7.1. In this clause , the following definitions shall apply:
‘client personal data’ means any personal data provided to us by you, or on your behalf, for the purpose of providing our services to you, pursuant to our engagement letter with you;
‘data protection legislation’ means all applicable privacy and data protection legislation and regulations including PECR, the GDPR and any applicable national laws, regulations and secondary legislation in the UK relating to the processing of personal data and the privacy of electronic communications, as amended, replaced or updated from time to time;
‘controller’, ‘data subject’, ‘personal data’, and ‘process’ shall have the meanings given to them in the data protection legislation;
‘UK GDPR’ means the Data Protection Act 2018 as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 which merge the previous requirements of the Data Protection Act with the requirements of the General Data Protection Regulation ((EU) 2016/679); and
‘PECR’ means the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2426/2003).
7.2. We shall each be considered an independent data controller in relation to the client personal data. Each of us will comply with all requirements and obligations applicable to us under the data protection legislation in respect of the client personal data.
7.3. You shall only disclose client personal data to us where:
a) you have provided the necessary information to the relevant data subjects regarding its use (and you may use or refer to our privacy notice available at https://www.jrwca.com/privacy-policy for this purpose);
you have a lawful basis upon which to do so, which, in the absence of any other lawful basis, shall be with the relevant data subject’s consent; and
you have complied with the necessary requirements under the data protection legislation to enable you to do so.
7.4. Should you require any further details regarding our treatment of personal data, please contact our data protection officer.
7.5. We shall only process the client personal data:
a) in order to provide our services to you and perform any other obligations in accordance with our engagement with you;
b) in order to comply with our legal or regulatory obligations; and
c) where it is necessary for the purposes of our legitimate interests and those interests are not overridden by the data subjects’ own privacy rights. Our privacy notice (available at https://www.jrwca.com/privacy-policy) contains further details as to how we may process client personal data.
7.6. For the purpose of providing our services to you, we may disclose the client personal data to members of our firm’s network, our regulatory bodies or other third parties (for example, our professional advisors or service providers). We will only disclose client personal data to a third party (including a third party outside of the UK) provided that the transfer is undertaken in compliance with the data protection legislation.
7.7. We may disclose the client personal data to other third parties in the context of a possible sale, merger, restructuring or financing of or investment in our business. In this event we will take appropriate measures to ensure that the security of the client personal data continues to be ensured in accordance with data protection legislation. If a change happens to our business, then the new owners may use our client personal data in the same way as set out in these terms.
7.8. We shall maintain commercially reasonable and appropriate security measures, including administrative, physical and technical safeguards, to protect against unauthorised or unlawful processing of the client personal data and against accidental loss or destruction of, or damage to, the client personal data.
7.9. In respect of the client personal data, provided that we are legally permitted to do so, we shall promptly notify you in the event that:
(a) we receive a request, from or on behalf of a relevant data subject, to exercise their data subject rights under the data protection legislation or a complaint or any adverse correspondence in respect of our processing of their personal data;
(b) we are served with an information, enforcement or assessment notice (or any similar notices), or receive any other material communication in respect of our processing of the client personal data from the Information Commissioner’s Office or any other supervisory authority); or
(c) we reasonably believe that there has been any incident which resulted in the accidental or unauthorised access to, or destruction, loss, unauthorised disclosure or alteration of, the client personal data.
7.10. Upon the reasonable request of the other, we shall each co-operate with the other and take such reasonable commercial steps or provide such information as is necessary to enable each of us to comply with the data protection legislation in respect of the services provided to you in accordance with our engagement letter with you in relation to those services.