This Privacy + Cookie Notice describes how Scott+Scott will protect your personal information.
By Scott+Scott (we, us, our, the Firm), we mean Scott+Scott Attorneys at Law LLP, including its US subsidiaries, Scott+Scott MTL PLLC and Themis Law Firm PLLC, and its Amsterdam subsidiary, along with its UK-based affiliate, Scott+Scott UK LLP and its Germany-based affiliate, Scott+Scott Germany LLP.
This notice sets out how we will protect your personal information when it is shared with us in any way. We will protect your personal information when you:
This notice also sets out how we will protect your personal information when it is collected from organisations involved in litigation that we bring on behalf of our clients.
In addition to this notice, if you apply to join the Firm we will send you link to a Candidates Privacy Notice, followed by an Employee Privacy Notice if you are successful.
Where you contact us on behalf of an organisation, any information shared with us may not be classed as personal information, but we will also respect its privacy.
In any case, as lawyers, we are obliged to maintain the privacy of all non-public personal information shared with us while we act for our clients, but we extend this obligation to all information shared with us.
This notice was last updated on March 10, 2025, and as it may be updated from time to time, please check this website for any updates.
THIS WEBSITE
DATA PROTECTION PRINCIPLES
THE LEGALITY OF OUR PROCESSING
PERSONAL INFORMATION PROCESSING
PROCESSING SENSITIVE PERSONAL INFORMATION
PROCESSING FOR AI PURPOSES
PROCESSING FOR MARKETING
PROCESSING FOR PROFILING
INFORMATION RETENTION
INFORMATION SHARING
INTERNATIONAL TRANSFERS OF YOUR PERSONAL INFORMATION
SECURITY OF YOUR PERSONAL INFORMATION
YOUR RIGHTS OVER YOUR PERSONAL INFORMATION
HOW TO EXERCISE YOUR RIGHTS
THIS WEBSITE
We use Google’s ‘reCAPTCHA’ service to protect our websites from automated, malicious access attempts. This service notes your IP address, and your behavior on our websites, to distinguish you from malicious behavior by an online bot. The terms of use of their service are provided by Google at: here and their privacy policy at: here. We have no control over how Google protects your personal information.
We use cookies (and other technologies such as web beacons or pixels) to support the use of our websites. Cookies are small data files that are placed on your browser or device when you visit a website. These are widely used by websites to help the site work properly, remember visitors’ preferences, and, where the visitor gives consent, to gather data for marketing, advertising, or analytics purposes. There are two main types of cookie:
We need your consent before we save ‘additional cookies’ to your browser. When you first visit our websites we invite you to click ‘Accept All’ on our cookie banner so that we can save ‘additional cookies’ that help us to manage our website. If you click ‘Reject All’ we will save ‘necessary cookies’ but not save ‘additional cookies’ in your browser. As a result, some aspects of our websites might not work as intended.
If you click ‘Accept All’ to us saving ‘additional cookies’ in your browser, we will use them to monitor how you use our website, to make sure that it is operating as expected. We do not share or sell any information about your visit to our websites with any other third parties without your consent. We also do not track your online behavior across other websites or devices.
We also anonymise data about how you use our websites before sharing it with Google Analytics who will give us feedback on how our websites are performing. This feedback helps us to fine-tune our websites, making them easier for visitors to use. Google Analytics is unable to directly identify you from this data, and details of how Google safeguards this data is available at: here.
Our websites are not directed towards children, but we understand that they may be accessed by visitors aged under 18. If you are aged over 13, 14, 15 , or 16, depending on where you live, you can give consent to us saving ‘additional cookies’ on your computer just like an adult. Where our websites are accessed by a child aged under 13, we assume that consent for placing additional cookies’ is provided by their parent or guardian. We will not knowingly collect any other personal information from anyone aged under 18.
We retain data from cookies only as long as is necessary for us to provide services to you. Data from cookies, IP addresses, and devices processed by Google Analytics is retained for varying periods and may be deleted separately.
Access to data from cookies is restricted to us, our specialist advisors, and our website hosting partners. If you would like to know more about the cookies we store, please contact the Data Protection Officer (DPO) at their contact address below.
You can change your consent preferences at any time by clicking on the cookie icon at the bottom left corner of our websites, and making your preferences again.
You can also manage cookies through your browser settings. You can find our how to do this on the most popular browsers:
Our websites may also include links to other organisations’ websites, but as we do not have control over how they deal with your personal information, we recommend that you read the privacy notice of every website you visit.
When you click on a link in an advert on a third-party website that directs you to our website, we will treat your personal information exactly as we would if you visited our website directly. We will offer a choice of cookies, and will not process your personal information any differently to how it is described in this notice.
However, we will note the link that directed you to our website in order that we can assess the effectiveness of different types of adverts. However, we do not track your online behavior across other websites or devices. Also, please note that we do not have any control over how the third-party website on which the advert was placed processes your personal information.
DATA PROTECTION PRINCIPLES
Where your personal information allows you to be identified, in the US it is classified as ‘Personal Identifiable Information (PII)’. Where personal information allows you to be identified, and which also ‘relates to’ you, in the European Economic Area and the UK it is classified as ‘personal data’. However, where your personal information is anonymised, and you can no longer be identified from it, it is no longer personal information, neither PII nor ‘personal data’.
Under data protection laws we are considered the ‘Controller’ of any personal information that you share with us, because we are responsible for deciding why and how it is processed. We are responsible for protecting your personal information from when we first collect it, through to when we delete it as we no longer need to process it. We are also responsible for protecting your personal information when we share it with other organisations.
All members of staff of the Firm, including all consultants, contractors, and temporary staff are required to always protect personal information and maintain its confidentiality. Training and awareness is provided in security and data protection measures, and specialist staff are on call to provide expertise in data protection issues for all staff.
Where staff are prohibited from accessing information on a particular case due to a potential litigation conflict, information barriers are put in place to prevent access to the relevant information. Where personal information is subject to a legal protective order, data protection and security controls are put in place to comply with the order and protect the information’s confidentiality.
The Firm is audited in how it protects personal information, and remediation plans put in place where control weaknesses are found. The changing legal requirements for data protection mean that the Firm is constantly reviewing, revising, and improving its data protection controls.
The principles that guide how we process your personal information are derived from the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other US Federal and State laws, including the Federal Trade Commission’s (FTC) Fair Information Privacy Practices (FIPPs), together with guidance from data protection authorities across Europe and the US, and Bar Associations across the US, and the respective legal regulators in Europe.
We will always comply with the following principles, which means that your personal information will be:
THE LEGALITY OF OUR PROCESSING
We will only process your personal information when we have a legal purpose for doing so. We will not sell or trade your personal information to third parties without your consent.
Most commonly, we will process your personal information when:
Less commonly, we may also process your personal information when:
Where we cannot rely on other legal purposes, we may ask for consent to process your personal information. We will rarely need to ask for your consent, and you can withdraw consent at any time.
We will only process your personal information for the original legal purposes for which it was collected, and any later processing will be compatible with these original purposes. If we need to process your personal information for any purpose that is not compatible with the original purposes, we will inform you about our new lawful purpose before any new processing takes place.
PERSONAL INFORMATION PROCESSING
We collect personal information directly from you when:
We have a legitimate interest in processing this information to help us maintain our website.
We have a legitimate interest in processing this information to help us optimize our advertising.
We will process this information in order to respond to you, in advance of performing any contract for legal services for you.
We will process this information in order to perform a contract for legal services for you.
We will process this information in order to perform a contract for legal services for you.
We will process this information in order to perform a contract for legal services for you, your employer, or our client, while also complying with the law, and in our legitimate interests to pursue a legal action to sustain our business model.
We will process this information in order that you or your employer may perform a contract for services for us, and in our legitimate interests to manage our business.
We will also collect personal information about you from other sources, such as:
We will process this information in order to perform a contract for services for you, your employer, or our client, while also complying with the law and in the public interest, and in our legitimate interests to pursue a legal action to manage our business, and sustain our business model.
Where we collect your personal information from a third party, we will endeavour to notify you of its processing within a calendar month of its collection. However, there may be circumstances in which notification is prevented by law, or would involve a disproportionate effort, and so we may not be able to notify you. Where these circumstances apply, we will comply with the law.
If your personal information changes you should tell us without delay so that we can update our records.
PROCESSING SENSITIVE PERSONAL INFORMATION
Where we collect personal information from third parties, we may also collect sensitive personal information, that might also be considered ‘special category’ personal information, or information about protected classification characteristics. We would only collect this type of personal data as part of our legal obligations in a litigation action. This could include Social Security Numbers, credit card numbers, health details, biometric information, or political views.
In specialist actions, we may need to collect and process this type of data in order that we can fulfil our contract with you in pursuing an action. We will attempt to minimise our processing of this information, its sharing with others, and the length of time that we retain it. We will apply strict security measures over this type of information. When we are no longer required to process it, we will delete it.
We never sell or trade this type of biometric or sensitive personal information without your consent.
PROCESSING FOR AI PURPOSES
We may use information about our cases, or others’ cases, to create templates for use by the Firm. We may also use case information to fine-tune bespoke large language models for use as Artificial Intelligence (AI) tools. In all cases, we will remove personal information from the source material so that the resultant templates or AI tools do not pose a privacy risk to any individuals.
In addition, we may use public sources, or those with appropriate Creative Commons rights to develop templates or AI tools, and will always apply fair use or fair dealing principles in reasonable use of others’ intellectual property rights. Each instance will be assessed on its merits.
PROCESSING FOR MARKETING
We will not process your personal information in order to send you marketing communications. In addition, we will not share your personal information with any third party for marketing purposes. If you have registered to join an action that we are involved with, or download an online brochure, we may make you aware of other services we offer, or additional actions in the future that you may also wish to join. We will always do this in a way that is compliant with the law.
PROCESSING FOR PROFILING
We will not use your personal information to profile you except where this is needed to perform a contract with you, or comply with the law. In addition, we will not make important decisions about you based solely on automated processing of your personal information.
INFORMATION RETENTION
Where your personal information has been collected as part of an action, we will retain this information until any litigation is concluded, and then only for as long as the law requires or allows.
We will only retain your personal information for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting or reporting requirements. To determine the appropriate retention period, we consider:
At the end of the retention period, we will delete your personal information, in accordance with our Retention Policy, and all applicable laws and regulations. We will only retain this information for longer that this period to defend legal claims against us, and only if this is allowed by law. Any personal information retained after the end of the retention period will be stored in archives with restricted access.
INFORMATION SHARING
We may share your personal information with third parties that provide us specialist support services Each third party will be contractually obliged to protect your personal information to the same level as we provide. They must process your personal information only on our instructions, and cannot process it for any other purpose. We may also share your personal information with the courts or government agencies in order to comply with the law.
We may also share your personal information with third partes that also act as controllers of your personal information. These third parties will be responsible for protecting your personal information in compliance with the law. We do not sell or trade your personal information to third parties without your consent..
If you would like to know with whom we have shared your personal information, please contact the DPO.
INTERNATIONAL TRANSFERS OF YOUR PERSONAL INFORMATION
We may also share your personal information with specialist third parties that also operate outside Europe where the protections of the General Data Protection Regulation (GDPR) do not directly apply. When these third parties operate from countries that are considered in law to have the equivalent protections to that of the GDPR, such as Canada or Japan, your personal information is protected as if it were in Europe. Where the law considers the country not to have equivalent protections, such as in the US, the Firm protects your personal information through Standard Contractual Clauses (SCCs) authorised by the European Commission and the UK Government.
The Firm also shares personal information between its offices, in Europe and the US. We therefore have SCCs in place in order to protect any personal information of Europeans shared with the US. The level of protections over personal information the Firm has designed in the US are equivalent to those in Europe.
SECURITY OF YOUR PERSONAL INFORMATION
We use appropriate technical and organizational security measures to protect personal information from accidental or unauthorized disclosure, loss, alteration, or destruction. We protect personal information throughout its lifecycle; from the point of collection to the point of destruction.
Where information processing is carried out on our behalf by a third party, we ensure that they have appropriate security measures in place to protect personal information. We ensure that these protections are documented in legally binding contracts.
Despite these protections, information transferred over the internet is inherently insecure. It is therefore not possible to guarantee the security of your personal information transferred over the internet.
YOUR RIGHTS OVER YOUR PERSONAL INFORMATION
You have rights over how we use your personal information and you can exercise these rights at any time. You can do this easily by contacting our DPO by email, or in writing to the address at the end of this notice.
Once you ask us to exercise these rights we may need to request specific information from you, to help us confirm your identity and to clarify which rights you wish to exercise. Your rights vary by your resident country or state, so we will take into account these particular rights before responding to you.
We will acknowledge your request without delay, and will try to respond to all requests within one month. If we believe that it may take longer, we will inform you about this in advance. It is only if your request is considered to be clearly unfounded, repetitive or excessive, we may by law be able to refuse your request, or charge you a fee. Where the law prevents us completing your request in full, we will also explain this to you.
You have the right to:
HOW TO EXERCISE YOUR RIGHTS
If you have any questions about how we handle your personal information, or wish to complain about this, or wish to exercise any of your data protection rights please email the Firm’s Data Protection Officer at [email protected], or by writing to:
Data Protection Officer
Scott+Scott (UK) LLP
1 Chancery Lane
London WC2A 1LF
UK
If you are not satisfied with how we handle your complaint, you can also make a complaint to your local data protection authority. This is:
In the UK:
The Information Commissioner’s Office (ICO)
In the Netherlands:
The Autoriteit Persoonsgegevens (Dutch Data Protection Authority)
In Berlin:
The Berliner Beauftragte für Datenschutz und Informationsfreiheit (Berlin Commissioner for Data Protection and Freedom of Information)
In other German Bundesländer:
The local Bundesländer data protection authority.
In California:
The California Privacy Protection Agency (CPPA)
In other US States:
Usually your State Attorney General’s office.