1. Commitment to Personal Data Privacy
1.1. Conyers Dill & Pearman and its affiliated entities (collectively “Conyers”, “us” “our” and “we”) are committed to maintaining the security, confidentiality and privacy of Personal Data.
1.2. “Personal Data” means information associated with a specific identifiable individual (“Data Subject”) but does not include information about corporate or commercial entities.
1.3. This Personal Data Privacy Notice documents our commitment to protecting Personal Data and is supplementary to our Employee Personal Data Protection Policy.
1.4. All Conyers staff must conduct their business in compliance with the Conyers Personal Data Privacy Principles, as set out in this Personal Data Privacy Notice, and with all applicable Personal Data protection, privacy, secrecy, electronic communications and confidentiality laws and regulations, and any other applicable laws or regulations to the extent that they relate to Personal Data privacy (“Data Privacy Laws and Regulations” or “personal data privacy”).
2. Personal Data Privacy Principles
2.1. To ensure a consistent, accountable, global approach to data privacy compliance, Conyers has implemented the following set of Personal Data Privacy Principles which establish good data privacy practices, demonstrate compliance with Data Privacy Laws and Regulations and outline Conyers’ high-level commitments to handling and using the Personal Data it collects generates, holds and/or processes.
(a) Transparency: We will be clear and transparent as to how we collect and use Personal Data, including providing a Data Subject with a statement of how we use their data where required.
(b) Fair and lawful usage: We will only collect, process and store Personal Data lawfully and where we have legitimate reason to do so..
(c) Limited purposes: We will collect and process Personal Data for specified and lawful purposes, and will not use it for further, incompatible purposes without first taking all steps necessary under applicable Data Privacy Laws and Regulations.
(d) Data minimisation and adequacy: We will ensure collection, retention and processing of Personal Data is proportionate. We will strike an appropriate balance to ensure that we process sufficient data to carry on our business and achieve any specified lawful purpose, while making sure that we do not collect, retain or process excessive amounts of Personal Data.
(e) Data quality and accuracy: We will maintain appropriate standards of Personal Data quality and integrity, and we will implement policies in respect of Personal Data accuracy, including taking steps to avoid becoming out of date where appropriate.
(f) Data security and retention: We will retain Personal Data securely, implement appropriate Personal Data retention policies, and we will dispose of Personal Data securely when it is no longer required. We will ensure that appropriate processes are put in place so only Conyers staff with a business requirement to access such Personal Data are authorised and able to do so..
(g) Training and awareness: We will ensure that Conyers staff with access to Personal Data are trained appropriately on their obligations regarding that Personal Data.
(h) Data Subject’s rights: We will ensure that the Data Subject’s rights are observed in accordance with applicable Data Privacy Laws and Regulations, including any timelines established thereby.
(i) Third parties: Where we appoint a vendor or agent, we will require them to apply standards equivalent to the Conyers Personal Data Privacy Principles. We will only disclose Personal Data to governmental or judicial bodies or law enforcement or agencies or our regulators where this is allowed by applicable Data Privacy Laws and Regulations, or otherwise required by applicable laws and regulations.
(j) Data transfers: Where we voluntarily transfer Personal Data to another Conyers entity, third party or to another jurisdiction, we will ensure that the personal data transfer is lawful and that the recipient is required to apply the same, or equivalent, standards as the Conyers Personal Data Privacy Principles..
3.1. Conyers is responsible for Personal Data in its possession or control. We have designated an individual to be responsible for compliance with this Personal Data Privacy Notice and have adopted procedures to protect Personal Data, receive and respond to complaints, access requests and inquiries, train staff regarding policies and procedures and communicate our policies to a Data Subject as required. We will monitor ongoing developments in privacy legislation and make changes to this Personal Data Privacy Notice as required.
3.2. For the purposes of the European Union’s General Data Protection Regulation and the Cayman Islands’ Data Protection Law, Conyers collects and processes Personal Data and acts as a Data Controller. In delivering our services, Personal Data that is collected through our website or by any of our staff may be transferred between our servers and offices, including our data centre, which is located in Toronto, Canada. As such our various offices may act as joint Data Controllers of Personal Data. Our London office acts as our European Union representative. Further, where we use the services of third parties as Data Processors, whether as software as a service or for cloud server storage, we confirm their responsibilities as Data Processors.
4. What We Collect
4.1 In addition to Personal Data provided to us through our staff or website, we may also collect information that is publicly available. The Personal Data we may hold includes
(a) Contact information, including name, telephone number, address and email address;
(b Occupation and employer details;
(c) Identification documents (which may include gender, nationality, photograph, signature, date of birth, etc.) and numbers necessary to meet our legal obligations, such as those related to anti-money laundering and “know-your-customer” requirements;
(d) IP addresses; and
(e) Details related to marketing our services, including recording usage of our website and the mailing lists for which a Data Subject have subscribed or unsubscribed.
5.1. Conyers comes into the possession of Personal Data in order to provide professional services. Conyers only collects and processes Personal Data if it is lawful to do so, specifically where:
(a) it is required to fulfil a contract with a Data Subject;
(b) it is required for us to comply with the law;
(c) it is necessary for us to perform a task in the public interest;
(d) it is necessary for our legitimate interests, or the legitimate interests of a third party; or
(e) a Data Subject has provided us with their consent.
5.2. Personal Data may be used for the following purposes:
(a) to meet our regulatory, legal and professional obligations;
(b) to establish and manage our relationship with a Data Subject;
(c) to provide legal advice and services;
(d) to monitor and manage the performance of our business operations;
(e) to manage conflicts of interest;
(f) to analyse performance, and generate internal reports;
(g) to assess risks including legal and financial risks;
(h) to invoice and process payments;
(i) to process applications for employment;
(j) to monitor visitor traffic to and usage of the Conyers website;
(k) to market our services;
(l) to engage in business transactions;
(m) to prevent fraud;
(n) to undertake network and information security activities; and
(o) for any other purposes for which we have a Data Subject’s consent, or for which Conyers or its third parties have a legitimate interest.
5.3. Conyers collects and processes Personal Data in order to fulfil its contractual obligations with a Data Subject and to meet our applicable statutory obligations. If a Data Subject decides not to provide us with necessary Personal Data this may prevent us from meeting our legal obligations, and therefore prevent us from performing our services for a Data Subject.
6. Limits on Collection, Use, Retention and Disclosure of Personal Data
6.1. Conyers does not retain any more Data Subject Personal Data than we believe is necessary for any of the purposes set out in this Personal Data Privacy Notice or which is dictated by legal or professional requirements, and retain and destroy Personal Data in accordance with our Records and File Retention and Destruction Policy. We will destroy, erase or make anonymous documents or other records containing Personal Data as soon as it is reasonable to assume that the original purpose of obtaining and storing it is no longer being served by retention of the Personal Data or retention is no longer necessary for legal, business or professional purposes. We will take reasonable care when destroying Personal Data so as to prevent unauthorized access.
7. Transfer of Information
7.1. Transfers to Third Parties. Conyers may, from time to time, use third parties in the course of conducting its business. Conyers will use reasonable efforts to ensure that third parties are bound by the terms of this Personal Data Privacy Notice or a similar policy.
7.2. International Transfers. Data Subject Personal Data may be transferred to or accessed from countries that may not have data protection laws equivalent to those of a Data Subject country. Unless we have Data Subject consent to transfer Data Subject Personal Data, the transfer is necessary for the performance of a contract, for the establishment, exercise or defence of legal claims, or is otherwise permitted by applicable data protection and privacy laws, we will only transfer Data Subject Personal Data to a country considered to have an adequate level of protection. If such a country does not have equivalent privacy laws, Conyers will ensure it has the appropriate safeguards in place; such safeguards may include binding corporate policies and procedures, standard contractual data protection clauses approved by applicable supervisory authorities, an approved employee code of conduct, or an approved certification mechanism.
8. Data Subject’s Rights
8.1. Right to Access. A Data Subject has the right to request and obtain from us the details of Data Subject Personal Data and how it is processed, including the purposes of processing, whether it has been disclosed to third parties, and how long we intend to hold on to the data. Data Subject information will be provided upon written request and we reserve the right to request authentication of identity in the event of such a request.
8.2. Right to Withdraw Consent. Where a Data Subject has consented to us processing Data Subject Personal Data, the Data Subject has the right to withdraw that consent at any time. If we consider that the withdrawal of such consent will impede our ability to provide any service to the Data Subject we reserve the right to terminate our service in the event of such a withdrawal.
8.3. Right to Accuracy/Rectification. A Data Subject has the right to request that we rectify inaccurate Personal Data concerning the Data Subject.
8.4. Right to Object To or Restrict Processing. A Data Subject has the right to object to or request that we restrict processing their Personal Data if:
(a) they believe the Personal Data we hold about them is inaccurate;
(b) they believe the processing is unlawful but they oppose us erasing their Personal Data;
(c) we no longer need to process the Personal Data but they require it for the establishment, exercise or defence of legal claims; or
(d) they object to the grounds upon which we have determined that processing their data is legitimate.
We are required to comply with their request unless the processing is to meet the conditions of a contract, under a legal obligation, in order to protect the vital interests of an individual, or otherwise permitted under applicable law.
8.5. Right to Object to Processing for Direct Marketing. A Data Subject has the right at any time to object to the processing of their data for direct marketing purposes.
8.6. Right to Avoid Automated Decision Making. A Data Subject has the right not to be subject to a decision based solely on automated processing (i.e. a decision made without human involvement), including profiling, which produces legal or similarly significant effects concerning them, unless it is necessary for entering into, or the performance of, a contract between the Data Subject and Conyers.
8.7. Right to Data Portability. A Data Subject has the right to receive their Personal Data in a machine-readable format and the right to have that information transferred to another data controller, where technically feasible.
8.8. Right to Erasure/”Right to Be Forgotten”. A Data Subject has the right to request for us to erase their Personal Data. We will fulfil this request provided that there are no legal requirements for us to continue processing their Personal Data.
8.9. A Data Subject’s Right to Raise Concerns. Conyers has procedures in place to receive and respond to complaints or inquiries about our policies and practices relating to the handling of Personal Data. If a Data Subject has any questions or concerns about their Personal Data or how it is being used by Conyers, they can contact our Data Protection Officer at the address below. If we are unable to satisfactorily address their concerns, they have the right to communicate with the relevant supervisory authority.
9.1. A Data Subject is required to advise us of any changes that may impact the services we are providing. From time to time, they may be asked to verify or update their Personal Data.
10. Safeguarding Personal Data
10.1. Conyers protects the Personal Data in its custody or control by making reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification or disposal, in accordance with our information technology and security policies, which are reviewed and tested on a regular basis. Confidentiality and security are not assured when information is transmitted through e-mail or other wireless communication. Conyers will not be responsible for any loss or damage suffered as a result of a breach of security and/or confidentiality when information is transmitted by e-mail or wireless communication. We will take a Data Subject’s use of a particular mode of communication as permission for us to communicate with them using the same mode of communication unless otherwise instructed by the Data Subject.
11. Cookies and our Website
11.2. Cookies are small files that are downloaded onto a Data Subject’s computer to help improve their browsing experience and enable us to evaluate how people use our website. We currently use a session cookie and a persistent cookie. The session cookie is temporary and stored on their computer only for as long as they visit our website. The persistent cookie is uploaded to their computer only after they check the “Remember Me” box and enables them to store information to more quickly access password protected portions of our website.
11.3. Our website may from time to time contain links to third party websites. Conyers does not take responsibility for the privacy practices of any third party website. Please advise the Data Subject to read the policies of any third-party website they visit.
12. Contact Us
12.1. If a Data Subject has any questions about this Personal Data Privacy Notice or their Personal Data they may direct their inquiries in writing to the Data Protection Officer at [email protected] or write us at P.O. Box 666, Hamilton HM CX, Bermuda.
12.2. Conyers reserves the right to amend this Personal Data Privacy Notice from time to time without prior notice to Data Subjects. Please check our website periodically at www.conyers.com to see if any changes have been made.
Last updated April 2021.