This page describes how I deal with personal information. I may change it from time to time.
This page concerns you if you are a living person and any of these are true —
- you and I communicate with each other
- you are or were my client or an officer, shareholder, or partner of my client; or you work or worked for a client or a client’s shareholder or partner
- my client works with you or with a person or organisation that you work for
- you are a party to dispute resolution proceedings in which I am advising or have been appointed (or considered) as arbitrator or other neutral; or you work or worked for a party; or you are involved in the proceedings, for example as another tribunal member, counsel, witness, secretary, or person working for an institution administering the proceedings; or you are mentioned in the proceedings.
If any of this applies you, I could be handling personal information about you.
I am Éamonn CONLON, a solicitor, arbitrator and alternative dispute resolution practitioner. In my work, I —
- do legal work for clients
- serve as arbitrator, mediator, conciliator, adjudicator or other neutral in disputes
- operate and develop my practice
- write, lecture and do other professional activities related to law.
I refer to all this as my work.
In my work, I have to handle personal information, information that identifies living people. The General Data Protection Regulation (GDPR) has a name for someone who does that. I am a data controller.
The personal information I handle could include—
- your name, where you work, contact details like your telephone numbers and email addresses
- communications like letters, emails, texts, voicemails, and my notes of meetings and telephone calls
- information about your involvement and activities in contracts, disputes, or other matters relevant to my work
- if you are or work for a client, or are or work for a client’s shareholder or partner (or were or did any of these in the past): documents showing who you are, where you live, your date of birth, and your connection to my client.
Mostly from—
- you
- my clients and people and organisations that my clients work with
- institutions administering disputes I am appointed or being considered as arbitrator or other neutral, the parties to those disputes, and their counsel and witnesses
- other people and organisations that I work with on my work
- media reports and websites
- public and government records.
- to communicate with you
- to do my work: mostly to advise my clients, resolve disputes, and operate my practice
- to check for conflicts of interest in my work, current and future
- to confirm my clients’ identity and assess the risk of money laundering, terrorist financing, or other crimes
- to respond to competent authorities’ disclosure requirements, or make reports to them
- to take or defend proceedings or respond to complaints.
- Handling personal information is necessary for my legitimate interests and the legitimate interests of my clients and the parties to disputes in which I am appointed or being considered as arbitrator or other neutral. This justification does not apply if your interests or fundamental rights or freedoms override my interests and interests of my clients or disputants.
- My clients’ interests are in me completing the work they entrust to me.
- The interests of parties to disputes are in resolving their disputes.
- My interests are in doing my work and dealing with proceedings and complaints.
- Using personal information to check for conflicts of interest, confirm my clients’ identity, assess risk, and make disclosures or reports to authorities is necessary to comply with my legal obligations.
I may need to share personal information with—
- my clients
- people and organisations that I work with in my work
- those who read my arbitral awards or other decisions as arbitrator or other neutral
- courts, tribunals, public authorities, auditors, and regulators
- people helping me in my work
- another solicitor responsible for dealing with my practice if I die or am unable to continue in practice.
I use cloud services to store and back up personal information. I have contracts for this with companies in the European Economic Area (EEA) and in Canada, which the European Commission has decided has adequate data protection. Some of these companies store information on servers in the United States or other countries with lesser data protection and other safeguarding measures such as the EU-US Data Privacy Framework.
I might have to transfer your personal information outside the EEA—
- when necessary for establishing, exercising or defending legal claims in the course of my work involving clients, parties, counsel, arbitrators, institutions or others outside the EEA or
- to communicate with you or
- with your explicit consent or
- to perform a contract with you or in your interest.
If I transfer personal information outside the EEA (or the other countries that the European Commission has decided have adequate data protection) it might not have the same level of protection as in those countries.
Usually, no. But if I don’t get information I need, I might not be able to do my work.
- I keep information I obtain doing client work for 7 years after the work is finished.
- I keep copies of information about the identity of clients and client personnel for 5 years after completion of the transaction or end of the business relationship, whichever is later.
- I will keep your contact details and some details about the work I did for the rest of my career if I think I’ll need them to check conflicts in the future.
- When appointed as arbitrator or other neutral, I usually keep information for 4 months after the proceedings end.
- I keep accounting records for 7 years.
- I will keep your contact details for as long as we remain in contact.
No. I use appropriate technologies and procedures to help secure the confidentiality, integrity, and availability of information while I have it, and while I am sending it over the internet or in other ways. But no physical or electronic systems are entirely secure.
You have rights concerning personal information about you that I handle. They include—
- asking what personal information about you I handle
- accessing it
- asking me to correct it if it is incorrect
- asking me to delete it
- objecting to how I handle it, for example on the basis that your rights override the legitimate interests in handling it
- asking me to send a soft copy to someone else.
These rights do not always apply. For example, I might hold personal information that is protected by my or my clients’ legal privileges or confidentiality rights or duties. Your rights are explained further here. If you want to exercise them, please contact me here.
In the EU, you also have the right to make a complaint to the data protection authority where you live or work or where you believe an infringement of the GDPR occurred. Details for the Irish Data Protection Commission are here.