Privacy notice - third parties | Eversheds Sutherland

15390854 - yellow color fireworks on floor and background15390854 - yellow color fireworks on floor and background

Privacy Notice: Third Parties

For a customer of an Eversheds Sutherland client, a supplier or a press contact, etc.

Last updated: February 2025

Quick links

Use the links below to go straight to the information you need.

About this notice

This privacy notice applies to the processing of personal data by the Eversheds Sutherland Limited network of law firms (referred to collectively as “Eversheds Sutherland Limited”, “we”, “us” or “our”) except for the ES entities in Austria, Belgium, Finland, Hungary, Ireland, Italy, Sweden, Switzerland, Konexo Malaysia and Konexo Singapore which have their own Privacy Notices that apply instead. More information about the Eversheds Sutherland Limited network of law firms can be found here.  

We are committed to protecting the privacy of your data and respecting your associated rights. This notice explains how and why Eversheds Sutherland Limited use your personal data in connection with our legal advice and related services and our general business operations. You should read this notice if you are not an Eversheds Sutherland Limited client but you are dealing with us in relation to any service that we provide; where you are providing us with a or offering to provide us with a product or service, where you are attending a seminar or other event we are hosting; or where you are any other type of third party in communication or dealing with us.  There may be circumstances when your personal data is provided to us by a third party because you are the subject of, or your data is otherwise included in, legal advice we are asked to provide to that third party client (for example, we may be advising on a dispute which you are party to, or you may be the subject of an investigation we are conducting for a client).  References in this notice to “you” or “your” are references to individuals whose personal data we process in connection with our legal advice and related services and our general business operations.  References to our “customers”, “suppliers” or “third parties” includes their employees or other staff whose personal data we process.

Eversheds Sutherland (International) LLP  and its controlled, managed or affiliated firms are independent is a "controllers" in relation to its their use of your personal data.  For the purposes of applicable data protection laws, in particular the General Data Protection Regulation, the UKGDPR and the Data Protection Act 2018, your data will be controlled by the Eversheds Sutherland Limited entity that you or your organization has instructed or that is providing services to or communicating with you or your organization.

The term “controller” is a legal term – it means that we make decisions about how and why we use your personal data and, because of this, we are responsible for making sure it is used in accordance with applicable data protection laws. The controller in respect of personal data processed in connection with the www.eversheds-sutherland.com website is Eversheds Sutherland (International) LLP. For the purposes of this notice, the controller will be the relevant ES entity you or your organization are dealing with or have communications with, or if you are a supplier, the relevant ES entity that you or your organization are contracting with (or looking to contract with). Click here for a list of the Eversheds Sutherland operating entities and their contact details. 

In limited circumstances, where we work with a consultant to provide legal advice on a matter that you or your organization may be involved in or be a party to, we and the consultant may be joint controllers of your personal data in relation to the consultant’s processing to provide legal advice on that matter. Where this is the case, it will be notified to you or your organization by the consultant, to the extent that you have contact with the consultant. If you have any questions about our joint controllership with a consultant, or to exercise your rights in relation to personal data which is jointly controlled, please contact us as set out in this privacy notice.

In this notice, when we talk about personal data we mean any information that relates to an identifiable natural person – in this case, you.

You should read this privacy notice, so you know what personal data we collect about you, what we do with it and how you can exercise your rights in connection with it. You should also read any other privacy notices that we give you, that might apply to our use of your personal data in specific circumstances from time to time; as well as our website terms of use, cookie policy and legal notice. If you have any questions about this privacy notice, please contact dataprotectionoffice@eversheds-sutherland.com.

What types of personal data do we collect and where do we get it from?

The personal information we process about you broadly falls into four main categories: (i) contact information; (ii) Identity and other regulatory information; (iii) matter, Financial, and Payment information; and (iv) browsing and device usage Information.

We collect your personal information from various sources. The table below sets out the different types of personal information that we collect and the sources we collect it from.

 
Category Types of personal data Collected from 
Contact Information
  • Name
  • Address
  • Telephone number
  • Organization details (e.g. your place of work, job title and organization contact information)
  • Our clients
  • You or someone within your organization
  • Publicly available resources such as LinkedIn and Google
     
Identity and Other Regulatory Information
  • Date of birth
  • Identification information (e.g. passport, utility bill and/or bank statement)
  • You or someone within your organization
  • Third party systems used for our regulatory checks
Matter, Financial and Payment Information
  • Details relating to your or your organization’s communications, enquiries, involvement or other dealings with us or our clients and their matters
  • User IDs and passwords used by you in relation to our platforms and services
  • You/your organization’s billing, payment and banking details
 
  • Our clients
  • You or someone within your organization
  • Third parties also involved in those dealings, enquiries or communications
Browsing and Device Usage Information
  • Information automatically generated through your use of our websites and other digital platforms
  • IP address
  • Login data
  • Browser type and version
  • Information revealing the location and type of your electronic device
     
  • You and your use of our digital platforms

Please note that if you do not provide us with your contact information we may not be able to provide you with any information you request, and if you are a supplier or prospective supplier and you do not provide us with certain other information, we may not be able to enter into a contract with you.

Information about other people

If you provide information to us about any person other than yourself, including but not limited to your employees, colleagues and staff, counterparties, advisers, suppliers or third parties, you should ensure that they understand how their information will be used by us, and that they are aware that it is being disclosed to us and to allow us, and our third party service providers, to use it, in accordance with this privacy notice.

Special category and criminal record data

We may also process certain special categories of personal data in the course of our dealings with you, we may be required to process sensitive personal information relating to you (that is, information about your racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life and sexual orientation or details of criminal offences, or genetic or biometric data). We only process this type of information about you where you have given explicit consent, it is necessary for the establishment, exercise or defence of a legal claim or where it is necessary for reasons of substantial public interest. We may also process  information relating to your criminal record where applicable. These types of data require a higher standard of protection under data protection laws and additional lawful bases apply. 

The special categories of personal data purposes table below sets out the different purposes for which we process special categories of your personal data and the relevant lawful basis on which we rely for that processing. The purposes applicable to you will vary according to the relevant Eversheds Sutherland Limited controller of your personal data (as explained in the introductory paragraph above). For some processing activities, we consider that more than one legal basis may be relevant – depending on the circumstances. We also have policies in place explaining our procedures for ensuring compliance with applicable laws in connection with the processing of special categories of personal data.

What do we do with your personal data, and why?

We use your personal data for a number of different purposes. We will always have a “lawful basis” (i.e. a reason, prescribed by law) for processing your personal data. The personal data table below sets out the purposes for which we process the different categories of your personal data and the corresponding lawful basis for that processing. The purposes applicable to you will vary according to the relevant Eversheds Sutherland controller of your personal data (as explained in the introductory paragraph above). For some processing activities, we consider that more than one lawful basis may be relevant – depending on the circumstances.

Cookies and similar technologies

For more information regarding how we use cookies and similar technologies in connection with your use of our platforms, please read our Cookies Policy.

Who do we share your personal data with, and why?

Sometimes we share your personal data with third parties where permitted by law, including the following:

  • other entities in or branches or offices of Eversheds Sutherland Limited where necessary in connection with the legal matters we are instructed on or with our business operations. You can find a list of the countries in which we operate here;
  • our clients, barristers, other law firms (or legal consultants) mediators, experts, translators, couriers and other legal or professional specialists,  , service providers and the courts as applicable in the context of the legal services we provide to our clients;
  • courts and other judicial or official bodies, where we are asked to respond to an order or other binding requests;
  • regulatory bodies, government officials and law enforcement agencies, where necessary for any investigations or to respond to enquiries in relation to our compliance with applicable law or regulations or in connection with criminal investigations, or where otherwise permitted or required by applicable law;
  • to other individuals within your organization or the client organization who are involved in instructing us on a matter you are involved in, for example where we have obtained your personal data in the course of providing legal services to any of our clients, we may disclose it to that client, and where permitted by law, to others for the purpose of providing those services;
  • if we buy or sell any business or assets or assign or novate our rights and obligations, in which case we may disclose your personal data to the prospective seller or buyer or assignee;   and
  • professional advisors (such as third party law firms, auditors and accountants) and third parties in connection with our legitimate business activities;
  • or where it is reasonably necessary for the establishment, exercise or defense of a legal or equitable claim, or for the purposes of a confidential alternative dispute resolution process;.

These organizations may also use your personal data as a “controller” – they will have their own privacy notices which you should read, and they have their own responsibilities to comply with applicable data protection laws.

We also ask third party service providers outside of Eversheds Sutherland Limited to carry out certain business functions for us. These include: 

  • IT support, cloud platform, service centers, back office support and data hosting providers who help us with the operation of our websites, mobile applications, data rooms, document and workflow management systems and other systems and applications and systems support and security;
  • third party debt recovery organizations where we need to recover any money owed to us;
  • survey providers who help collate feedback for us to enable us to review and analyse our performance and to improve and promote our services; and
  • third party companies providing services for money laundering and terrorist financing checks, credit risk reduction and other fraud and crime prevention purposes and companies providing similar services, including financial institutions, credit reference agencies and regulatory bodies with whom such personal data is shared.
We will have in place an agreement with our service providers which will restrict how they are able to process your personal data on our behalf and in accordance with our instructions and we impose appropriate security standards on them.

Where is your personal data transferred to?

Since Eversheds Sutherland Limited is a network of different law firms operating globally, we will sometimes need to transfer your personal data to recipients in jurisdictions other than your own. Some of these jurisdictions may not provide the same level of protection to your personal data as provided in your jurisdiction. If we transfer your personal data outside the European Union or the United Kingdom, we will only make that transfer if:

  • the recipient country ensures an adequate level of protection for your personal data, akin to the protection afforded to your data in its own territory; or
  • the recipient or recipient country is subject to an approved certification mechanism or code of conduct with binding and enforceable commitments which amount to appropriate safeguards for your personal data; or we have put in place appropriate safeguards to protect your personal data, such as a contract with the person or entity receiving your personal data which incorporates specific provisions as directed by the European Commission; or
  • the transfer is permitted by applicable laws; or
  • you explicitly consent to the transfer.

If you would like to see a copy of any relevant safeguards used by us to protect the transfer of your personal data, please contact datagovernance@eversheds-sutherland.com.

How do we keep your personal data secure?

We will put in place appropriate security measures to protect your personal data from unlawful unauthorized or accidental processing including access, loss, destruction, disclosure, alteration or damage.  We also have a robust process for dealing with any potential data breaches and will make the necessary notifications to you or the appropriate regulator in circumstances that require us to do so.

However, please note that, in relation to any personal data you submit to us online, we cannot guarantee the security of data sent to us in this way. Transmission of data over the internet is at your own risk. You are responsible for keeping any passwords safe which you use to access Eversheds Sutherland platforms.

How long do we keep your personal data for?

We will only retain your personal data for a limited period of time, and for no longer than is necessary for the purposes for which we are processing it for. This will depend on a number of factors, including:

  • any laws or regulations that we are required to follow;
  • whether we are in a legal or other type of dispute with each other or any third party;
  • the type of information that we hold about you; and
  • whether we are asked by you or a regulatory authority to keep your personal data for a valid reason.

At the end of the applicable retention period, your personal data will be securely destroyed in accordance with applicable laws and regulations.

What are your privacy rights and how can you exercise them?

Where our processing of your personal data is based on your consent (see purposes for processing personal data table below), you have the right to withdraw your consent at any time. If you do decide to withdraw your consent we will stop processing your personal data for that purpose, unless there is another lawful basis we can rely on – in which case, we will let you know.

Where our processing of your personal data is based on the legitimate interests lawful basis consent (see purposes for processing personal data table below), you can object to this processing at any time. If you do this, we will need to show either a compelling reason why our processing should continue, which overrides your interests, rights and freedoms or that the processing is necessary for us to establish, exercise or defend a legal claim.

Depending on the circumstances, you may have the right to:

  • access your personal data and to be provided with certain information in relation to it, such as the purpose for which it is processed, the recipients or categories of recipient to whom it is disclosed and the period for which it will be stored (there are exceptions to this right, so we may deny requests for access in circumstances where providing you with the information would reveal personal data about another individual or put us in breach of other legal and regulatory obligations);
  • require us to correct any inaccuracies in your personal data without undue delay (we encourage you to notify us if any of the personal data we may hold about you has changed.  We will not be responsible for any loss or damage caused as a result of the processing of inaccurate, false or incomplete personal data that you have shared with us);
  • require us to erase your personal data;
  • require us to restrict processing of your personal data;
  • receive the personal data which you have provided to us, in a machine readable format, where we are processing it on the basis of your consent or because it is necessary for your contract with us and where the processing is automated; and
  • object to a decision that we make which is based solely on automated processing of your personal data.
     

These rights are not absolute and may not always apply to you, in all circumstances. Please contact us at datagovernance@eversheds-sutherland.com if you would like to exercise any of your privacy rights.

We also encourage you to let us know if you have any concern about how we are processing your personal data so we can try to resolve your concerns. However, if you consider that we are in breach of our obligations under data protection laws, you are always entitled to submit a complaint with your data protection supervisory authority – for contact details see here.

Purposes for processing personal data

  Lawful basis
Purposes of processing  Your consent To perform a contract with you To comply with a legal obligation For our legitimate interests

Matter Related Purposes
Responding to your enquiries      

Yes (It is important that we can respond to your enquiries)
Resolving any complaints from or disputes with you     Yes  
Performing identity checks (including those against third party sources) for identity verification purposes     Yes Yes (We need to verify the identities of people we deal with and ensure we do not deal with the proceeds of crime or assist in any other unlawful or fraudulent activities such as terrorism)
Carrying out various tasks and services in connection with our clients’ matters which may involve you (eg arranging for monies due to you to be paid, sending you documents in relation to a court case or consulting and further processing documents which relate to you, or providing information about you which  is on official government department lists (e.g. sanctions lists) which are publicly available to our clients    Yes   Yes (We need to be able to carry out the tasks required in connection the provision of legal advice to our clients and other related services) 

Legal and Regulatory Compliance and Reporting
Monitoring our systems and processes to identify, record, and prevent fraudulent, criminal and/or otherwise illegal activity     Yes Yes (We need to be able to monitor our systems in this way to help protect them, us and you from illegal activity)
Complying with instructions, orders and requests from law enforcement agencies, any court or otherwise as required by law     Yes  
Complying with our general regulatory and statutory obligations (including our responsibilities under codes of conduct and anti-bribery laws)       Yes  
Purchasing, maintaining and claiming against our insurance policies       Yes Yes (It is in our interests to protect our business against specified losses) 
Training our staff      Yes Yes (Sometimes, it is appropriate for us to use your personal information so that we can provide our staff with training to manage risk and improve the quality of our services) 
Continuously reviewing and improving our products and services (including by seeking and obtaining your feedback) and developing new ones        Yes (We have a legitimate interest in making sure that we are continuously improving our service offering) 
Complying with instructions from our clients in relation to their regulatory obligations (including recording our telephone communications with you)        Yes (Sometimes, we need to record calls to our teams to assist with our clients’ regulatory obligations, and for training and quality purposes) 

General Business Requirements
Obtaining legal advice, and establishing, defending and enforcing our legal rights and obligations in connection with, any legal proceedings (including prospective legal proceedings)       Yes (We must be able to establish and defend our legal rights and understand our obligations, and seek legal advice in connection with them)
Monitoring and producing statistical information regarding the use of our platforms, and analysing and improving their functionality       Yes (We need to perform this limited routine monitoring to make sure our platforms work properly) 
Managing the proposed sale, restructuring, transfer or merging of any or all part(s) of our business, including to respond to queries from the prospective buyer or merging organisation       Yes Yes (We have a legitimate interest in being able to sell any part of our business)
Maintaining the security and integrity of our systems, platforms, premises and communications (and detecting and preventing actual or potential threats to the same)    Yes    Yes (We need to make sure our that our business processes are secure)
Managing supplier relationships and conducting procurement activities, including onboarding suppliers, carrying out due diligence checks, managing contracts, and facilitating the purchase of goods and services.
   Yes  Yes  Yes (We have a legitimate interest in ensuring effective supplier engagement, procurement operations, and risk management) 

 

© Eversheds Sutherland 2026. All rights reserved. Eversheds Sutherland is a provider of legal and other services operating through various separate and distinct legal entities. For further information about these entities and Eversheds Sutherlands' structure please see the Legal Notice page of this website.

Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed or affiliated firms and the members of Eversheds Sutherland (Europe) Limited and Eversheds Sutherland (Africa) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global entity. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client. For further information about these Eversheds Sutherland Entities and Eversheds Sutherlands’ structure please see the Legal Notices page of this website. For information on Konexo please also see the Legal Notices page of this website.