Our Privacy Notice.
(Or how we look after your personal data.)

This Privacy Notice describes how we collect and use your Personal Data to uphold the EU General Data Protection Regulation (GDPR). It tells you what Personal Data we collect, why we need it, how we use it and how we keep it safe.


Key Terms

“Notice” means this Privacy Notice.

“Kepler Wolf”, “we”, “us” and “our” mean Kepler Wolf Limited.

“Kepler Wolf Personnel” means Kepler Wolf’s prospective, present and past partners, employees, consultants and agency staff, and the people connected to these people.

“Personal Data” means information about individuals (that includes you) and the data that can identify them.

“You” means individuals whose Personal Data we process including, but not limited to Kepler Wolf clients, Kepler Wolf client personnel, counter-parties, counter-party personnel, other solicitors/advisors, witnesses, suppliers, supplier personnel, job applicants and individuals to whom we send marketing communications.


Data Controller

Kepler Wolf is the Data Controller in relation to your Personal Data and is committed to protecting the privacy rights of individuals.


Data Protection Manager

Under the GDPR, we’re not required to appoint a Data Protection Officer and, after some analysis, we’ve decided it’s not appropriate to do so on a voluntary basis. We have, however, appointed a Data Protection Manager (“DPM”) who’s responsible for overseeing our compliance with the GDPR and any other applicable data protection legislation and regulation.

You can contact our DPM here: personaldata@keplerwolf.com.


How do you obtain my Personal Data?

It varies. Sometimes, we may obtain your Personal Data from you directly. But, more typically, we’ll obtain it from a third-party source. This includes: our clients/our clients’ personnel, agents and advisers, other law firms/advisers which represent you, the company you work for, other organisations/persons with who you have dealings, government agencies, credit reporting agencies, recruitment agencies, information or service providers and publicly available records.


What about the Personal Data I provide?

If you provide information to us about someone else (for example: one of your associates, directors or employees, or someone you have business dealings with) you must ensure that you’re entitled to share that information with us and that, without us needing to take any further steps, we may process that information in accordance with this Notice.


What Personal Data do you collect about me?

We collect and use different types of Personal Data about you – it varies depending on the circumstances and purpose of processing. Here are some illustrative examples:
– Personal Data about you: name, address, date of birth, marital status, nationality, race, gender, preferred language, job title, work life and restrictions and/or required accommodations, possibly about your family life
– Personal Data to contact you at work or home: name, address, telephone, and  e-mail addresses
– Personal Data which may identify you: photographs and video, passport and/or driving license details, electronic signatures
– Personal Data to process any payment we might need to make to you: bank account details, HMRC numbers and references (where applicable).


Why do you need to collect and use my Personal Data?

The primary reason is to provide legal advice and services to our clients. This may involve using your Personal Data in one of the following (non-exhaustive) ways:
– To contact you if you’re involved in a matter we are undertaking for a client, whether in your professional or personal capacity
– To carry out investigations, risk assessments and client due diligence
– To analyse the practices of your employer or other organisations and/or persons with whom you have dealings
– To review, draft and disclose correspondence and other documents, including  court documents
– To instruct third-parties on behalf of our clients
– For comparison/analytical purposes and to formulate legal opinions and  provide advice.


We may also process your Personal Data for business management purposes. This may involve using your Personal Data in one of the following (non-exhaustive) ways:
– To engage and contact suppliers
– To carry out internal reviews, investigations, audits
– To conduct business reporting and analytics
– To advertise and market the services that we provide
– To help measure performance and improve our services
– For recruitment purposes
– For regulatory and legislative compliance and related reporting
– For the prevention and detection of crime.


What’s your legal casee for processing my Personal Data?

Under the GDPR, we must identify a lawful basis for processing your Personal Data. This may vary according to the type of Personal Data processed and the person it relates to. Here are some reasons:

Fulfilling a contract with you
We’re entitled to process the Personal Data it takes to fulfil our contractual obligations with you. This is most likely if you’re our individual client or supplier/other individual with a direct contractual relationship.

Legitimate interests of Kepler Wolf or a third-party
We’ll process your Personal Data if it’s in our legitimate interests and/or the legitimate interests of a third-party; allowing us to function as an authorised and regulated provider of legal advice services.
Occurrences of when this is necessary can be broken down into these categories, including (but not limited to):
– Contacting individuals relevant to our work and our clients’ matters
– Reviewing documents and correspondence that have been disclosed to us, our clients and third-parties
– Reviewing and analysing all evidence available to us and our clients
– Adducing legal arguments, creating documents and correspondence
– Disclosing documents and correspondence to various parties to further our  clients’ objectives
– Instructing third-parties on behalf of our clients
– Receiving payment from our clients and third-parties, and to facilitate payments to and from our clients and third-parties
– In order to allow for all of the above, the secure management and storage of your Personal Data, within our IT environment and hard-copy filing systems.

We may also process your Personal Data if it’s in our legitimate business interests. This may include (but isn’t limited to):
– Engaging suppliers and supplier personnel
– Ensuring systems and premises are secure and running efficiently
– For regulatory and legislative compliance, and related auditing and reporting
– For insurance purposes
– For recruitment/hiring purposes
– For marketing purposes
– To facilitate, make and receive payments.


We don’t consider processing your Personal Data, on the basis that it’s within our legitimate interests, is unwarranted because of any prejudicial effect on your rights and freedoms or your legitimate interests.

Compliance with a legal obligation
Sometimes, we might process your Personal Data to comply with our legal obligations. This might include (but is not limited to):

– Tax and accounting purposes
– Conflict checking purposes, as required by the common law and our regulators
– To fulfil our compliance and other obligations under relevant legislation/regulation.


More information relating to legal bases for processing Personal Data can be found on the Information Commissioner’s website (see details below) or by contacting our DPM.

Special category and criminal records Personal Data
If we process your criminal record Personal Data or special category Personal Data relating to your racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, health data, biometric data or sexual orientation, we’ll obtain your explicit consent unless it isn’t required by law (if, for example, it’s processed for the purpose of exercising or defending legal claims) or the information is required to protect your health in an emergency. Where we’re processing Personal Data based on your consent, you have the right to withdraw that consent at any time.

Direct Marketing
We may use your contact details to send you marketing materials, provided we’re permitted to do so by law. You always have the right to unsubscribe from any marketing. Just contact us at: personaldata@keplerwolf.com.


Who receives my Personal Data?

We may disclose your Personal Data to third-parties (outside of Kepler Wolf and Kepler Wolf Personnel) but only when we have a legal basis to do. Recipients include (but are not limited to):
– Co-counsel, other solicitors/barristers/experts/foreign law firms who we instruct on your behalf or we may refer you to
– Our insurance brokers and underwriters
– Our bank, auditors and accountants
– Our outsourced IT providers and other suppliers
– HMRC
– The Solicitors Regulation Authority
– The Law Society;
– The Home Office and Passport Services
– Other side/other parties on any given matter (lay and solicitor).


How do we protect your Personal Data?

We’ve security arrangements in place to guard against unauthorised access, improper use, alteration, destruction or accidental loss of your Personal Data. We take appropriate organisational and technical security measures and have rules and procedures in place to ensure that any Personal Data we hold is not accessed by anyone unauthorised. We have in place, and abide by, a specific information security policy about the security standards used to protect your Personal Data.

When we use third-party organisations to process your Personal Data on our behalf, they must also have appropriate security arrangements, must comply with our contractual requirements and instructions, and must ensure compliance with the GDPR and any other relevant data protection legislation.


Is my Personal Data transferred to “third countries”?

In line with this Notice and the GDPR, we may transfer your Personal Data to organisations located in “third countries” (those outside of the EEA). When such transfers are necessary, we’ll ensure that your Personal Data is adequately protected. For example: we’ll use a contract with data protection provisions adopted by the European Commission or a relevant data protection authority. You can request a copy of these contracts from us.


How long will you retain my Personal Data?

We’ll retain your Personal Data for the time it takes to perform the specific purposes set out in this Notice. However, there may be occasions where we need to keep your Personal Data for a longer period, for example: if required by our legal and regulatory obligations or in order to ensure we have effective back-up systems. If this is necessary, we’ll ensure that it continues to be treated in line with this Notice, restrict access to any archived Data, and ensure that it is held securely and kept confidential.


What are my rights?

The GDPR generally gives you a right to access your Personal Data, to object to the processing of your Personal Data, to rectify, to erase, to restrict and to port your Personal Data.

We have Subject Access Request (“SAR”) procedures in place that you may be entitled to access. An SAR requires us to provide details of the Personal Data we hold and a description of how we process it. Any questions or requests should be put in writing to our DPM.

There are, however, exceptions to the rights of individuals. When we’re processing your Personal Data to provide legal advice to our clients, your rights may be limited. We always seek to be as transparent as possible but, in some instances, we may be restricted from even acknowledging that we process your Personal Data.


How do I complain?

If you’re unhappy with the information provided in this Notice, or have concerns about how we process your Personal Data, please contact the DPM. If you’re not satisfied with the response, apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted here:

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF www.ico.org.uk