Basically all is said and done about GDPR now and 25 May 2018 is the day lawyers, and not just privacy attorneys at that, have marked in their calendars as an important date for many of their clients. However, amidst all the hustle and bustle with the new EU legislation and the yet-to-be-finished Polish regulations, have law firms paid sufficient attention to their own compliance? To what degree, if at all, should law firms prepare for GDPR?

Getting GDPR-ready

First of all, law firms must ensure compliance with GDPR in the same way as any other businesses that process personal data. Law firms engage in personal data processing in relation to their own staff as well as for marketing purposes (personal data of other lawyers or former or current clients). In addition, law firms process their clients’ personal data to provide them with legal services, and process personal data supplied to them by their clients for the purpose of rendering legal assistance, such as particulars of employees, counterparties, or harmed parties. Each of these processing modes will be governed by slightly different rules and require different records and procedures.

One of the primary issues for a law firm is to identify its relations with the entities to which it transmits, or from which it accepts, personal data, so that it can ensure those relationships are compliant with the new law. This will help the firm determine the scope of its compliance duties.

Law firm – a processor or a controller?

Law firms surely “receive” a large amount of personal data from their clients, such as client data or particulars of clients’ employees, counterparties, corporate officers, etc. A question then arises about the role of the law firm (lawyer) in relation to such a client. Is it/he/she a processor (i.e. processes the data on behalf of the client and, as such, must enter into a personal data processing contract with the client) or a controller of the data?

Judging by what has been said on this topic so far, the answer is not so obvious.

Lawyers, whether operating solo or in partnerships, are engaged in the business of providing legal advice. As part of this business, they act jointly with their clients and on their behalf.

In our opinion, the more convincing argument is that personal data provided to a lawyer are processed by the lawyer in her own name and it is the lawyer that determines the purpose of this processing, i.e. to provide legal assistance in accordance with the law and applicable codes of conduct.

A lawyer’s engagement is about providing legal services. In the course of those services, the lawyer independently chooses the purposes for which and the scope within which any client-supplied personal data will be processed to best serve her case management strategy. A lawyer’s engagement does not typically involve the client instructing the lawyer to conduct any specific personal data activities. Naturally, such cases may happen, but they will be very rare and will rather fall outside legal advisory as such.

In the course of its legal advisory business, a law firm processes certain personal data of its clients, i.e. of clients themselves in the case of individuals or of their representatives in the case of undertakings. This is data supplied by the data subjects themselves. In addition, the law firm very often processes third party personal data supplied by its clients for the purposes of its legal assistance.

In our view, with respect to both the former and the latter kind of data, the law firm is a controller and not a processor.

Thus, the law firm must comply with all GDPR duties incumbent on controllers, whatever the source of data it processes.

You are a controller because you decide

That approach is also endorsed by the UK regulator, the Information Commissioner, in a report published by the Information Commissioner’s Office, which you can read here. The IC says that the fact that an organisation contracts or employs another organisation to provide a service to it does not conclusively determine the role of that other organisation; its role depends on the facts of the case and the responsibilities related to the processing. According to the IC, one example of such a situation is a lawyer. A lawyer independently determines the content of his advice while the client would not ask the lawyer to amend or correct it. Also, lawyers have their own professional responsibilities in terms of record keeping, the confidentiality of communications and so forth. According to the IC, this points towards lawyers and similar professional service providers being data controllers in their own right.

In Polish legal literature, a similar view is taken by the authors of a monograph on data processing in law firms. They say that “a data processor acts entirely on instructions of the data controller, and this cannot be reconciled with the role of a professional counsel” (Bezpieczeństwo danych i IT w kancelarii prawnej radcowskiej/adwokackiej/notarialnej/komorniczej. Czyli jak bezpiecznie przechowywać dane w kancelarii prawnej, Prof. D. Szostek (ed.)).

We agree with the above view: lawyers are controllers of the personal data processed in the course of their legal services.

If the contrary were the case, it would mean that the client would be contractually entitled to give the lawyer data processing instructions while the lawyer would not be able to process any personal data without such instructions. The data processing contract would also have to provide for: the client’s right to audit the firm, the need for consent for further data transfers (e.g. to substitute attorneys), and the duty to remove or return the data on completion of the service.

Therefore, it does not seem to be a correct practice to send your law firm a data processing contract for signature with the expectation that the firm will become the data processor. Law firms have the right to refuse to sign such contracts.

None of those obligations of processors may apply to qualified lawyers and, by implication, to their partnerships.

Inconsistent case practice of Polish regulator

In the past, the Polish personal data regulator GIODO took a doubtful position on the role of qualified lawyers (adwokat and radca prawny) in data processing. In its decision of 2005 (ref. GI-DEC-DS-233/05), GIODO held that a law firm may not be considered a data controller. However, the authority says in the very same decision that a law firm is a data recipient for the purposes of Article 7(6) of the Data Protection Act. And according to that statutory definition, a recipient does not include a data processor or a person authorised to process personal data.

As such, GIODO’s position leads to an inherently contradictory conclusion that a law firm is neither a data controller, nor a data processor nor a person authorised to process data on behalf of a controller.

New law – new order

Work is pending on legislation that will make amendments to ensure implementation of GDPR. Pursuant to Article 8 of the proposed law, the Advocate Profession Act is supposed to be amended so that it will expressly provide that an advocate (adwokat) is the controller of any personal data processed in pursuit of his profession. The same amendment is expected to be made to the act regulating the profession of legal counsel (radca prawny).

If the law is enacted in its current wording, it seems the role of adwokat and radca prawny with respect to data processing will be determined.

Practical consequences

A law firm must implement GDPR, i.e. must ensure compliance with all data safety requirements and determine how to implement the fundamental data processing rules. As such, it should also take measures to implement the transparency principle, including the disclosure duty provided in Article 14 GDPR. It is exactly this duty that gives rise to the greatest controversies in relation to the legal profession. Under Article 14 GDPR, where personal data have not been obtained from the data subject, the controller must give the data subject information on the source of data and make further disclosures specified in GDPR. For obvious reasons, this is something qualified lawyers may not do.

However, we believe Article 14 duties are waived with respect to advocates because advocates fall within the exclusion under Article 14(5) GDPR, including where it provides for an exclusion with respect to personal data which must remain confidential subject to an obligation of professional secrecy. Qualified lawyers are bound by professional secrecy obligations with respect to personal data processed in the course of their professional services, in which case the disclosure duties will not apply.

In summary, in our opinion advocates and legal counsel (whether operating solo or in partnerships) should be treated as data controllers. As such, they must all implement GDPR and comply with all the GDPR duties incumbent on controllers.