Law firms typically collect personal data subject to the GDPR in the following five contexts:
- Employee data. If a law firm has employees in the European Union, the human resource data that it collects about those employees is most likely subject to the GDPR. Such data may also be subject to national employment privacy regulations of the relevant Member State.
- Data about potential clients. Most law firms collect personal information about potential or prospective clients. Such data is typically used to target potential clients, plan pitches, tailor responses to requests for proposals, or send direct marketing. Personal data about prospective clients may be subject to the GDPR if it is processed in the context of an establishment in Europe (e.g., a European office of a law firm), or if the data is used to market to individuals located within Europe. Furthermore, direct marketing activities to potential or prospective clients in Europe may also fall under the application of the EU ePrivacy Directive 2002/58/EC, which imposes additional consent requirements.
- Data about the law firm’s clients. Most law firms collect personal information about their clients, or about individuals that work for their clients. Such data is typically used by a law firm for a variety of purposes including running conflicts, sending out invoices, collecting money owed to the law firm, transmitting marketing, and communicating with clients about projects and engagements. Personal data about existing clients may be subject to the GDPR if it is processed in the context of a European establishment of the law firm (e.g., if the matter is handled out of a European office of the firm) or if the client (to the extent that the client is an individual, such as a private client) is located within Europe.
- Data received from clients to be used in a representation. Clients often transmit to their law firm personal data that is relevant to a particular matter or representation. For example, if a client retains a law firm to defend it in a sexual harassment lawsuit brought by an employee, the client might transmit information about the employee, her supervisors, or her colleagues. Such data will be subject to the GDPR if it is processed in the context of a European establishment of the law firm (e.g., if the matter is handled out of a European office of the firm). It is also possible that, if a private client (e.g., an individual as opposed to a corporation) located in Europe transmits information about themselves to be used in a representation, that data is likewise subject to the GDPR. For example, if a client provides personal information about a third person to their European attorney in relation to a potential crime, contract violation, or request for legal advice, that information would be governed by the GDPR.
- Data from other sources to be used in a representation. Attorneys often receive personal data from third parties that may be relevant to a particular representation. For example, in the United States an attorney may serve a document request on an opposing party or a subpoena on a third party that asks for personal data that may be relevant to litigation. Such data may be subject to the GDPR if it is processed in the context of a European establishment of the law firm (e.g., if the matter is handled out of a European office of the firm).
See UK Information Commissioner's Office, Data Controllers and Data Processors: What the Difference Is and What the Governance Implications Are (2014), ¶¶ 40-43. Note that, while this guidance predates the GDPR, the application of the underlying principle as it impacts processing in the context of a lawyer's establishment in Europe is consistent with the territorial scope of the GDPR.