Category Archive: Intellectual Property

Sintons again recognised for capability across the board by Chambers 2022

Sintons has again been hailed as one of the leading law firms in the North of England in newly-released rankings from Chambers and Partners UK.

The firm, consistently praised for its strength and capability throughout the business, again wins recognition for its legal expertise, deep experience and first-rate levels of client service.

Practice areas across the business win recognition as leaders in their field, with healthcare again being confirmed as one of the key advisors nationally for its work with growing numbers of NHS Trusts, organisations, professionals and healthcare businesses across the UK.

Chambers and Partners 2022, published today, also highlights 17 of Sintons’ lawyers as being stand-out names in their specialism, many of whom are recognised in the legal marketplace as being leading figures regionally and nationally.

The rankings come only weeks after Sintons won similar praise across the board from Legal 500, which also recognised the wide-ranging expertise, legal capability and service excellence the firm delivers to its clients.

Both Chambers and Legal 500 are independent publications which assess and rank law firms and lawyers throughout the UK, based on interviews, examples of work, and client and peer testimonials.

“For over 125 years, Sintons has built a well-deserved reputation as a first-rate legal advisor delivering outstanding levels of service to its clients, and those values have remained at the heart of the firm since our foundation in 1896,” says managing partner Christopher Welch.

“That these key features are consistently highlighted by independent legal publications like Chambers and Partners, and recently Legal 500 too, is a huge endorsement of what we do here at Sintons. Businesses, families and individuals put their trust in us to deliver an outstanding legal and personal service and that is what we deliver.

“Chambers again confirms our strength across the whole Sintons business, with capability and talent running throughout the firm, and a shared commitment by everyone here to continue to build Sintons so it can be the best it can be. We are all delighted to again have our efforts recognised in this way.”

IP team praised for quality of client service and legal advice

Sintons’ Intellectual Property (IP) team has been hailed as being “extremely helpful and responsive”, delivering “sound and valuable advice”.

Legal 500 2022 notes the firm’s strength in the protection, development and commercialisation of new and emerging technologies through new business startups and spinouts.

It is particularly strong in healthcare, Legal 500 says, through which it can leverage the support of Sintons’ nationally renowned healthcare team.

Head of IP Pippa Aitken and Karen Simms are noted for their work in IP, with Karen being hailed as “extremely friendly, helpful and rigorous”.

Graeme Ritzema is a key individual in litigious matters, Legal 500 says.

Client testimonials cited by Legal 500 2022 point to Sintons’ capability and client service as being stand-out factors. One said Sintons is an “extremely helpful and responsive firm. They have acted swiftly on our behalf and we feel they have given us sound and valuable advice”.

Christopher Welch, managing partner of Sintons, says: “Our IP team works with businesses and entrepreneurs from the very earliest stages of their journey, while also assisting large established organisations in IP matters they may not yet have considered, supporting them to protect their assets and to exploit the commercial value of their creations.

“Our expertise in this field is well known, alongside our commitment to client service, and to win acknowledgement from Legal 500 is rightful recognition of the work of our team.”

Sintons once again wins praise from Legal 500 2022

Law firm Sintons has again maintained its reputation as one of the leading law firms in the North of England in newly-released rankings from Legal 500, winning plaudits for its strength and expertise across the firm.

Legal 500 2022, released today, renews its praise of Sintons and confirms them as being a go-to legal provider in the region in many key practice areas.

The independent publication – which ranks law firms and lawyers across the North, compiled as a result of examples of work, interviews and client and peer testimonials – names eight of Sintons’ lawyers as leading individuals, three as next generation partners and a further six as rising stars. One of its lawyers also secures the highly coveted accolade of being named in the Legal 500 Hall of Fame, in recognition of consistent achievement throughout their career.

The latest Legal 500 rankings add further to the long-standing reputation of Sintons – winner of five awards at the most recent Northern Law Awards, including overall Law Firm of the Year – as a leading player in the North of England, with national reach and capability in many of its departments.

The leading individuals at Sintons, as identified by Legal 500, are:

The next generation partners, as identified by Legal 500, are:

The lawyer named as member of the Legal 500 Hall of Fame is:

The rising stars at the firm are:

Christopher Welch, managing partner of Sintons, said: “We are very proud of the reputation we have built during our 125 year history as being a law firm which consistently offers legal excellence and an outstanding service to our clients, and for these two factors to again be recognised by Legal 500 as being a staple of Sintons’ offering is very pleasing.

“We are delighted to maintain our position as one of the leading law firms in the North of England, with strength, capability and experience running throughout our practice areas.”

‘We’re proud to have helped make Sintons the firm it is’

As Sintons celebrates its 125th anniversary, some of its team share their thoughts and experiences of being part of the firm and playing their role in its growth. From those who have been at Sintons for over 30 years to those who have joined more recently, here they discuss what makes the firm stand out in the competitive legal marketplace, while also being a great place to work.

Amanda Maskery, partner and head of NHS healthcare

“I have been at Sintons now for nearly 20 years and during that time I have progressed from trainee to partner level and more recently to head of our fast-growing NHS Healthcare team. Many of my clients have been with Sintons for years and grown with me and I think a large part of that is because we have built such strong and trusting relationships with them.

The firm has grown significantly since I first started working here – it has doubled in size. However, the same culture, values and traditions are still embedded which means whilst the firm changed in size, it still embraces the supportive nurturing culture you only find at Sintons which cascades from the top down.

As I began life as a trainee at Sintons, it’s fantastic to be able to support others in progressing and achieving their goals. We have a strong team and great dynamic and that is evident to our young lawyers who bring with them a refreshing approach to the Sintons culture.”

Leah Greenwell, solicitor apprentice

“Starting my career, it was important to find a firm with local roots and a reputation for providing high quality training. The first-class levels of service Sintons provide is testament to the standard of training they deliver, and there was no question which firm I wanted my career to start in.

Sintons have always focused on ensuring that my development is put first and have laid the foundations for a successful career as a solicitor. Being a full service firm has given me the opportunity to experience all areas of law and has exposed me to a variety of high value and complex work. I look forward to what the future holds for me at Sintons.

Although the marketplace is competitive, Sintons’ longstanding history and their presence, both locally and nationally, will always place them at the forefront.”

Anne Smith, secretary

“I started at Sintons in 1986 and this year in November will have been here for 35 years.

I still remember my first day like it was yesterday. Everyone was so friendly and welcoming, and it is still like that today – almost like a second family to me.

I have mainly worked in private client and worked for lots of fee earners and partners. In 2000 I started working for Steve Freeman who then went on to become a Partner and Head of the Private Client Department. I have now worked for him for 21 years this year and I can honestly say it has been a pleasure and an honour to work for such a lovely man – we have a great working relationship. I also work with the rest of the Family Department and work for such lovely fee earners.

I am also very proud to say that my daughter Emma also works for Sintons in the Conveyancing Department and she also loves her job and the team she works with.

I have seen many changes over the years but one thing remains constant – Sintons is a great place to work. I have made lifelong friends here and they will remain so.”

Emelie Vardon, solicitor

“Sintons’ heritage was very important to me when choosing to join Sintons. I came here as a trainee solicitor in 2017 and making the right choice for my future career was crucial. Knowing Sintons’ reputation and history, I couldn’t have made a better decision.

This is such a great place to work with a warm and welcoming environment. Following the completion of my training contract in 2019, I joined our developing Wills, Trusts and Estate Disputes team. Under Emma Saunders’ excellent leadership and support, my first year as a qualified solicitor has been excellent groundwork for my future career in this specialist area of law.

As a full-service law firm, I consider that Sintons is well-placed in the competitive market.”

Mark Dobbin, partner and head of real estate

“I joined Sintons as a trainee in September 1997. At the time the firm consisted of about 80-90 people. We were operating from an office in Portland Terrace in Jesmond, it was like a rabbit warren for a new starter as it was multiple old terraced houses converted and joined on different floors.

The main changes have been the massive growth in size and expertise, plus multiple office moves until finally landing at the Cube. When I qualified in 1999 myself and the partner at the time (Andrew Walker) were the Sintons commercial property department. Since then we have grown significantly.

Sintons has always been and remains a great place to work, we have an excellent team in Real Estate and will continue to succeed because of the efforts of our staff.”

Pippa Aitken, senior associate

“Sintons was much smaller when I joined in 1998. It was a friendly, family firm renowned for its reputation in private client and personal injury work. There was no dedicated corporate and commercial department.

I was the only trainee and was sent on all sorts of weird and wonderful jobs – witnessing wills, attending infant settlements and the odd trip to the bank for the accounts department!

Sintons has become a lot more sophisticated in its working procedures and there is a much faster pace of life with emails being the most popular form of communication. I have seen some great lawyers leave and some great lawyers arrive but everyone soon seems to inherit the ‘old’ Sintons sense of fun, respect and teamwork.

Sintons is in a great place going forward. Virtual working has opened up some great opportunities to spread our wings and engage with clients even better than before.”

Sarah Smith, partner and head of licensing

“The firm has almost doubled in size since I started in 2005. The range of services offered by the firm has expanded quite significantly since then too, making the firm much more attractive to commercial clients.

When I first came to Sintons, I headed up the department with Lucy Winskell (now chair of NELEP and Pro Vice-Chancellor of Northumbria University). Since her departure I have headed it up myself. In spite of that, the department has grown in its client base and the amount of work we deal with on an annual basis.

With the growth in size and services we continue to see, I think Sintons are very well placed in the market to take advantage of opportunities going forward.”

Astrid Stevenson, secretary

“I joined Sintons on 21 October, 1997, and will have been here for 25 years this year.

I think when I started there were only about 80 people working at Sintons. We were based in Portland Terrace then moved to Osborne Terrace. We didn’t have open plan working like we have now, we had little rooms with approximately 3 secretaries in each room. I shared a room with Anne Smith from the first day I arrived and we have been firm friends ever since. Fee earners all had their own office. Basically, it was like a rabbit warren.

The staffing levels were very much smaller then, as I say about 80 staff then and now we have more than double that number. The computer system (Word Perfect 5.1) and equipment were top of the range for the time, and I think that has carried on until this day, our IT department have the latest of everything and are basically top notch.

Since I started 25 years ago, the firm has changed and has always moved forward with the times. When I started there were no female partners. Hilary Parker and Karen Simms became the first, which was a very welcome breakthrough for Sintons.

We were like one big happy family with lots of social events, which thankfully still happen to this day, keeping the ethos of Sintons going.

I think if I didn’t enjoy working here I wouldn’t be celebrating my 25th year this year at Sintons. I’ve worked for the head of dispute resolution Angus Ashman for 24 of those years, and I think we work well together because we work as a team.

This is a very nice place to work, the people are all friendly and if anyone needs help with anything there is always someone there to help. I always think we are only as good as the tools we work with and I must say Sintons do provide all the best equipment and people and it makes the job so much easier if you have things like that in place.”

Sintons’ development – reflections from the Chairman

Sintons’ chairman, Alan Dawson, is one of the firm’s longest-serving people, having joined in 1980. Here, he shares his thoughts on some of the biggest changes and advances he has seen in the past 41 years.

Technology

When I joined in 1980, we used manual typewriters, although thankfully electric typewriters had recently become available. There were no screens at that time, but over the years we added one-line screens to the typewriters, then that went up to three or four lines. It was the early 1990s before we introduced computers.

There were no colour photocopiers so all of the plans we copied were in black and white. We would have to go over them with coloured pens to make them the same as the original.

The introduction of fax in the 80s was a game changer, everything before then was done by Telex or telegram if we needed ‘instant’ communication. The only problem was that due to the paper fax machines used at that time, the print would fade – we’d go back to the file six months later and the sheet would be completely blank! We had to remember to photocopy the fax when they came in for use in our records.

With property completions, all bank-to-bank transfers involved getting an actual cheque from the bank, and then going to the office of the other solicitor in the transaction to inspect the deeds and then complete the deal. Fridays, the traditional completion day, were often spent going between solicitors’ offices in Newcastle.

When mobile phones were introduced, we had one mobile for the firm to use, we didn’t have one each. It was one of the brick-like phones with a huge battery, but it was a huge novelty.

Thankfully things have moved on hugely, and Sintons now has a first-rate technology and IT infrastructure, which enables us to offer a very efficient service to our clients while keeping their data fully secure.

Size of the firm

Back in 1980, we had about 36 people – now we have around 170.

We really started to grow from the mid to late 90s, and in 1998 we moved our offices from Portland Terrace in Jesmond to bigger premises in Osborne Terrace, which comprised three and a half houses next to each other with an overspill office further down the road. We imagined that would give us room to grow for the next 15 years – but within the next two or three years, it was already too small.

We came to The Cube in 2004 and at first didn’t use the top floor of our four-floor building, although within the next couple of years we had expanded into there.

Over the years, we have added many outstanding lawyers to our team, both through recruitment from other firms as well as training young people in-house. Our commitment to supporting aspiring lawyers through their training contract has been unfaltering – I joined as an articled clerk (or trainee, as it’s now known) and have progressed through the ranks.

As the firm has grown, so too have our back-office and support functions developed. We didn’t have the infrastructure we have now, so no HR, IT or marketing department.

Our accounts system was all manual, the cashier had to write everything by hand. There was one card per client, so if you had to borrow it, then they couldn’t make any more entries for that client until you returned it.

Our HR function was our office manager, who kept a record of who was off and the reasons for their absence – reading it now, some of the reasons are quite amusing!

Law firms weren’t allowed to advertise at all until the late 1980s, so the only kind of marketing we could do was through the Yellow Pages. Now, we operate at the very forefront of the sector, adopting digital way before many of our competitors, and that early investment is helping us to stay ahead in the marketplace.

Practice areas

In the 1980s when I joined, Sintons had a very significant insurance litigation practice which acted for four or five of the major national insurers. The revenue from that area of the business probably accounted for two thirds of our entire income. However, in the early 1990s, we recognised that reliance on a few large clients or a particular work stream was not the best way to develop the firm and could make us vulnerable. We therefore made concerted efforts to radically change our business model and to further grow the other practice areas we had operated in for many years, including private client, corporate and commercial and real estate, and they proved to be areas of strong development for us. They continue to be key areas of the business for us and will be central to our ongoing progress as a firm.

We also moved into claimant personal injury work, which really took off in the late 90s and early 2000s. More recently, we have developed our national reputation as specialists in catastrophic and serious personal injury work with a thriving specialist neurotrauma department which handles life-changing brain and spinal cord injury work.

National reach

In the early days, we were more of a regional firm with clients mainly across the North East, and some in the wider North. Occasionally, clients moved to elsewhere in England which helped us to reach out nationally on a small scale, but we didn’t have much of a national reach.

However, as we grew as a firm, we started to work on a more national basis and now on an international basis as well. The improvement of technology was also an important factor in enabling us to communicate with people wherever they were by phone or fax, but more recently by mobile phone, email or even video calling which has proved so important during the pandemic.

Through our efforts to grow individual areas of the business – which in many instances have demonstrated substantial growth over the course of a number of years, underpinned by the hard work of our people – we have been able to add outstanding new lawyers to the team, whether they have moved to Sintons from elsewhere or have been trained in-house.

Now, we have a number of areas of the business which are regarded in the highest terms nationally, including our healthcare team, which has grown its presence over the past 10 to 15 years to become a national leader in its field.

We continue to receive growing numbers of instructions from across the UK and wider afield in almost all areas of the business, as our capability and reputation as a firm builds further still.

Building on our heritage to create a strong future

1896 marked a year of historic new beginnings and breakthroughs.

The year that saw the first modern Olympic Games held in Athens;

The introduction of the X-ray;

The development of the first Ford vehicle, the Quadricycle.

And in such a landmark year as 1896, with events taking place which went on to change history, it is fitting that this was the year when Sintons was founded and the foundations laid for the firm that it would become.

Having been founded as Sutton Cheshire & Thompson on February 8, 1896, to serve the people of Newcastle, the firm then merged with John H. Sinton & Co in 1971 – later becoming Sintons – and has grown into one of the leading law firms in the North of England, acting for ever-increasing numbers of business and private clients both regionally and across the UK.

Over the past 125 years, Sintons has developed a reputation for the quality of its advice, and crucially, the deep and trusting relationships it builds with its clients borne out of the outstanding service it delivers to them.

There are so many momentous events and developments which have taken place over such a long period of time and the world has changed, and continues to change, beyond recognition.

However, throughout that period Sintons has been working alongside individuals, families, businesses and organisations for 125 years, adapting and changing to meet new challenges and will continue to do so for the years to come.

As a law firm for changing times, Sintons continues to evolve, as it has done since 1896, to ensure it stays at the forefront of the legal market and in the best possible position to deliver excellence to its clients.

“Over the past 125 years, we have continually shown we are innovators, we are leaders. We have never been afraid to take bold decisions,” says Christopher Welch, managing partner of Sintons.

“A great example of this is when we invested in our head office, The Cube, in 2004. We were moving to an area of the city which was largely undeveloped and were, largely, surrounded by the old Scottish and Newcastle plant. Looking around us now, this is a thriving, fast-growing and sought-after area, which is the site of huge investment from both business and academia. We had the foresight to buy into these brave future plans and the ambition to want to become part of it.

“In these changing times, we will continue to evolve and develop, as we have done throughout our history, to ensure that at all times we are delivering the very best service to all our clients while also building and investing in the firm from within.

“We have stood the test of time for 125 years and are committed to ensuring Sintons maintains the reputation and presence that has been built so carefully into the future.”

For Christopher, who joined Sintons in 2003, the main differentiator between Sintons and its competitors is its unfaltering commitment to clients.

While continuing to attract new clients nationally, the firm is rightly proud of its longstanding client base, which includes many who have been with Sintons through multiple generations of their family or business ownership.

“The firm’s absolute priority from day one has been our clients and ensuring they receive the highest standards of legal and personal service. Our reputation is built on those foundations, which were laid by our previous generations of Sintons’ lawyers, and is one we are proud to continue to develop further,” says Christopher.

“At Sintons, we care about what we do, how we do it and we never forget that the clients we are working with are depending on us for, often, some of the most momentous decisions of their lives. As a firm, we recognise both the privilege and the responsibility that goes with this, it is fundamental to how we work and to our values as a business.

“Our clients are the front, back and centre of everything we do. We’ve been there for them whenever they’ve needed us for 125 years and that will continue to be the case as we move forward.”

And building further on its reputation for leading the way in the legal marketplace, Sintons continues to innovate to stand out from the crowd.

Having carried out a full rebrand in early 2020, to give the firm a fresh yet timeless identity, Sintons continues to invest in its future.

“Our rebrand was a significant step for the firm,” says Christopher. “Our branding represents the firm that we are; bold, innovative and providing clear and confident advice to our clients – a firm that stands out from the crowd.

“The use of technology to better serve our clients has always been an essential part of our growth strategy. Our founding partners would be aghast at the thought that we were able to have virtually all our colleagues working remotely – with some as far away as the Cayman Islands and Texas – without any impact on client service.

“By investing heavily in our website and online presence, we have created a resource which is available to clients wherever they are in the UK or indeed the world, giving them immediate access to information and support in ways which weren’t available before.

“The legal sector isn’t always the first to embrace change, but we are rightfully proud of the reputation we have built for standing out in that respect. For 125 years, we have taken bold moves, we have never shied away from making investment to equip the business for the long-term, and we have shown foresight and innovation to make the firm what it is today.

“This is a landmark anniversary for us, and in uncertain times, the investment we have made for many years in our infrastructure, development of our people and strategic recruitment means we remain confident in our future and the service we can continue to provide to our clients and to the regional community of which we are a fundamental part.

“These truly are changing times – but with 125 years behind us then we must be doing something right! We know that our business will continue to evolve, with further investments in technology and infrastructure changing how and where we work. However, as we move forward, what is clear is that Sintons will always be right there, by the side of our clients, as we have been since 1896.”

Law firm Sintons is marking its 125th anniversary

Since its foundation in 1896, Sintons has grown to become one of the leading law firms in the North of England with a client base which extends across the whole UK.

It has become known as a key advisor to businesses and individuals acting on major, complex matters, regionally, nationally and internationally.

In many of its practice areas, including business, healthcare, private client and neurotrauma, Sintons is regarded as one of the UK’s leading specialist advisors.

Sintons has built a well-deserved reputation for delivering expert legal advice and outstanding service to every client, which is at the heart of the trusting and long-lasting relationships it has built during the past 125 years.

Testament to the quality of service provided is the fact that many of the firm’s clients have been with Sintons for decades, with the firm routinely being trusted to advise multiple generations of families and business owners.

Now, in its 125th year, and despite the ongoing challenges being presented by the COVID-19 pandemic, Sintons remains confident in its future as the firm continues to develop and grow.

The firm can trace its roots back to the formation of Sutton Cheshire & Thompson on February 8, 1896, which merged with John H. Sinton & Co in 1971 to become Sinton & Co, and later Sintons.

The expansion of the amalgamated firm has seen it move offices a number of times in order to house its growing number of employees, moving from Portland Terrace in Jesmond to bigger premises in Osborne Terrace which were soon outgrown, resulting in the relocation in 2004 to its current purpose-built home, The Cube, opposite St James’ Park in Newcastle. A second site was added with the opening of a consulting office in York two years ago to help the firm service its increasing demand for work from around Yorkshire.

The move in 2004 acted as a springboard in the development of Sintons, with many people not having realised how big the firm had grown, and heralded a period of strong growth across the firm as a whole, with legal talent continually added to build its expertise and capability further still.

This has been backed by continued investment in its IT infrastructure, digital offering and people, to ensure Sintons is well positioned for the future.

“We are very proud of the reputation we have built over the past 125 years, which has seen us become known on a national scale as a law firm of the highest capability which is absolutely dedicated to its clients,” says Christopher Welch, managing partner of Sintons.

“We have never been afraid to be leaders and to take bold decisions, which have frequently put us at the very forefront of the legal sector. We were, for example, building our online presence and digital business development platforms way ahead of our competitors and long before it was something that was embraced widely within the legal sector.

“Going forward, we are in a strong position, having built on the heritage and legacy of Sintons over the past 125 years to create a law firm with a national reach, regarded in the highest terms for the quality of both our legal and personal client service.

“This is a very significant milestone for us as a business, and while we reach it during some of the most challenging economic conditions in the country’s history, we remain confident in the future of Sintons.”

IP specialist hailed as go-to advisor

A specialist IP lawyer at Sintons has been confirmed as one of the leaders in her field in the North of England.

Pippa Aitken is a highly-regarded specialist in intellectual property, advising businesses across the UK on their rights and how to protect and commercially exploit them.

In recognition of her work, senior associate Pippa has been named as an Associate to Watch by Chambers 2021, which confirms her as a leading lawyer in her field while also recognising her future potential.

“Pippa is always really responsive and takes the time to understand what we need. She is all-round brilliant,” cites one testimonial in the independent Chambers publication.

Pippa has, for many years, been known as a leading IP advisor and has led the development of Sintons’ specialist IP practice. The firm has become known as a key name in this area of law, supporting major public and private sector clients with matters including trademarks, licensing agreements, commercial contracts and Software as a Service (SaaS) agreements.

Sintons’ IP team forms part of its corporate and commercial department, which won Team of the Year at the Northern Law Awards 2019.

Karen Simms, head of corporate and commercial at Sintons, says: “For many years, Pippa has been widely regarded as a go-to IP advisor, and has built longstanding relationships with clients across the country during that time. To see her expertise and potential in this field independently recognised by Chambers is fantastic.

“Our IP specialism is well known, and Pippa’s outstanding work has helped develop our reputation as a leading name in this area. IP is a hugely important factor for businesses and protection of such valuable assets is vital, particularly in such a challenging economic climate, and we are pleased to be helping so many clients to do so.”

Sintons’ Employment Seminar – Managing the End of Furlough

Sintons’ Employment team, in partnership with Reed HR, have recorded the following complimentary online employment law seminar.

This seminar focuses on how to manage the end of furlough & potential restructuring.


COVID-19 Q&A | Sintons | Intellectual Property

During these unprecedented times, where the situation is changing on a daily basis, we are aware that individuals and business owners will have many questions and uncertainties about how these developments impact on them.

Here, through a series of Q&A with expert lawyers from across our firm, Sintons hopes to be able to answer some of those pressing questions, and provide some certainty and clarity for people who are unsure how to proceed.

We will bring you a question and answer per day for the next few weeks.

Q – I have a business which is currently closed but is building a strong following and I am confident we will recover well after Coronavirus. I have never considered protecting my IP or anything like that. Should I take this opportunity to do so?

A – Protecting your intellectual property (“IP”) is vitally important for any business. Protecting IP prevents third parties (who may be competitors) from stealing your ideas, designs and know-how for their own profit, providing important business asset protection. Ideally, you should have an IP strategy from the outset of any new business venture and review it regularly but IP protection can often be overlooked whilst focusing on business growth.

While COVID-19 is causing great uncertainty for many businesses, it does also allow opportunities to focus your time on areas of the business such as IP protection.

Protection of IP is protection of your brand, which can be the largest valuation piece in your business’ portfolio. The importance of brand protection has arguably been heightened by the current COVID-19 pandemic as businesses are under increasing pressure to adapt to the climate and seek customers ahead of their competitors.

Businesses across the globe are becoming increasingly aware of the danger of IP infringement and the risk that such infringement poses to the continuity of their business. This is applicable regardless of the size and nature of the business in question. If a third party is able to copy or steal certain IP that underpins the core value of the products or services a business provides, it is unquestionably going to have a negative impact on the ability for that business to grow and develop.

IP is used to describe a range of legal rights that attach to certain types of ideas or information, including designs, business names, website content and products. Every business will have some form of IP, even if it is just a trading name.

When looking at protecting your IP, there are 2 key points to initially consider:

  • Identifying any potential IP rights that may apply – there may be more than one IP right that applies, so it is important to have an overarching view of the potential IP rights that could apply to your business.
  • Identifying who owns the IP rights – this is not always straightforward.

Identifying potential IP rights – some IP rights must be registered with the relevant IP registration authority in order to legally subsist whilst others arise automatically by operation of law and are not registrable. The main IP rights in the UK are as follows:

  1. Trade marks (registered and unregistered) – trade marks may include a brand name, trading name or logos. Registration of any trademark is necessary in order to ensure protection
  2. Designs (registered and unregistered) – designs may include the shape of products, packaging or patterns. It is important to ensure that you have a record of who created the design and when it was created. You may also like to consider registering any novel designs at the Intellectual Property Office
  3. Registered patents – patents cover inventions. Patent protection can be difficult to obtain and is costly but it is vital to protect future commercialisation so it can be worth the upfront investment
  4. Copyright – copyright may include writing, art, photography and web content. As copyright is created automatically, it is important that there is an appropriate record kept of all such work created so that the author of the work and the date created is clear. This is a good discipline to maintain from the start of any new business venture.

Registered rights are generally deemed to be ‘monopoly rights’ to the extent that they allow the owner to prevent others from using the IP without permission.

Once IP rights subsist in law, the unauthorised use of the IP by a third party will generally amount to a breach or infringement of the respective IP right. Such breach or infringement will usually allow the owner of the IP right to bring a claim against the infringing party and seek an injunction to prevent future use of the IP and to recover compensation and costs in connection with the infringement.

Businesses should be aware of the implications of Brexit on IP rights and the validity of EU rights in the UK post-transition period.

Ownership of IP rights – once you have identified any potential IP rights, you also need to identify who owns such rights to ensure the business can continue to make use of such IP. Issues to consider include:

  • Use of external designers, consultants and freelancers – for example, if a third party has designed a logo for your business, it is possible that the third party has retained ownership of the IP attached to the logo. This will depend on the terms of your agreement so it is vital that you check the terms carefully
  • Employees – if you are an employer, it is important to check that all employment contracts and policies make it clear that any IP created by the employee during their employment with you is owned by the business
  • Business owners – if you have incorporated, it is important that all IP created by the business owners is captured and properly assigned to the company. It is worth addressing this at the outset, especially if you have future plans to sell the business.

Confidential Information – it is important to remember that confidential information is not a form of IP under English law so you will need to ensure you have appropriate confidentiality undertakings in place to protect your trade secrets.

* For advice on this or any other intellectual property matter, please contact Chloe Dinsdale, senior associate in the corporate and commercial team at Sintons, on chloe.dinsdale@sintons.co.uk or 0191 226 3652.

Brexit 2020 – What does this mean if you own an EU Trade Mark?

Following the decisions of the UK and EU Parliaments to approve the EU Withdrawal Agreement, the UK left the EU at 11pm on 31 January 2020.

The Agreement provides for a transition period until 31 December 2020 during which there will be no change to the law or practice of the law in relation to intellectual property.

With regards to trade marks, from 1 January 2021, a European Trade Mark (“EUTM”) will no longer protect trade marks in the UK. On 1 January 2021, the UK Intellectual Property Office will create a comparable UK trade mark for all right holders with an existing EUTM. You will not need to pay for your equivalent UK trade mark and you will keep the original EUTM filing date.

Existing EUTMs will still protect trade marks in EU member states. UK businesses can still apply to the EU Intellectual Property Office for an EUTM.

There will be no changes to UK-registered trade marks as a result of the UK leaving the EU.

If you have an EUTM application that’s still pending on 1 January 2021, you’ll be able to apply to register a comparable UK trade mark in the 9 months after 1 January 2021.

If you need any advice on managing your intellectual property portfolio please contact Pippa Aitken on 0191 2267878 or email pippa.aitken@sintons.co.uk.

European Data Flows: Does your business need a European Representative after Exit from the European Union?

As Brexit continues to frustrate us all, and its implications remain an uncertainty for many businesses, the ICO have issued guidance to help prepare businesses for life post-Brexit.

Following our departure from the EU, the UK will become a “third country” for the purposes of the GDPR unless we are given “adequacy” status by the EU. This will only happen if the EU are content that the UK’s data protection legislation reaches the standard set by EU Regulations. Whilst it may seem obvious to many that this has already been achieved by our adoption of the GDPR and ratification of the Data Protection Act 2018, we must still achieve adequacy and this is something we don’t presently have.

This means that businesses which offer goods or services to, or which monitor the behaviour of, individuals in the EEA, despite not having a branch or office in that country, are still required to comply with the EU GDPR. To do this, these businesses will be required to appoint a European Representative.

This representative will work on behalf of your business and may be either an individual or organisation. As per guidance from the European Data Protection Board (Guidelines 03/2018), this representative should be located in the EEA at the place where most of your data subjects are resident. However, if there is an even spread of individuals located across several countries, the representative should still be easily accessible to them.

You must make the appointment of your representative in writing, setting out the terms of your relationship. In practice, this can take the form of a service contract with the individual or organisation. Within this appointment, the representative must be authorised in writing to act on your behalf regarding compliance with the GDPR as they may be required to deal with any supervisory authorities or data subjects in this position.

When processing personal data, you should give details of your representative to the individual to whom the data relates. This can be done by including their details in the upfront information you give to the individual or by including them in a privacy policy. You should also include the representative’s name on your website, or another easily accessible place, for any supervisory authorities.

There are a limited number of exceptions to this, including where the data you are processing is occasional and low risk to the individuals, but it would be better to seek advice on these exceptions before processing the data to ensure that all regulations are being complied with.

If you think that this will affect your business or organisation, please don’t hesitate to contact me, Louise Weatherhead at Louise.weatherhead@sintons.co.uk or by telephone on 0191 2263699 for further information.

Primary Care Networks – Template Data Sharing Agreement

As part of the Primary Care Network (“PCN”) suite of documentation, NHS England and GPC England have now issued a template Data Sharing Agreement (“Agreement”) and associated guidance: you can view the guidance by clicking here.

The Agreement is merely a suggested template and is not mandatory. Unfortunately, one size does not fit all when it comes to PCN arrangements. Whilst it is helpful to have a template document so that PCNs do not have to each develop their own agreement, as stated in the guidance, the template is not a substitute for legal advice. There are certain legal issues that members of a PCN will need to address prior to finalising and signing their data sharing agreement including the following:

  • Joint Data Controllers or Data Controller and Data Processor? – the Agreement assumes that the PCN members are joint data controllers but what if this is not the case? Depending on the members of the PCN or how the Directed Enhanced Service (“DES”) is being provided by its members, the relationship between all members may not be one of joint data controllers for all purposes. Where any controller and processor relationships exist, additional drafting will be required to comply with the requirements of the General Data Protection Regulation (2016/679) (“GDPR”). The Information Commissioner’s Office (“ICO”) has some useful guidance on the difference between data controllers and data processors to assist members in their determination of the relationship between the parties.
  • Appointment of Third Party Processors – where a member is acting as a data controller and is appointing any third party to process Personal Data on its behalf, GDPR requires there to be a written contract in place between the data controller and processor and prescribes certain provisions which are required to be in the contract.  The onus is on the member (as data controller) to ensure that an appropriate contract is in place. The Agreement places an additional obligation on each member to ensure this compliance.  The ICO has also published a useful controller and processor contracts checklist which can assist you here to ensure that any such contracts are compliant.
  • Privacy Notices – it is also important that each member reviews its privacy notice to ensure it continues to comply with GDPR following creation of the PCN. The Agreement places an additional obligation on each member to ensure that this is done.
  • Accession of a new party, voluntary exit and expulsion – headings have been included for these clauses in the Agreement but no drafting is provided as this will depend on the specifics of each PCN. The Network Agreement should already deal with these issues and it is important that these two documents work together so that where any party joins or leaves the PCN, they should also be added or removed from the Agreement. The process for doing so will depend on the mechanism agreed between the members of the PCN.
  • Documenting the sharing of Personal Data – Schedule 1 to the Agreement provides for various information in relation to the sharing of Personal Data to be included in the Agreement. This includes matters such as the legal basis for processing Personal Data.  Although you are required to document the legal basis for processing Personal Data as well as the separate condition for processing special category data (which includes medical records), you do not have to do so in a legally binding contract.  The PCN may wish to consider documenting some of the information to be provided in Schedule 1 in a different way.
  • Liability and Indemnity – there is no indemnity included in the Agreement and members are advised to take independent legal advice in relation to any liability and indemnity provisions required. This will to some extent depend on what (if any) liability and indemnity provisions have been agreed in the Network Agreement but given the potential fines associated with a serious data breach, members should consider having appropriate provisions and protections in the Agreement.
  • Transfers outside the UK/EU – on current drafting, you will be required to seek written consent from other members before transferring personal data outside the EU. This applies whether we are “in” or “out” of the EU.  It doesn’t however make any provision for the mechanisms for transferring data even with consent from other members.  Data protection laws are prescriptive in what must be done to enable a transfer across borders and this should be detailed in this Agreement if this is to be a feature in your processing activities.

If you would like to discuss further the legal issues arising from the template Data Sharing Agreement, please do not hesitate to contact Louise Weatherhead or another member of the Healthcare Team at Sintons LLP.

ICO exercises GDPR sanctions with a £183 million fine for British Airways

We are starting to see the first wave of sanctions under the GDPR legislation coming through with British Airways coming under the spotlight of the ICO.  Despite many data breaches hitting the headlines over the last 12 months, most of these cases were enforced under the old Data Protection Act 1998 which limited the powers of the ICO to fine large organisations to a maximum of £500,000.

In the current case, British Airways suffered a data breach in September 2018 when users of their website were diverted to a fraudulent one and this gave hackers the ability to harvest customers’ personal information. Approximately 500,000 customers’ details were compromised which the ICO say was due to poor IT security arrangements at the company. The ICO have served notice on BA of its intention to fine the company £183.39M for its infringements under GDPR and BA is no doubt compiling its response to this fine to see if it can be mitigated in any way.

It is clear that information regulators across Europe will exercise their powers to their fullest potential in cases where organisations have not taken steps to respond to their obligations under GDPR. One may have a degree of sympathy for BA, who suffered this breach 4 months after the implementation of the GDPR, but the message from the ICO is clear. Businesses should have already been working towards a position in the 12 months leading up to 28 May 2018 to ensure that their systems were sufficiently robust to deal with cyber-attacks. Those organisations who are latecomers to the party, particularly those dealing in large scale personal data or smaller scale sensitive personal data, will be significantly exposed when (not if) they suffer a data breach in the post GDPR era.

If you have any questions at all in relation to the above, please feel free to contact me, Louise Weatherhead at Louise.weatherhead@sintons.co.uk or by telephone on 0191 226 3699 or speak to another member of the Data Protection Team.

Parents: Beware of the Tik Tok app

Since August last year, Tik Tok has now overtaken Instagram, YouTube, Spotify and Snapchat as the top free music video app in the App Store.  It is targeted at children and teenagers and combines lip-syncing, built in video effects and social media.

It was developed in China and its lure is that it allows users to create video clips, edit them and add special effects.  Users can also watch clips of others that have been uploaded onto the site.

Why should parents be wary of this?  As the user makes lip-syncing videos to their favourite songs this may include some mature language and sexual content in the songs that are popular on the app and there is no way to filter this content.

What’s more, there are only two privacy settings: private and public.  The default on this app is set at public and it’s often the case that videos have been uploaded before parents are even aware that such settings should be changed.

The most alarming aspect of this app is that it can allow strangers to direct message your children when the privacy setting is set at public.   An incident was reported in the news (ABC News) where a father of a 7 year old (who is also a police officer) was warning parents after his daughter was contacted by a predator on Musical.ly (Musical.ly rebranded itself as Tik Tok and followers were moved over after updating the app).

The app has been banned in Indonesia because it contains negative videos that are deemed to be a bad influence on young people and there is a call in India for the app to be banned with claims that it is leading to cultural degradation.

Parents should carefully monitor the apps that their children use.  This comes as no surprise.  But, in addition to a parental permission block on new apps, parents should also ask their children to educate them on any new apps they want to download.  You can then do some research to maximise the privacy settings on the app to make it safe for their children to use.

Parents of older children and teens should remind their children that their online activity (even under a fake username) could damage their reputation.

I hope that this privacy blog has been helpful but please don’t hesitate to contact me, Louise Weatherhead at Louise.weatherhead@sintons.co.uk or by telephone on 0191 226 3699 if you require any further information.

GDPR Blog: Update on SARs made to GP and Care practices

The ability for individuals to request personal information that is held about them is one of the cornerstones of the GDPR and its principle of transparency.

Subject Access Requests (or SARs), may be made by a data subject to any organisation to obtain personal data held about them.  SARs may be made electronically, in writing or verbally.  There was nothing particularly contentious about this but it has become apparent in the time since GDPR was implemented, that this mechanism has been used by many law firms and claims management companies to seek medical records from GP and other care and rehabilitation practices, free of charge.

Historically, these records were requested under the Access to Medical Records Act 1990 and the old Data Protection Act 1998, and GPs could levy fees which were fixed by tariff depending upon whether records were provided in hard copy or electronically. The introduction of the GDPR, however, has led to many requests for medical records to be made under this new legislation, essentially providing records free of charge, much to the consternation of practices and care professionals in the health sector.

Some challenges have been made by practices to this application of the GDPR but with limited success. Their plight was weakened significantly by guidance issued by the British Medical Association (BMA) in August 2018 and followed up with the report “Access to Health Records” in January 2019. This established that requests made by patients or their representatives using the SAR mechanism were “purpose-blind” and were a valid exercise of a patient’s rights. The BMA followed existing case law which pre-dated GDPR in permitting SARs in cases supporting a legal claim and clarified the position that a request made for this purpose would not place a limit or reduce a patient’s right to access personal data held about them.

From a client’s perspective, there was a hope that the ICO would deliver some guidance to benefit the health sector and restore some equilibrium to this process.  The ICO have now responded and made the position clear but this has been to the detriment of the medical practices who are most affected.

Guidance issued on the 7 March 2019 now confirms that, despite the significant rise in SARs since the GDPR came into effect and the administrative impact and increased workload this has created for GP surgeries and care practitioners, claimant solicitors and other agents may validly obtain medical records of their client patients under the SAR procedure.  The ICO offer some practical advice as to how SARs may be dealt with, namely:

  • To offer patients online access to their health records where possible. The government is committed to increasing access to online patient records in GP surgeries and to explore ways in which the health sector can deliver access to patient information online or at their surgery;
  • To provide an SAR response electronically, subject to adequate safeguards such as encryption;
  • To limit the scope of any requests made to those records that are relevant – electronic data may make it easier to narrow the search criteria to that required;
  • To only provide the records once. Any repeat requests may be charged for; and
  • To ensure that the requisite form of authority has been received before release of records to a claimant firm can be made.

As a reminder, requests made by insurance companies for access to patient records should be handled under a separate framework, the Access to Medical Reports Act 1988, which exists for the insurance industry’s access to tailored medical reports and is used to assess claims.  This provides for GP and care practices to charge a fixed fee to gain access to patient information and is widely accepted in the insurance sector.

Whilst this is not the news that many practices wanted to hear, it may at least focus the attention away from the validity of SARs and towards more efficient and economical handling of the requests when they are received.

If you have any questions at all in relation to the above, please feel free to contact me, Louise Weatherhead at Louise.weatherhead@sintons.co.uk, on Twitter @LNWdataprotect or by telephone on 0191 226 3699

GDPR Blog: Legal advice relating to Consent should be revisited

In the scramble to achieve data protection compliance last year, some lawyers assessed their clients’ businesses and identified consent as the lawful basis on which to process personal data under the GDPR. In many cases, this was the obvious choice and maintained the status quo, as many companies were already using consent to acquire personal data and it was a fair assumption that this would continue, albeit with more stringent conditions. This was then recorded in the suite of data protection documents that were required under the GDPR’s transparency and accountability principles (see Blog 9 for further information).

Consent is only one example of a lawful basis for processing data and there are others, such as “legitimate interest” or “performance of a contract” which may be relied upon instead, if certain criteria can be met.  The GDPR raises the bar to a higher standard for consent and requires businesses to review how they obtain, record and manage that consent.

Nearly one year on since the implementation of the GDPR, consent is now widely considered as the least preferred option due to its unstable nature. Primarily this is because it may be withdrawn at any time. Given the substantial publicity surrounding the GDPR last year, many, if not most people, are now aware of their enhanced rights where others process personal data about them. Some businesses may not have the IT infrastructure, resource or know-how to deal with a retraction of someone’s consent and significant efforts may be required to respond to this request.

This was particularly the case in the marketing sector where companies did not have the ability to use the performance of a contract as a legal basis for processing data. What has emerged since last May is that the lawful basis of “legitimate interests” offers the most flexible solution to those businesses seeking to process customer or employee personal data. This would apply to an insurance company processing an individual’s claims information, or a bank processing data for fraud protection purposes but may be applied more widely for any business who can demonstrate that they have a legitimate need to use the personal data and that the privacy rights of the individual or “data subject” have not been adversely affected. If there are some concerns about this, then an LIA or Legitimate Interests Assessment document should be prepared. This is similar to a risk assessment and identifies the privacy risks to the individual and records the technical and organisational measures implemented to mitigate these risks.

Something to be aware of is that you may be more constrained in avoiding the consent basis if you are processing special category data (SCD) such as health, biometric, political, religious and other types of sensitive data.  The requirements here are more stringent and don’t have the flexibility of utilising the legitimate interests mechanism for processing.  Unless you are processing SCD for employees, then businesses will usually need to seek explicit consent from data subjects for this category of data.

If your privacy notices still reflect consent as the lawful basis to process personal data then you should contact your lawyer (preferably the one who drafted the documents) and speak to them about whether it is more appropriate for these documents to be redrafted.

If you have any questions at all in relation to the above, please feel free to contact me, Louise Weatherhead at Louise.weatherhead@sintons.co.uk, on Twitter @LNWdataprotect or by telephone on 0191 226 3699

Protecting your assets essential in a competitive marketplace

As the craft beer industry becomes increasingly crowded, it is likely we will see a rise in disputes involving trading names as local producers and retailers seek to gain a competitive advantage in the market.

The recent dispute over the Yellow Belly ale is one case in point. The case centred around Yellow Belly, brewed by Derbyshire-based Buxton Brewery and Sweden’s Omnipollo, and the claim from rival Batemans Brewery that its name was too similar to its Yella Belly Gold brand.

Batemans claimed a breach of its trade mark on the basis of the similarity in names. As a result, production of Yellow Belly is set to end in the near future.

This again helps to highlight why it is so important to protect your intellectual property, and therefore your business, from challenges from competitors. A significant investment of time and often money is involved in developing your brand identity and logo, so is certainly worth protecting, and also clarifying whether you are free to use it at as early a stage as possible.

A registered trade mark is a valuable commercial asset and gives the owner an exclusive right to use that mark in relation to the goods or services listed in it. However, it is important to choose a trade mark that is acceptable to the Intellectual Property Office – a trade mark can be refused and can be challenged post-registration if it is a mark that has passed into the common language and has become a household name, is descriptive or is devoid of distinctive character.

It is vital to take legal advice if there is any doubt over the registration of your trade mark and whether you are free to carry out your activities without coming into conflict with the legal rights of others. Equally, be certain to seek advice if you feel your rights are being infringed by a competitor.

It is your business and your brand – make sure you know your rights and protect them where necessary.

Pippa Aitken is Head of IP at Sintons. Contact her on 0191 226 7842 or pippa.aitken@sintons.co.uk.

GDPR and a No-Deal Brexit

Current GDPR guidelines and the cross border transfer of personal data

It feels like we have only just completed our compliance programme in relation to GDPR and data protection legislation in general. In relation to cross border transfers of personal data, these were, in large, limited to EEA (essentially EU) countries where you could rely upon similar laws and protections being in place, thanks to the GDPR’s reach across Europe.

Some businesses may have recognised that some of their contracts involved transferring personal data outside of the EEA in which case, additional measures were taken, often in the form of an agreement with the data recipient(s) or authorisation from the ICO (or other European regulatory data protection body).  Once that task was accomplished, you moved on to other, more pressing routine matters, or so you thought.

The transfer of personal data after a no-deal Brexit

At 23.00 hrs (GMT) on 29 March 2019 EU law will no longer apply in the UK if there is no withdrawal agreement, no revocation of the Article 50 withdrawal notice and no extension of the Article 50 period.

This will have wide-reaching consequences for businesses in general, but in data protection terms, businesses that rely on the transfer of personal data between the UK and the EEA will be affected. Measures that have already been implemented for transferring data to non-EEA countries will not change so transfer mechanisms adopted for these countries will largely stay the same and no further action need be taken at this stage.

With a no-deal Brexit, the UK government have stated that it will permit personal data to flow from the UK to EEA countries but the transfer of data from the EEA to the UK will be affected.  This is because the UK will become designated a “third country” that is, a non-EU country, and we will be subject to the same restrictions on international data exports from the EU which apply to all other non-EU countries.

On the basis that the UK has demonstrated its commitment to the principles of the GDPR by enshrining it in the UK Data Protection Act 2018, it is reasonable to assume that we are well positioned to achieve adequacy status as our protections for the transfer of data are parallel to those of our European neighbours. This does not, however, prevent amendment to this law over time. We will need to wait and see if an adequacy decision follows the outcome of our Brexit negotiations, thereby maintaining the status quo.

The UK are pushing for a designation that actually goes beyond the current adequacy arrangements, seeking an “adequacy plus” determination, but these arrangements don’t happen overnight and usually follow a rather long, drawn out procedural process.  As such, it is unlikely that such a designation will be achieved by the end of March.

This leaves us with a rather complicated process for achieving the same ends. The possible solutions will vary from one business to another, although the range of solutions will increase the greater the reach of the business and the more data heavy it is. A “one size fits all” approach will not work here and guidance should be sought for the most suitable mechanism for your business to adopt.

The data export solutions available to make transfers to and from the EU and UK are as follows:-

  • Adequacy Decision: the European Commission considers that our data protection laws provide an “adequate” level of protection for EU nationals;
  • Standard Contractual Clauses (SCC): issued by the European Commission. Non-negotiable clauses for businesses involved in the transfer of data (sender and receiver of personal data);
  • Binding Corporate Rules (BCR): used for companies with branches in other countries where internal overseas transfers of personal data are made within a corporate group and must be approved by the ICO;
  • Approved Codes of Conduct: prepared by the business and approved by the ICO and the European Data Protection Board (EDPB). Breaches of the Code may result in significant fines aligned with GDPR enforcement powers;
  • Approved Certification Mechanism: prepared by a business establishing appropriate safeguards where the receiving party makes binding and enforceable commitments to apply the appropriate safeguards including those in relation to data subjects’ rights;
  • Privacy Shield: used for transfers to organisations in the US who have signed up to this certification scheme. If this framework is in place then the organisation is deemed to have an “adequacy finding.”

If your business operates in Europe (and this includes third party suppliers or processors with whom you share personal data) then you will need to comply with both the UK and EU data protection regimes and may need to appoint a representative for both jurisdictions.  This would be a requirement where you offer goods or services to individuals in the EEA and where the data processed is regular, high-risk and/or involves special category (sensitive) data or criminal offence data on a large scale.

There are some general exceptions to using one of the above solutions, and these are called “derogations” under data protection legislation.  These are circumstances where, for example, the transfer is necessary for the performance of a contract with the data subject or where explicit and informed consent has been given by the individual.  But if one of these exceptions can’t be satisfied then the default position is that one of the transfer instruments must be adopted.

As there is a general shift away from relying on consent of the individual due to its precarious nature (it is easily revoked) this presents yet another barrier to the data flow procedure for organisations when dealing with international transfers.

What can UK businesses do at this point to prepare for a no-deal Brexit?

The ICO suggests a number of actions that can be implemented to prepare for a no-deal Brexit.  These are:

Louise Weatherhead is a Solicitor in the Corporate and Commercial team at Sintons. If you have any questions about this article, you can contact her on 0191 226 3699 or Louise.Weatherhead@sintons.co.uk.

Vicarious Liability and Data Protection Breaches

The Court of Appeal has this month handed down a landmark decision holding an employer vicariously liable for the intentional leak of payroll data by a disgruntled employee.

In Various Claimants v Wm Morrisons Supermarkets Plc, the Court of Appeal has upheld the earlier decision of the High Court, which found the supermarket chain vicariously liable for the leak, by an employee, of the personal details of around 100,000 Morrisons employees.

The employee responsible for the leak was a senior IT manager, who, following disciplinary action taken against him, decided to release the names, addresses, bank account details, NI numbers and salaries of other Morrisons employees online.

The employee used his private computer to make the unauthorised disclosure outside of working hours and did so with the specific intention of harming his employer. He was subsequently convicted of fraud, securing unauthorised access to computer material and disclosing personal data, and jailed for eight years in 2015.

As a result, more than 5,500 employees brought claims for breach of statutory duty in relation to the Data Protection Act 1998 (DPA) (the legislation pre-dating the GDPR, then in force), the misuse of private information and breach of confidence.

In the earlier decision, the High Court found one breach of the DPA by Morrisons, namely that they had failed to organise the deletion of the data from the employee’s computer. However, it was held that this failure did not lead to any loss, and that the purpose of the rule was to prevent the inadvertent retention of data rather than deliberate misuse.

When considering the issue of vicarious liability, the High Court had to determine whether the employee’s actions had been in the course of his employment. To do this, they had to assess whether his release of the data was sufficiently connected to his authorised duties as a senior IT manager. They determined that, as he had been provided with access to the data for legitimate reasons, in this case to carry out an audit, the breach formed part of a continuing sequence of events and thus there was connection enough between the breach and his authorised duties.

Morrisons disagreed with this decision and sought permission to appeal as they felt that they were “completely innocent in respect of this data event”. This was granted and last week, the Court of Appeal unanimously upheld the High Court’s decision and found that Morrisons were vicariously liable for the actions of their employee despite taking preventative steps and bearing no criminal responsibility, with the judges stating that they found Morrisons’ arguments “unconvincing”.

While Morrisons have signalled their intent to appeal this decision in the Supreme Court, the decision as it stands should serve as a stark warning to employers that they may be held vicariously liable for the illegal actions of their employees, and that insuring against such eventualities is vital.

Sintons announced as sponsor of Newcastle Startup Week 2019

A high-profile North East event which helps and inspires hundreds of people each year to start or grow their businesses has secured law firm Sintons as a new premium sponsor.

Newcastle Startup Week will return next year for a third time, with its two previous five-day festivals each attracting over 600 people from across the UK and as far afield as the US.

The 2019 event is predicted to be the biggest yet, with a host of inspirational speakers already secured and interest expressed from across the world.

The event – which will kick off on May 13 in the Boiler Shop, George and Robert Stephenson’s refurbished former workshop, in a nod to Newcastle’s history of leading the world with its innovation – will this year be supported by law firm Sintons, a leading advisor to startup businesses.

Specialist lawyers at Sintons have a wealth of experience in advising businesses on the full spectrum of legal issues they will experience in the journey from pre-startup to scaleup and beyond. The team, which collectively offers over 220 years of experience, has supported businesses throughout the North East and across the UK to achieve their ambitions.

The firm has been rated as one of the best in the North of England for many years, and its recent work in startup circles includes being named as a partner of the new Tuspark Eagle Lab co-working space in Newcastle – as part of a globally-esteemed network for startup tech businesses. Sintons lawyers Lucy Cook and Luke Philpott are actively engaged in the startup community with Lucy recently designing and delivering interactive workshops and legal clinics for emerging entrepreneurs at local universities and Luke Philpott regularly taking part in panel events since relocating from Manchester earlier this year.

Sintons’ sponsorship of Newcastle Startup Week, founded and run by ‘SuperConnector’ Paul Lancaster’s business Plan Digital, is the latest endorsement of the team’s capability in this field and will see them working alongside the Plan Digital team and other sponsors including Blu Sky Chartered Accountants to deliver highly engaging, informative and practical content.

Karen Simms, head of corporate and commercial at Sintons, said: “As a leading advisor to businesses at all stages of their journey, our team has the knowledge and experience to help startups identify and deal with important legal issues, in a strategic and cost effective way. Specialists in our teams regularly advise startups on structuring their business, negotiating key contracts, protecting their IP, preparing their terms of business, engaging with their employees, securing property, and preparing for their future both personally and professionally.

“We are truly delighted to become a premium sponsor of Newcastle Startup Week in recognition of our capabilities in this area. The event has done so much to help support and inspire businesses and entrepreneurs in our region, and has played a central role in putting the North East of England on the map internationally as an ideal place to start or grow your business. We look forward to working with Paul and his team in preparing for Newcastle Startup Week 2019, and we are already looking forward to meeting yet more outstanding entrepreneurs and learning about their plans.”

Paul Lancaster said: “I’m delighted to have Sintons onboard this year after being impressed by how proactive, supportive and knowledgeable the team are in supporting businesses at every stage in their journey. They really ‘get’ startups and scaleups and have already delivered some excellent talks at our monthly Founders’ Friday events and provided expert legal advice to us on how to deal with international sponsorships and partnerships.

“We’re very much looking forward to working with them over the next eight months and are excited about how we can both use Newcastle Startup Week to help even more people to start or grow their business here in the North East of England.”

The GDPR – 4 months on

We have now all had time to consider the changes that have been made to our businesses since the GDPR came into force in May.

Many companies have reacted well to the compliance requirements, while others are still grappling with what it all means and whether they could in fact operate under their existing pre-GDPR policies. Most knew that changes were required to their privacy notices or statements so that they met the transparency principle as regards letting data subjects know what, how, why and for how long they hold personal data. Those who embraced the full compliance programme became aware that there are other documents that their business needed to demonstrate that they had done what was expected of them under the new regime.

The majority of businesses also came to understand that the GDPR doesn’t affect only the large, data heavy companies, but every business that takes even the bare essential personal data (names, addresses etc.) to complete transactions with their customers and suppliers. The Regulation affects the small family owned business and the corporate giants alike.

Boards have been put under pressure to commit resource to this surprisingly far-reaching legislation which has infiltrated almost all aspects of their business.  IT, HR, Governance and Marketing teams have been drawn in to explain their data processing activities internally, while commercial teams have been caught up identifying their third party suppliers and those who have access to customer or employee personal data. In such cases, GDPR mandatory data processing contracts have been put in place to ensure cooperation, security and control of the data when it leaves your business. Whilst cumbersome, many companies will rest assured in the knowledge that a data breach by a third party, should one occur, will place that supplier in the direct path of the Information Commissioner’s Office (ICO) and any failure or negligent handling of personal data will be focused squarely on them, and not you. That is, of course, assuming that you have shown that you are compliant with your own data protection obligations.

Businesses that operate with high quantities of personal data or special category data have been particularly responsive, knowing as they do that they are vulnerable to sanctions should sensitive data fall into the wrong hands. These companies have compiled records of their processing activities.  They have also ensured that a data breach policy has been prepared and an individual nominated within their company to deal with breach reporting. This person will take the reins and liaise internally with those who can assist with the investigation and deal with damage limitation when faced with lost or stolen documents, or a cybersecurity breach to their systems. A comfortable position for many board directors at this point is the knowledge that when panic sets in, they have a robust plan and have someone to lead the way.

The ICO have confirmed that so far, of all the data breaches reported since May, 1 in every 5 has been due to a cyber incident and half of these were the result of phishing. It is therefore more important than ever to make sure that your employees not only get the data protection training required but that this training doesn’t lapse. Regular monitoring of your IT systems combined with a raised data consciousness of your staff will serve to minimise breaches occurring.

500 or so breaches are now reported to the ICO on a weekly basis which shows the magnitude of the problem. Some of these don’t meet the reporting criteria although businesses are showing heightened responsibility in making contact and treating cybersecurity and data protection as a boardroom issue, which is to be commended. For those who have, to this point, tried to ignore the “hype”, I advise that you get with the programme, the compliance programme, that is.

I hope that this blog has been helpful but please don’t hesitate to contact me, Louise Weatherhead at Louise.weatherhead@sintons.co.uk or by telephone on 0191 2263699 or speak to another member of the Data Protection Team if you require any further information.

Brexit – What will happen to your European Trade Marks?

There has been a lot of speculation regarding the position of European Trademarks (“EUTMs”) and the implications for brand owners regarding the status of UK rights once the UK formally leaves the EU on 29th March 2019.

On 19 March 2018, the European Commission published its first draft of the Withdrawal Agreement, setting out the terms upon which the UK will leave the EU.

The good news is that the owners of any EUTMs which have been registered before the end of the transition period – 31st December 2020 – will automatically be entered onto the UK Intellectual Property Office registry as a UK registration with the same scope of protection and filing priority dates and without the need for re-examination. The Trade Mark will continue to cover the remaining 27 EU countries.

The draft Withdrawal Agreement expressly considers the status of pending EUTM applications. It proposes that, where there are existing applications for EUTMs in progress at the end of the transitional period, the applicant will have 9 months in which to file an application for an equivalent trade mark in the UK. Any such UK application will be given the same filing date as the EUTM application on which it is based. This means that if you want to avoid refiling the application in the UK after the transition period, you should aim to file the EUTM as soon as possible to ensure that there is sufficient time for your mark to be registered. Timings vary but you should allow around 8 months from the start of the process for EUTM registration, so it would make sense to commence the EUTM application sooner rather than later.

A further consideration for holders of EUTMs which have been used exclusively in the UK is that when the UK leaves the EU, those EUTMs may become vulnerable to successful revocation on the ground of non-use because use in the UK will no longer be taken into account.

It is important to note that the agreement is not yet finalised and further changes could occur. In the meantime, those businesses with the resources available and where the UK is their main market may wish to consider filing parallel UK applications now (corresponding to their current EUTM), in order to safeguard their position.  This tactic would secure the certainty of their rights and avoid any complications or rush in ‘converting’ in the future.

If you have any questions relating to this article or require any advice, please contact Pippa Aitken, Senior Associate in our Company and Commercial team, on 0191 226 7842 or at pippa.aitken@sintons.co.uk.

Nestle’s Kit Kat trademark defeat and the lessons for others seeking to protect their products

For many, the distinctive appearance of a Kit Kat makes it instantly recognisable as one of the UK’s best-loved chocolate bars.

But, in the latest round of a legal battle lasting more than ten years, the European Court of Justice has ruled that this is not sufficient to grant its manufacturer Nestle the trademark it has fought so hard to secure.

Nestle wants to trademark the shape of its four-fingered Kit Kat, on the basis that it has been in circulation since 1935 and is recognised on the basis of its shape.

However, it has been fought all the way by Cadbury and its owner Mondelez, which has had a similar product in circulation in Norway called Kvikk Lunsj since 1937. While the taste of each product is different, their shape is essentially the same, and when Nestle sought to protect the shape of its Kit Kat with an EU-wide trademark in 2002, Cadbury went on the offensive, with their court battle beginning in earnest in 2007.

While the EU Trademark Office initially authorised that, the latest – and potentially final – verdict in this long-running battle essentially annulled this, telling the office it has to reconsider its decision on the basis that, while the four-finger Kit Kat has wide recognition in some parts of Europe, there is no evidence to support that in countries including Belgium, Ireland, Greece and Portugal.

Although Kit Kats have been commonplace in the UK for more than 80 years, and for many people probably are recognised instantly on their shape alone, they have never been trademarked – and when the attempt was made back in 2002, a competitor had already become established with its own product. This new ruling could now enable other competitors and supermarket own-brands to replicate the Kit Kat design.

It remains the case that new products should be trademarked at the earliest opportunity to protect their unique identity, be it their design, shape, brand or any other aspect of their intellectual property. For example, the Toblerone bar – made by Mondelez – has a full trademark of its shape in place, and last year successfully dismissed a challenge from Poundland, who sought to create an off-brand version.

For support in protecting your product or brand and its unique identity, professional advice should be sought.

TRADEMARK TIPS

  • Check no-one is already using your brand or brand idea
  • Brand registration is not essential, but will help protect you and your business from competitors
  • A company or web address alone is not sufficient and will not stop someone devising or using a very similar brand or brand name
  • Investing in expert professional advice is always advisable to ensure you, your brand and your business are fully protected legally.

GDPR Blog Week 10: GDPR or Data Protection Act 2018?

The UK Data Protection Act 2018 (“the new Act”) received royal assent on 23 May, and its provisions commenced 2 days later, at the same time as the GDPR.

Why do we need both? With Brexit looming ahead it will be necessary for the government to entrench the GDPR provisions into UK law. When we leave the EU, we will be designated by the EU Commission as a “third country” and it will be even more important in this brave new world to demonstrate that our data protection legislation is as robust as that of our European counterparts. In doing so, we will avoid infringements and maintain the confidence of our trading partners in the region that our (and their) personal data will be secure. We can’t have a situation where there are fears that the UK’s data laws won’t offer similar levels of protection as the GDPR, which will continue to operate across Europe.

The new Act covers some other areas on which the GDPR is silent. These are provisions relating to national security and there are some lengthy exemptions relating to data subject rights in sectors such as law enforcement and processing by the intelligence services. There is a general exemption against data subjects exercising their rights in areas of health, social work, education and child abuse data and the new Act also addresses situations of legal professional privilege and where personal data may contain personal information of others which, unless protected, would cause a breach in making a disclosure.

One important change between the GDPR and the new Act is the age of consent for children to provide their personal information in the area of Information Society Services (ISS), which has been reduced to age 13.  ISS are online services, often games, purchased and downloaded onto a child’s device. So, for example, a software company marketing directly to a child for on-line gaming products must seek parental consent for any child under the age of 13. This overrides the GDPR, which lists the age of consent for ISS as 16 years. For all other processing of children’s personal data, parental consent must be sought for all children under the age of 18. So the GDPR and new Act will work together for the time being.

The new Act also introduces new criminal offences, such as knowingly or recklessly re-identifying information that was previously made anonymous or obtaining or disclosing personal data without the consent of the controller. It is also an offence to deliberately alter or conceal information which should be provided in response to a subject access request. These are backed up with enforcement powers given to the Information Commissioner which allow her to serve enforcement or assessment notices on businesses and to exercise the right to enter premises for inspection where certain conditions prevail. Any efforts to sweep documents or other evidence under the proverbial mat will also be met with criminal sanctions.

Let’s not forget that the GDPR also significantly raises the penalties for non-compliance from £500,000 up to €20 million (or 4% of group annual turnover). One thing is for sure, the new Act has teeth, and the Information Commissioner isn’t afraid to use them.

I hope that this blog has been helpful but please don’t hesitate to contact me, Louise Weatherhead at Louise.weatherhead@sintons.co.uk or by telephone on 0191 226 3699 or speak to another member of the Data Protection Team if you require any further information.

The importance of protecting your domain

A web address or domain name often forms a central component of a brand’s identity, playing a key role in their recognition in the marketplace.

Often, however, domain names can be used in a way that may be seen to replicate – and ‘trade off’ the success of – the names of recognised brands or trade marks. A tough stance is taken against this by many businesses, as the confusion among potential customers and clients can be very costly.

Recent figures from Nominet, which is responsible for running the .UK namespace, have shown a rise in this form of impersonation – 712 complaints were made last year, 55 per cent of which resulted in the domain name being transferred (meaning possession is given to the complainant) as they were deemed to be infringing the identity of another business.

One recent example involves international lingerie and beauty brand Victoria’s Secret, which successfully ordered the transfer of the domain victoriasecretbeauty.co.uk. They took action against a beauty therapist in London’s Mayfair, who claimed to have been unaware of the Victoria’s Secret brand – although the appointed expert in this dispute found that not to be a credible defence, particularly given the industry in which she operated.

The impersonation or taking of well-known web domain names is far from a new practice – shortly after the internet began to thrive in the early 1990s, the domain name of burgerking.co.uk was registered, with the purchaser then offering it to Burger King for £25,000. In the resultant dispute, the court ordered its transfer back to Burger King.

Generally, domain name disputes can be handled by invoking the Registrar’s domain name dispute policy. In order to gain control of a domain name under the domain name dispute resolution process, you would have to show that you have legitimate rights in the domain name and that the registration of that domain by the other party is an abusive one.

Much more difficult questions arise where there is a dispute between two legitimate trade mark owners under the same names. Where neither party has any superior trade marks, then usually the ‘first come, first served’ rule will apply.

Your brand is a hugely valuable asset to your business and your identity, so it is vital it is protected and that action is taken, if necessary, to do so.

Pippa Aitken is Head of IP at law firm Sintons. To speak to her about this or any other matter, contact Pippa on 0191 226 7842 or pippa.aitken@sintons.co.uk

Gaming giants’ Battle Royale over copyright

Two of the world’s most popular video games could be heading for their own ‘Battle Royale’ in the courts, and in the full glare of the media spotlight, after one was accused of copying the other.

The makers of Fortnite have been accused of copying the intellectual property of PlayerUnknown’s Battlegrounds (PUBG), both of which are among the biggest names in gaming of the modern day, with their ‘last player standing’ online battles becoming the new must-have for gamers.

PUBG was released in March 2017, inspired by the Japanese film Battle Royale, and involves 100 players parachuting onto an island, where they search for weapons and kill one another until only one player remains. Fortnite was released by Epic Games in July last year – with its Battle Royale mode launching in September – and also sees 100 players landing on an island, searching for weapons and killing one another until there is only one man left standing. However, Fortnite also allows players to collect wood, metal and bricks to build defences.

Both games have attracted record-breaking numbers of gamers – Fortnite set the world record in February 2018 with 3.4 million people playing at once, breaking the previous record of 3.3 million simultaneous players set by PUBG.

PUBG has now filed an injunction against Epic Games in its native Korea, in a move which, if successful, could restrain Fortnite’s distribution, in what would be a huge blow to a game that is estimated to currently generate over $200 million a month.

The case again brings the issue of protection of intellectual property to the fore, and the many factors that game designers and the gaming industry have to consider in respect of intellectual property rights (IPR). There are a wide range of IPR that are relevant in the gaming industry, though copyright is the most dominant and appears to be the issue in this case.

With the ease with which you can share, distribute and sell computer games across the world, it is important to consider the relevant IPR in each country and ensure that adequate and appropriate protection is obtained.

In England and Wales there is no system of registration of copyright, unlike in the US, where legal registration of original creations is offered. Generally speaking, copyright in gaming covers:

  • Software/coding – the ‘back room’ programming and development involved
  • Artwork/images – this includes graphic works like drawings, thus the game’s images and artwork, as well as those on its literature and marketing materials, can be protected
  • Music/sounds – including music, exclusive of any words or action intended to be sung, spoken or performed with the music
  • Films – most games include short video or film extracts as the gamer progresses through the game
  • Gameplay – images played onscreen as the gamer progresses

Should a challenge to copyright arise in England and Wales – or had the case of Fortnite and PUBG been filed under this jurisdiction – the makers of the alleged infringing party would have to show that:

  • Copyright or design right subsists within the item
  • The claimant owns that right
  • A substantial part of the copyright has been copied
  • The defendant copied the work or design

It remains to be seen what will happen with the case of Fortnite and PUBG, and whether its outcome will affect the rising popularity of both games, but it does serve as a reminder for game creators to be aware of their rights, and to enforce them when required, in the fast-growing multi-billion pound gaming industry.

Lewis Couth is an Associate and IP dispute specialist at law firm Sintons, based in Newcastle. To speak to him about this or any other matter, contact Lewis on 0191 226 3653 or lewis.couth@sintons.co.uk

Highly-rated tech lawyer joins Sintons

A highly-rated specialist tech lawyer has joined growing law firm Sintons.

Lucy Cook advises businesses of all sizes on commercial and intellectual property matters, and has a particular focus on the tech sector.

Lucy has been praised by Chambers for “standing out as a solicitor who genuinely understands how technology businesses work” and as an “Associate to Watch in the IT Sector”. She was also hailed by Legal 500 as a “Next Generation Lawyer for IT and telecoms in the North”.

Lucy, whose previous roles include working in-house at FTSE 100 software giant Sage, joins Newcastle-based Sintons as a Senior Associate.

Her professional memberships include the Society of Computers and the Law and the Chartered Institute of IT and Lucy is well known and respected in North East tech circles for her sector-specific work and knowledge.

Lucy’s appointment further strengthens the Commercial team at Sintons, which is recognised by Legal 500 as a “regional heavyweight”, at a time of strong growth for the firm, underpinned by client service excellence and with a focus on the recruitment and retention of outstanding legal talent.

Lucy said: “I am very pleased to move to Sintons, a growing and ambitious law firm whose specialism in commercial work is well known across the North of England. In a region as dynamic as the North East, our tech scene is developing at a phenomenal rate, and through the combination of my specialism in the tech sector and the support and outstanding capability of the wider corporate and commercial team at Sintons, we have a strong proposition to offer to businesses of all kinds, and especially to fast-growing tech companies.”

Karen Simms, Partner and Head of Corporate and Commercial at Sintons, said: “Lucy is a highly respected lawyer, whose recognition by both Legal 500 and Chambers (the go-to guides to the legal market) speaks volumes about her deep and genuine knowledge and understanding of the tech sector and her excellent reputation.

“As a business which understands that people are central to our continuing success, I am delighted that Lucy has chosen to join Sintons, and I look forward to working with her.”

The case of Naruto the monkey

The case of Naruto the monkey and whether he should be given copyright over the now infamous ‘selfie’ he took with a photographer’s camera has again brought the issue of ownership of such assets to the fore.

The wrangle which erupted over the photo dates back to 2011, when the seven-year-old macaque took a smiling selfie using the camera of David Slater, a British photographer.

While Mr Slater staked his claim to financial control over the photo, he was challenged by animal rights group PETA, who argued that Naruto took the photo and therefore should have control over it, and that it was irrelevant whether the creator of such a piece was human or an animal.

In a recent judgement, the US Circuit Court of Appeals ruled against Naruto and PETA, calling their claim ‘frivolous’.

While this case is certainly unique and was a US case, it does again raise the thorny issue of copyright and who owns a piece of original work. Under UK law, copyright gives the author of certain types of material – literary or artistic works, sound or film recordings, computer programs and so on – the rights to control the use or commercial exploitation of the work that they have created.

In the UK, copyright does not need to be registered as, provided it falls into the applicable categories, it will arise automatically when the work is created. To clarify their position, the copyright owner may mark their copyright material when it is published with the international copyright symbol © followed by the name of the copyright owner and year of publication – this is an important step when enforcing copyright in certain overseas countries.

However, in the case of a dispute or infringement of your rights, it is important action is taken promptly to ensure your work is protected. The specialist IP team at Sintons is highly-regarded for assisting businesses in protecting their brand and enforcing their intellectual property rights.

While the case of Naruto and the debate over whether an animal can own copyright is set to continue, with PETA appealing the verdict which ruled in favour of Mr Slater, it serves as a timely reminder of the importance of taking the necessary steps to protect your intellectual property, and to take immediate action if your intellectual property rights have been infringed.

Lewis Couth is an Associate and IP dispute specialist at law firm Sintons, based in Newcastle. To speak to him about this or any other matter, contact Lewis on 0191 226 3653 or lewis.couth@sintons.co.uk.

Pippa Aitken is Head of IP at Sintons and can be contacted on 0191 226 7842 or pippa.aitken@sintons.co.uk.

Photo by David J Slater.

GDPR Blog Week 9: Data Principles

Those personnel who already have data privacy responsibilities within their organisation will be aware that there were certain data protection principles under the Data Protection Act 1998 (or “DPA”) that were required to be followed. The GDPR, which will become enforceable on 25th May, doesn’t do a great deal more in terms of how the data should be processed, but there are some changes which businesses need to be aware of.

When applying the new GDPR framework, processing data must comply with the following requirements which I have put in a table below, together with their meaning:-

 

| PRINCIPLE | MEANING |
| --- | --- |
| processed lawfully, fairly and in a transparent manner in relation to individuals | This principle requires the data controller, that is, the person collecting the data, to ensure that they have a lawful basis for doing so. There are 6 lawful bases in relation to personal data and others if you are collecting sensitive data, or “special categories of data” as now redefined under the GDPR. The fairness and transparency elements refer to the information that a data subject must be given or have access to (e.g. by website), before you collect personal data about them. |
| collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes | This means that you have a legitimate reason for collecting the information you have about data subjects. The use of this data must be contemplated at the time it is collected. If the purpose changes or dual purposes materialise, then these may not necessarily be incompatible but much depends on whether this other purpose is fair to the data subject to collect their personal information for this reason. If a data subject would not reasonably expect their data to be used in this way then it is likely to be incompatible. Also consider whether the purpose, primary or secondary, could result in unjustified adverse effects to the individual. |
| adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed | The data should be no more than that which is necessary for the purpose(s) that you have already identified. An example would be an on-line purchase of goods. You reasonably need to obtain a name, address, delivery and payment details from a data subject to perform your obligations under a contract to sell goods to them. What you wouldn’t require in this scenario is any purchasing preference information or location data that may be a by-product of the transaction obtained on your website. |
| accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay | Similar to the requirement under the DPA, the data must be kept accurate. This means that data that may change regularly, such as credit reports or insurance claim information, should be subject to more regular checks and refresh exercises than some other data that remains relatively static. That said, all data should be subject to a data protection policy which details what measures are taken to meet this principle. |
| kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals | This principle is similar to the old storage limitation principle. Any refresh exercise carried out to satisfy the accuracy principle above can be done in conjunction with this principle so that certain categories of data are designated as ready for destruction once they have outlived their usefulness. Consideration should be given here to the value of the information you hold to your business and balance this against the cost, resource and risks involved in retaining it. Legal and regulatory requirements (these may be sector specific) may extend the period of any data which would otherwise be ready for destruction. Other factors are potential civil/criminal claims and you may consider it necessary to hold onto some categories of data for longer periods for their evidential value. |
| processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures | Organisations must demonstrate that they have taken the necessary security measures to ensure that the data they hold is safe. This will include cyber security technical measures such as firewalls, virus checking, encryption of data but also training of staff and having a robust data protection policy in place. Consider who has access to different levels of personal (or sensitive) data and whether this access is necessary for their role. The measures implemented must be commensurate with the size of the organisation, the sensitivity and scope of data held and the resources available to it. |

I hope that this blog has been helpful but please don’t hesitate to contact me, Louise Weatherhead at Louise.weatherhead@sintons.co.uk or by telephone on 0191 226 3699 or speak to another member of the Data Protection Team if you require any further information.

We will be releasing our blogs on a weekly basis in the run up to May to pick apart the new legislation in simple terms and help you to get GDPR-ready. Next week, our topic will be Data Transfers to different jurisdictions and looking at their application within a business or organisation. We hope that our blogs help you to think about transition arrangements and get to grips with the new GDPR.

GDPR Blog Week 8: Data Controllers and Data Processors

After the 25th May this year, there is a new responsibility under the GDPR for data processors to be held accountable by the Information Commissioner’s Office (or “ICO”) for failing to comply with the new Regulation. If they are found to be in breach, or if they report a breach as required under the GDPR, then they may be liable to a penalty and this follows the same tariff as that applied to data controllers. This widening of the scope of data protection legislation to include data processors redresses the balance previously applied by the Data Protection Regulation 1998 (or “DPA”) and comes as a welcome change for data controllers. As mentioned in my previous blog on Fines (Blog 1), penalties can be significant, not to mention the harm they do to your reputation and brand. It is important, therefore, that you correctly identify whether you are a controller, a processor, or in some cases, both.

In order to answer the question of whether your organisation is a data controller or data processor, we need to take a step back to the guidance given under the old DPA regime. A data controller determines the purpose and manner in which the data is processed (the “why” and “how”) whereas a data processor processes that data on behalf of the data controller. Processing here is essentially anything you do with that data, be it obtaining, recording, storing, filing or carrying out any set of operations on that data.

A data processor, on the other hand, may decide what IT system is used to collect the data, how to store it, how to keep it secure and the means by which it is retrieved, deleted or transferred from one organisation to another. Whilst the definition of processing suggests a data processor’s activities would be limited to the more technical aspects of the operation, this distinction is often blurred where the holding of personal data may be common to both a controller and processor.

The starting point will be to consider what influence you, as an organisation, have over determining the purpose of processing the data. If you have exclusive control over this element, then you will be a controller. Other questions you should consider: do you have a lawful basis to undertake data processing activities? Do you collect the data in the first place and decide which categories of data you need to support your business model? Do you decide who to disclose or share this data with and are you the organisation to whom subject access requests are made? Do you decide the retention periods for the data stored? If your answer to these questions is in the affirmative, then you will be a data controller. Conversely, if you don’t store your data in-house and it is supported by a cloud service or IT system provider then they are likely to be a data processor.

These definitions may still be difficult to apply with the complexity surrounding modern business relationships. For example, outsourcing to an IT solutions firm to process your data means that this firm will have its own data controller responsibilities for the personal data it maintains in relation to its own workforce. Consequently it boils down to the processing activities an organisation carries out as to what label it operates under. You can see how things can get complicated.

As both controllers and processors are now liable under the GDPR, it makes sense for there to be a degree of collaboration/clarification between the two to ensure that any compliance gaps are identified and plugged. The GDPR assists in this by including a prescribed list of mandatory clauses that must be contained in any data processing agreement. These relate to the safety, security and sharing of data but also address compliance issues and cooperation when dealing with data subjects’ rights. Data controllers and processors should focus on negotiating and renegotiating their data processing agreements to ensure that the scope of instructions is clearly defined and any increased costs of compliance are allocated between the parties. A clear understanding of your obligations under a contract will limit your exposure under the new Regulation.

I hope that this blog has been helpful but please don’t hesitate to contact me, Louise Weatherhead at Louise.weatherhead@sintons.co.uk or by telephone on 0191 226 3699 or speak to another member of the Data Protection Team if you require any further information.

We will be releasing our blogs on a weekly basis in the run up to May to pick apart the new legislation in simple terms and help you to get GDPR-ready. Next week, our topic will be Data Principles and looking at their application within a business or organisation. We hope that our blogs help you to think about transition arrangements and get to grips with the new GDPR.

GDPR Blog Week 7: Privacy Notices

Underpinning the principle of lawfulness, fairness and transparency is the concept that personal data about an individual must be collected openly and visibly. The use of that data must also be made clear to the data subject (the person whose data is being processed), and the supervising authority in the UK (the Information Commissioner’s Office, or “ICO”) recommends that this is done by issuing a Privacy Notice or Privacy Statement on your website where it may be accessed easily.

Articles 13 & 14 of the GDPR provide the detailed information that must be contained in a Privacy Notice. This allows a data subject to see the categories of data held and the legal basis on which the data controller has processed the information. A data controller must state in the Privacy Notice that it has complied with the data protection principles (collected for specified purpose, limited, accuracy, retention, transparency, security etc.) and give an account as to how this was achieved. The notice must also identify the data controller (this may be obscured if the controller is one company within a group) and provide contact details for the individual within your organisation who deals with data protection issues. As the GDPR gives enhanced rights to data subjects, these rights must also be set out in your notice.

Details regarding any cross-border transfers must also be provided, so it is important that you look carefully at your operations, as processing carried out in a different jurisdiction, particularly processing conducted outside the EEA (European Economic Area), will attract additional safeguarding responsibilities. Those processes carried out within the EEA must still be highlighted in your notice, as must details about any third parties with whom you share personal data.

The GDPR introduces a requirement to include any automated decision-making processes that have been used. These are essentially ones where an organisation obtains personal information about individuals from a variety of different sources, such as Internet searches, buying habits, lifestyle and behaviour data gathered from mobile phones, social networks and video surveillance systems. Once this information has been collected, it is analysed to classify people into different groups or sectors, using algorithms and machine-learning. This analysis identifies links between different behaviours and characteristics to create profiles for individuals. Any data processing which includes profiling or automated decision making must be explained in your notice.

Finally, your Privacy Notice must provide contact details for the ICO so that a data subject has recourse to make a complaint, should they be unhappy with the way in which you are processing their data. More information regarding the contents of a Privacy Notice may be obtained from the ICO’s website.

As you can see, there is a significant amount of information required in the Privacy Notice. The language must be concise, transparent and intelligible and in an easily accessible form. It is important therefore that you consider the category of data subjects you are processing data on. If this is children, then the language you use must be easily understood by them. The ICO recommend that the use of child-friendly cartoons, diagrams, graphics, icons, emojis and other symbols would be a more effective way of explaining this somewhat complicated issue to children. Consider also whether parental consent is required. Children are classed as a special category of data subject and additional measures must be implemented to safeguard their personal data (and evidenced in your Privacy Notice). Conversely, if your data subjects are elderly and less likely to use the internet then you may need to find another way of ensuring your Privacy Notice is seen by them.

So, before embarking on your Privacy Notice, I suggest that you carry out a data mapping exercise. This will help you to understand the categories of data held by you and will inform your Privacy Notice. Also carry out an inventory of all your third party contracts to see if there is any transfer of personal data to them, as this information will need to be included in your notice. Once you have gathered the relevant information, you will be able to make a start on your Privacy Notice.

I hope that this blog has been helpful but please don’t hesitate to contact me, Louise Weatherhead at Louise.weatherhead@sintons.co.uk or by telephone on 0191 226 3699 or speak to another member of the Data Protection Team if you require any further information.

We will be releasing our blogs on a weekly basis in the run up to May to pick apart the new legislation in simple terms and help you to get GDPR-ready. Next week, our topic will be Data Controllers and Data Processors and looking at the obligations of both within a business or organisation. We hope that our blogs help you to think about transition arrangements and get to grips with the new GDPR.

GDPR Blog Week 6: Security Breaches

The GDPR has made some important changes to the area of data breaches and the notifications a data controller is required to make to the ICO (Information Commissioner’s Office).

You may recall that a data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

This covers loss, theft or damage of physical equipment on which personal data is stored. If an organisation has inadequate access controls (i.e. passwords) which have allowed unauthorised use, then this would constitute a security breach but it also covers human error and unforeseen factors like fire or flooding. Remember there need not be anything sinister in the manner in which the data has been breached; it is sufficient that it has been removed from the boundaries of protection usually provided to it.

Presently, there is no legal requirement to report a data breach but under the GDPR this will change. The Regulations create an obligation on the controller to notify the ICO without undue delay and in any event, within 72 hours of the time that you become aware of the breach. If you outsource your data processing activities then your processor must alert you to a breach and it will be important to review your data processing contracts to ensure they are obligated to do so within strict time limits. Data subjects must also be notified about a breach where it presents a high risk to the individual affected. The ICO guidance clarifies that where this involves a disproportionate effort because of the volume of data subjects, this may be achieved with a public communication although we have yet to understand in what circumstances a public communication could occur.

There are some exceptions to this rule and you can avoid a notification to the ICO if the breach is unlikely to result in a risk to the data subject. You can also avoid notifying the data subject if the breach is unlikely to result in a high risk to them. Whilst the GDPR is silent on a definition of “risk” and “high risk”, the indication is that a breach without ramifications or risk to the data subject would fit this description. An example of this would be where there was a loss of encrypted/pseudonymised or destroyed data but a back-up recovery process would allow for data retrieval. If you are in any doubt about whether a breach is reportable then consult with the ICO who will advise whether a formal notification should be made to them and/or to the data subject.

At the point where a notification must be made, remember that the ICO don’t need a full and comprehensive report – you may not know the extent of the breach or data targeted at this point – but you will provide a valid notification if you ensure they have a few key facts. The notification should contain details about the number of data subjects and number and category of records concerned, if possible. It should also give a description of the likely consequences of a breach and the measures that have been taken to deal with the breach. A name and contact number of the DPO within the organisation should also be provided. Any additional information can be passed to them as and when it becomes available.

My advice would be to put in place a Data Breach Response Plan now to guide you through a breach if/when it occurs. Failure to make a valid notification may result in a fine, even if you are, in every other way, GDPR compliant. Consider whether you are required to carry out a Data Protection Impact Assessment (DPIA) and whether you are embedding Privacy by Design into your processes (more on these later). Own a Breach Register so that you can list all breaches, even those that are not reportable, as you will need to evidence why you did not consider a notification necessary. This will ensure that you keep your house in order if audited at some later date.

I hope that this blog has been helpful but please don’t hesitate to contact me, Louise Weatherhead at Louise.weatherhead@sintons.co.uk or by telephone on 0191 226 3699 or speak to another member of the Data Protection Team if you require any further information.

We will be releasing our blogs on a weekly basis in the run up to May to pick apart the new legislation in simple terms and help you to get GDPR-ready. Next week, our topic will be Privacy Notices in your business or organisation. We hope that our blogs help you to think about transition arrangements and get to grips with the new GDPR.

GDPR Blog Week 5: Direct Marketing

This is one of the most examined areas in the field of data protection. This is because there are two sets of regulations in play – the GDPR and PECR (Privacy and Electronic Communications Regulations) and as data protection evolves, so does the legislation. PECR is currently being updated and will be replaced soon by the new E-Privacy Regulations. This will change the goalposts again but for now the position is outlined below.

GDPR has a focus on the protection of personal data, that is, how it is collected, controlled, processed and protected. PECR on the other hand governs how you can communicate with people using their personal data. These are two separate issues but they work in tandem so that both must be considered jointly.

Assuming that you have complied with the new data protection principles (collected for specified purpose, limited, accuracy, retention, transparency, security etc), there are 6 lawful bases for legally processing data. The one that is often applied in cases of direct marketing is that of consent. This is because the other bases, such as legal obligation, performance of a contract etc. don’t apply to situations where the marketer has not had a business relationship with or duty of care to the data subject previously. Alternatively, the scope of personal data held may be wider than that required to perform a contract or fulfil a legal obligation. In either scenario, the data may only be held if it relies upon another lawful basis and this note addresses the issue of direct marketing through an individual’s consent.

The GDPR creates an overarching requirement to obtain an individual’s opt-in consent to contact them by email or SMS. This consent must be freely given, specific, informed and unambiguous (see our Week 2 Blog). It must be explicitly brought to the attention of the individual and presented separately from any other information. It must be capable of withdrawal at any time.

The four main types of marketing are direct mail, telephone, email and SMS (texts). If you propose to directly market using either direct mail or telephone, then you need to be aware that there is a preference service for both – the TPS and the MPS – and these must be checked before contact with an individual is made. In relation to email and SMS, explicit consent must be obtained unless you can rely on the exception of “soft opt-in” which assumes that the data subject has opted in to receive marketing material from you.

However, the soft opt-in may only be relied upon if the following requirements are met:

  • Individuals’ details have been obtained through a sale or negotiation with you and they have not opted out of receiving communications from you;
  • The email/SMS must relate to similar products or services to that of previous sale/negotiation;
  • Your identity must not be concealed; and
  • Your communication must contain a simple and free means of opting out (often “unsubscribe” button).

All four of the above criteria must be satisfied, otherwise your opt-in consent will not be valid.  Whether you rely on this soft-option or obtain explicit consent, you should ensure that you have an audit trail evidencing your consent and your compliance with the GDPR for it to be valid.

As with all data processing under the GDPR, you must support your business activities with a Privacy Notice or Statement, ideally on your website, to inform all data subjects what data you hold about them and the purpose for which it is held. The consents you receive, if this is the lawful basis on which you rely, should make reference to a privacy notice so that data subjects can access a detailed account of what you do with their personal information.

As a final word, remember that the above refers to personal data of a data subject, and not a business or “corporate subscriber”. If you are processing business information then this doesn’t require individual consents so you can send marketing emails and/or texts to these organisations whilst relying on the “legitimate interests” legal basis (assuming no personal corporate email accounts are used). Any targeting of corporate subscribers should include an opt-out link in your communications. The ICO has more detailed information about this.

Please don’t hesitate to contact me, Louise Weatherhead at Louise.weatherhead@sintons.co.uk or by telephone on 0191 226 3699 or speak to another member of the Data Protection Team if you require any further information.

We will be releasing our blogs on a weekly basis in the run up to May to pick apart the new legislation in simple terms and help you to get GDPR-ready. Next week, our topic will be Security Breaches and how to deal with them. We hope that our blogs help you to think about transition arrangements and get to grips with the new GDPR.

GDPR Blog Week 4: Responsibility and the DPO

Whether you need to make a mandatory appointment of a Data Protection Officer (DPO) or simply appoint someone within your organisation to take responsibility of this role, it’s important that you start planning for GDPR now.

There is, in fact, very little difference in the remit of a voluntarily appointed DPO or a mandatory one and notably, voluntarily appointed DPOs will also need to comply with the requirements of the GDPR.

A mandatory DPO role is needed for the following organisations:-

  • a public authority; or
  • one carrying out regular and systemic monitoring of individuals on a large scale; or
  • one carrying out large scale processing of special categories of data, such as health records or information about criminal convictions.

Whilst the term “large scale” isn’t defined, guidance suggests that it affects a large number of data subjects on a regional, national or international level.   The number of data subjects concerned, either as a specific number or as a proportion of the population or the geographical extent of the processing activity would be relevant considerations in determining this.

In terms of governance, a DPO must be independent and report directly to the highest management level of an organisation.  This is to secure buy-in at executive level to ensure the required resources and budgets are available to comply with the legislation.

A DPO’s contact details must be provided to the supervisory authority (in this country that authority is the Information Commissioner’s Office, or ICO) and the position requires that they have expert knowledge of data protection legislation and practices, although with SMEs this is sometimes a compliance officer who takes on a developmental “knowledge through experience” data protection role.

The role of a DPO is to inform and advise the controller or processor and employees processing personal data of their legal obligations and to monitor compliance with the GDPR through regular training and audits. They must cooperate with, and be a contact point for, the ICO and must provide advice in relation to Data Protection Impact Assessments (DPIA).

A DPO will drive momentum on internal reviews of current policies and procedures to ensure that they are GDPR compliant and that they are adequately documented.  They should be the primary contact point for notification of a data breach.

I’ll discuss data breaches and security measures in a separate blog, but please don’t hesitate to contact me, Louise Weatherhead at Louise.weatherhead@sintons.co.uk or by telephone on 0191 226 3699 or speak to another member of the Data Protection Team if you require any further information.

We will be releasing our blogs on a weekly basis in the run up to May to pick apart the new legislation in simple terms and help you to get GDPR-ready. Next week, our topic will be Direct Marketing. We hope that our blogs help you to think about transition arrangements and get to grips with the new GDPR.

GDPR Blog Week 3: Subject Access Requests

One area that we expect to flare up following the GDPR’s implementation is data access requests by individuals who want to know what information is held about them.

There has been a mechanism under the DPA 1998 for individuals to access this information but this must now be done with tighter timescales so a streamlined approach from the point of inception is recommended.

In terms of timescales, the 40-day period to respond has been reduced to 1 calendar month. This is the maximum time, however, and the GDPR states that the relevant information must be provided without delay. If the scope of the request is too wide, or undefined, then clarification of the information sought should be made, again, with one eye on timescales.

I should mention here that it remains the data controller who is responsible for fulfilling a request from an individual. The role of a data processor here would be to assist the data controller with the data subject access request and they would be bound under the terms of the contract with the data controller to facilitate this request. This, of course, erodes the time you have, so it is important to act on a request once it is received.

The fee of £10 that could be charged under the old legislation has been removed and the cost of responding to a request must now be borne by the data controller. As you might anticipate, there are some exceptions to this rule, for example, when a request is “manifestly unfounded, excessive or repetitive”. In such circumstances, you can ask for a reasonable administrative fee or even refuse a request but you should ensure you explain this in writing and have a robust audit trail to support this action. It is never an option to simply ignore a subject access request.

If you do refuse a request, you will also need to advise the data subject of their right to complain to the ICO (Information Commissioner’s Office), the UK’s regulatory authority.

My advice would be to put in place a policy for addressing subject access requests now, compile a suite of standard letters and designate points of contact within your organisation to collate the data requested. That way, a request can be dealt with efficiently, economically and with accountability.

Please don’t hesitate to contact me, Louise Weatherhead at Louise.weatherhead@sintons.co.uk or by telephone on 0191 226 3699 or speak to another member of the Data Protection Team if you require any further information.

We will be releasing our blogs on a weekly basis in the run up to May to pick apart the new legislation in simple terms and help you to get GDPR-ready. Next week, our topic will be Responsibility and the role of a Data Protection Officer in your business or organisation. We hope that our blogs help you to think about transition arrangements and getting to grips with the new GDPR.

GDPR Blog Week 2: Consent

The law is changing on 25 May 2018 when the GDPR becomes enforceable by the Information Commissioner’s Office.

You should know that, in order to process data, you need to identify a lawful basis for doing so. If you can’t identify a lawful basis come May, then you shouldn’t be processing data.

Consent is only one example of a lawful basis for processing data although there are others, such as “legitimate interest” which I will come to shortly. The GDPR is raising the bar to a higher standard for consent. Therefore, if you’re relying on consent as a lawful basis for processing data, you need to review how you seek, record and manage that consent.

Put simply, under the GDPR, consent must be:

  1. Freely given;
  2. Specific;
  3. Informed; and
  4. Unambiguous.

This means that any communications seeking consent must state the purpose the personal data will be used for, such as future marketing by your organisation or sharing the data with any third parties. If you intend to use more than one mode of communication such as post, email and telephone then each and every method should be stated on the consent form. It must also be separate from any other terms and conditions that you have – and you need to give individuals the opportunity to easily withdraw their consent. This is often done with an “unsubscribe” button but alternative means may be used so long as it doesn’t create an arduous task for the data subject.

There must also be a positive opt-in. Consent can’t be inferred from silence, pre-ticked boxes or an individual’s inactivity.

To be clear, you don’t always need consent to process data. For example, you can rely on there being a “legitimate interest” to do so. This would apply to an insurance company processing an individual’s claims information, or a bank processing data for fraud protection purposes.

If you rely on consent, you’ll need to review your current policies and procedures to ensure that they are robust enough to withstand scrutiny under the GDPR. If you rely on an alternative lawful basis, such as a “legitimate interest”, you’ll need to ensure that you have a detailed paper trail in place to show accountability and transparency. Either way, compliance is best demonstrated by a Privacy Impact Assessment (PIA), which is basically an internal audit detailing the technical and organisational security measures in place, and by having a Privacy Notice accessible to all data subjects advising what you intend to do with their personal data.

There are separate rules governing the issue of Direct Marketing and the necessary consent required to do this, so I’ll address this in a separate blog.

If you have any questions at all in relation to the above, please feel free to contact me, Louise Weatherhead at Louise.weatherhead@sintons.co.uk or by telephone on 0191 226 3699 or speak to another member of the Data Protection Team.

We will be releasing our blogs on a weekly basis in the run up to May to help you to get GDPR-ready. Next week, our topic will be Subject Access Requests and the extended rights of data subjects under the new Regulations. We hope that our blogs help you to think about transition arrangements and getting to grips with the new GDPR.

GDPR Blog Week 1: Fines

You will no doubt be aware of the change in data protection laws which will become enforceable from. The headline news is that the Information Commissioner’s Office (ICO) are increasing fines for non-compliance up to a maximum of 20 million euros or 4% of your annual group turnover. On current exchange rates, that’s in the region of £17 million.

Whilst the GDPR is indeed increasing the maximum penalty for data protection breaches, these figures will only be invoked in the most serious of cases and in the largest organisations. Serious cases include breaching data protection principles (of which there are 7), not obtaining the necessary consents, ignoring data subjects’ rights and making unlawful international data transfers.

There is a second tier of sanctions capped at 10 million euros or 2% of annual group turnover for misdemeanours in record-keeping, ineffective or absent data protection officers (DPOs) and insufficient safeguarding in data processor contracts.

The ICO have said that fines under the GDPR will be proportionate and not issued in the case of every infringement. They’ve also said that the sanctions are available where organisations systemically fail to comply with the law or completely disregard it, particularly where the public are exposed to significant data privacy risks.

What is clear is that the ICO aren’t looking for perfection. They’re looking for transparency and accountability – a paper trail to show that you’ve considered the GDPR, and that you’re doing everything within your power and resources to comply with it. The ICO guidance states that fines can be avoided if organisations are open, honest and report breaches without undue delay. Reading between the lines, if you have appointed a DPO, have a training programme rolled out or have a Privacy Impact Assessment (PIA) in place, then these measures will work in your favour.

Look within your organisation and raise this matter with your executive committee as the time for taking action is now.  Please don’t hesitate to contact me, Louise Weatherhead at Louise.weatherhead@sintons.co.uk or by telephone on 0191 226 3699 or speak to another member of the Data Protection Team if you require any further information.

We will be releasing our blogs on a weekly basis in the run up to May to pick apart the new legislation in simple terms and help you to get GDPR-ready. Next week, our topic will be Consent and the onerous burden of acquiring this under the new Regulations. We hope that our blogs help you to think about transition arrangements and getting to grips with the new GDPR.

23rd March 2016 Changes to European Trade Marks

A Community trade mark (known as the “CTM”) provides protection across the European Union. It is an extremely cost-effective means of securing protection for brands across Europe.

On 23rd March 2016 various EU reforms will take place. A few of the changes are as follows:

  • The CTM will be renamed as the European Union trademark (“EUTM”);
  • The registry which is responsible for administering the trademark applications will also change its name from the Office for Harmonisation in the Internal Market (OHIM) to the European Union Intellectual Property Office (EUIPO). Despite what the name might suggest, the registry will not be responsible for all types of intellectual property and will continue to only administer the trademark and design system in Europe;
  • The application fees to file a CTM will also change. At present, the official fee for filing a CTM is €900 which includes three classes of goods or services. Under the new system, the structure will be changed so that the fees will be payable on a per class basis as follows:
      • €850 for 1 class;
      • €900 for 2 classes; and
      • €1,050 for 3 classes.

These changes are part of wider amendments to the EU trademark system which will take place over the next three years.

Pippa Aitken is Head of IP at Sintons and a specialist in all matters regarding brand protection. To speak to her, contact Pippa on pippa.aitken@sintons.co.uk or 0191 226 7842

Have a Break, have a Taxi

High Court rules that zero emissions taxi does not infringe London taxi trademark / Judge relies on European Court Kit Kat ruling

Key message: a shape trademark must identify a particular business before it can be a valid registered trademark.

The High Court has ruled in favour of Frazer-Nash, maker of the new zero emissions black cab, after London Taxi Company (LTC), the maker of the TX series of London black cabs, claimed trademark infringement and passing off. The case is also of interest as it follows a very recent key decision in the European Court in Societe des Produits Nestle SA v Cadbury UK Limited (the KitKat case).

Justice Arnold rejected all the infringement claims and also invalidated LTC’s trademarks as to shape, saying that the shape was simply that of ‘a car’.

LTC claimed that Frazer-Nash had intentionally copied the shape of its black cabs for its new zero-emissions capable London taxi, so as to deceive both taxi drivers and the public into believing that the new ‘Metrocab’ was one of LTC’s taxis.

The Court fully rejected this allegation, ruling that there is a low degree of similarity between the appearance of the new Metrocab and LTC’s taxis.

The trademark claims were also declared to be invalid and/or not infringed because:

  • the shape of the taxis gave the trademarks substantial value
  • one of the shapes had not been put to genuine use for at least five years; and
  • there had been no unfair advantage taken by Frazer-Nash of LTC’s trademarks

LTC’s trade marks should never have been registered because:

  • they were not inherently distinctive, being only variations of the typical shape of a taxi; and
  • they had not acquired distinctive character through use

In the European Court’s 2015 ruling in the KitKat Case it was held that people did not perceive Nestle’s KitKat as originating from Nestle only because of its shape as opposed to any other trademark present, like the wrapper design or logo or the logo embossed on to the chocolate fingers.

Here, Justice Arnold applied for the first time his interpretation of the KitKat decision by finding that people did not see LTC’s taxis as those of LTC because of their shape, as opposed to other trademarks present, such as the badge on the front of their taxis. Taxi drivers know who makes the car they buy and taxi passengers don’t care.

Take away point – trademarks should not be registered without careful consideration and research. Think about your business and what trademarks you have or haven’t got protected, and take advice on how you should best protect your brand.

If you need advice as to protection or infringement of trademarks, copyright, designs, or trade secrets, contact Pippa Aitken from our intellectual property team.

Pippa Aitken
Associate
0191 226 7842
pippa.aitken@sintons.co.uk

Sintons helps children’s hair care range go nationwide

Sintons’ intellectual property team has successfully secured brand protection for a new line of children’s hair care products which has enabled the brand to gain listings in a major retailer nationally.

Two years ago, entrepreneurial couple, Geoff and Colette Bell, began to develop their up and coming children’s hair care range, “Shampooheads”.

Geoff sought advice from intellectual property specialist, Pippa Aitken, regarding the new venture, involving a dermatologically tested, irritation-free line of hair care products for children together with bath time adventure books. They also developed an idea for characters to sit alongside the products which were based on their children, “Raging Rosie”, “Awesome Annie” and “Busy Bob”.

As the hair care range and bath time books were not novel, it was unlikely that a patent could be obtained so Pippa identified other ways of protecting the brand.

After clearance checks to ensure no one else was using the names of the characters and the brand name “Shampooheads”, Pippa successfully registered the names as Trade Marks and drawings of the characters as Designs at the UK Intellectual Property Office. 

As an external designer was used for the branding, Pippa ensured that all copyright and designs of logos and images were vested in Geoff’s company. As this would not happen automatically, a legal agreement transferring the rights was put in place.

Geoff and Colette have now signed a deal with Boots in the UK and Ireland and their products are now available to buy in 483 stores nationwide.

Geoff Bell commented: “The sound advice and direction from Pippa has allowed us to secure our brand identity with a focus on design and branding rather than product novelty. This has been vital to our business concept. We are delighted with the expertise and support provided.” 

Pippa Aitken commented: “We were delighted to help Geoff and Colette to protect the Shampooheads brand. We know how important it is to secure any intellectual property as early as possible to avoid problems further down the line and to protect the commercial value of the brand. It is fantastic to see a client’s initial ideas grow into an outstanding product being sold in the shops.”

If we can assist you in any way, or if you simply want to discuss any intellectual property issue, please contact us at any time.

It’s Your Brand, Own It

It cost $15 to create the iconic Twitter logo. For the iconic Nike swoosh, the designer billed $35. And the instantly-recognisable Google and Coca Cola brands were both created free of charge.

Whilst the founders of all four could probably never have foreseen the levels of global success they would achieve, the fact they all registered their brands under trademark as fledgling businesses has meant they have protected themselves legally against brand infringements and costly battles against competitors.

Coca Cola now enjoys 94 per cent brand recognition around the world, and spends well over $2bn each year on marketing. While there are numerous rivals and alternatives to its product, the fact its brand is so strong means it keeps its place way ahead of the competition.

While few businesses achieve the success of Coca Cola, for a newly established venture, the sky is the limit. Therefore, it is vital you legally protect your ideas before someone else tries to use them as their own.

Failure to properly protect a brand leaves a business entirely open to copycats and competitors, and a potentially costly legal dispute in fending them off.

But sometimes, legal attempts to rebuff competitors are not sufficient. The long-running dispute between Nestle and Cadbury’s has seen Nestle unable to protect the shape of its four-fingered Kit Kat through trademark in the UK, following a challenge to the trademark application from its rival confectioner.

This means that while Nestle’s trademarked brand cannot be copied, the shape of one of its main products can be. Such cases show that no matter what size your business is, or however distinctive your product may appear to be, without proper legal protection in place, you are vulnerable to challenges.

Once your trademark is in place, any infringement can be dismissed legally but for those which are not protected, the common law of ‘passing off’ could be used.

The case of Jack Wills v House of Fraser highlights such circumstances in which ‘passing off’ could apply. The department store’s Linea brand was found to have infringed the Jack Wills logo (a side profile of a silhouetted pheasant with top hat and cane) by using a pigeon in a similar pose.

The judgement helped to underline the importance of protecting brands by trademark, as instantly-recognisable logos and brands are open to challenges even from major high street retailers which can only be dismissed effectively by legal means.  

In such a hugely competitive world of business, brands simply cannot afford for rivals to gain at their expense. Protecting your own brand, and seeking legal advice if necessary, at the earliest opportunity is the only way to ensure that does not happen.

FIVE TOP TRADEMARK TIPS

  • Check no-one is already using your brand or brand idea
  • Brand registration is not essential, but will help protect you and your business from competitors
  • Keep an eye on the competition to ensure they are not using your work as their own
  • A company or web address alone is not sufficient and will not stop someone devising or using a very similar brand or brand name
  • Investing in expert professional advice is always advisable to ensure you, your brand and your business are fully protected legally

Pippa Aitken is Head of IP at Sintons and a specialist in all matters regarding brand protection. To speak to her, contact Pippa on pippa.aitken@sintons.co.uk or 0191 226 7842

 

Rihanna right to get shirty with Top Shop says Court of Appeal

In a case brought in 2013 by the pop star Rihanna against Arcadia Group (the owners of retail chain Top Shop), the High Court held that the high number of sales of T-shirts bearing a photograph of Rihanna amounted to passing off. This was because although they had permission from the photographer to use the photograph (the photographer owned the copyright), they did not have Rihanna’s consent to use her image.

Top Shop went on to appeal the decision to the Court of Appeal, and contended that the original trial judge made a number of errors in reaching his conclusions. In January 2015, the Court of Appeal gave their judgment and the appeal was dismissed. The Court took the view that the High Court in 2013 was correct to find that the sale by Top Shop of the t-shirt amounted to passing off and so, the appeal should be dismissed.

Interestingly, one of the appeal Judges, Lord Justice Underhill, said that he regarded the case as ‘close to the borderline’ as to whether there was passing off or not. This was because the original findings in the High Court, that some members of the relevant public (Top Shop shoppers and/or Rihanna fans) would think that the t-shirt was endorsed by Rihanna, were based essentially on two things:

  • Rihanna had a prior public association with and endorsement of Top Shop, well known amongst her UK followers (Top Shop ran a competition in 2010 to win a personal shopping appointment with Rihanna and she also visited Top Shop in February 2012, which Top Shop heavily publicised to their 350,000 Twitter followers); and
  • The particular features of the image itself. This was posed showing her with the very distinctive hairstyle adopted in the publicity for her album ‘Talk That Talk’.

LJ Underhill did not believe that either by itself would have been enough to see the appeal Court agree with the original decision but the two features in combination were capable of giving rise to the necessary apparent “endorsement”.

This passing off decision has stood the test of the Court of Appeal. As such, other celebrities may now feel more empowered to complain about unauthorised use of their image on merchandise.

The take away point is that designers, manufacturers and retailers alike, in any industry sector, should consider seeking early legal advice if they have any concerns that any intellectual property rights may have been infringed.

If you are involved in a dispute and need advice on any aspect, please contact a member of our dispute resolution team.

Trademark Update

A company’s name, logo and brand are all assets.  

They are heavily invested in and attract invaluable goodwill and therefore require protection.

Failure to properly protect a brand leaves a business entirely open to copycats, competitors and a potentially costly legal dispute in fending them off. No matter what size your business is, or however distinctive your product or service may be, without proper legal protection in place you are vulnerable to challenges.

To gain optimum protection and commerciality it is advisable to register your trademark from the outset. Registration grants the owner more conclusive rights which will assist further in the common law action of passing off – an option you may have even if your mark is not registered.  

  • Is your trade mark registered?
  • Is it registered as a black and white mark?
  • Do you use a colour version of the mark more than the black and white version?

If your marks are already registered, now may be the time to review your registrations. A new Common Practice announced by the Office for Harmonization in the Internal Market (OHIM) raises the issue of whether registration of a black and white mark is valid and protected if the mark is consistently used as a colour version. The "black and white covers all" approach has been acceptable Common Practice in many EU national offices, including the UK.

Under the new Common Practice a registered black and white (or greyscale) mark will only be considered identical to a coloured mark where the differences between the marks are so insignificant that they would go unnoticed by the average consumer.  An insignificant difference will be one that a reasonably observant consumer will perceive only upon a side by side examination of the marks.  Further, use of the mark in colour will only support a black and white mark if the colour does not alter the “distinctive character” of the mark. The coloured mark must meet the following four requirements in order not to alter the mark’s distinctive character:

  • The word or figurative elements are the main distinctive elements;
  • The colour is not the main contributor to the overall distinctiveness of the mark;
  • The colour does not possess distinctive character in itself; and
  • The contrast of the shades is respected.

However, it seems clear that under the new Common Practice many black and white marks that have been registered for over five years could now be at greater risk of revocation because their use in colour may not be regarded as genuine use of the registered mark.

Trademark owners and applicants should review their current registrations and the actual use of their marks to ensure those marks are fully protected.  Use of colour marks that have been registered only in black and white may be insufficient to maintain registration of the mark.  For new applications, brand owners should consider applying to register marks in both black and white and in colour, particularly where colour is a distinctive element of the mark.  

For further information on trademark registration or other IP matters contact Pippa Aitken on 0191 226 or pippa.aitken@sintons.co.uk