Dehns is committed to being transparent about how it collects and uses personal data and to meeting its data protection obligations under the General Data Protection Regulation (GDPR).
Dehns provides specialist services to its clients in the area of Intellectual Property and processes data in accordance with the professional obligations applicable to UK and European Patent and Trade Mark attorneys. The partners of Dehns therefore consider themselves to be Data Controllers in respect of all of the firm’s data processing activities.
In accordance with the requirements of the GDPR for Data Controllers, Dehns has implemented appropriate technical and organisational measures, including proportionate data protection policies, to ensure, and to be able to demonstrate, that processing is performed in accordance with that regulation. These measures, which will be regularly reviewed and updated where necessary, take account of the nature, scope, context and purposes of processing by Dehns as well as the risks, of varying likelihood and severity, for the rights and freedoms of data subjects.
Beyond the necessary levels applicable to the ancillary activities of any professional services firm (with numbers of partners, staff and offices similar to that of Dehns), the core activities of Dehns, which involve client and supplier bases made up almost entirely of other businesses, do not require the large scale, regular and systematic monitoring of individuals nor consist of the large scale processing of special (sensitive) categories of data or data relating to criminal convictions and offences. Consequently, the processing of personal data by Dehns is considered generally to be of low risk in relation to the rights and freedoms of relevant data subjects.
The Data Protection policies of Dehns cover areas including the following:
- Data protection principles
The Firm processes personal data in compliance with the following data protection principles:
- Processing personal data lawfully, fairly and in a transparent manner. The Firm tells individuals the reasons for processing their personal data, how it uses such data and the legal basis for processing in its privacy notices (see left).
- Collecting personal data only for specified, explicit and legitimate purposes and not further processing in a manner that is incompatible with those purposes.
- Processing personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
- Keeping accurate and, where necessary, up to date personal data and taking all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
- Keeping personal data in a form permitting the identification of individuals only for the period necessary for processing.
- Adopting appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.
- Being able to demonstrate compliance with the above principles.
- Data subject rights
A data subject has a number of rights. In certain circumstances, they can:
- request access to, and obtain a copy of, their data;
- request rectification of their data that is incorrect or incomplete;
- request deletion of their data;
- request restriction of the processing of their data;
- object to the processing of their data; and
- request the transfer of their data.
To ask the Firm to take any of these steps, the individual should send the request to firstname.lastname@example.org.
If a data subject believes that the Firm has not complied with their data protection rights, they can complain to the Information Commissioner.
- Data protection by design and by default
When developing applications and services that are based on the processing of personal data, the Firm will take into account the right to data protection at the development stage to ensure it is able to fulfil its data protection obligations.
Dehns is also implementing appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. This will apply to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
- Written contracts with Data Processors
Dehns will only appoint Data Processors (third parties who process personal data on behalf of the Firm) who can provide sufficient guarantees that the requirements of the GDPR will be met and the rights of data subjects protected. When a processor is used, a written contract will be in place which is compliant with the requirements of the GDPR.
- Security measures
The Firm takes the security of personal data seriously. The Firm has internal policies, controls and technical processes in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by authorised personnel in the proper performance of their duties.
Where the Firm engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
Dehns has achieved Cyber Essentials certification, demonstrating that we have appropriate cyber security measures in place.
- Record and report personal data breaches
If the Firm discovers that there has been a breach of personal data then, unless it is unlikely to pose a risk to the rights and freedoms of individuals, it will report it to the Information Commissioner within 72 hours of discovery. The Firm will record all data breaches regardless of their effect.
If the breach is likely to result in a high risk of adversely affecting the rights and freedoms of individuals, it will also tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.
- Data protection impact assessments
Where processing would result in a high risk to individuals' rights and freedoms, the Firm will carry out a data protection impact assessment to determine the necessity and proportionality of processing. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.
- Resources and training
Given the low-risk nature and scale of its data processing activities, Dehns is not required to appoint a Data Processing Officer. However, Dehns will always ensure that it has sufficient personnel and resources to discharge its data protection obligations. In particular, Dehns will provide adequate training on relevant data protection matters to its partners and staff.