Privacy notice - clients | Eversheds Sutherland

15390854 - yellow color fireworks on floor and background15390854 - yellow color fireworks on floor and background

Privacy Notice: Clients

A client, prospective client, someone who has signed up to receive marketing communications from Eversheds Sutherland or just browsing the Eversheds Sutherland website

These conditions shall be effective as of 12 March 2023.  

0. INTRODUCTION:

EVERSHEDS SUTHERLAND NICEA, S.L.P., is an entity of Spanish nationality dedicated to legal advice, with registered office at Paseo de la Castellana nº 66 (CP 28046) Madrid, C.I.F. number B-85715357 and registered in the Mercantile Register of Madrid, Volume 26.767, Folio 60, Section 8, Page M-482319 (hereinafter, "EVS", "We" or the "Company").

In the provision of legal services, EVS processes data of its clients (the "Clients"), their employees and/or representatives and, in general, of all natural persons whose information is relevant to the provision of advice (hereinafter, the "Personal Data"). In order to protect the privacy of the individuals concerned, we have drafted this Privacy and Data Processing Policy (the "Policy"), which applies to all Personal Data that we process as a result of our professional relationship with each Client, whether provided by the Client, collected as a result of our interaction with the Client or through any other channel.

In general and unless otherwise indicated, EVS shall act as Data Controller in relation to data relating to its Clients, representatives and employees insofar as it processes Personal Data in order to manage the legal or commercial relationship with the same, to comply with obligations relating to tax legislation or the prevention of money laundering, and even when such personal data is processed for the ultimate purpose of providing services to its clients, since the processing carried out in these cases is subject to the code of ethics of the legal profession and must be carried out with the necessary professional independence, such as the representation of the Client in a negotiation, the issuing of a legal opinion, representation before public administrations and/or representation in litigation (as confirmed by the European Data Protection Committee in its Guidelines 07/2020). In these cases, the provisions of the following Paragraph 1 of this Policy shall apply.

Only and exceptionally when the specific content of the mandate received from a Client mainly concerns the processing of personal data (such as, for example, the performance of a due diligence on the employment situation of the Client's staff), EVS shall act as a Data Processor. In this case, the Client determines the purposes and means of the processing, for example in the case of the outsourcing of labour law advice, or in the data protection consultancy service itself. In these cases, it shall be expressly stated in the offer and/or order form that EVS shall act as Data Processor and the provisions of the following Section 2 of this Policy shall apply.

EVS currently has an appointed Data Protection Officer. To contact the EVS Data Protection Officer, please send an email to the following address: privacy@eversheds- sutherland.es

 

1. EVERSHEDS AS DATA CONTROLLER:

 
1.1.- COLLECTION, PROCESSING AND PURPOSES

The Personal Data will be incorporated into a file owned by EVS (data controller) located within the European Union and which will comply with the requirements of the applicable legislation.

We collect and process Personal Data to manage our contractual and commercial relationship with the Client (on the legal basis of the performance of the contract) as well as other purposes related to such performance (on the legal basis of the fulfilment of a legal obligation or an overriding legitimate interest). We also process Personal Data and in accordance with the prevailing legitimate interest in defending the interests of our Clients in accordance with the ethical and legal rules governing the practice of law.

We also process Personal Data to inform our Customers about the services we provide that we believe may be of interest to them. For current or recent Clients, the legitimacy for this processing is our legitimate interest in developing business. Otherwise, the basis for sending commercial and marketing communications will be the consent given to us (either verbally or in writing, through the exchange of business cards followed by a confirmation email or by connecting with us or our lawyers on professional social networks such as LinkedIn). Where processing is based on consent, consent may be revoked at any time and such revocation will take effect from the time we actually receive it.

We also process Personal Data for the identification of the beneficial owner and his or her personal circumstances in order to take appropriate risk-based measures to verify the identity of the beneficial owner prior to the establishment of business relationships or the execution of any transactions (based on the Legal obligation of Law 10/2010 of 28 April 2010 on the prevention of money laundering and terrorist financing (obliged subject)).

We also process Personal Data to maintain a relationship with the company you represent and/or in which the person whose data we hold works (based on EVS's overriding legitimate interest with respect to the processing of contact data in other companies and/or professionals) and to carry out all actions necessary for our business management (based on our legitimate interest in managing our business and/or in compliance with a legal obligation).

In general, the Personal Data of third parties will be processed on the basis of the legitimate interest consisting of the right of defence and the right to effective judicial protection contained in article 24 of the Spanish Constitution.

If you formally request a proposal for services, contract any service with us, or participate in any training or event that we organise, it is a contractual requirement that you provide us with the appropriate identification data. If you do not agree to this, we will unfortunately not be able to provide the requested service in such cases. We also need to request certain information in order to comply with our legal obligations (including those arising under anti-money laundering or fraud prevention legislation) and we will not be able to provide our services if we do not obtain the necessary information.

Personal Data will be retained for the duration of the contractual relationship with Us, and beyond that, for as long as We are obliged to retain such data and/or documentation on which it is contained (as is the case, for example, with data processed to comply with our obligations to prevent money laundering and/or data contained in official EVS correspondence). They shall also be retained beyond such contractual duration, but duly blocked, for the limitation periods required by applicable law.

In the event that Personal Data is processed with your consent for the purpose of sending commercial communications or is collected and processed by us on the legitimate basis of maintaining legal relations with Customers, we will process the data indefinitely until your consent is revoked or a right of objection is exercised, unless the data becomes inaccurate and/or irrelevant before then.

 
1.2.- TRANSFER AND/OR COMMUNICATION OF INFORMATION

We do not sell or otherwise disclose the information we collect. We may transfer your data to other companies within our group or the group of entities operating under the "Eversheds Sutherland" brand for the same purposes for which we collect or collect Personal Data, for reasons of business reorganisation or when there is a sale of the company, as well as to provide services in the most effective way possible. We also disclose data to the competent authorities if the disclosure is legally required (on the legal basis of the fulfilment of a legal obligation). In other cases, we will ask for your consent.

Other recipients of Personal Data will include, in addition, only those entities or persons who provide services to us in support of the services we provide, which entity or persons qualify as processors and include: (i) tax and account managers, (ii) experts, investigators and litigation support professionals, and (iii) web support and content hosting companies; as well as (iv) any other processors whose identity will be provided by appropriate means where appropriate. The court solicitors with whom we work will process the data as data controllers and in accordance with the Law

 
1.3.- RIGHTS OF THE DATA SUBJECTS OR DATA SUBJECTS CONCERNED

All individuals to whom the above data relates have rights in relation to their Personal Data. We offer a number of choices about what personal information we will collect, how we will use that information and how we will communicate with the individuals concerned.

At any time, any affected person may tell us that they no longer wish to receive marketing communications from us by email by clicking on the unsubscribe link contained in the marketing emails we send them or by contacting us as set out below.

You may also opt out of receiving marketing emails by email or post in the manner set out in clause 1.7 below.

All persons to whom the above data refer may contact us to exercise their rights of access, rectification, deletion, limitation of processing, opposition and portability of the Personal Data included in our files. To exercise these rights, you may choose any of the communication channels set out in clause 1.7.

Likewise, all persons to whom the Personal Data refer have the right to lodge a complaint with the Spanish Data Protection Agency or the corresponding supervisory authority, in the event that they consider that the processing of such data is in breach of the applicable data protection regulations.

 
1.4.- INTERNATIONAL DATA TRANSFERS AND AUTOMATED DECISIONS

Personal Data will only be disclosed to third parties or transferred to countries outside the European Union where this is necessary to fulfil an obligation owed to you or your company; or for the purpose of enabling us to engage the services of third parties to assist us in providing services to you. EVS will normally be entitled to do this by virtue of the performance of the relevant contract and this will normally be to one of the countries outside the European Union or European Economic Area where there are offices of the Eversheds Sutherland network, such as the United States, South Africa, Tunisia, Iraq, Jordan, Qatar, Saudi Arabia, United Arab Emirates, Singapore, Brunei State, China, Estonia, Russia or Switzerland. We do not transfer your personal data to any country outside the EU that does not have an equivalent level of protection, unless we have your consent or apply appropriate safeguards. In general, we have entered into international transfer contracts with all our partners in accordance with the standard contractual clauses approved by European Commission Decision 2021/914, as well as on the basis, where appropriate, of a prior international transfer impact assessment.

In general, Personal Data will not be subject to automated decisions.

 
1.5.- SECURITY MEASURES

We guarantee that we have adopted the legally required levels of security for the protection of Personal Data, and we have installed all the technical means and measures at our disposal to prevent the loss, misuse, alteration, unauthorised access and theft of the same.

 
1.6.- UPDATES TO OUR PRIVACY POLICY

This Privacy Policy may be updated periodically with three days' prior notice to reflect changes in our personal information practices. In the event that we wish it to apply to data subjects who do not subscribe to the new privacy policy, and provided that the conditions legally provided for in article 6.4 of the General Data Protection Regulation 609/2016 are met, we will publish a prominent notice or take any other appropriate action to notify you of any significant changes to our Policy. In any case we will always indicate at the top of the Policy when it was last updated.

 
1.7.- HOW CAN YOU CONTACT US?

All persons to whom the Personal Data refer are entitled to exercise the rights recognised to data subjects in accordance with applicable law by contacting us through the following channels: by sending a signed letter to the attention of "Customer Service Department" to our head office at the address indicated above or by e-mail to privacy@eversheds-sutherland.es.

 

2. EVERSHEDS AS DATA PROCESSOR

2.1.- COLLECTION AND PURPOSE

In order to provide the Services, EVS as data processor and acting for and on behalf of the Client─ may require access to personal data for which the Client or another entity for which the Client acts as data processor (such data controller being the "Controller") is responsible and which EVS shall process solely on its instructions (the "Personal Data"). This shall only apply where it is expressly stated in the relevant quotation and/or order form that EVS shall act as data processor, but shall in no case apply to data that EVS processes for the purpose of managing its contractual relationship with the Client.

Access to and processing of the Personal Data by EVS shall be carried out in compliance with the provisions of the Spanish personal data protection regulations in force from time to time and the European Data Protection Regulation 2016/679 of 27 April (the "GDPR"). Customer, in its capacity as controller of personal data, shall provide EVS with the categories, types of data and processing operations. In the absence of any indication by Customer in writing and/or in the relevant offer and/or order form, such order (the "Processing Order") shall be deemed to relate to the following categories of data subjects, types of data and processing operations and only insofar as they are relevant for the performance of the services contracted by Customer: 

 

Stakeholder categories

Types of Personal Data

Processing operations

Employees of the Client, legal representatives of the Client, clients, suppliers and collaborators of the Client.

Identification data, professional data, data relating to employment details and data relating to the Services.

Collection, structuring, storage, retrieval, consultation, collation, modification, extraction, interconnection, limitation, destruction and/or communication.

 

The nature of the processing shall be that of analysis of the Personal Data obtained and the duration of the processing shall be the same as the duration of the service contracted with EVS (the "Service" or the "Services").

In the event that the Client is acting as a processor of the Controller, when subcontracting such processing to EVS, the Client guarantees to have obtained sufficient authorisation from the said Controller.

 

2.2.- EVS' OBLIGATIONS AS DATA PROCESSOR

The data processor undertakes and will ensure that all employees are committed to:

  • process the Personal Data only for the purpose of providing the Services and in accordance with documented instructions issued by the Controller, including in relation to the transfer of Personal Data to third countries, unless the Processor is required to take any action under the law of the European Union or its Member States, in which case the Data Processor shall to the extent permitted by law, inform the Data Controller of such required action prior to taking such action. EVS shall not use the Personal Data for any purpose other than the provision of the Services.
  • where Article 30 of the GDPR applies, ensure that all processing activities carried out on behalf of the Data Controller are properly recorded in accordance with the GDPR;
  • not to communicate the Personal Data to third parties unless expressly authorised by the Data Controller;
  • ensure that persons authorised to access the Data are subject to obligations to respect the confidential nature of the Data, to comply with relevant security measures and that they are properly trained in this regard;
  • to the extent consistent with the nature of the Services, assist the Controller in facilitating the exercise by data subjects of their rights of access, rectification, erasure, restriction, data portability and objection to automated decisions;
  • to the extent consistent with the nature of the Services, support the Data Controller in the preparation of data protection impact assessments and other notifications and documents provided for in Articles 32 to 36 of the GDPR;
  • return or destroy the Personal Data, as well as deliver it to a new processor, as directed by the Data Controller, upon termination of the Services (it being understood that the Controller has elected destruction if it has not notified otherwise within 15 days of such termination of the Services), provided that the Data Processor may keep a blocked copy of the Data while liability for the Services may still arise; and
  • provide the Data Controller with the relevant documentation to demonstrate its compliance with its obligations under this Processing Charge, as well as to allow and assist in the performance of audits and inspections carried out by the Data Controller or any auditor authorised by the Data Controller (audits and inspections which shall be notified to the Controller at least 7 days in advance and which shall not allow access to data of other Controllers).
 
2.3.- SUBCONTRACTING

The Processor is hereby authorised to subcontract any part of the processing to the entities specified in the EC or otherwise notified, including as applicable from among those listed at the URL www.eversheds-sutherland.com/spainprivacy/suppliers which will include the company name and contact details of the Sub-processors. Any new Sub-Suppliers included in the file shall be deemed to be definitively approved by the Controller if the Controller does not object to their designation in accordance with article 28.2 of the GDPR within five days of the change. In any event, any Sub- responsible Party shall undertake to comply with at least the same obligations provided for in this Agreement and with any instructions from the Controller.

 
2.4.- INTERNATIONAL DATA TRANSFERS

The Processor may only transfer the Data outside the European Union or the European Economic Area with prior authorisation from the Controller, which authorisation shall be conditional upon appropriate legal safeguards (such as the granting of standard contractual clauses approved by the European Commission) being obtained and is hereby granted for any other international networks involved in the engagement of the Sub-processors specified in the EC.

 
2.5.- SECURITY MEASURES

The Controller shall take appropriate security measures to (a) ensure the confidentiality, integrity, availability and resilience of the processing systems and the Services; (b) restore availability and access to data as soon as possible in the event of any incident; (c) verify, assess and evaluate the effectiveness of the implemented measures on a regular basis; and (d) encrypt and pseudonymise personal data where possible.

The Processor shall notify the Controller, without undue delay, of any security breach affecting the Data, specifying to the extent possible its nature, the categories and approximate number of Data Subjects and records affected; the possible consequences of the breach and the relevant measures taken or proposed to be taken to address it.

 
2.6.- HOW CAN YOU CONTACT US?

The Controller may contact the Processor on any matter relating to this Processing Assignment via the Contact Details of the Processor designated in the EC. The e-mail address included therein shall be directed to any data protection officer appointed by the Processor.

 
2.7.- APPLICABLE LAW

The Processing Order is governed by Spanish law and any litigation or dispute shall be subject to the jurisdiction of the Courts and Tribunals of the city of Madrid.

© Eversheds Sutherland 2026. All rights reserved. Eversheds Sutherland is a provider of legal and other services operating through various separate and distinct legal entities. For further information about these entities and Eversheds Sutherlands' structure please see the Legal Notice page of this website.

Eversheds Sutherland is the name and brand under which the members of Eversheds Sutherland Limited (Eversheds Sutherland (International) LLP and Eversheds Sutherland (US) LLP) and their respective controlled, managed and affiliated firms and the members of Eversheds Sutherland (Europe) Limited (each an "Eversheds Sutherland Entity" and together the "Eversheds Sutherland Entities") provide legal or other services to clients around the world. Eversheds Sutherland Entities are constituted and regulated in accordance with relevant local regulatory and legal requirements and operate in accordance with their locally registered names. The use of the name Eversheds Sutherland, is for description purposes only and does not imply that the Eversheds Sutherland Entities are in a partnership or are part of a global LLP. The responsibility for the provision of services to the client is defined in the terms of engagement between the instructed firm and the client. For further information about these Eversheds Sutherland Entities and Eversheds Sutherlands’ structure please see the Legal Notices page of this website.