Last Revised: April 2019
This policy informs you of important information about how Nutter McClennen & Fish LLP and Nutter Investment Advisors (together, “Nutter”) process personal data that Nutter collects. Personal data means data that relates to an identified living person or data that can be used to identify a living person.
Nutter collects and processes personal data about individuals through its business activity, its website, and other marketing activities. These individuals include Nutter’s individual clients and prospective clients, their representatives, visitors to Nutter’s offices, visitors to Nutter’s website, vendors, and other individuals.
This policy explains how and why we collect personal data.
Personal Data in Connection with Clients
As a law firm, Nutter must obtain certain information before it can accept someone as a client. For individual clients, this includes:
- Contact details
- Financial information
- Information to verify identity, such as passport
Many of Nutter’s clients are corporate entities. Data about those entities are not personal data. But we do process personal data about company employees, representatives, and other personal data clients provide to us, or allow us to collect on their behalf, including personal data that are relevant or necessary for us to provide legal advice.
Nutter also processes personal data to assist in building relationships. This includes name, contact information, and job title. This may also include education information, work history, and gender.
Nutter collects and uses this information to provide services to Nutter’s clients and for other legitimate business interests. For example, Nutter uses contact details to send communications, legal updates, and invitations to events. You can update your communication preferences by clicking on the link at the bottom of one of Nutter’s marketing emails or contacting firstname.lastname@example.org.
Personal Data Collection in Connection with Providing Legal Services
Nutter’s legal basis for processing personal data in connection with providing legal services is:
- To comply with legal obligations and professional responsibilities;
- To perform contracts; and
- To pursue legitimate interests, including delivering the best legal services to Nutter’s clients; keeping individuals informed of developments in the law; business development and general marketing; providing you with information on Nutter’s services and events; and building and maintaining a good working relationship with you.
Under some circumstances, Nutter collects personal data based on your consent. In those circumstances, Nutter will make it clear to you in advance that it is relying on you consent, such as when you sign up to Nutter’s mailing list.
Personal Data Collection in Connection with Prospective Clients
For prospective clients, or an employee or representative of a prospective client, Nutter will process personal data, including your name and contact details as well as details of any interactions you may have with Nutter.
Nutter may obtain this information directly from you, from your employer, or from publicly available sources (for example, from your employer’s website).
Nutter’s legal basis for processing personal data in connection with prospective clients is to take steps requested by you prior to entering into a contract with you; and to pursue Nutter’s legitimate interests in building Nutter’s business and developing a relationship with potential new clients.
Personal Data Collection in Connection with Visitors to Nutter’s Website
You may choose to provide Nutter with certain information about yourself during your visit to Nutter’s website (such as your name, contact details, job title, and company name) in order to join Nutter’s mailing list or to contact us.
Nutter also collects information automatically as disclosed in Nutter’s Cookie Notice, below.
Nutter’s legal basis for processing personal data in connection with visitors to Nutter’s website is to pursue Nutter’s legitimate interests in developing and growing our business and operating and improving our website.
Under some circumstances, Nutter collects personal data based on your consent. In those circumstances, Nutter will make it clear to you in advance that it is relying on your consent, such as when you sign up to Nutter’s mailing list.
Personal Data Collection in Connection with Visitors to Nutter’s Offices
When a person visits Nutter’s offices, Nutter keeps a record of name and contact information. This information is recorded for legitimate business purposes, and for health and safety purposes so that Nutter knows who is in the building in the event of an emergency.
Nutter’s legal basis for processing personal data in connection with visitors to Nutter’s website is to comply with Nutter’s legal obligations and to pursue its legitimate interests in ensuring the safety and security or Nutter’s employees and visitors.
Personal Data Collection in Connection with Vendors and Business Partners
Nutter processes personal data of vendors and business partners, including name and contact details. Nutter does this so that it can liaise about the services the vendors are providing to Nutter and to support and maintain the relationship. Nutter may also hold financial information in order to pay invoices.
Nutter’s legal basis for processing personal data in connection with vendors and business partners is to perform contracts and to pursue Nutter’s legitimate interests of managing and operating its business, including through use of vendors.
Personal Data Collection in Connection with Other Individuals
In the course of Nutter’s business operations or when providing legal services, Nutter is sometimes provided with personal data about individuals other than those described explicitly in this policy. Nutter can obtain this information from a number of different sources including clients, Nutter’s clients’ opponent or counterparties, the courts, tribunals, law enforcement authorities, or those seeking to do business with Nutter. For example, Nutter may process:
- Information about customers, employees, partners, shareholders, lawyers or agents of companies Nutter’s client may be interested in buying or selling;
- Information about customers, employees, partners, shareholders, lawyers or agents of companies or other entities with whom Nutter’s clients may seek to enter into contractual relationships;
- Information about customers, employees, partners, shareholders, lawyers or agents of companies or other entities involved in legal disputes with Nutter’s clients;
- Information about trustees, executors, heirs, beneficiaries, and others related to or friends and acquaintances with individuals for whom Nutter provides trusts and estate services; and
- Information about potential employees, partners, vendors, business partners, or their employees, partners, shareholders, or agents.
The primary reason Nutter processes this personal data is to provide legal or related services, to fulfill Nutter’s professional duties, and to comply with law and operate our business.
Nutter’s legal basis for processing personal data Nutter receives related to other individuals is to comply with Nutter’s legal obligations and meet its professional responsibilities; and to pursue Nutter’s legitimate interests of operating its business, providing client services, conducting marketing activities.
Other Uses of Personal Data
In addition to the uses described above, Nutter may use your personal data for the following purposes:
- Operating Nutter’s business, providing legal and related services, and managing your accounts;
- Contacting you in response to your requests or inquiries;
- Providing you with newsletters, articles, alerts and announcements, event invitations, and other marketing information that Nutter’s believes may be of interest to you;
- Conducting research, surveys, and similar inquiries to help Nutter understand trends and client needs;
- Analyzing your interactions with Nutter and improving Nutter’s products, services, programs, and other offerings;
- Preventing, investigating, or providing notice of fraud, unlawful or criminal activity, or unauthorized access to or use of personal data, Nutter’s website or data systems;
- Meeting legal obligations; and
Sharing of Personal Data in Connection with providing legal and related services:
Nutter may disclose personal data to third parties in order to perform services on your behalf. Nutter may disclose personal data to the following categories of third parties:
- Others involved in a matter on which Nutter is working, including courts, lawyers, counterparties, experts, mediators, opponents, other attorneys, and witnesses;
- Government authorities, including law enforcement, tax and regulatory agencies, and other governmental bodies;
- Insurers and third-party legal services providers; and
- Other service providers such as IT and telephony services, catering, document production, and postal and delivery services.
Disclosure of Personal Data for other Purposes
In addition to data Nutter may disclose when rendering legal and related services, Nutter may use or disclose your personal data to:
- Trusted third parties, who are bound by contractual obligations to keep personal data confidential, to support Nutter’s business, and to use personal data only for the purposes for which Nutter discloses personal data to those trusted third parties;
- Comply with any court order, subpoena, law, legal process, or to respond to any government or regulatory request, including requests related to laws outside of your country of residence;
- Carry out Nutter’s obligations and enforce Nutter’s rights arising from any contracts entered into between you and Nutter;
- Protect the rights, property, or safety of Nutter, its Partners, employees, customers, or others;
- Enforce Nutter’s terms and conditions;
- Permit Nutter to pursue available remedies and/or limit damages Nutter may sustain;
- Fulfill Nutter’s recordkeeping obligations and practices;
- Fulfill any other purpose disclosed by Nutter when you provide the information; and
- Comply with your instructions or, if allowed to do so, with your consent.
Nutter seeks to use reasonable organizational, technical, and administrative measures to protect personal data within our firm. No data transmission or storage system, however, can be guaranteed to be secure at all times. If you have reason to believe that your interaction with Nutter is no longer secure, please immediately notify Nutter in accordance with the “Contact Us” section below.
European Economic Area/European Union
If you are in the European Economic Area, or are otherwise a data subject covered by the European Union’s General Data Protection Regulation (“GDPR”) or similar laws in other countries, you have certain rights in relation to your personal information. Those rights may include the right to:
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information Nutter holds about you and to check that Nutter is lawfully processing it.
- Request correction of the personal information that Nutter holds about you. This enables you to have any incomplete or inaccurate data Nutter holds about you corrected, though Nutter may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal information. This enables you to ask Nutter to delete or remove personal information where there is no good reason for us continuing to process it. You may also have the right to ask Nutter to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where Nutter may have processed your information unlawfully or where Nutter is required to erase your personal information to comply with local law. We may not always be able to comply with your request of erasure, however, for specific legal reasons; if applicable, Nutter will notify you about these reasons at the time of your request.
- Object to processing of your personal information where Nutter is relying on a legitimate interest (or those of a third-party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it affects your fundamental rights and freedoms. In addition, you may have the right to object where Nutter is processing your personal information for direct marketing purposes. In some cases, Nutter may demonstrate that it has compelling legitimate grounds to process your information that override your rights and freedoms.
- Request restriction of processing of your personal information. This enables you to ask Nutter to suspend the processing of your personal information in the following scenarios: (a) if you want us to establish the accuracy of the data; (b) where Nutter’s use of the data is unlawful but you do not want Nutter to erase it; (c) where you need Nutter to hold the data even if Nutter no longer requires the data as you need it to establish, exercise, or defend legal claims; or (d) you have objected to Nutter’s use of your data but Nutter needs to verify whether it has overriding legitimate grounds to use the data.
- Request the transfer of your personal information to you or to a third party. This enables you, or a third party you have chosen, to seek to have your personal information provided in a structured, commonly used, machine-readable format. This right only applies to automated information that you initially provided consent for Nutter to use or where Nutter used the information to perform a contract with you.
- Withdraw consent at any time where Nutter is relying on consent to process your personal information. This will not, however, affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, Nutter may not be able to provide certain products or services to you. Nutter will advise you if this is the case when you withdraw your consent.
You will not have to pay a fee to exercise any of these rights. We may charge a reasonable fee or refuse to comply with your request, however, if your request is repetitive or excessive.
Nutter tries to respond to all legitimate requests in a timely manner. Occasionally it may take Nutter longer if your request is complex or you have made a number of requests. In this case, Nutter will notify you and keep you updated. Nutter may also need to contact you about your request to verify your identity, confirm certain information, or clarify the request before Nutter can fulfill the request.
If you are a European Union resident, or are otherwise a data subject covered by GDPR or a similar law and would like to exercise these rights, or if you have questions about your rights please contact Nutter at email@example.com.
GDPR Data Retention Notice
Nutter retains personal information pursuant to its records retention program, for as long as is necessary for the purposes set out in this policy, unless a longer period is required under applicable law or is needed to resolve disputes or protect Nutter’s legal rights, in accordance with the principles set forth in Article 5(1) of the GDPR.
The criteria used to determine the period for which personal information about you will be stored varies depending on the legal basis under which Nutter processes such personal data:
- Legitimate Interests: For a reasonable period of time based on the particular interest, taking into account the fundamental interests and the rights and freedoms of the data subjects.
- Contractual Necessity: For the duration of the contract plus some additional limited period of time that is necessary to comply with law or that represents the limitation period for legal claims that could arise from the contractual relationship.
- Legal Obligation: For the duration of time that Nutter is legally obligated to keep the information.
- Consent: For the period of time necessary to fulfill the underlying agreement with you, subject to your right, under certain circumstances, to have certain personal data about you erased, as detailed above.
Nutter may need to preserve information if Nutter faces any threat of legal claim, which will require us to apply a “legal hold” to retain information beyond Nutter’s typical retention period. In that case, Nutter will retain the information until the hold is removed, which typically means the claim or threat of claim has been resolved.
Transfers of Information Across Borders
As Nutter’s only offices are in the United States, all information you provide to us is stored and processed in the United States, which does not have data protection laws equivalent to those in force in the EEA.
California Privacy Rights
California Civil Code Section § 1798.83 permits California residents to request certain information regarding Nutter’s disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to firstname.lastname@example.org.
Under California Civil Code Section 1798.83, separate legal entities are considered “third parties” and certain communications with Nutter’s affiliates might be viewed as promoting legal services. As such, Nutter may disclose personal information to affiliates of Nutter, which may use this information for all purposes outlined in this policy.
Nutter may periodically send you relevant alerts and newsletters by email. To help improve Nutter’s marketing activities, Nutter often receives a confirmation when you open an email or click on a link included in one of these emails, if your computer supports such capabilities. Instructions on how to unsubscribe from these alerts and newsletters are included in each email.
Cookies on Nutter’s websites are generally divided into the following categories:
- Essential Cookies: These cookies are strictly necessary to provide you with services available through Nutter’s services and to use some of their features, such as access to secure areas. Because these cookies are strictly necessary to deliver the website’s content and usability, you cannot refuse them without affecting how Nutter’s website functions.
- Performance and Functionality Cookies: These cookies are used to enhance the performance and functionality of Nutter’s website but are non-essential to their use. Without these cookies, however, certain functionality may become unavailable.
- Analytics and Customization Cookies: These cookies collect information that is used to help Nutter understand how its website is being used or how effective Nutter’s marketing campaigns are, or to help Nutter customize its website in order to enhance your experience.
- Targeting Cookies: These cookies record your visit to Nutter’s website, the pages you have visited, and the links you have followed to recognize you as a previous visitor and to track your activity on the website and other websites you visit. These Cookies qualify as persistent cookies because they remain on your device for Nutter to use during subsequent visits to Nutter’s website. You can delete these cookies via your browser settings. See below for further details on how you can control third-party targeting cookies.
How to Control Cookies
You can review your internet browser settings, typically under the sections "Help" or "Internet Options," to exercise choices you have for certain Cookies. If you disable or delete certain Cookies in your settings, you may not be able to use features of the website.
The opt-outs described above are device- and browser-specific and may not work on all devices. If you choose to opt-out through any of these opt-out tools, this does not mean you will cease to see advertising. Rather, the ads you see will not be tailored to your interests.
Links to Other Sites
Nutter may change this policy from time to time at its sole discretion. Nutter encourages visitors to check this page for any changes to this policy.
If you have any questions or concerns about this policy or Nutter’s personal-information handling practices, please contact us at email@example.com or at the address below:
Nutter McClennen & Fish LLP
155 Seaport Blvd
Boston, MA 02210