
Law firms typically collect personal data subject to the GDPR in the following five contexts:

  1. Employee data. If a law firm has employees in the European Union, the human resource data that it collects about those employees is most likely subject to the GDPR. Such data may also be subject to national employment privacy regulations of the relevant Member State.
  2. Data about potential clients. Most law firms collect personal information about potential or prospective clients. Such data is typically used to target potential clients, plan pitches, tailor responses to requests for proposals, or send direct marketing. Personal data about prospective clients may be subject to the GDPR if it is processed in the context of an establishment in Europe (e.g., a European office of a law firm), or if the data is used to market to individuals located within Europe. Furthermore, direct marketing activities to potential or prospective clients in Europe may also fall under the application of the EU ePrivacy Directive 2002/58/EC, which imposes additional consent requirements.
  3. Data about the law firm’s clients. Most law firms collect personal information about their clients, or about individuals that work for their clients. Such data is typically used by a law firm for a variety of purposes including running conflicts, sending out invoices, collecting money owed to the law firm, transmitting marketing, and communicating with clients about projects and engagements. Personal data about existing clients may be subject to the GDPR if it is processed in the context of a European establishment of the law firm (e.g., if the matter is handled out of a European office of the firm) or if the client (to the extent that the client is an individual, such as a private client) is located within Europe.
  4. Data received from clients to be used in a representation. Clients often transmit to their law firm personal data that is relevant to a particular matter or representation. For example, if a client retains a law firm to defend it in conjunction with a sexual harassment lawsuit brought by an employee, the client might transmit information about the employee, her supervisors, or her colleagues. Such data will be subject to the GDPR if it is processed in the context of a European establishment of the law firm (e.g., if the matter is handled out of a European office of the firm). It is also possible that if a private client (e.g., an individual as opposed to a corporation) that is located in Europe transmits information about themselves to be used in a representation, that data is also subject to the GDPR. So, for example, if a client provides personal information about a third person to their European attorney in relation to a potential crime, contract violation, or request for legal advice, that information would be governed by the GDPR.[1]
  5. Data from other sources to be used in a representation. Attorneys often receive personal data from third parties that may be relevant to a particular representation. For example, in the United States an attorney may serve a document request on an opposing party or a subpoena on a third party that asks for personal data that may be relevant to litigation. Such data may be subject to the GDPR if it is processed in the context of a European establishment of the law firm (e.g., if the matter is handled out of a European office of the firm).

[1] See UK Information Commissioner's Office, Data Controllers and Data Processors: What the Difference Is and What the Governance Implications Are (2014) at ¶¶ 40-43. Note that while this guidance predated the GDPR, the application of the underlying principle as it impacts processing in the context of a lawyer's establishment in Europe is consistent with the territorial scope of the GDPR.

David A. Zetoony


David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

David receives regular recognitions from clients and peers for his knowledge and experience in the fields of data privacy and security. The National Law Journal named him a "Cybersecurity and Data Privacy Trailblazer," JD Supra recognized him four times as one of the most widely read names when it comes to data privacy, cyber security, or the collection and use of data, and Lexology identified him six times as the top "legal influencer" in the area of technology, media, and telecommunications in the United States, the European Union, and in the context of cross-border transfers of information. He is the author of the American Bar Association's primary publication on the European General Data Protection Regulation (GDPR) and is writing the American Bar Association's primary publication on the California Consumer Privacy Act (CCPA).