Their logic seems to be that the instruction {that a} shopper gives to their lawyer is just not essentially to course of information, however, relatively, to characterize the shopper’s curiosity earlier than a court docket. As a result of the processing of information is an ancillary perform that’s wholly (or partially) decided by the lawyer unbiased from the shopper, the attorneys’ processing must be conceptualized as that of a controller.

The UK ICO – the supervisory authority for the UK – reached an analogous conclusion within the context of discussing whether or not a solicitor could be a processor or a controller. The ICO advised {that a} solicitor/lawyer must be thought of a controller within the following conditions:

Advising purchasers as to authorized rights vis-a-vis information topics. An lawyer must be thought of a controller when she or he receives private information a few third get together as a way to advise the shopper regarding its rights vis-a-vis the third-party information (e.g., a shopper shares private information a few former salesman that stole shopper info).[3]

The view of the ICO was echoed by The Bar Council of England and Wales, which said in a memorandum that “[f]or the avoidance of doubt, self-employed barristers are information controllers of their shopper’s information. They don’t seem to be information processors.”[5]

In Germany, the nationwide Council of Knowledge Safety Commissioners (Datenschutzkonferenz) have taken an analogous strategy and confirmed that attorneys are performing as controllers when processing private information of their purchasers.[6]

The steerage of the Article 29 Working Social gathering, the UK ICO, the UK Bar Council, and the German Council of Knowledge Safety Commissioners leaves open the chance that in some conditions an lawyer may, nevertheless, act as a processor and never a controller. For instance, if a shopper retained a regulation agency for the specific function of processing information (e.g., conducting doc evaluate or internet hosting a doc room), and offered particular route and management concerning how the info was to be processed (e.g., the shopper chosen or permitted the kind of software program that might be used throughout a doc evaluate and the way the paperwork could be saved and processed) an argument may very well be made that the lawyer is, in reality, functioning as a processor and never as a controller. Even in conditions through which it seems that a shopper has offered particular instructions and retains a big diploma of management, a regulation agency should still discover itself performing as a controller with regard to information whether it is required to course of information outdoors of these shopper directions as a way to adjust to regulatory or skilled obligations.[7] For instance, an argument may very well be made {that a} regulation agency acts as a controller of information whether it is required to (i) perform inner conflicts and different regulatory checks on new shopper issues or to undertake applicable shopper due diligence in accordance with anti-money laundering legal guidelines; (ii) topic to duties of confidentiality and privilege, cooperate with regulators and different public authorities (together with by responding to regulatory requests for info; endeavor inner investigations and complying with reporting and different skilled obligations), or (iii) disclose private information over a shopper’s objection to a court docket throughout the course of litigation.

If a regulation agency is a controller of the non-public information that it receives from a shopper as a part of a illustration is it a “separate controller” or a “joint controller?”

A joint controller is outlined inside the GDPR as “two or extra controllers” that “collectively decide the needs and technique of processing.”[8]

There’s appreciable ambiguity surrounding what it means to “collectively decide” the aim and technique of processing. Whereas regulatory authorities haven’t provided steerage as as to whether the time period does, or doesn’t, apply to attorneys/solicitors/barristers after they carry out providers on behalf of a shopper, the Article 29 Working Social gathering has advised within the context of barristers that they could view a joint controller relationship as unlikely, referring to them as “unbiased” controllers.[9] Equally the UK ICO – the supervisory authority for the UK – additionally implied as a part of a dialogue of information topic rights that lawyer solicitors will not be joint controllers by stating {that a} shopper and a solicitor “every have their very own information controller obligations.”[10]

One of many defining sensible traits of joint controllers is that they allocate “their respective obligations for compliance” with the GDPR between and amongst themselves.[11] Put otherwise, when two corporations are separate controllers, every firm is chargeable for independently fulfilling all the necessities imposed by the GDPR. When two corporations are joint controllers, the businesses can agree by contract to allocate and distribute these obligations in order that the entities when considered collectively deal with all the GDPR obligations, but when the entities had been considered in isolation one, or each, is likely to be out-of-compliance. As a sensible matter, subsequently, whether or not a regulation agency and its shopper are separate controllers or joint controllers could also be decided by whether or not the regulation agency is relying upon its shopper to fulfill an obligation of the GDPR on the regulation agency’s behalf, or whether or not the shopper is relying upon the regulation agency to fulfill an obligation of the GDPR on its behalf. For instance, if the regulation agency’s processing of private info is premised upon the shopper having a lawful function, or the regulation agency intends to depend upon a report of processing stored by a shopper (e.g., the regulation agency doesn’t intend to maintain its personal report of processing), the regulation agency and shopper could also be performing as joint controllers. Conversely if the regulation agency’s processing of private info is premised upon its personal lawful function (e.g., the regulation agency’s reliable curiosity in representing its shopper), and the regulation agency has processes in place to conform in its personal regard to the obligations of the GDPR (e.g., sustaining its personal report of processing) its actions could be per these of a separate controller.

Are barristers and solicitors “separate controllers” or “joint controllers?”

A joint controller is outlined inside the GDPR as “two or extra controllers” that “collectively decide the needs and technique of processing.”[12]

There’s appreciable ambiguity surrounding what it means to “collectively decide” the aim and technique of processing. Authorized skilled organizations in some international locations have indicated that barristers and solicitors hardly ever perform as joint controllers when concerned within the illustration of a matter. For instance, The Bar Council within the UK has taken the next place:

Article 26 applies solely the place “two or extra controllers decide the aim and technique of processing”. Aside from in distinctive circumstances, this won’t be the case in relation to a barrister and their instructing solicitor regarding a typical set of directions or a typical temporary. As an alternative, the barrister will (and can be professionally obligated to) kind their very own opinion as how the non-public information must be used, hand and the place it must be saved, and as to the interval for which it must be retained. The barrister and the solicitor will subsequently be processing a pool of information “independently of one another”, and won’t be joint controllers.”[13]

Whereas conditions through which a barrister and a solicitor could also be joint controllers “are prone to be uncommon” they’re, nevertheless, not inconceivable.[14] For instance, it could be attainable that if a barrister or a solicitor are collectively concerned within the “drafting of letters or witness statements,” they kind a joint controller relationship. Even in that state of affairs, nevertheless, if one of many events may have independence regarding the use, retention, or deletion of the info a joint controller relationship is unlikely to kind. [15]

Are regulation companies thought of “processors” or “controllers” of the non-public information that they gather from third events as a part of a illustration of a shopper?

A regulation agency will almost certainly be thought of a controller when processing private information from third events as a part of a illustration of a shopper (e.g., when accumulating info from a witness).

Whereas it’s theoretically attainable {that a} regulation agency could perform as a processor by accumulating private information from a 3rd get together on behalf of a shopper, in most conditions through which regulation companies are retained the agency determines (both independently or collectively with its shopper) the kind of information that must be collected, how it will likely be used, and the way it will likely be processed. That stage of management would seemingly be considered by most supervisory authorities as indicating {that a} regulation agency is functioning as a controller.

[1] See, UK Info Commissioners Workplace, Knowledge Controllers and Knowledge Processors: What the Distinction Is and What the Governance Implications Are (2014) at ¶¶ 40-43. Observe that whereas this steerage predated the GDPR, the applying of the underlying precept because it impacts processing within the context of a lawyer’s institution in Europe is per the territorial scope of the GDPR.

[2] Article 29 Knowledge Safety Working Social gathering, WP169: Opinion 1/2010 on the ideas of ‘controller’ and ‘processor” at 28 (Feb. 16, 2010).

[3] UK ICO, “Knowledge Controllers and Knowledge Processors: What the Distinction Is and What the Governance Implications Are” at 12-13.

[4]Id.

[5]See Memorandum issued by UK Bar Council on April 2018 (final considered eight October 2020).

[6]See Datenschutzkonferenz, Kurzpapier Nr. 13, Auftragsverarbeitung, Artwork. 28 DS-GVO (16 January 2018), p.4.

[7] For instance, whereas a barrister that’s on secondment at a solicitor’s agency would possibly in some occasion be thought of a processor of the solicitor, The Bar Council of the UK has cautioned that the barrister should still must “train their independence” both to carry out their work or to adjust to their obligations below their skilled code of conduct. Because of this, even whereas below secondument a barrister should still be thought of a “information controller.” See Memorandum issued by UK Bar Council on April 2018 (final considered eight October 2020).

[8] GDPR, Artwork. 26(1).

[9] Article 29 Knowledge Safety Working Social gathering, WP169: Opinion 1/2010 on the ideas of ‘controller’ and ‘processor” at 28 (Feb. 16, 2010) (emphasis added).

[10] UK ICO, “Knowledge Controllers and Knowledge Processors: What the Distinction Is and What the Governance Implications Are” at 13.

[11] GDPR, Artwork. 26(1).

[12] GDPR, Artwork. 26(1).

[13] See Memorandum issued by UK Bar Council on Might 2018 (final considered eight October 2020).

[14] Id. at ¶ 7.

[15] Id.