Last updated: 15 October 2020
The websites at cms.law and cms-lawnow.com (our “Websites”) are owned and operated by CMS Legal Services EEIG, for the benefit of all CMS Member Firms and their connected businesses (the “CMS Offices”).
Please see the Legal Information page for information about CMS Offices that operate in each country, including information as to the identities and contact details of the relevant entities, or in some cases a link to where contact details can be found.
CMS Legal Services EEIG is a controller of Personal Information (as defined below) collected on the Websites. Where CMS Legal Services EEIG shares Personal Information with the CMS Offices, the CMS Offices are also controllers. Please see "Sharing within CMS and to service providers" below for more information on how CMS Legal Services EEIG shares Personal Information collected on the Websites with the CMS Offices.
CMS Legal Services EEIG is a European Economic Interest Grouping that coordinates CMS Member Firms. It has its head office at: Neue Mainzer Straße 2–4, 60311 Frankfurt, Germany. The contact email address for CMS EEIG is: email@example.com. Its contact telephone number is: +49 69 717 010, its Ust-ID is: DE 257 695 176 and it is registered on Handelsregister A in Frankfurt am Main with the registration number: HRA 44853.
CMS Legal Services EEIG provides no client services. Such services are solely provided by CMS Offices in their respective jurisdictions.
In this Privacy Notice, references to “we”, “us” or “our” means CMS Legal Services EEIG and/or the CMS Offices. References to “you” and “your” are to users of our Websites.
In this Privacy Notice “Personal Information” is information relating to you, which can be used to personally identify you (either directly or indirectly).
This Privacy Notice:
- describes how we collect, use and otherwise handle Personal Information that you provide or make available to us, or that we collect from you, when you use our Websites,
- explains the circumstances in which we may transfer this to others; and
- explains about the rights that you have in relation to this Personal Information.
Our Privacy Notice must be read together with any other legal notices or terms and conditions provided or made available to you on other pages of our Websites or when you download one of our apps.
As CMS is an international legal practice, operating from multiple jurisdictions, various country-specific requirements may apply to your use of our Websites. You can view country-specific privacy information as part of this Privacy Notice here.
1. Personal Information that we collect
The types of information that we may collect from you, depending on how you use our Websites is:
- your name;
- your email address;
- your address (business and personal);
- your landline and mobile telephone numbers (business and personal);
- any information that you choose to provide to us when filling out a contact form on our Websites;
- your opinions, when you choose to complete one of our surveys;
- your IP address, login details for Law-Now and or RegZone and other technical information which tells us about how you use our Websites;
- your geographic location (country/territory where you are living and/or working);
- your job title, role and the name of your employer;
- the industry sector in which you work;
- the country or countries, industry sector(s) and area(s) of law in respect of which you wish to receive Law-Now/RegZone communications (where you have registered on the Law-Now/RegZone subscription portals); and
- the content of your C.V. and covering letter (where you apply for a vacancy with us on our Websites).
2. How we use your Personal Information
Contact Forms- we may collect your Personal Information, which you choose to provide when you fill in forms on our Websites, including the information set out in a.-e. above. We may use this Personal Information to respond to your queries, and/or provide the services and/or information that you have requested.
Law-Now/RegZone - if you choose to subscribe to the Law-Now and/or RegZone portal(s), we use Personal Information that you provide during the subscription process to set-up and maintain your Law-Now/RegZone account and to send you relevant Law-Now/RegZone content by email. This will consist of information on legal and business issues that are relevant to your preferences. We will also tell you about our events and seminars. Within RegZone, you have the option to receive invitations to our events. If you want to receive such invitations you can let us know by ticking the relevant box on the subscription form.
Your agreement to the use of your Personal Information for these purposes is optional. If you decide not to subscribe to Law-Now and/or RegZone, we will not send you Law-Now and/or RegZone communications, but your use of our Websites will remain otherwise unaffected. You can change your Law-Now/Regzone preferences at any time by logging into your account.
Law-Now/RegZone opt-out - you are entitled to opt-out from receipt of Law-Now/RegZone communications at any time. You can do so by visiting the Manage Your Lawnow or Manage Your Regzone preference management pages and deselecting all email options. You can also use the “unsubscribe” option included in all Law-Now/RegZone e-mails. Alternatively, you can email the Law-Now/RegZone support team who will process the “unsubscribe” requests for you. When you unsubscribe we will keep a record of this, and once your request has been processed, you will stop receiving Law-Now/RegZone emails. You can still use our Websites once you have unsubscribed.
Recruitment - if you apply for a graduate opportunity in the U.K. you will be directed to our dedicated graduate recruitment website and when you apply for any other vacancy that is handled by our U.K. recruitment team you will be directed to our U.K. recruitment team’s application portal. In each case you will be provided with specific information about how your Personal Information will be handled in connection with your application at the time that you submit your Personal Information.
For vacancies handled by recruitment teams in other countries, we do not use the graduate recruitment website or application portal referred to above. Instead, we either ask you to contact us directly by email or we request that you upload a copy of your C.V. and covering letter so that we can consider your suitability for the role.
Surveys – we may ask you if you would like to provide us with feedback on our services and/or events by completing a survey. This is optional. We use feedback from surveys to evaluate our performance and to help improve our future services and/or events.
Events – if you wish to attend one of our events, we will ask you to complete a registration form. The registration form will contain an explanation of how we handle your Personal Information in connection with the relevant event.
Newsletters and publications – we will only send to you publications or newsletters when you have provided us with your general consent or have expressed specific interest to us in a certain type of information or legal area. We also process your data in order to provide you with tailored and relevant marketing, updates and invitations including, with your consent, how you access and use our emails (cf. D.1 for more information.).
Our Business Purposes - we may also use your Personal Information for our business purposes as follows:
- to manage our business;
- to communicate with you;
- to enable corporate transactions to take place;
- for record keeping, statistical analysis, internal reporting and research purposes;
- to ensure network and information security;
- to notify you about changes to our services;
- to investigate any complaint you make;
- to provide evidence in any dispute or anticipated dispute between you and us;
- to analyse how our Websites are being used;
- to customise various aspects of our Websites to improve your experience;
- to host, maintain and otherwise support the operation of our Websites;
- for the detection and prevention of fraud and other criminal offences;
- for risk management purposes;
- for business and disaster recovery (e.g. to create back-ups);
- for document retention/storage purposes;
- for database management purposes;
- to protect the rights, property, and/or safety of CMS, its personnel and others; and
- to ensure the quality of the services we provide to our users.
In addition, we may use your Personal Information for further specific purposes made clear at the point of collection on particular pages of our Websites or when you download one of our apps.
If you choose not to provide Personal Information requested by us, we may not be able to provide you with the information and/or services you have requested or otherwise fulfil the purpose(s) for which we have asked for the Personal Information. Aside from this, your visit to our Websites will remain unaffected.
3. Legal grounds for collection and use of Personal Information
We ask for your consent to process your Personal Information in relation to Law-Now and RegZone and in some cases for recruitment purposes (where this is made clear to you at the point where you provide your information). In other cases, we process your personal information where we need to do so:
- to comply with our legal and regulatory obligations;
- for our legitimate interests in:
- responding to your queries;
- providing services and/or (marketing) information to you;
- organising events;
- carrying out surveys in order to obtain feedback on our services and/or events;
- recruiting personnel (except in cases where we ask for your consent as mentioned above); and
- our internal business purposes, as set out in 2. above.
You can object to processing based on our legitimate interests at any time by contacting us here. See also “Your Rights – The right to object” below.
We consider that the risk to your data protection rights in connection with Personal Information that we process on the basis of our legitimate interests is not excessive or overly intrusive. We have also put in place protections for your rights by ensuring proper retention periods and security controls.
If you would like to find out more about the legal grounds on which we process your Personal Information for a particular purpose you can contact us here.
We are using Matomo for basic application and user statistics. Matomo is locally stored on our servers, does not place any cookie, does not transfers any data to third parties and does not track any personal information. Your visitor IP address is only retrieved on country level.
6. Information from other sources
Where permissible under applicable local laws, we may combine information that you have provided to us with other information that we already hold about you and which we have collected for a compatible purpose.
Some of the functionality on our Websites involves us cooperating and sharing your Personal Information with, third parties. We have carefully selected these third parties and taken steps to ensure that when we share your Personal Information with them, it is adequately protected. Details about how we process Personal Information on our Websites in conjunction with third parties is set out below:
1. Online marketing - Concep mailer and GoToMeeting
In order to provide you with tailored marketing, publications and information about our services, and invitation to events, we are using "Concep mailer" provided by Concep Group Ltd, London, United Kingdom. Concep Group is bound by a processing agreement with CMS. All user information, contact information and analytics are hosted by Concep Group on Amazon servers in the EU and can be shared with local CMS systems.
Concep allows us to track deliverability, opt outs, clicks on links and downloads of stored materials in order to optimise our mailing campaigns. If you do not like emails and their use to be tracked any longer, please let us know via firstname.lastname@example.org. Where possible we are anonymising IP addresses. Concep Group encrypts emails during transmission.
GoToMeeting is a serviced webinar platform, which is provided by Logmein Corp and services in Europe by LogMeIn Ireland Ltd, Dublin, Ireland. Content and any personal data are processed for providing the webinar service. LogMeIn is bound by a data processing agreement with CMS, which satisfies the EU Standard Contractual Clauses. We are using your personal data to track registration, participation and the quality of the webinars. To protect communications, your data is end-to-end encrypted while it's being transferred between your device and the servers of GoToMeeting. Details of technical security can be found on LogMeIn "Trust and security center".
2. Google Tag Manager, Freespee and Ceros
Google Tag Manager
Google Tag Manager is a tag management system provided by Google that we use on our Websites. The Google Tag Manager allows us to add code and other snippets such as pixels to our Websites . Google is only processing your IP address as a processor and according to the EU Standard Contractual Clauses.
Where a telephone call is triggered through our Websites by the user clicking on the telephone icon, Freespee collects the following information about the user making the call: telephone number, IP address or other device address or ID, geographic location of the user, web browser and/or device type, the web pages or sites visited just before or just after visiting our Websites, the pages or other content the user views or interacts with, and the dates and times of the user’s visit. Freespee then shares this information with us.
We use feedback provided to us by Freespee to help us analyse the effectiveness of our marketing campaigns, including by checking if a user who clicks on the telephone icon actually places a call to the lawyer whose number he/she has clicked on. For more information about how Freespee processes Personal Information, please view the Freespee Privacy Notice at: https://www.freespee.com/privacy-policy/.
Ceros studio is a service provided by Ceros Crowd Fusion, Ltd. to publish website content in a magazine style and to allow website customised user experience; for that purpose, the system tracks user IPs. Ceros is only processing your IP address as a processor and according to the EU Standard Contractual Clauses.
Cookies may be used to enable our analytics dashboard so that we can see how our web audience is engaging with content. If so, this is all aggregated and at no point will we see analytics on individual IP address level. To make the service fully work and help us with analytics, you need to allow for analytics cookies in your "cookies preference settings".
3. Sharing within CMS and to service providers
CMS Legal Services EEIG shares your Personal Information with CMS Offices:
- if you ask us do so in an online form;
- if you tick the relevant box on Law-Now or RegZone, in order to receive information about services and events provided by CMS Offices; or
- where we need to do so in order to provide the services or information that you have requested or to organise and/or manage an event that you have registered to attend.
When a CMS Office would like to use your Personal Information for a new purpose, they will let you know about this first.
We also share your Personal Information with our third-party service providers based in- and outside of the European Economic Area (“EEA”) (see Section E "International Transfers"), who act on our behalf to:
- provide support services in relation to our Websites for the purposes of: hosting and maintaining our Websites; providing data storage; assisting us with database management, and in order to assist us with related tasks or processes;
- send out our surveys and record and process the results; and
- manage the invitation and registration process for our events.
All of our service providers are bound by written contract to process Personal Information provided to them only for the purpose of providing the specific service to us and to maintain appropriate security measures to protect your Personal Information.
4. Sharing with other third parties
We share your Personal Information with:
- our accountants, auditors, lawyers or similar advisers when we ask them to provide us with professional advice;
- any other third party if we are under a duty to disclose or share your Personal Information in order to comply with any legal obligation;
- any other third party for the purposes of acting in accordance with the requirements of a court, tribunal, regulator or government agency, for example, complying with a search warrant or court order; or
- investors and other relevant third parties in in the event of an actual potential sale or other corporate transaction related to CMS.
Our Websites provide sharing buttons that you can click on in order to share content from our Websites on social media channels, e.g., Facebook. We do not use these buttons to share your Personal Information with social media providers. When you click on a sharing button the relevant social media provider will gather Personal Information directly from you. Please read the privacy notice of any social media provider with which you intend to share content before clicking on the corresponding sharing button.
The transfer of your Personal Information to and between CMS Firms as described in this Privacy Notice, may involve your Personal Information being sent outside of the EEA, to locations that may not provide the same level of protection as those where you first provided the information.
However, we will only transfer your Personal Information outside of the EEA:
- where the transfer is to a place that is regarded by the European Commission as providing adequate protection for your Personal Information; or
- where we have put in place appropriate safeguards to ensure that your Personal Information is protected (for example where both parties involved in the transfer have signed standard data protection clauses adopted by the European Commission);or
- the above does not apply but we are still legally permitted to do so, for example if the transfer is necessary for the establishment, exercise or defence of legal claims.
Full details of the locations of the CMS Offices are listed here.
You can request further detail about the safeguards that we have in place in respect of transfers of Personal Information outside of the EEA and where applicable a copy of the standard data protection clauses that we have in place, by contacting us here.
It is our policy to retain your Personal Information for the length of time required for the specific purpose or purposes for which it was collected. However, we may be obliged to store some Personal Information for a longer period of time, taking into account factors including:
- legal obligation(s) under applicable law to retain data for a certain period of time;
- statute of limitations under applicable law(s);
- (potential) disputes and
- guidelines issued by relevant data protection authorities.
Whilst we continue to process your Personal Information, we will ensure that it is treated in accordance with this Privacy Notice. Otherwise, we securely erase your information once this is no longer needed.
If you would like to find out how long we keep your Personal Information for a particular purpose you can contact us here.
For more information on how long cookies are stored, please refer to our Cookie Notice.
Our Websites are hosted on servers in the EEA. We employ appropriate security measures to help protect your Personal Information and guard against access by unauthorised persons. Information storage is on secure computers in a locked and certified information centre and information is encrypted wherever possible. We undergo periodic reviews of our security policies and procedures to ensure that our systems are secure and protected. However, as the transmission of information via the Internet is not completely secure we cannot guarantee the security of your information transmitted to our Websites.
We acknowledge that the information you provide may be confidential. We do not sell, rent, distribute or otherwise make Personal Information commercially available to any third party, except that we may share information with our service providers for the purposes set out in this Privacy Notice. We will maintain the confidentiality of and protect your information in accordance with our Privacy Notice and all applicable laws.
The following section explains your rights. The various rights are not absolute and each is subject to certain exceptions or qualifications. We will grant your request only to the extent that it follows from our assessment of your request that we are allowed and required to do so under data protection laws. Nothing in this Privacy Notice is intended to provide you with rights beyond or in addition to your rights as a data subject under data protection laws.
What does this mean?
1.The right to be informed
You have the right to be provided with clear, transparent and easily understandable information about how we use your Personal Information and your rights. This is why we are providing you with the information in this Privacy Notice.
2. The right of access
You have the right to obtain a copy of your Personal Information (if we are processing it), and certain other information (similar to that provided in this Privacy Notice) about how it is used.
This is so you are aware and can check that we are using your information in accordance with data protection law.
We can refuse to provide information where to do so may reveal Personal Information about another person or would otherwise negatively impact another person's rights.
3. The right to rectification
You can ask us to take reasonable measures to correct your Personal Information if it is inaccurate or incomplete. E.g. if we have a wrong name or address of you.
4. The right to erasure
This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your Personal Information where there’s no compelling reason for us to keep using it or its use is unlawful. This is not a general right to erasure; there are exceptions, e.g. where we need to use your Personal Information in defence of a legal claim.
5. The right to restrict processing
You have rights to ‘block’ or suppress further use of your Personal Information when we are assessing a request for rectification or as an alternative to erasure. When processing is restricted, we can still store your Personal Information, but may not use it further. We keep lists of people who have asked for further use of their Personal Information to be ‘blocked’ to make sure the restriction is respected in future.
6. The right to data portability
You have rights to obtain and reuse certain Personal Information for your own purposes across different organisations.
7. The right to object
You have the right to object to certain types of processing, on grounds relating to your particular situation, at any time insofar as that processing takes place for the purposes of legitimate interests pursued by us or by a third party. We will be allowed to continue to process your Personal Information if we can demonstrate “compelling legitimate grounds for the processing which override your interests, rights and freedoms” or we need this for the establishment, exercise or defence of legal claims.
If you wish to request further information or exercise any of the above rights, or if you are unhappy with how we have handled your Personal Information, contact us here: email@example.com. Please provide as much information as possible to help us identify the information you are requesting, the action you are wanting us to take and why you believe this action should be taken.
Before assessing your request, we may request additional information in order to identify you. If you do not provide the requested information and, as a result we are not in a position to identify you, we may refuse to action your request.
We will generally respond to your request within one month of receipt of your request. We can extend this period by an additional two months if this is necessary taking into account the complexity and number of requests that you have submitted.
We will not charge you for such communications or actions we take, unless:
you request additional copies of your Personal Information undergoing processing, in which case we may charge for our reasonable administrative costs, or
you submit manifestly unfounded or excessive requests, in particular because of their repetitive character, in which case we may either: (a) charge for our reasonable administrative costs; or (b) refuse to act on the request.
If you are not satisfied with our response to your complaint or believe our processing of your Personal Information does not comply with data protection law, you can make a complaint to the relevant EU data protection authority where you are located. The contact details for each EU data protection authority can be found here: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
We may make minor changes to our Privacy Notice. When we make these changes we will publish the updated Notice on our Websites. If we make any significant changes, we will take additional steps to inform you of these.
CMS Woodhouse Lorente Ludlow delivers its services in Mexico through its office in Mexico City at Paseo de la Reforma 115, 19 floor, tel. +52 55 26230552.
The current Policy of Treatment of Personal Information is available for download below:
CMS Carey & Allende provides client services in Chile through its office in Santiago at Av. Costanera Sur 2730, 10th floor, Las Condes, Santiago. telephone: (+56) 22 485 20 00. When visiting our website, you are not required to provide any personal information unless you decide to fill-in and send us a “contact form. In such case, and when applicable, we will differentiate between personal and non-personal data and retain that information in order to process your inquiries or requests.
Additionally, you may decide to communicate with us when you apply for a job through our Job Opportunities on Careers sections where, with the aim of being able to contact you back, you will be prompted to enter your name and email address and accept the terms of our website disclaimer. Unless otherwise required by law, CMS Chile will not share your personal information with third parties nor will we include your personal data in our distribution bases without your express consent. Your data will be used exclusively to communicate with you.
CMS Rodríguez-Azuero delivers its services in Colombia through its office in Bogotá at Calle 75 No. 3-53, tel. +57 1 321 8910.
The current Policy of Treatment of Personal Information is available for download below:
Download here the personal data policy of CMS Francis Lefebvre Avocats.
The following privacy statement applies to the legal service provision of CMS Derks Star Busmann N.V. Furthermore, CMS Derks Star Busmann N.V. provides (communication) services relating to newsletters and events, the so-called Client Services. To this service provision, the following privacy statement applies.
6. South Africa
CMS provides client services in South Africa through the locally registered companies CMS RM Partners Incorporated (Registration Number: 2018/243548/21) and CMS RM Partners (Proprietary) Limited (registration number: 2018/221212/07) (collectively referred to as "CMS South Africa"). CMS South Africa is located at 5th Floor, 85 Grayston Drive, Sandton, 2196.
CMS recognises the importance of protecting your privacy in respect of your Personal Information in terms of the Protection of Personal Information Act No 4 of 2013 ("POPI") when using our Websites.
By using our Websites, you agree to CMS, its directors, consultants, employees, agents and subcontractors, affiliates and/or third parties to process (which will include collecting, using and disclosing) your Personal Information for the purposes stated in this Privacy Notice. Please do not use our Websites if you do not agree with the processing activities described in this Privacy Notice.
CMS will not use your Personal Information for any purposes not mentioned in this Privacy Notice without your consent.
If you have any questions, concerns or complaints regarding CMS' processing of your Personal Information in terms of this Privacy Notice, please email us at firstname.lastname@example.org.
If you are not satisfied with our response to your complaint or believe our processing of your Personal Information does not comply with POPI, you have the right to lodge a complaint with the Information Regulator. The Information Regulator can be contacted as follows:
The Information Regulator (South Africa)
33 Hoofd Street
Forum III, 3rd Floor Braampark
P.O Box 31533
Braamfontein, Johannesburg, 2017
Mr Marks Thibela
Chief Executive Officer
Tel No. +27 (0) 10 023 5207, Cell No. +27 (0) 82 746 4173
1. What information about you do we collect and use?
We use and collect:
- information about your device each time you use an App, which we use to help build user profiles and track your usage of our Apps. For example, your mobile number, information about the device type, brand and model that you are using and information about your operating systems;
- other information about you in order to build user profiles and track your usage of the Apps using the Google Firebase platform is: your age ( within the six categories: 18-24, 25-34, 35-44, 45-54, 55-64, and 65+), the country where you reside, the time when you first accessed the App, your gender, your interests broadly stated (e.g. Arts & Entertainment, Games, Sports) derived from information that Google holds based on your activity in relation to other Apps that you may have downloaded, whether or not you are a new user, the version of the App you are using and the store from which the App was downloaded and installed. You can prevent Google Firebase from collecting this information about you by disabling your device advertising ID via your device settings;
- other information you provide when you download or register to use our Apps, send us feedback, post material, contact us, sign up to a service, or report a problem with the App; and
- account details you may have provided to us as part of the user registration process.
2. How are we using that information?
When you use a CMS Mobile App we collect 1. Information about you, information about your usage of the App and device information to:
- allow you to use the App;
- create a user profile so that we can track and analyse your use of the App and to allow us to see if you viewed our Google advertising campaign before choosing to download the App;
- administer, maintain and improve the App;
- customise the App to your preferences;
- carry out surveys and market research;
- handle enquiries, concerns or complaints that you submit through the App;
- keep the App secure;
- notify you about changes to the App; and
- carry out research and statistical analysis.
For more information about how we handle your information in connection with this App please find the relevant heading below:
3. We rely on the legal bases described below to process your personal information in connection with Apps:
- We process your personal information in accordance with our legitimate interests in operating, maintaining and improving our Apps; keeping the Apps secure; record keeping; research, reporting and statistics; data security; ensuring the quality of the Apps and services provided through or in connection with it; investigating and responding to queries and complaints; fraud detection and prevention; risk management; and protecting our rights, property and safety (and that of others). You can object to processing carried out on the basis of our legitimate interests at any time by contacting us here;
- we process your personal information, if we need to, for the establishment, exercise or defence of legal claims or proceedings; and
- we process your personal information, if we need to, to comply with any legal obligations that apply to us.
4. We share your personal information collected on the Apps:
- with Google who provide profiling, tracking and analytics services to us using the Google Firebase platform (please see 1. What information about you do we collect and use? for more information on Google Firebase);
- with members of the related CMS lawyers and legal teams where you have agreed to this, as part of app registration so that they can contact you and if required, provide legal services to you in connection with the Apps ( and subject to terms and conditions of engagement);
- our App maintenance and support teams and App developers whose responsibilities include monitoring App performance, including recording when and how our Apps crash and/or if there are bugs that need to be addressed;
- and with other third parties as explained in Section D of this privacy notice.
The performance of services by our third-party service provider(s) may be subject to a separate privacy statement provided to you by the relevant third party. You should read any such statement carefully.
5. We protect your personal information when we transfer it overseas:
When we use Google Firebase, Google may transfer your personal information to its data centres in the U.S. Singapore and Taiwan. We have “Model Clauses” agreements in place with Google which contain contractual provisions that have been approved by the European Commission for the purposes of ensuring that your personal data is adequately protected when it is transferred to these locations.
Some of the CMS firms are located outside of the European Economic Area (Please see Section E "International Transfers").