Privacy notice

In summary...

We use your personal data to provide legal advice and related services (including marketing communications, where you have requested them), manage our business, recruit new staff, comply with our legal obligations, and improve and monitor the performance of our digital platforms
We may add your personal data to our global contact database managed by Eversheds Sutherland (International) LLP ("Eversheds Sutherland"), and used by the Eversheds Sutherland network of firms, especially if you're a client or prospective client
We have measures in place to safeguard your personal data when we transfer it outside the European Union
We take steps to minimise the amount of personal data we hold about you and to keep it secure
We delete your personal data when we no longer need it, and we have policies in place to govern when that is
You have a number of rights in relation to your personal data
We are happy to answer your questions about any of the above – please send them to datagovernance@eversheds-sutherland.com

For further details about how we process your personal data you can read the appropriate Privacy Notices below:

Who are you?

I am…

a client, prospective client, someone who has signed up to receive marketing communications from Eversheds Sutherland or just browsing the Eversheds Sutherland website

Last updated: May 2022

Quickly find what you’re looking for by clicking the links below:

About this notice
What types of personal data do we collect and where do we get it from?
What do we do with your personal data, and why?
Who do we share your personal data with, and why?
Where is your personal data transferred to?
How do we keep your personal data secure?
How long do we keep your personal data for?
What are your privacy rights and how can you exercise them?
Purposes for processing personal data
Purposes for processing special categories of personal data

About this notice

This Privacy Notice applies to the Eversheds Sutherland network of law firms except for the ES entities in Austria, Finland, Hungary, Ireland, Italy, Sweden and Switzerland, which have their own Privacy Notices that apply instead.

This notice explains how and why your personal data is processed by the Eversheds Sutherland network of law firms when we provide you with legal and related services, when you use our websites and other digital platforms, and when we send you marketing communications.

Eversheds Sutherland is a "controller" in relation to its use of your personal data. This is a legal term – it means that we make decisions about how and why we use your personal data and, because of this, we are responsible for making sure it is used in accordance with applicable data protection laws. The controller in respect of personal data processed in connection with the www.eversheds-sutherland.com website is Eversheds Sutherland (International) LLP. For the purposes of the other processing activities set out in this notice, the controller will be the relevant Eversheds Sutherland entity providing you and/or your organisation with legal services or any website or digital platform or sending you marketing communications. Click here for a list of the Eversheds Sutherland operating entities providing (or formerly providing) legal services and their contact details. (In limited circumstances, where we work with a consultant to provide you with legal advice, we and the consultant may be joint controllers of your personal data in relation to the consultant’s processing to provide legal advice to you. Where this is the case, it will be notified to you by the consultant. If you have any questions about our joint controllership with a consultant, or to exercise your rights in relation to personal data which is jointly controlled, please contact us as set out in this notice.)

In this notice, when we talk about personal data we mean any information that relates to an identifiable natural person – in this case, you.

You should read this notice, so you know what personal data we collect about you, what we do with it and how you can exercise your rights in connection with it. You should also read any other privacy notices that we give you, that might apply to our use of your personal data in specific circumstances from time to time. If you have any questions about this notice, please contact datagovernance@eversheds-sutherland.com .

What types of personal data do we collect and where do we get it from?

The personal information we process about you broadly falls into five main categories: (i) Contact Information; (ii) Identity and Other Regulatory Information; (iii) Matter and Billing Information; (iv) Marketing Preferences; and (v) Browsing and Device Usage Information.

We collect your personal information from various sources. The table below sets out the different types of personal information that we collect and the sources we collect it from.

Category	Types of personal data	Collected from
Contact Information	Name Address Telephone number Organisation details (e.g. your place of work, job title and organisation contact information)	You Publicly available resources
Identity and Other Regulatory Information	Date of birth Identification information (e.g. passport, utility bill and/or bank statement) Details of whether you are a politically exposed person (PEP)	You Third party systems used for our regulatory checks
Matter and Billing Information	Details relating to your matters or enquiries, including matter related communications with you Information about other people (e.g. your customers and/or staff) that you share with us in connection with your matters Information you provide to us when you come into an Eversheds Sutherland office (e.g. for a meeting) User IDs and passwords used by you in relation to our platforms and services You/your organisation’s billing, payment and banking details	You Advisors and other third parties working on your matters on our/your behalf, or those on the other side of the transaction or litigation
Marketing Preferences	Legal practice area interests Business industry sector interests Marketing communications preferences	You Publicly available information from online resources such as LinkedIn
Browsing and Device Usage Information	Information automatically generated through your use of our websites and other digital platforms IP address Information revealing the location of your electronic device	You and your use of our digital platforms

Please note that if you do not provide us with your Contact Information we may not be able to provide you with any information you request, and if you do not provide us with your Contact Information, Identity and Other Regulatory Information or certain Matter and Billing Information, we will not be able to act for you.

What do we do with your personal data, and why?

We use your personal data for a number of different purposes. We must always have a “lawful basis” (i.e. a reason, prescribed by law) for processing your personal data. The Personal data purposes table below sets out the purposes for which we process the different categories of your personal data and the corresponding lawful basis for that processing.

The purposes applicable to you will vary according to the relevant Eversheds Sutherland controller of your personal data (as explained in the introductory paragraph above). For some processing activities, we consider that more than one lawful basis may be relevant – depending on the circumstances.

We also process certain special categories of personal data (including details relating to your health when you visit our premises) and information relating to your criminal record where applicable, which require a higher standard of protection under applicable laws. For these special categories of personal data, different lawful bases apply. The Special categories of personal data purposes table below sets out the different purposes for which we process special categories of personal data about you and the relevant lawful basis on which we rely for that processing. The purposes applicable to you will vary according to the relevant Eversheds Sutherland controller of your personal data (as explained in the introductory paragraph above). For some processing activities, we consider that more than one legal basis may be relevant – depending on the circumstances. We also have policies in place explaining our procedures for ensuring compliance with applicable laws in connection with the processing of special categories of personal data.

Cookies and similar technologies

For more information regarding how we use cookies and similar technologies in connection with your use of our platforms, please read our Cookies Policy .

Who do we share your personal data with, and why?

Sometimes we share your personal data with third parties where permitted by law, including the following:

other companies in or branches or offices of the Eversheds Sutherland network of firms in connection with our business strategy and client targeting programmes and where necessary for us to provide you with multi-jurisdictional legal advice. For example, if you are a client or prospective client, we may add your personal data to our global client contact database which is available to lawyers across the Eversheds Sutherland network. You can find a list of the countries in which we operate here
barristers, other law firms and courts, as applicable in the context of the legal services we provide to you;
courts and other judicial or official bodies, where we are asked to respond to an order or other binding requests;
regulatory bodies and law enforcement agencies, where necessary for any investigations or to respond to enquiries in relation to our compliance with applicable law or regulations or in connection with criminal investigations, or where otherwise permitted or required by applicable law; and
professional advisors (such as third party law firms and accountants) and other third parties in connection with our legitimate business activities.

These organisations may use your personal data as a “controller” – they will have their own privacy notices which you should read, and they have their own responsibilities to comply with applicable data protection laws.

We also ask third party service providers to carry out certain business functions for us. These include:

IT support, cloud platform and data hosting providers who help us with the operation of our websites, mobile applications, data rooms, document and workflow management systems and other systems and applications;
third party debt recovery organisations where we need to recover any money owed to us;
marketing service providers, including companies who send out surveys and marketing communications on our behalf; and
survey providers who help collate client feedback for us.

We will have in place an agreement with our service providers which will restrict how they are able to process your personal data and impose appropriate security standards on them.

Where is your personal data transferred to?

Since Eversheds Sutherland is a network of different law firms operating globally, we will sometimes need to transfer your personal data to recipients in jurisdictions other than your own. Some of these jurisdictions may not provide the same level of protection to your personal data as provided in your jurisdiction. If we transfer your personal data outside the European Union or the United Kingdom, we will only make that transfer if:

that country ensures an adequate level of protection for your personal data;
the recipient or recipient country is subject to an approved certification mechanism or code of conduct with binding and enforceable commitments which amount to appropriate safeguards for your personal data; or
we have put in place appropriate safeguards to protect your personal data, such as a contract with the person or entity receiving your personal data which incorporates specific provisions as directed by the European Commission;
the transfer is permitted by applicable laws; or
you explicitly consent to the transfer;

If you would like to see a copy of any relevant safeguards used by us to protect the transfer of your personal data, please contact datagovernance@eversheds-sutherland.com .

How do we keep your personal data secure?

We will put in place appropriate security measures to protect your personal data from unlawful or unauthorised processing and accidental loss, destruction or damage.

However please note that, in relation to any personal data you submit to us online, we cannot guarantee the security of data sent to us in this way. Transmission of data over the internet is at your own risk. You are responsible for keeping any passwords you use to access Eversheds Sutherland platforms safe.

How long do we keep your personal data for?

We will only retain your personal data for a limited period of time, and for no longer than is necessary for the purposes for which we are processing it for. This will depend on a number of factors, including:

any laws or regulations that we are required to follow;
whether we are in a legal or other type of dispute with each other or any third party;
the type of information that we hold about you; and
whether we are asked by you or a regulatory authority to keep your personal data for a valid reason.

What are your privacy rights and how can you exercise them?

Where our processing of your personal data is based on your consent (see Personal data purposes table below ), you have the right to withdraw your consent at any time. If you do decide to withdraw your consent we will stop processing your personal data for that purpose, unless there is another lawful basis we can rely on – in which case, we will let you know.

Where our processing of your personal data is based on the legitimate interests lawful basis (see Personal data purposes table below ), you can object to this processing at any time. If you do this, we will need to show either a compelling reason why our processing should continue, which overrides your interests, rights and freedoms or that the processing is necessary for us to establish, exercise or defend a legal claim.

Where we are processing your personal data for direct marketing purposes, you have the right to object to that processing.

Depending on the circumstances, you may have the right to:

access your personal data and to be provided with certain information in relation to it, such as the purpose for which it is processed, the recipients or categories of recipient to whom it is disclosed and the period for which it will be stored;
require us to correct any inaccuracies in your personal data without undue delay;
require us to erase your personal data;
require us to restrict processing of your personal data;
receive the personal data which you have provided to us, in a machine readable format, where we are processing it on the basis of your consent or because it is necessary for your contract with us and where the processing is automated; and
object to a decision that we make which is based solely on automated processing of your personal data.

Please contact us at datagovernance@eversheds-sutherland.com if you would like to exercise any of your privacy rights.

We also encourage you to let us know if you have any concern about how we are processing your personal data so we can try to resolve your concerns. However, if you consider that we are in breach of our obligations under data protection laws, you are always entitled to submit a complaint with your data protection supervisory authority – for contact details see here .

Purposes for processing personal data

	Lawful basis
Purposes of processing	Your consent	To perform a contract with you	To comply with a legal obligation	For our legitimate interests
Providing Legal Advice and Related Services
Responding to your enquiries				(It is important that we can respond to your enquiries)
Establishing you/your organisation as a client on our systems
Providing you/your organisation with legal advice, training and other services and/or products you may have requested from us
Producing reports and narratives to cover how we have spent our time in relation to your matter(s)				(We need to be able to properly record and account for our service-related activities as part of our general business planning and management)
Taking payment from you in respect of our services
Hosting you at our offices and providing hospitality services				(We need to be able to host our clients and prospective clients effectively)
Sharing relevant know-how and solicited legal updates with you and sending you service-related communications				(As part of providing a high quality legal service, we need to keep our clients updated with the latest relevant legal developments)
Sending you electronic direct marketing communications
Analysing how our electronic marketing communications are used by you (including whether you open them and click through to access their contents)				(We need this information to ensure we are providing you with information that you are interested in)
Conducting surveys for benchmarking, continuous improvement and marketing purposes				(We need to collect your feedback in relation to our services, in order to resolve any problems or complaints and improve and innovate)
For our general record-keeping and client relationship management				(As a law firm, we need to store client related files so we can refer back to them)
Managing our business relationship with you resolving any complaints from or disputes with you				(We need to be able to try and maintain our position of being your trusted advisor and resolve any complaint or dispute you might raise with us)
Managing and administering the user accounts and profiles you have with us, collecting information about how you use them and your preferences and tailoring and improving our services accordingly				(We need to tailor our services in accordance with feedback and preferences)
Resolving any complaints from or disputes with you				(We need to be able to try and resolve any complaint or dispute you might raise with us)
Legal and Regulatory Compliance and Reporting
Performing identity, financial and credit searches, screening and checks against third party sources for anti-money laundering, identity verification, client conflicts and anti-trust purposes
Conducting client conflict checks (not required by law) to confirm we can provide services to you				(We need to make sure that it is appropriate for us to act for you, taking account of our other clients)
Monitoring our systems and processes to identify, record and prevent fraudulent, criminal and/or otherwise illegal activity				(We need to be able to monitor our systems in this way to help protect them, us and you from illegal activity)
Complying with instructions, orders and requests from law enforcement agencies, any court or otherwise as required by law
Complying with our general regulatory and statutory obligations (including our responsibilities under codes of conduct and anti-bribery laws)
General Business Requirements
Managing, planning and delivering our global business and marketing strategies (including recording and reporting on our business development activities)				(As a global law firm, we need to implement effective business development and marketing strategies)
Purchasing, maintaining and claiming against our insurance policies				(It is in our interests to protect our business against specified losses)
Training our staff				(Sometimes, it is appropriate for us to use your personal information so that we can provide our staff with training to manage risk and improve the quality of our services)
Continuously reviewing and improving our products and services (including by seeking and obtaining your feedback) and developing new ones				(We have a legitimate interest in making sure that we are continuously improving our service offering)
Complying with instructions from our clients in relation to their regulatory obligations (including recording our telephone communications with you)				(Sometimes, we may need to record calls to our teams to assist with our clients’ regulatory obligations, and for training and quality purposes)
Obtaining legal advice, establishing, defending and enforcing our legal rights and obligations in connection with, any legal proceedings (including prospective legal proceedings)				(We must be able to establish and defend our legal rights and understand our obligations, and seek legal advice in connection with them)
Monitoring and producing statistical information regarding the use of our platforms, and analysing and improving their functionality				(We need to perform this routine monitoring to make sure our platforms work properly, analyse how they are used and improve them)
Managing the proposed sale, restructuring, transfer or merging of any or all part(s) of our business, including to respond to queries from the prospective buyer or merging organisation				(We have a legitimate interest in being able to sell any part of our business)
Maintaining the security and integrity of our systems, platforms, premises and communications (and detecting and preventing actual or potential threats to the same)				(We need to make sure that our business processes are secure)
Managing, publicising and participating in corporate social responsibility initiatives				(We need to ensure our CSR initiatives are properly managed)

Purposes for processing special categories of personal data

Purposes of processing	Special category lawful basis We are permitted to process your personal data because…
Purposes of processing	You have given your explicit consent to the processing	It is necessary to protect somebody’s vital interests or they are incapable of giving consent	It is necessary for the establishment, exercise or defence of legal claims	It is necessary for reasons of substantial public interest
Hosting you at our offices and providing hospitality services	(for your dietary and access requirements)	(in case of accidents or emergencies at our offices)
Providing legal advice to our clients
Investigating, evaluating, demonstrating, monitoring, improving and reporting on our compliance with relevant legal and regulatory requirements (such as anti-money laundering and client verification checks)
Complying with (or assisting others’ compliance with) regulatory requirements involving steps being taken to establish the existence of any unlawful act, dishonesty, malpractice or other seriously improper conduct
Complying with our general regulatory and statutory obligations
Responding to binding requests or search warrants or orders from courts, governmental, regulatory and/or enforcement bodies and authorities or sharing information (on a voluntary basis) with the same
Obtaining legal advice, establishing, defending and enforcing our legal rights and obligations in connection with, any legal proceedings (including prospective legal proceedings)

applying (or enquiring) to become an employee, partner, staff, contractor, consultant, temporary or agency worker at Eversheds Sutherland

Last updated: May 2022

Quickly find what you’re looking for by clicking the links below:

About this notice
Eversheds Sutherland’s data protection responsibilities
What types of personal data do we collect and where do we get it from?
What do we do with your personal data, and why?
Automated decision-making
Anonymised and aggregated data
Sensitive personal data (including criminal data)
Who do we share your personal data with, and why?
Where in the world is your personal data transferred to?
How do we keep your personal data secure?
How long do we keep your personal data for?
What are your rights in relation to your personal data and how can you exercise them?
Categories of personal data
Purposes for processing personal data
Purposes for processing sensitive personal data
Individuals' rights

About this notice

This Privacy Notice applies to the Eversheds Sutherland network of law firms except for the ES entities in Austria, Czech Republic, Finland, Hungary, Italy, Slovakia, Sweden and Switzerland, which their own Privacy Notices that apply instead.

This notice explains how and why Eversheds Sutherland uses personal data about individuals who apply (or enquire about applying) to become our employees, partners, staff, contractors, trainees, officers, consultants, work experience students, vacation scheme students, apprentices and temporary or agency workers (referred to as “ applicants ” or “ you ”). You should read this notice, so you know what we are doing with your personal data. Please also read any other privacy notices that we give you, that might apply to our use of your personal data in specific circumstances in the future. For example, if you are successful in your application you should read our HR Privacy Notice when you join us.

For the purposes of this notice, the controller will be the Eversheds Sutherland entity that you are applying for a role with (the controller is also referred to in this notice as “ Eversheds Sutherland ”, “ ES ” “ we ”, “ our ” and “ us ”). Click here for a list of the Eversheds Sutherland operating entities and their contact details.

This notice does not form part of any contract between us and you (including any contract of employment that may be offered or any other services contract).

Eversheds Sutherland’s data protection responsibilities

“ Personal data ” is any information that relates to an identifiable natural person. Your name, address, contact details, salary details and CV are all examples of your personal data, if they identify you.

The term “ process ” means any activity relating to personal data, including, by way of example, collection, storage, use, consultation and transmission.

Eversheds Sutherland is a “ controller ” of your personal data. This is a legal term – it means that we make decisions about how and why we process your personal data and, because of this, we are responsible for making sure it is used in accordance with data protection laws.

What types of personal data do we collect and where do we get it from?

We collect many different types of personal data about you for lots of reasons. We cannot administer your application without your personal data. Where we don’t need your personal data, we will make this clear, for instance we will explain if any data fields in our application forms are optional and can be left blank.

Further details of the personal data we collect and where we get it from are set out at Schedule ‎1.

As you can see from the table at Schedule ‎1 , we collect your personal information from you directly and sometimes we obtain it from other people and organisations, including some public sources, such as publicly available directories and online resources, your emergency contacts, your use of Eversheds Sutherland provided assets, systems and platforms, your line manager and co-workers, your dependants and beneficiaries, third party benefits providers.

If any of the personal information you have given to us changes, such as your contact details, please inform us without delay by contacting recruitment@eversheds-sutherland.com.

What do we do with your personal data, and why?

We process your personal data for particular purposes in connection with your application or engagement with us, and in connection with the management and administration of recruitment activities and strategies.

We are required by law to always have a “lawful basis” (ie a reason or justification) for processing your personal data. There are six lawful bases for processing – they are set out in the law, and they are where:

the individual has given his or her consent to the processing;
the processing of the individual’s personal data is necessary to perform a contract with that individual or to take steps at the request of the individual before entering into a contract;
the processing is necessary to comply with a legal obligation to which we are subject;
the processing is necessary in order to protect the vital interests of an individual;
the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us; and
the processing is necessary for our legitimate interests, provided those interests are not overridden by the individual’s interests, rights or freedoms.

The table at Schedule ‎2 sets out the different purposes for which we process your personal data and the relevant lawful basis on which we rely for that processing.

If you would like more information on any of the purposes for which we process your personal data, please contact the Risk team at datagovernance@eversheds-sutherland.com for more information.

Please note that:

where our processing is based on your consent, you can withdraw your consent at any time. If you do this, it won’t impact any processing we’ve done prior to that date.

where we process your personal data because it is necessary for our legitimate interests, you can object to our processing at any time. If you object, we will stop processing unless we can show you a compelling reason why the processing overrides your privacy rights or where the processing is for the establishment, exercise or defence of legal claims.

In addition, where we have indicated in Schedule ‎2 that our processing of your personal data is either:

necessary for us to comply with a legal obligation; or
necessary for us to take steps, at your request, to potentially enter into an employment contract with you, or to perform it,
and you choose not to provide the relevant personal data to us, we may not be able to enter into our contract of employment or engagement with you.

Automated decision-making

Sometimes, we may use your personal data for automated decision making (in other words, decision-making without any human involvement), for example when we set up automated alerts in our background checking processes.

If any of our automated decision-making has legal or other significant effects on you, we will only make those decisions if:

it is necessary for us to enter into or perform a contract with you; or
it is authorised by applicable law; or
we have your explicit consent.

Anonymised and aggregated data

We may also convert your personal data into statistical or aggregated form to better protect your privacy, or so that you are not identified or identifiable from it. Anonymised data cannot be linked back to you. We may use it to conduct research and analysis, including to produce statistical research and reports. For example, to help us understand which of our practice groups attract the most applicants.

Sensitive personal data (including criminal data)

We are required by law to treat certain categories of personal data with even more care than usual. These are called special categories of personal data – and in this notice, we refer to them as “ sensitive personal data ”. For these categories of personal data, different lawful bases apply.

The table at Schedule ‎3 sets out the different purposes for which we process your sensitive personal data and the relevant lawful basis on which we rely for that processing. For some processing activities, we consider that more than one legal basis may be relevant – depending on the circumstances.

Who do we share your personal data with, and why?

Sometimes we need to disclose your personal data to other people.

Inside the Eversheds Sutherland network

We are part of the Eversheds Sutherland network of law firms. Therefore, we may share your personal data with other entities in the Eversheds Sutherland network for our general recruitment analysis and workforce management purposes.

Access rights between members of the Eversheds Sutherland network are limited and granted only on a need to know basis, depending – for example – jurisdictions, departments, job functions and roles.

Where any Eversheds Sutherland entities process your personal data on our behalf (as our processor), we will make sure that they have appropriate security standards in place to make sure your personal data is protected and we will enter into a written contract imposing appropriate security standards on them.

Outside the Eversheds Sutherland network

From time to time we may ask third parties to carry out certain business functions for us, such as the administration of our payroll and our IT support. These third parties will process your personal data on our behalf (as our processor). We will disclose your personal data to these parties so that they can perform those functions. Before we disclose your personal data to other people, we will make sure that they have appropriate security standards in place to make sure your personal data is protected and we will enter into a written contract imposing appropriate security standards on them. Examples of these third party service providers include service providers and/or sub-contractors, include our outsourced payroll, HR and marketing service providers, and our IT systems software and maintenance, back up, and server hosting providers.

In certain circumstances, we will also disclose your personal data to third parties who will receive it as controllers of your personal data in their own right for the purposes set out above, in particular:

if we transfer, purchase, reorganise, merge or sell any part of our business or the business of a third party, and we disclose or transfer your personal data to the prospective seller, buyer or other third party involved in a business transfer, reorganisation or merger arrangement (and their advisors); and
if we need to disclose your personal data in order to comply with a legal obligation, to enforce a contract or to protect the rights, property or safety of our employees, clients or others.

We have set out below a list of the categories of recipients with whom we are likely to share your personal data:

consultants and professional advisors including legal advisors and accountants;
recruitment agencies appointed by us or you;
courts, court-appointed persons/entities, receivers and liquidators;
business partners and joint ventures;
trade associations and professional bodies;
insurers; and
governmental departments, statutory and regulatory bodies.

Where in the world is your personal data transferred to?

As we are an international network of law firms operating under a single brand, we may transfer your personal data to recipients that are established in jurisdictions other than your own. The data protection laws in these jurisdictions may not provide the same level of protection to your personal data as provided to it in your jurisdiction.

If you are employed or engaged by an Eversheds Sutherland entity in the United Kingdom or European Union and any disclosures of personal data referred to above require us to transfer your personal data from within the European Union to outside the European Economic Area, or from within the United Kingdom to outside the United Kingdom, we will only make that transfer if:

the country to which the personal data is to be transferred ensures an adequate level of protection for personal data;
we have put in place appropriate safeguards to protect your personal data, such as an appropriate contract with the recipient. Please contact our Data Protection Office at datagovernance@eversheds-sutherland.com if you wish to obtain a copy of these;
the transfer is necessary for one of the reasons specified in data protection legislation, such as the performance of a contract between us and you; or
you explicitly consent to the transfer.

How do we keep your personal data secure?

We will take specific steps (as required by applicable data protection laws) to protect your personal data from unlawful or unauthorised processing and accidental loss, destruction or damage.

How long do we keep your personal data for?

If you are our employee we will keep your personal data during the period of your employment and then, after your employment with us ends, for as long as is necessary in connection with both our and your legal rights and obligations. This may mean that we keep some types of personal data for longer than others.

We will only retain your personal data for a limited period of time. This will depend on a number of factors, including:

any laws or regulations that we are required to follow;
whether we are in a legal or other type of dispute with each other or any third party;
the type of information that we hold about you; and
whether we are asked by you or a regulatory authority to keep your personal data for a valid reason.

Please contact our Data Protection Office at datagovernance@eversheds-sutherland.com to request a copy of our Data Retention Policy.

What are your rights in relation to your personal data and how can you exercise them?

You may have certain legal rights in relation to your personal data, particularly where the Eversheds Sutherland entity you are applying to is based in the United Kingdom or European Union which are summarised at Schedule 4, in relation to any personal data about you which we hold.

Where our processing of your personal data is based on your consent (see Schedule ‎2), you have the right to withdraw your consent at any time. If you do decide to withdraw your consent we will stop processing your personal data for that purpose, unless there is another lawful basis we can rely on – in which case, we will let you know. Your withdrawal of your consent won’t impact any of our processing up to that point.

Where our processing of your personal data is necessary for our legitimate interests (see Schedule ‎2), you can object to this processing at any time. If you do this, we will need to show either a compelling reason why our processing should continue, which overrides your interests, rights and freedoms or that the processing is necessary for us to establish, exercise or defend a legal claim.

If you wish to exercise any of these rights please contact dataprotectionoffice@everhseds-sutherland.com in the first instance.

If you are based in the European Union or United Kingdom or you are applying for a position with an ES entity based in the European Union or United Kingdom, you also have the right to lodge a complaint with the relevant data protection supervisory authority – for contact details see here.

Updates to this notice

We may update this notice from time to time to reflect changes to the type of personal data that we process and/or the way in which it is processed. We will update you on material changes to this notice by email and we will publish revised versions of this notice on www.eversheds-sutherland.com.

Where can you find out more?

If you have any queries about how Eversheds Sutherland process your personal data, please contact the Risk team at datagovernance@eversheds-sutherland.com.

SCHEDULE ‎1

Categories of personal data

The table below sets out the different categories of personal data we collect and where we get it from (we’ve sorted them into groups, to make it more clear for you). As you can see, we collect your personal information from you directly and sometimes we obtain it from other people and organisations, including some public sources, such as publicly available directories and online resources, your emergency contacts, your use of Eversheds Sutherland provided assets, systems and platforms, your line manager and co-workers, your dependants and beneficiaries, third party benefits providers.

Types of personal data	Collected from
a) Contact Information
Name(s) Address(es) Email address(es) Contact details including mobile telephone number(s)	You
b) Personal Information
Date of birth Gender Next of kin or other dependants Marital or relationship status Lifestyle and social circumstances Emergency contact information If successful: Previous and offered salary, compensation and other benefits National insurance number and tax codes Bank account details	You Recruitment consultants and agencies Your previous employers
c) Identity and Background Information
LinkedIn profile and other available professional background information about you online Career history, experience and skills Passport information Driving licence information Psychometric test results Right to work, residency and/or other visa information (where unrelated to your race or ethnicity) Curriculum Vitae (CV) or resume Details of education, qualifications, results and certificates and other evidence of the same Image or photographs Application form Evaluative notes and decisions from job interviews Preferences relating to job location and salary Conflicts of interests (including where related to family networks) Background checks relating to credit history and criminal records (see also Sensitive Personal Data below)	You Recruitment consultants and agencies Your previous employers Publicly available information from online resources
d) Sensitive Personal Data (see section ‎5 for further information)
Racial or ethnic origin (including your nationality and visa information) Political opinions Religious or philosophical beliefs Trade union membership Data concerning physical and/or mental health (including occupational health requirements, accident reports, day-to-day health concerns such as diabetes or epilepsy conditions which we should be aware of, dietary requirements, allergies, drug and alcohol test results and reasons for any short term or long term absence) Sexual orientation Information relating to actual or suspected criminal convictions and offences	You Your emergency contact(s) Your use of Eversheds Sutherland security control systems
e)Recruitment Administration, Performance and Grievance Information
Offered terms and conditions of employment Working preferences and feedback in relation to Eversheds Sutherland and our staff Preference in relation to our use of your personal data Interview notes and associated feedback Complaints, grievance and employment tribunal information	You
f)Asset, Systems and Platform Usage and Communications Information
User IDs and password information IP addresses and device identifiers Relevant records of calls, telephone/video interviews, messages and/or internet or other data traffic and communications Access logs and usage records from application systems and other Eversheds Sutherland provided applications and technologies	You Your use of Eversheds Sutherland assets, systems and platforms
g)Security, Location and Access Information
Information captured or recorded by electronic card access systems, CCTV and other security control systems	You Your use of Eversheds Sutherland security control systems

SCHEDULE ‎2

Purposes for processing personal data

The table below sets out the different purposes for which we process your personal data and the relevant lawful basis on which we rely for that processing.

For some processing activities, we consider that more than one lawful basis may be relevant – depending on the circumstances.

	Lawful basis We are permitted to process your personal data because...
Purposes of processing	You have given your consent to the processing (Please also see section ‎10.2)	It is necessary to perform your employment contract	It is necessary for us to comply with a legal obligation	It is necessary for our legitimate interests or those of third parties (Please also see section ‎10.3)	It is necessary to protect your vital interests (or those of someone else)
New joiner activities
Developing, operating and collecting feedback on recruitment activities and employee selection processes
Administering your application for a job with us and considering your suitability for the relevant role
Obtaining, considering and verifying your employment references and employment history
Reviewing and confirming your right to work
Conducting verification and vetting, including criminal background checks and credit checks where required by law (Note: Sensitive Personal Data, please also see Schedule ‎3)
Conducting background checks, credit checks, verification and vetting which are not required by law but needed by us to assess your suitability for your role (Note: May involve Sensitive Personal Data, please also see Schedule ‎3)
Making a job offer to you and entering into a contract of employment with you
Identifying and assessing our strategic business direction, resourcing needs and areas for development
Analysing recruitment and retention objectives, processes and employee turnover rates
Communicating with you and providing you with information in connection with your application or engagement with us from time to time
General staff administration, including workforce management and facilities operations
Managing our health and safety compliance obligations (Note: Sensitive Personal Data, please also see Schedule ‎3)
Determining whether any adjustments are necessary to enable you to carry out a role (Note: Sensitive Personal Data, please also see Schedule ‎3)
Considering your suitability for existing and future vacancies
Handling grievances and complaints, including investigating issues, considering appropriate resolution and mitigating actions and reviewing outcomes
Responding to feedback from you or your recruitment agent
Security and governance
Monitoring the security of Eversheds Sutherland’s physical premises and systems, networks and applications
Identifying and authenticating applicants and other individuals (Note: Sensitive Personal Data, please also see Schedule ‎3)
Identifying, investigating and mitigating suspected misuse of Eversheds Sutherland’s assets, systems and platforms (Note: Sensitive Personal Data, please also see Schedule ‎3)
Ensuring compliance with Eversheds Sutherland policies and procedures (Note: Sensitive Personal Data, please also see Schedule ‎3)
Legal and regulatory compliance and responsibilities
Managing and administering our equal opportunities reporting (Note: Sensitive Personal Data, please also see Schedule ‎3)
Responding to binding requests or search warrants or orders from courts, governmental, regulatory and/or enforcement bodies and authorities (Note: Sensitive Personal Data, please also see Schedule ‎3)
Responding to non-binding requests or search warrants or orders from courts, governmental, regulatory and/or enforcement bodies and authorities
Complying with disclosure orders arising in civil proceedings (Note: Sensitive Personal Data, please also see Schedule ‎3)
Investigating, evaluating, demonstrating, monitoring, improving, reporting on and meeting Eversheds Sutherland’s compliance with relevant legal and regulatory requirements (Note: Sensitive Personal Data, please also see Schedule ‎3)
Investigating, evaluating, demonstrating, monitoring, improving, reporting on and meeting Eversheds Sutherland’s compliance with best practice and good governance responsibilities
Eversheds Sutherland business operations
Implementing, adapting and enhancing systems and processes to develop or improve our business and/or our recruitment process
Managing, planning and delivering events, projects and initiatives in connection with our global business, Finance, Sales, HR, IT, Marketing and other strategies (for example arranging partner and practice group conferences)
Supporting our diversity programmes and targets (Note: Sensitive Personal Data, please also see Schedule 3)
Supporting, updating and maintaining our technology infrastructure
Supporting the sale, transfer or merging of part or all of our business or assets, or in connection with the acquisition of another business
Analysing recruitment-related objectives and results
Collecting feedback in relation to our recruitment and HR activities and processes for continuous improvement purposes

SCHEDULE ‎3

Purposes for processing sensitive personal data

The table below sets out the different purposes for which we process your sensitive personal data and the relevant lawful basis on which we rely for that processing. For some processing activities, we consider that more than one legal basis may be relevant – depending on the circumstances.

	Sensitive Information - lawful basis We are permitted to process your personal data because...
Purposes of processing	You have given your explicit consent to the processing	It is necessary for your/our obligations and rights in the field of employment and social security and social protection law	It is necessary to protect the vital interests of the data subject or another person you or they are physically or legally incapable of giving consent	It is necessary for our establishment, exercise or defence of legal claims	It is necessary for reasons of substantial public interest	It is necessary for preventive or occupational medicine, for the assessment of the working capacity of the employee
Recruitment and workforce planning
Conducting verification and vetting, including criminal background checks and credit checks where required by law
Conducting background checks, verification and vetting which are not required by law but needed by us to assess your suitability for your role
General application management and administration
Managing our health and safety compliance obligations
Determining whether any adjustments are necessary to enable you to carry out a role
Security and governance
Identifying and authenticating Applicants and other individuals
Identifying, investigating and mitigating suspected misuse of our assets, systems and platform
Legal and regulatory compliance and responsibilities
Managing and administering our equal opportunities reporting
Responding to binding requests or search warrants or orders from courts, governmental, regulatory and/or enforcement bodies and authorities or sharing information (on a voluntary basis) with the same
Responding to non-binding requests or search warrants or orders from courts, governmental, regulatory and/or enforcement bodies and authorities
Complying with disclosure orders arising in civil proceedings
Investigating, evaluating, demonstrating, monitoring, improving and reporting on our compliance with relevant legal and regulatory requirements
Investigating, evaluating, demonstrating, monitoring, improving, reporting on and meeting our compliance with best practice and good governance responsibilities
Day-to-day business operations
Supporting the sale, transfer or merging of part or all of our business or assets, or in connection with the acquisition of or by another business

SCHEDULE ‎4

Individuals' rights

Your right	What does it mean?	Limitations and conditions of your right
Right of access	Subject to certain conditions, you are entitled to have access to your personal data (this is more commonly known as submitting a “data subject access request”).	If possible, you should specify the type of information you would like to see to ensure that our disclosure is meeting your expectations. We must be able to verify your identity. Your request may not impact the rights and freedoms of other people, eg privacy and confidentiality rights of other staff.
Right to data portability	Subject to certain conditions, you are entitled to receive the personal data which you have provided to us and which is processed by us by automated means, in a structured, commonly-used machine readable format.	If you exercise this right, you should specify the type of information you would like to receive (and where we should send it) where possible to ensure that our disclosure is meeting your expectations. This right only applies if the processing is based on your consent or on our contract with you and when the processing is carried out by automated means (ie not for paper records). It covers only the personal data that has been provided to us by you.
Rights in relation to inaccurate personal or incomplete data	You may challenge the accuracy or completeness of your personal data and have it corrected or completed, as applicable. You have a responsibility to help us to keep your personal information accurate and up to date. We encourage you to notify us of any changes regarding your personal data as soon as they occur, including changes to your contact details, telephone number, immigration status.	Please always check first whether there are any available self-help tools to correct the personal data we process about you. This right only applies to your own personal data. When exercising this right, please be as specific as possible.
Right to object to or restrict our data processing	Subject to certain conditions, you have the right to object to or ask us to restrict the processing of your personal data.	As stated above, this right applies where our processing of your personal data is necessary for our legitimate interests. You can also object to our processing of your personal data for direct marketing purposes.
Right to erasure	Subject to certain conditions, you are entitled to have your personal data erased (also known as the “right to be forgotten”), eg where your personal data is no longer needed for the purposes it was collected for, or where the relevant processing is unlawful.	We may not be in a position to erase your personal data, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.
Right to withdrawal of consent	As stated above, where our processing of your personal data is based on your consent you have the right to withdraw your consent at any time.	If you withdraw your consent, this will only take effect for future processing.

someone else (such as a customer of an Eversheds Sutherland client, supplier or press contact etc)

Last updated: July 2023

Quickly find what you’re looking for by clicking the links below:

About this notice
What types of personal data do we collect and where do we get it from?
What do we do with your personal data, and why?
Who do we share your personal data with, and why?
Where is your personal data transferred to?
How do we keep your personal data secure?
How long do we keep your personal data for?
What are your privacy rights and how can you exercise them?
Purposes for processing personal data
Purposes for processing special categories of personal data

About this notice

This notice explains how and why Eversheds Sutherland use your personal data in connection with our legal advice and related services and our general business operations. You should read this notice if you are not an Eversheds Sutherland client but you are dealing with us in relation to any service that we provide, where you are providing us with a service or where you are a different type of third party whether or not in communication with us.

For the purposes of this notice, the controller will be the relevant ES entity providing the services which are relevant to your matter with us, or if you are a supplier, the relevant ES entity that you are contracting with (or looking to contract with) or for some other types of third party the ES entity which is providing advice to its client. Click here for a list of the Eversheds Sutherland operating entities and their contact details. (In limited circumstances, where we work with a consultant to provide legal advice, we and the consultant may be joint controllers of your personal data in relation to the consultant’s processing to provide legal advice. Where this is the case, it will be notified to you by the consultant, to the extent that you have contact with the consultant. If you have any questions about our joint controllership with a consultant, or to exercise your rights in relation to personal data which is jointly controlled, please contact us as set out in this notice.)

In this notice, when we talk about personal data we mean any information that relates to an identifiable natural person – in this case, you.

What types of personal data do we collect and where do we get it from?

The personal information we process about you broadly falls into four main categories: (i) Contact Information; (ii) Identity and Other Regulatory Information; (iii) Matter Information; (iv) Browsing and Device Usage Information; and in some limited cases (v) other publicly available information.

Where necessary and lawful for the purposes set out below, we collect your personal information from various sources. The table below sets out the different types of personal information that we collect and the sources we collect it from.

Category	Types of personal data	Collected from
Contact Information	Name Address Telephone number Organisation details (e.g. your place of work, job title and organisation contact information)	Our clients You Publicly available resources such as LinkedIn and Google
Identity and Other Regulatory Information	Date of birth Identification information (e.g. passport, utility bill and/or bank statement)	You Third party systems used for our regulatory checks
Matter Information	Details relating to client matters, enquiries and other dealings with us or our clients (including matter related communications with you and other information about you in connection with such matters)	Our clients You Third parties also working on your matter
Browsing and Device Usage Information	Information automatically generated through your use of our websites and other digital platforms IP address Information revealing the location of your electronic device	You and your use of our digital platforms
Other publicly available information	Names Addresses Dates of birth other personal special category and criminal convictions data which is lawfully available to us	Official government department lists (e.g. sanctions list) which are publicly available

Please note that if you do not provide us with your Contact Information we may not be able to provide you with any information you request, and if you are a supplier or prospective supplier and you do not provide us with your Contact Information, Identity and Other Regulatory Information or Matter Information, we may not be able to enter into a contract with you.

What do we do with your personal data, and why?

We use your personal data for a number of different purposes. We must always have a “lawful basis” (i.e. a reason, prescribed by law) for processing your personal data. The Personal data table below sets out the purposes for which we process the different categories of your personal data and the corresponding lawful basis for that processing. The purposes applicable to you will vary according to the relevant Eversheds Sutherland controller of your personal data (as explained in the introductory paragraph above). For some processing activities, we consider that more than one lawful basis may be relevant – depending on the circumstances.

We also process certain special categories of personal data , which require a higher standard of protection under applicable laws. For these special categories of personal data , different lawful bases apply. We only process this type of information about you where it is necessary for the establishment, exercise or defence of a legal claim or where it is necessary for reasons of substantial public interest, for example we process racial or ethnic origin, political opinions, religious, cultural or philosophical beliefs, health, sex life or orientation and criminal convictions data in relation to individuals on official government department lists (e.g. sanctions lists) which are publicly available on the basis that this is necessary for reasons of substantial public interest for preventing or detecting unlawful acts.

We may also process certain information relating to criminal convictions and offences where applicable, which require a higher standard of protection under applicable laws. We also have policies in place explaining our procedures for ensuring compliance with applicable laws in connection with the processing of special categories of personal data.

Cookies and similar technologies

For more information regarding how we use cookies and similar technologies in connection with your use of our platforms, please read our Cookies Policy .

Who do we share your personal data with, and why?

Sometimes we share your personal data with third parties where permitted by law, including the following:

other companies in or branches or offices of the Eversheds Sutherland network of firms where necessary in connection with the legal matters we are instructed on or with our business operations. You can find a list of the countries in which we operate on our Contact Us page ;
our clients, barristers, other law firms and courts, service providers and the courts as applicable in the context of the legal services we provide to our clients;
courts and other judicial or official bodies, where we are asked to respond to an order or other binding requests;
regulatory bodies and law enforcement agencies, where necessary for any investigations or to respond to enquiries in relation to our compliance with applicable law or regulations or in connection with criminal investigations, or where otherwise permitted or required by applicable law; and
professional advisors (such as third party law firms and accountants) and third parties in connection with our legitimate business activities.

These organisations will also use your personal data as a “controller” – they will have their own privacy notices which you should read, and they have their own responsibilities to comply with applicable data protection laws.

We also ask third party service providers to carry out certain business functions for us. These include IT support, cloud platform and data hosting providers who help us with the operation of our websites, mobile applications, data rooms, document and workflow management systems and other systems and applications. We will have in place an agreement with our service providers which will restrict how they are able to process your personal data and impose appropriate security standards on them.

Where is your personal data transferred to?

the recipient country ensures an adequate level of protection for your personal data; or
the recipient or recipient country is subject to an approved certification mechanism or code of conduct with binding and enforceable commitments which amount to appropriate safeguards for your personal data; or we have put in place appropriate safeguards to protect your personal data, such as a contract with the person or entity receiving your personal data which incorporates specific provisions as directed by the European Commission; or
the transfer is permitted by applicable laws; or
you explicitly consent to the transfer.

If you would like to see a copy of any relevant safeguards used by us to protect the transfer of your personal data, please contact datagovernance@eversheds-sutherland.com .

How do we keep your personal data secure?

We will put in place appropriate security measures to protect your personal data from unlawful or unauthorised processing and accidental loss, destruction or damage.

How long do we keep your personal data for?

any laws or regulations that we are required to follow;
whether we are in a legal or other type of dispute with each other or any third party;
the type of information that we hold about you; and
whether we are asked by you or a regulatory authority to keep your personal data for a valid reason.

What are your privacy rights and how can you exercise them?

Where our processing of your personal data is based on your consent , you have the right to withdraw your consent at any time. If you do decide to withdraw your consent we will stop processing your personal data for that purpose, unless there is another lawful basis we can rely on – in which case, we will let you know.

Where our processing of your personal data is based on the legitimate interests lawful basis, you can object to this processing at any time. If you do this, we will need to show either a compelling reason why our processing should continue, which overrides your interests, rights and freedoms or that the processing is necessary for us to establish, exercise or defend a legal claim.

Depending on the circumstances, you may have the right to:

access your personal data and to be provided with certain information in relation to it, such as the purpose for which it is processed, the recipients or categories of recipient to whom it is disclosed and the period for which it will be stored;
require us to correct any inaccuracies in your personal data without undue delay;
require us to erase your personal data;
require us to restrict processing of your personal data;
receive the personal data which you have provided to us, in a machine readable format, where we are processing it on the basis of your consent or because it is necessary for your contract with us and where the processing is automated; and
object to a decision that we make which is based solely on automated processing of your personal data.

Please contact us at datagovernance@eversheds-sutherland.com if you would like to exercise any of your privacy rights.

Purposes for processing personal data

	Lawful basis
Purposes of processing	Your consent	To perform a contract with you	To comply with a legal obligation	For our legitimate interests
Matter Related Purposes
Responding to your enquiries				(It is important that we can respond to your enquiries)
Resolving any complaints from or disputes with you				(We need to be able to try and resolve any complaint or dispute you might raise with us)
Performing identity checks (including those against third party sources) for identity verification purposes				(We need to verify the identities of people we deal with)
Carrying out various tasks and services in connection with our clients’ matters which may involve you (eg arranging for monies due to you to be paid, sending you documents in relation to a court case or consulting and further processing documents which relate to you, or providing information about you which is on official government department lists (e.g. sanctions lists) which are publicly available to our clients)				(We need to be able to carry out the tasks required in connection the provision of legal advice to our clients and other related services)
Legal and Regulatory Compliance and Reporting
Monitoring our systems and processes to identify, record, and prevent fraudulent, criminal and/or otherwise illegal activity				(We need to be able to monitor our systems in this way to help protect them, us and you from illegal activity)
Complying with instructions, orders and requests from law enforcement agencies, any court or otherwise as required by law
Complying with our general regulatory and statutory obligations (including our responsibilities under codes of conduct and anti-bribery laws)
Purchasing, maintaining and claiming against our insurance policies				(It' ss in our interests to protect our business against specified losses)
Training our staff				(Sometimes, it is appropriate for us to use your personal information so that we can provide our staff with training to manage risk and improve the quality of our services)
Continuously reviewing and improving our products and services (including by seeking and obtaining your feedback) and developing new ones				(We have a legitimate interest in making sure that we are continuously improving our service offering)
Complying with instructions from our clients in relation to their regulatory obligations (including recording our telephone communications with you)				(Sometimes, we need to record calls to our teams to assist with our clients’ regulatory obligations, and for training and quality purposes)
General Business Requirements
Obtaining legal advice, and establishing, defending and enforcing our legal rights and obligations in connection with, any legal proceedings (including prospective legal proceedings)				(We must be able to establish and defend our legal rights and understand our obligations, and seek legal advice in connection with them)
Monitoring and producing statistical information regarding the use of our platforms, and analysing and improving their functionality				(We need to perform this limited routine monitoring to make sure our platforms work properly)
Managing the proposed sale, restructuring, transfer or merging of any or all part(s) of our business, including to respond to queries from the prospective buyer or merging organisation				(We have a legitimate interest in being able to sell any part of our business)
Maintaining the security and integrity of our systems, platforms, premises and communications (and detecting and preventing actual or potential threats to the same)				(We need to make sure our that our business processes are secure)

applying for or considering applying for a training contract, vacation scheme, apprenticeship or other work experience at Eversheds Sutherland

Ths Privacy Notice applies to the Eversheds Sutherland (International) LLP only.

Last updated: May 2022

Quickly find what you’re looking for by clicking the links below:

What is this document and why should you read it?
Eversheds Sutherland’s data protection responsibilities
What types of personal data do we collect and where do we get it from?
What do we do with your personal data, and why?
Sensitive personal data (including criminal data)
Who do we share your personal data with, and why?
Where in the world is your personal data transferred to?
How do we keep your personal data secure?
How long do we keep your personal data for?
What are your rights in relation to your personal data and how can you exercise them?
Updates to this notice
Where can you find out more?

What is this document and why should you read it?

This notice explains how and why Eversheds Sutherland uses personal data about individuals who apply (or enquire about applying) to become our trainees, vacation scheme students, apprentices and/or other work experience students (referred to as “ applicants ” or “ you ”). For the purposes of this notice, the controller will be the Eversheds Sutherland entity that you are applying for a role with (the controller is also referred to in this notice as “ Eversheds Sutherland ”, “ ES ” “ we ”, “ our ” and “ us ”).

You should read this notice, so you know what we are doing with your personal data. Please also read any other privacy notices that we give you, that might apply to our use of your personal data in specific circumstances in the future. For example, if you are successful in your application you should read our HR Privacy Notice when you join us.

This notice does not form part of any contract between us and you (including any contract of employment that may be offered or any other services contract).

Eversheds Sutherland’s data protection responsibilities

The term “ process ” means any activity relating to personal data, including, by way of example, collection, storage, use, consultation and transmission.

Eversheds Sutherland is a " controller " of your personal data. This is a legal term – it means that we make decisions about how and why we process your personal data and, because of this, we are responsible for making sure it is used in accordance with data protection laws.

What types of personal data do we collect and where do we get it from?

Further details of the personal data we collect and where we get it from are set out at Schedule 1 .

As you can see from the table at Schedule 1 , we collect your personal information from you directly and sometimes we obtain it from other people and organisations, including some public sources, such as publicly available directories and online resources, your emergency contacts, your use of Eversheds Sutherland provided assets, systems and platforms, your line manager and co-workers, your dependants and beneficiaries, third party benefits providers.

If any of the personal information you have given to us changes, such as your contact details, please inform us without delay by contacting gradrec@eversheds-sutherland.com.

What do we do with your personal data, and why?

We are required by law to always have a “lawful basis” (i.e. a reason or justification) for processing your personal data. There are six lawful bases for processing – they are set out in the law, and they are where:

the individual has given his or her consent to the processing;
the processing of the individual’s personal data is necessary to perform a contract with that individual or to take steps at the request of the individual before entering into a contract;
the processing is necessary to comply with a legal obligation to which we are subject;
the processing is necessary in order to protect the vital interests of an individual;
the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us; and
the processing is necessary for our legitimate interests, provided those interests are not overridden by the individual’s interests, rights or freedoms.

The table at Schedule 2 sets out the different purposes for which we process your personal data and the relevant lawful basis on which we rely for that processing.

If you would like more information on any of the purposes for which we process your personal data, please contact the Risk team at datagovernance@eversheds-sutherland.com for more information.

Please note that:

where our processing is based on your consent, you can withdraw your consent at any time. If you do this, it won’t impact any processing we’ve done prior to that date.
where we process your personal data because it is necessary for our legitimate interests, you can object to our processing at any time. If you object, we will stop processing unless we can show you a compelling reason why the processing overrides your privacy rights or where the processing is for the establishment, exercise or defence of legal claims.

In addition, where we have indicated in Schedule 2 that our processing of your personal data is either:

necessary for us to comply with a legal obligation; or
necessary for us to take steps, at your request, to potentially enter into an employment contract with you, or to perform it, and you choose not to provide the relevant personal data to us, we may not be able to enter into our contract of employment or engagement with you.

Anonymised and aggregated data

We may also convert your personal data into statistical or aggregated form to better protect your privacy, or so that you are not identified or identifiable from it. Anonymised data cannot be linked back to you. We may use it to conduct research and analysis, including to produce statistical research and reports, and to support our contextual recruitment and diversity initiatives.

Sensitive personal data (including criminal data)

The table at Schedule 3 sets out the different purposes for which we process your sensitive personal data and the relevant lawful basis on which we rely for that processing. For some processing activities, we consider that more than one legal basis may be relevant – depending on the circumstances.

Who do we share your personal data with, and why?

Sometimes we need to disclose your personal data to other people.

Inside the Eversheds Sutherland network

Outside the Eversheds Sutherland network

if we transfer, purchase, reorganise, merge or sell any part of our business or the business of a third party, and we disclose or transfer your personal data to the prospective seller, buyer or other third party involved in a business transfer, reorganisation or merger arrangement (and their advisors); and
if we need to disclose your personal data in order to comply with a legal obligation, to enforce a contract or to protect the rights, property or safety of our employees, clients or others.

We have set out below a list of the categories of recipients with whom we are likely to share your personal data:

consultants and professional advisors including legal advisors and accountants;
recruitment agencies appointed by us or you;
courts, court-appointed persons/entities, receivers and liquidators;
business partners and joint ventures;
trade associations and professional bodies;
insurers; and
governmental departments, statutory and regulatory bodies.

Where in the world is your personal data transferred to?

If you are employed or engaged by an Eversheds Sutherland entity in the European Union or United Kingdom and any disclosures of personal data referred to above require us to transfer your personal data from within to outside the European Economic Area or United Kingdom, we will only make that transfer if:

the country to which the personal data is to be transferred ensures an adequate level of protection for personal data;
we have put in place appropriate safeguards to protect your personal data, such as an appropriate contract with the recipient. Please contact our Data Protection Office at datagovernance@eversheds-sutherland.com if you wish to obtain a copy of these;
the transfer is necessary for one of the reasons specified in data protection legislation, such as the performance of a contract between us and you; or
you explicitly consent to the transfer.

How do we keep your personal data secure?

We will take specific steps (as required by applicable data protection laws) to protect your personal data from unlawful or unauthorised processing and accidental loss, destruction or damage.

How long do we keep your personal data for?

We will only retain your personal data for a limited period of time. This will depend on a number of factors, including:

any laws or regulations that we are required to follow;
whether we are in a legal or other type of dispute with each other or any third party;
the type of information that we hold about you; and
whether we are asked by you or a regulatory authority to keep your personal data for a valid reason.

Please contact our Data Protection Office at datagovernance@eversheds-sutherland.com to request a copy of our Data Retention Policy.

What are your rights in relation to your personal data and how can you exercise them?

You may have certain legal rights in relation to your personal data, particularly where the Eversheds Sutherland entity you are applying to is based in the United Kingdom or European Union which are summarised at Schedule 4 , in relation to any personal data about you which we hold.

Where our processing of your personal data is based on your consent (see Schedule 2 ), you have the right to withdraw your consent at any time. If you do decide to withdraw your consent we will stop processing your personal data for that purpose, unless there is another lawful basis we can rely on – in which case, we will let you know. Your withdrawal of your consent won’t impact any of our processing up to that point.

Where our processing of your personal data is necessary for our legitimate interests (see Schedule 2 ), you can object to this processing at any time. If you do this, we will need to show either a compelling reason why our processing should continue, which overrides your interests, rights and freedoms or that the processing is necessary for us to establish, exercise or defend a legal claim.

If you wish to exercise any of these rights please contact dataprotectionoffice@everhseds-sutherland.com in the first instance.

If you are based in the United Kingdom or European Union or you are applying for a position with an ES entity based in the European Union or United Kingdom, you also have the right to lodge a complaint with the relevant data protection supervisory authority – for contact details see here .

Updates to this notice

Where can you find out more?

If you have any queries about how Eversheds Sutherland process your personal data, please contact the Risk team at datagovernance@eversheds-sutherland.com .

Schedule 1 – Categories of personal data

Type of personal data	Collected from
a) Contact Information
Name(s) Address(es) Email address(es) Contact details including mobile telephone number(s)	You
b) Personal Information
Date of birth Gender Next of kin or other dependants Marital or relationship status Lifestyle and social circumstances Stage in education, further education and/or employment Emergency contact information If successful: previous and offered salary, compensation and other benefits, national insurance number and tax codes and bank account details	You Recruitment consultants and agencies Your previous employers
c) Identity and Background Information
LinkedIn profile and other available professional background information about you online Career history, experience and skills Passport information Driving licence information Psychometric test results Right to work, residency and/or other visa information (where unrelated to your race or ethnicity) Curriculum Vitae (CV) or resume Details of education, qualifications, results and certificates and other evidence of the same Images and/or video footage Application form Evaluative notes and decisions from job interviews Preferences relating to job location and salary Conflicts of interests (including where related to family networks) Background checks relating to credit history and criminal records (see also Sensitive Personal Data below)	You Recruitment consultants and agencies Your previous employers Publicly available information from online resources
d) Sensitive Personal Data (see section 5 for further information)
Racial or ethnic origin (including your nationality and visa information) Religious or philosophical beliefs Data concerning physical and/or mental health (including occupational health requirements, accident reports, day-to-day health concerns such as diabetes or epilepsy conditions which we should be aware of, dietary requirements, allergies, drug and alcohol test results and reasons for any short term or long term absence) Sexual orientation Information relating to actual or suspected criminal convictions and offences	You Your emergency contact(s) Your use of Eversheds Sutherland security control systems
e) Recruitment Administration, Performance and Grievance Information
Offered terms and conditions of employment Working preferences and feedback in relation to Eversheds Sutherland and our staff Preference in relation to our use of your personal data Interview notes and associated feedback Complaints, grievance and employment tribunal information	You
f) Asset, Systems and Platform Usage and Communications Information
User IDs and password information IP addresses and device identifiers Relevant records of calls, telephone and/or video interviews, messages and/or internet or other data traffic and communications Access logs and usage records from application systems and other Eversheds Sutherland provided applications and technologies	You Your use of Eversheds Sutherland assets, systems and platforms
g) Security, Location and Access Information
Information captured or recorded by electronic card access systems, CCTV and other security control systems	You Your use of Eversheds Sutherland security control systems

Schedule 2 – Purposes for processing personal data

The table below sets out the different purposes for which we process your personal data and the relevant lawful basis on which we rely for that processing.

For some processing activities, we consider that more than one lawful basis may be relevant – depending on the circumstances.

Where our processing is necessary for our legitimate interests, those interests are the purposes listed below.

	Lawful basis We are permitted to process your personal data because…
Purposes of processing	1. You have given your consent to the processing (Please also see section 10.2)	2. It is necessary to perform a contract with you or because you have asked us to before entering into a contract	3. It is necessary for us to comply with a legal obligation	4. It is necessary for our legitimate interests or those of third parties (Please also see section 10.3)	5. It is necessary to protect your vital interests (or those of someone else)
Recruitment activities
Sending you communications regarding our recruitment events, application deadlines and other recruitment related activities and processes
Communicating with you and providing you with information in connection with our vacancies, our recruitment events and processes and/or your applications or engagement with us from time to time
Administering your application for a job with us and considering your suitability for the relevant role
Considering your suitability for existing and future vacancies
Organising and conducting interviews by telephone, video and/or face-to-face
Communicating with or providing feedback to you and/or your recruitment agent
Obtaining, considering and verifying your employment references and employment history
Reviewing and confirming your right to work
Conducting verification and vetting, including criminal background checks and credit checks where required by law ( Note : Sensitive Personal Data, please also see Schedule 3 )
Conducting background and credit checks, verification and vetting which are not required by law but needed by us to assess your suitability for your role ( Note : May involve Sensitive Personal Data, please also see Schedule 3 )
New joiner activities
Making a job offer to you and entering into a contract of employment with you
Managing, administering and carrying out the systems, processes and tasks needed to facilitate the commencement and duration of your role with us
Determining whether any adjustments are necessary to enable you to carry out a role ( Note : Sensitive Personal Data, please also see Schedule 3 )
Security and governance
Monitoring, maintaining and improving the security of Eversheds Sutherland’s physical premises and systems, networks and applications
Identifying and authenticating applicants and other individuals ( Note : Sensitive Personal Data, please also see Schedule 3 )
Identifying, investigating and mitigating suspected misuse of Eversheds Sutherland’s assets, systems and platforms ( Note : Sensitive Personal Data, please also see Schedule 3 )
Ensuring compliance with Eversheds Sutherland policies and procedures ( Note : Sensitive Personal Data, please also see Schedule 3 )
Legal and regulatory compliance and responsibilities
Looking after the welfare of our staff ( Note : Sensitive Personal Data, please also see Schedule 3 )
Managing our health and safety compliance obligations (Note: Sensitive Personal Data, please also see Schedule 3 )
Managing and administering our equal opportunities reporting ( Note : Sensitive Personal Data, please also see Schedule 3 )
Responding to binding requests or search warrants or orders from courts, governmental, regulatory and/or enforcement bodies and authorities ( Note : Sensitive Personal Data, please also see Schedule 3 )
Responding to non-binding requests or search warrants or orders from courts, governmental, regulatory and/or enforcement bodies and authorities
Complying with disclosure orders arising in civil proceedings ( Note : Sensitive Personal Data, please also see Schedule 3 )
Investigating, evaluating, demonstrating, monitoring, improving, reporting on and meeting Eversheds Sutherland’s compliance with relevant legal and regulatory requirements ( Note : Sensitive Personal Data, please also see Schedule 3 )
Investigating, evaluating, demonstrating, monitoring, improving, reporting on and meeting Eversheds Sutherland’s compliance with relevant legal and regulatory requirements ( Note : Sensitive Personal Data, please also see Schedule 3 )
Eversheds Sutherland business operations
Decision-making in relation to the long term prospects of our vacation scheme students, work experience students, trainees and apprentices and more general promotion and succession planning
Developing, operating and collecting feedback on recruitment activities and employee selection processes
Analysing recruitment and retention objectives, processes and staff turnover rates
Handling grievances and complaints, including investigating issues, considering appropriate resolution and mitigating actions and reviewing outcomes
General staff administration, including workforce management and facilities operations
Identifying and assessing our strategic business direction, resourcing needs and areas for development
Implementing, adapting and enhancing systems and processes to develop or improve our business and/or our recruitment process
Managing, planning and delivering events, projects and initiatives in connection with our global business, Finance, Sales, HR, IT, Marketing and other strategies (for example arranging partner and practice group conferences)
Supporting our diversity programmes and targets ( Note : Sensitive Personal Data, please also see Schedule 3 )
Supporting, updating and maintaining our technology infrastructure
Supporting the sale, transfer or merging of part or all of our business or assets, or in connection with the acquisition of another business
Analysing recruitment-related objectives and results
Collecting feedback in relation to our recruitment and HR activities and processes for continuous improvement purposes

Schedule 3 – Purposes for processing sensitive personal data

	Sensitive Information - lawful basis We are permitted to process your personal data because…
Purposes of processing	You have given your explicit consent to the processing	It is necessary for your/our obligations and rights in the field of employment and social security and social protection law	It is necessary to protect the vital interests of the data subject or another person you or they are physically or legally incapable of giving consent	It is necessary for our establishment, exercise or defence of legal claims	It is necessary for reasons of substantial public interest	It is necessary for preventive or occupational medicine, for the assessment of the working capacity of the employee
Recruitment and workforce planning
Conducting verification and vetting, including criminal background checks and credit checks where required by law
Conducting background checks, verification and vetting which are not required by law but needed by us to assess your suitability for your role
General application management and administration
Managing our health and safety compliance obligations
Determining whether any adjustments are necessary to enable you to carry out a role
Security and governance
Identifying and authenticating Applicants and other individuals
Identifying, investigating and mitigating suspected misuse of our assets, systems and platform
Legal and regulatory compliance and responsibilities
Managing and administering our equal opportunities reporting
Reviewing and confirming your right to work Responding to binding requests or search warrants or orders from courts, governmental, regulatory and/or enforcement bodies and authorities or sharing information (on a voluntary basis) with the same
Responding to non-binding requests or search warrants or orders from courts, governmental, regulatory and/or enforcement bodies and authorities
Complying with disclosure orders arising in civil proceedings
Investigating, evaluating, demonstrating, monitoring, improving and reporting on our compliance with relevant legal and regulatory requirements
Investigating, evaluating, demonstrating, monitoring, improving, reporting on and meeting our compliance with best practice and good governance responsibilities
Day-to-day business operations
Supporting the sale, transfer or merging of part or all of our business or assets, or in connection with the acquisition of or by another business

Schedule 4 – Individuals’ rights

Your right	What does it mean?	Limitations and conditions of your right
Right of access	Subject to certain conditions, you are entitled to have access to your personal data (this is more commonly known as submitting a “ data subject access request ”).	If possible, you should specify the type of information you would like to see to ensure that our disclosure is meeting your expectations. We must be able to verify your identity. Your request may not impact the rights and freedoms of other people, eg privacy and confidentiality rights of other staff.
Right to data portability	Subject to certain conditions, you are entitled to receive the personal data which you have provided to us and which is processed by us by automated means, in a structured, commonly-used machine readable format.	If you exercise this right, you should specify the type of information you would like to receive (and where we should send it) where possible to ensure that our disclosure is meeting your expectations. This right only applies if the processing is based on your consent or on our contract with you and when the processing is carried out by automated means (ie not for paper records). It covers only the personal data that has been provided to us by you.
Rights in relation to inaccurate personal or incomplete data	You may challenge the accuracy or completeness of your personal data and have it corrected or completed, as applicable. You have a responsibility to help us to keep your personal information accurate and up to date. We encourage you to notify us of any changes regarding your personal data as soon as they occur, including changes to your contact details, telephone number, immigration status.	Please always check first whether there are any available self-help tools to correct the personal data we process about you. This right only applies to your own personal data. When exercising this right, please be as specific as possible.
Right to object to or restrict our data processing	Subject to certain conditions, you have the right to object to or ask us to restrict the processing of your personal data.	As stated above, this right applies where our processing of your personal data is necessary for our legitimate interests. You can also object to our processing of your personal data for direct marketing purposes.
Right to erasure	Subject to certain conditions, you are entitled to have your personal data erased (also known as the “ right to be forgotten ”), e.g. where your personal data is no longer needed for the purposes it was collected for, or where the relevant processing is unlawful.	We may not be in a position to erase your personal data, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.
Right to withdrawal of consent	As stated above, where our processing of your personal data is based on your consent you have the right to withdraw your consent at any time.	If you withdraw your consent, this will only take effect for future processing.

Translations

Other Privacy Notices

The following offices have their own Privacy Notice(s) which apply instead of the relevant Privacy Notices above. Please follow the link below for a copy of those Privacy Notices:-

Austria	Client Privacy Notice Third Party Privacy Notice Recruitment Privacy Notice
Czech Republic	Recruitment Privacy Notice
Finland	Client Privacy Notice Third Party Privacy Notice Recruitment Privacy Notice
Hungary	Client Privacy Notice Third Party Privacy Notice Recruitment Privacy Notice
Ireland	Client Privacy Notice Third Party Privacy Notice
Italy	Client Privacy Notice Third Party Privacy Notice Recruitment Privacy Notice
Slovakia	Recruitment Privacy Notice
Sweden	Client Privacy Notice Third Party Privacy Notice Recruitment Privacy Notice
Switzerland	Client and Third Party Privacy Notice Recruitment Privacy Notice

Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client.

Our global pages

Privacy notice

In summary...

Who are you?

About this notice

What types of personal data do we collect and where do we get it from?

What do we do with your personal data, and why?

Who do we share your personal data with, and why?

Where is your personal data transferred to?

How do we keep your personal data secure?

How long do we keep your personal data for?

What are your privacy rights and how can you exercise them?

Purposes for processing personal data

Purposes for processing special categories of personal data

About this notice

Eversheds Sutherland’s data protection responsibilities

What types of personal data do we collect and where do we get it from?

What do we do with your personal data, and why?

Automated decision-making

Anonymised and aggregated data

Sensitive personal data (including criminal data)

Who do we share your personal data with, and why?

Where in the world is your personal data transferred to?

How do we keep your personal data secure?

How long do we keep your personal data for?

What are your rights in relation to your personal data and how can you exercise them?

Updates to this notice

Where can you find out more?

SCHEDULE ‎1

Categories of personal data

SCHEDULE ‎2

Purposes for processing personal data

SCHEDULE ‎3

Purposes for processing sensitive personal data

SCHEDULE ‎4

Individuals' rights

About this notice

What types of personal data do we collect and where do we get it from?

What do we do with your personal data, and why?

Who do we share your personal data with, and why?

Where is your personal data transferred to?

How do we keep your personal data secure?

How long do we keep your personal data for?

What are your privacy rights and how can you exercise them?

Purposes for processing personal data

What is this document and why should you read it?

Eversheds Sutherland’s data protection responsibilities

What types of personal data do we collect and where do we get it from?

What do we do with your personal data, and why?

Anonymised and aggregated data

Sensitive personal data (including criminal data)

Who do we share your personal data with, and why?

Where in the world is your personal data transferred to?

How do we keep your personal data secure?

How long do we keep your personal data for?

What are your rights in relation to your personal data and how can you exercise them?

Updates to this notice

Where can you find out more?

Schedule 1 – Categories of personal data

Schedule 3 – Purposes for processing sensitive personal data

Schedule 4 – Individuals’ rights

Translations

Other Privacy Notices