PRIVACY NOTICE
The website www.hfw.com is owned by HFW (Holman Fenwick Willian LLP).
We care about your privacy. This Privacy Notice explains how we collect and use your personal data. Please read it carefully. If you have any questions about this Privacy Notice, or if you want to enforce your rights, please contact HFW’s Global Privacy Officer, Sakina Chenot at privacy@hfw.com or +44 (0)20 7264 8169.
This section provides a brief summary. To find out more, please use the links on the left hand side of this page.
HFW is a law firm with offices and associated legal entities across the world. For a list of our offices and separate legal entities which may from time to time receive your personal data, please refer to the ‘Who we are’ tab. The controller of personal data collected through our Website is Holman Fenwick Willan LLP. If your personal data is collected offline, then whichever HFW entity collects it will be the controller of your personal data. Your personal data may also be shared between HFW’s offices and associated entities as necessary or appropriate. Don’t worry, we’ve put measures in place to keep your personal data safe whichever HFW entity processes it.
“Personal data” in this Privacy Notice has the same meaning as in the EU General Data Protection Regulation 2016/679/EU (GDPR). Essentially, it means information which is connected to a living individual who can be identified from that information, either by itself or when combined with other data likely to come into our possession. Personal data can include information collected by certain cookies or tracking technologies if it builds up a profile of you.
We collect and use personal data in order to carry out a business which provides legal services. Any other activities and processing which we carry out is to support this primary aim. Our purposes and lawful grounds for processing your personal data vary, depending on our relationship with you and on the activity in question. You can find out more information on this by clicking on the relevant links in the ‘What we collect and how we use it’ tab. We will never sell your personal data.
We will only keep your personal data for as long as necessary to fulfil the purposes for which we collected and continue to process it, and to satisfy any legal, accounting or reporting requirements.
Where applicable we respect your data protection rights, including to request access, rectification, restriction, deletion or “porting” of your data, and to object to our use of your data, including for marketing. We do not make decisions about you based on electronic profiling. You also have the right to complain to the applicable data protection Supervisory Authority (see the ‘Your Rights’ tab), but please contact us first so that we can address your concerns.
The controller of your personal data is Holman Fenwick Willan LLP (HFW).
If your personal data is collected offline, then whichever HFW group entity collects it will also be a controller of your personal data. Your personal data may be shared between our offices and associated entities as necessary or appropriate. Don’t worry, we’ve put measures in place to keep your personal data safe whichever HFW entity processes it.
Our offices and separate legal entities are as follows
- Holman Fenwick Willan LLP, the owner of this Website and the data controller of information gathered through it. It operates through the London, Brussels, Shanghai and Shenzhen offices. HFW is a limited liability partnership registered in England and Wales (with registered number OC343361) and is authorised and regulated by the Solicitors Regulation Authority. The firm’s registration number is 509977. HFW’s registered office is8 Bishopsgate, London EC2N 4BQ, United Kingdom. HFW is registered with the UK Information Commissioner’s Office, with registration number Z1842662.
- Our Paris office operates through Holman Fenwick Willan France LLP.
- Our Piraeus office operates through Holman Fenwick Willan International, Vassos, Exarchou & Partners Law Firm.
- Our Dubai office operates through Holman Fenwick Willan Middle East LLP.
- Our Singapore office operates through Holman Fenwick Willan Singapore LLP.
- Our Abu Dhabi office operates through Holman Fenwick Willan MEA LLP.
- Our Houston office operates through Holman Fenwick Willan USA LLP.
- Our Geneva office operates through Holman Fenwick Willan Switzerland LLP.
- Our Hong Kong office operates through Holman Fenwick Willan Hong Kong.
- Our Australian offices operate through Holman Fenwick Willan Australia.
- In Kuwait legal services are provided by Holman Fenwick Willan LLP in association with Attorney Rula Dajani.
- In Brazil legal services are provided by Costa, Albino & Rocha Sociedade de Advogados (CAR) in strategic cooperation with Holman Fenwick Willan LLP.
- In Monaco legal services are provided by HFW Monaco SARL.
- In the British Virgin Islands legal services are provided by HFW LXP BVI Ltd.
- In Saudi Arabia legal services are provided by Holman Fenwick Willan Law Firm.
If you have any questions or comments about this Privacy Notice, or if you wish to exercise your rights, please contact our Global Privacy Officer, Sakina Chenot, at anytime:
- By email: privacy@hfw.com
- By telephone: +44 (0)20 7264 8169
- By post: Sakina Chenot, Global Privacy Officer, HFW, 8 Bishopsgate, London EC2N 4BQ, United Kingdom
Please note that we can only respond to you once we have received your letter safely, and that our response may therefore be slower if you use post.
- Visitors to our Website. Please click here for more information on what personal data we process and how we use it.
- Client contacts. Please click here for more information on what personal data we process and how we use it.
- Business contacts. Please click here for more information on what personal data we process and how we use it.
- Third parties involved in client matters. Please click here for more information on what personal data we process and how we use it.
- Suppliers and service providers and their personnel. Please click here for more information on what personal data we process and how we use it.
- Visitors to our offices. Please click here for more information on what personal data we process and how we use it.
- Applicants for graduate recruitment opportunities with us. Please click here for our graduate recruitment privacy notice.
- Applicants for other opportunities with us. Please click here for our job applicant privacy notice
- Webinars. Please click here for our webinars privacy notice.
About cookies
Cookies are very small, simple text files that websites use to perform certain technical functions, which are stored on your computer. On this Website, we use cookies to count the number of visitors to the Website, to see which pages are most popular, and to see whether you are a new or returning visitor. We do not (and cannot) use cookies to identify you personally. By using our website you agree that we can set and use these cookies.
The cookies we use
Email tracking
If you register to receive our briefings, alerts or event invitations we use tracking technology to collect information about you through such emails in the following ways:
- Opening emails: if you open the email either by downloading images in the email or clicking in a link we log such activity on our database.
- View as web page: If you click on the “view it as a web page” link, a tracking code is passed in the link so that the web page is personalised in the same way as the email.
- Links to web pages: If you click on any web link, we pass a tracking code in the link to the web page which we use to log such activity on our database.
- Unsubscribe: If you click unsubscribe, we will automatically log this information on our database. If you unsubscribe from any email invitation or alert, we will continue to store your personal data on a ‘marketing suppression list’ in order to make sure that we respect your wishes in the future.
- Event RSVP buttons: In our event invitations and confirmations we provide buttons to allow you to accept, decline, cancel and register (if you are not the original recipient of the email) for that event. Clicking on these buttons will pass a tracking code so we can record your choice in our database to help us manage the event.
We do this to assess whether our emails are useful or interesting to you, and to tailor them accordingly. We also need to track whether you have accepted or rejected an event invitation, so that we can administer such events.
The personal data we collect from you may be transferred to, and stored at, a destination outside the UK/European Economic Area (“EEA”) depending upon where our client is based, which of our international network of offices is providing legal services, and where we use service providers located outside of the UK/EEA.
Transfers within the HFW group
Where personal data is transferred between HFW’s legal entities and offices to locations which the European Commission has not deemed to have ‘adequate’ protection, we have put in place Standard Contractual Clauses (Standard Contractual Clauses (SCC) (europa.eu)). These are specific contracts approved by the European Commission which give individuals’ personal data the same level of protection which would be available within the EEA. For a list of HFW’s offices and legal entities please see ‘who we are’.
Transfers to and from clients
The free flow of personal data between HFW and our clients is essential to our provision of legal services. Where personal data is transferred from:
- A UK/EEA based HFW entity/office to a client located in a country which the EU Commission deems does not provide “adequate” protection, we use the Standard Contractual Clauses: Standard Contractual Clauses (SCC) (europa.eu);
- A UK/EEA based client to a HFW entity/office located in a country which the EU Commission deems does not provide “adequate” protection, we use the Standard Contractual Clauses: Standard Contractual Clauses (SCC) (europa.eu);
- Additionally the UK Addendum will apply to the transfers (set out above) involving the flow of personal data from HFW/client in the UK to HFW/client in a country which the EU Commission deems does not provide “adequate” protection: international-data-transfer-addendum.pdf (ico.org.uk).
For further particulars/information on the arrangements set out above please Contact us.
Transfers to third parties
Where appropriate for certain client matters, we may use service providers located outside the EEA. For example a matter we are advising on may require advice from local lawyers or input from local experts. When we transfer personal data to such service providers it will usually be on an ad hoc basis, and in accordance with instructions from our clients.
Depending on the circumstances and the services we are providing we may also need to transfer personal data to other kinds of third parties, for example local regulators, parties involved in a transaction, or opponents in litigation, as necessary.
Where the recipient is located in a country which has not been deemed by the European Commission to have adequate laws in place to protect it, we transfer the personal data using one of the following measures:
- Where we use certain service providers on a recurring basis, we will seek to put in place Standard Contractual Clauses approved by the European Commission, which give personal data the same protection it has within the EEA. For more information on Standard Contractual Clauses, see Standard Contractual Clauses (SCC) (europa.eu).
- Where the transfer is on an ad hoc basis, to a service provider which we do not regularly use, we will only transfer the personal data if:
- The transfer is necessary for the establishment, exercise or defence of legal claims;
- We have the individual’s explicit consent;
- The transfer is necessary for the conclusion or performance of a contract in the interest of the individual concerned, and we are party to that contract; or
- The transfer is necessary in order to perform a contract between us and the individual concerned, or the implementation of pre-contractual measures taken at the individual’s request.
Please contact us if you would like further information on the specific mechanism used by us when transferring your personal data out of the EEA.
In order to prevent unauthorised access, distortion or disclosure of your personal data we have put in place appropriate physical, technical and organisational measures. Our service providers are required to do the same. Some of our security measures include:
- All data is managed and maintained in our secure data centres, which are accredited with the required security standards.
- We conduct an annual audit of our security controls using a third party CREST accredited security specialist. In addition, we conduct security self-assessments on a quarterly basis and report findings to our Risk Committee.
- Our finance department processes all other transaction types via an external cloud based provider which is compliant with all required security standards.
- Laptops and desktops are locked down and also kept secure by a documented suite of IT policies, including both our Information Security Policy and Computer Usage Policy. All mobile devices are encrypted.
- We have a full Business Continuity Plan in place and review it annually. It covers the restoration of the firm’s business activities in line with the SRA Code of Conduct.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our Website and any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to keep it safe, for example emails sent externally from HFW are encrypted using TLS.
Where you are using our IT services and we have given you (or you have chosen) a password to access certain parts of our Website, you are responsible for keeping this password confidential. Please do not share your password with anyone, except as required within your organisation.
We will make any legally-required disclosures of any breach of the security, confidentiality, or integrity of your electronically stored personal data to you either directly or by posting a clear notice on our Website without undue delay.
We only keep your personal data for as long as necessary to fulfil the purposes for which we collected and continue to process it, and to satisfy any legal, accounting or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
If you would like more information on our retention of the different aspects of your personal data please contact our Global Privacy Officer Sakina Chenot at privacy@hfw.com.
HFW may, from time to time, use artificial intelligence (AI) tools and products to enhance the quality and/or efficiency of its legal services or internal administrative processes and procedures.
These AI services may involve the processing of your personal data. In so far as is possible, and as required by law, we ensure that any third-party AI service providers we engage comply with applicable data protection and AI laws and we maintain appropriate technical safeguards and measures to protect your personal data and usage of AI technology.
For the avoidance of any doubt, AI is used by the firm to enhance the quality and efficiency of the firm’s services, and it does not replace the expertise of our legal professionals. Although the use of AI tools may support and inform the firm’s decision-making and advice, ultimate responsibility for, and oversight of, our work shall always remain with our experienced legal professionals and colleagues.
The GDPR provides individuals with a number of rights in relation to your personal data. These rights apply to processing of an individual’s personal data carried out by our offices in the UK and EEA and, in some circumstances, by our other group entities. Please see more information below on your rights and what we will require from you before we can respond to such requests.
- Right to object to direct marketing
You have the right to ask us not to process your personal data for marketing purposes, including profiling (eg. tracking your usage of our Website) to the extent that it is related to direct marketing. Within a reasonable time after receipt and consideration of your objection we will no longer process your personal data for direct marketing purposes. You can exercise your right to prevent such processing by ticking certain boxes on the forms we use to collect your personal data, or by contacting us at any time. - Access to Information
The GDPR gives you the right to find out whether we are processing your personal data and, where that is the case, to receive a copy of the personal data we process and information on:- why we are processing it;
- the categories of personal data we process about you;
- the recipients or categories of recipient to whom the personal data has been or will be disclosed;
- where possible, how long we plan to keep your personal data or the criteria we use to determine that period;
- information on your rights under the GDPR;
- information on where we received your personal data from if we did not receive it directly from you, and
- if we transfer your personal data outside of the EEA, details of the appropriate safeguards we have used to protect your personal data and uphold your personal data protection rights.
We will not charge you for complying with your request and providing you with a first copy. Any further copies may be subject to a reasonable administrative fee. Where your personal data is inseparable from the personal data of others, we reserve the right to redact or withhold it if it will infringe the rights of those third parties. We also reserve the right to withhold your personal data if permitted by relevant provisions in applicable local laws such as the UK’s Data Protection Act 2018.
- The right to withdraw your consent to the processing of your personal data
If we process your personal data on the grounds of your consent, you have the right to withdraw your consent at any time. This will not affect the legality of our processing of your personal data up until the point at which you withdraw your consent. Please also note that we may still need to process your personal data on other grounds, for example to fulfil a contract with you or as required by law. - The right to object to processing of your personal data
You have the right to object to our processing of your personal data if we are using the lawful grounds ‘legitimate interest’ or that the processing is in the public interest. When we receive your objection we will assess our legal grounds for processing and will stop processing the personal data if we cannot demonstrate compelling legitimate grounds to continue processing the personal data. - The right to request the restriction of your personal data
You have the right to ask us to restrict our processing of (ie. stop using) your personal data if you think that it is inaccurate, that we are processing it illegally, or that we no longer need it for the purposes for which it was collected. While we consider your request we will stop processing your personal data within a reasonable time from the date we receive your request. We will notify you of our decision and any justifications for continuing to process your personal data as soon as we can. - The right to request amendment or erasure of your personal data
You have the right to request the amendment of your personal data at any time if it is inaccurate. If it is incomplete, you have the right to have the information completed, taking into account the purposes of processing. You also have the right to require us to delete your personal data as soon as possible where one of the following applies:- the personal data is no longer necessary for the purposes for which they were collected or otherwise processed;
- you withdraw your consent to us processing your personal data and we have no other legal grounds for processing it;
- the personal data has been unlawfully processed;
- the personal data must be erased for compliance with a UK or EU legal obligation on us;
- the personal data relates to a child under 16.
- The right to personal data portability
You have the right to receive personal data which you have provided to us in a structured, commonly used and machine-readable format and have the right to transmit those personal data to another personal data controller, if we are processing it on the grounds that you have consented to that processing or because it was necessary in order to perform a contract with you, and if we have no other legal bases for processing it. This will not apply to most of our processing of your personal data, but we mention it for completeness. - The right to complain to the Supervisory Authority
If you feel that we have processed your personal data unfairly or unlawfully, you have the right to complain about us to the relevant Supervisory Authority, although please contact us first so that we can put things right.- In the UK the Supervisory Authority for personal data protection is the Information Commissioner’s Office. You can contact the Information Commissioner’s Office here or on +44 (0)303 123 1113.
- In France the Supervisory Authority is the Commission Nationale de l’Informatique et des Libertés (CNIL), which can be contacted here or on +33 (0)153 73 2222
- In Greece the Supervisory Authority is the Hellenic personal data Protection Authority (HDPA), which can be contacted at contact@dpa.gr or on +30 210 647 5600.
- In Belgium the Supervisory Authority is the Commission for the Protection of Privacy (CPP), which can be contacted at commission@privacycommission.be or on +32 (0)2 274 48 00.
How to exercise your rights
You can exercise your rights at any time by contacting our Global Privacy Officer, Sakina Chenot, at privacy@hfw.com.
Please include in your email:
- A clear statement on which rights you are seeking to enforce;
- A full description of the information or type of information that you are writing about; and
- Details which will confirm your identity, such as a scan of your passport or driving licence and a recent utility bill.
This is so that we can keep your personal data secure and respond to you as quickly as possible. If you are asking for a large range of personal data we may ask you to be more specific, so that we can manage your request as quickly and efficiently as possible.
No fee usually required
You will not usually have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
Time limit to respond
We aim to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Our Website sometimes contains links to external files and websites. The fact that we link to a file or website is not an endorsement, authorisation or representation of our affiliation with it. We do not exercise control over third party files or websites.
These other websites may place their own cookies or other files on your computer, collect data or solicit personally identifiable information from you. Other websites follow different rules regarding the use or disclosure of the personally identifiable information you submit to them. We encourage you to read the privacy policies or statements of the other websites you visit.
Our legal and ancillary services and our Website are not aimed at persons under 16. If you are a parent or guardian and you become aware that your child has provided us with personal data without your consent, please contact us.
Except in the provision of our corporate and social responsibility projects (‘CSR Projects‘) or work experience schemes, which are governed by separate privacy notices, we do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data other than for our CSR Projects, we will delete such information from our files.
Any changes we may make to our Privacy Notice in the future will be posted on this page and, where appropriate and feasible, notified to you by email.
Please check back frequently to see any updates or changes to our Privacy Notice.
July 2020: The Visitors to our Offices section of the Privacy Notice has been updated.
August 2020: A webinars section has been added to the Privacy Notice.
February 2022: The “Who we are” section has been updated.
May 2023: The “Who we are” section has been updated.
June 2023: The “Who we are” section and “Contact us” sections have been updated.
November 2023: The “Who we are” section has been updated.
September 2024: The “Who are we” section has been updated.
Last updated: 1 September 2024.