PAUL HASTINGS GLOBAL PRIVACY STATEMENT
Paul Hastings1 is committed to protecting the privacy of Personal Information we may collect or obtain in the course of business from individuals inside or outside the organization. This Global Privacy Statement (“Privacy Statement”) describes the type of Personal Information Paul Hastings may collect, how we may use and share that information, and how you can correct or change such information.
This Privacy Statement describes the ways Paul Hastings manages Personal Information it receives: (i) in the course of its operations involving current, prospective, and former clients (collectively, “Clients”); (ii) from visitors of Paul Hastings offices, websites, or events; (iii) from prospective employees in connection with employment applications and prospective partners in association with partnership considerations; and (iv) in the course of interactions with its current, prospective, and former suppliers, vendors, subcontractors, and business partners (collectively, “Suppliers”), including in each such case on Paul Hastings’ website located at https://www.paulhastings.com/ and any and all future websites operated by or on behalf of Paul Hastings (the “Sites”). All individuals and entities that Process Personal Information on behalf of Paul Hastings are expected to protect Personal Information in adherence to this Privacy Statement.
1.3 KEY TERMS
- “Controller" has the meaning set forth in the Regulation (EU) 2016/679 (“GDPR”);
- “Data Protection Laws" means the European Economic Area, which is currently composed of the following thirty-one (31) countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Ireland, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and United Kingdom.
- “GDPR" means Regulation (EU) 2016/679;
- “Paul Hastings" means Paul Hastings LLP its affiliated entities;
- “Personal Data" or “Personal Information" has the meaning set forth in the GDPR.
- “Process" or “Processing" means any operation which is performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, acquisition, holding, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
- “Processor" has the meaning set forth in the GDPR;
- “Sensitive Data" or “Sensitive Personal Information" is a subset of Personal Information which, due to its nature, has been classified by law or by policy as deserving additional privacy and security protections. Sensitive Personal Information includes Personal Information regarding individuals located in the EEA that is classified as a “Special Category of Personal Data” under European Union or EEA member state law, which consists of the following data elements:
(1) race or ethnic origin;
(2) political opinions;
(3) religious or philosophical beliefs;
(4) trade union membership;
(5) genetic data;
(6) biometric data where Processed to uniquely identify a person;
(7) health information; and
(8) sexual orientation or information about the individual’s sex life.
- “Supervisory Authority” means an independent public authority established in a local country within the European Union pursuant to GDPR Article 51.
- “Supervisory Authority Concerned" means a Supervisory Authority which is concerned with the Processing of Personal Information because: (a) the Controller or Processor is established on the territory of the member state of that Supervisory Authority; (b) data subjects residing in the member state of that Supervisory Authority are substantially affected or likely to be substantially affected by the Processing; or (c) a complaint has been lodged with that Supervisory Authority.
- “Third Party" is any natural or legal person, public authority, agency, or body other than the Data Subject, Paul Hastings, or Paul Hastings’ agents.
2.1 THE PERSONAL INFORMATION WE COLLECT AND HOW WE USE IT
The types of Personal Information we may collect (directly from you or Third Parties) depend on the nature of the relationship that you have with Paul Hastings and the requirements of applicable law. We collect only information relevant for the purposes of Processing. We do not engage in automated decision making when Processing your Personal Information. Below are the legal bases for Processing Personal Information, some of the ways we collect information and how we use it.
Information Paul Hastings collects from or on behalf of its Clients includes title, name, address, phone number, email address, business or company affiliation, username and, if you have access to any of our secure online resources, an answer to a security question, password, government identification (driver’s license, passport), credit card, and other financial information related to payments for services or goods and other details Clients may provide. In certain Client engagements, we may collect employee and other information of our Clients, as well as employee or other Personal Information of others who have a relationship or otherwise interact with our Clients (e.g., in the context of Client investments, mergers, acquisitions, or disputes).
We Process Personal Information about or on behalf of Clients for a variety of business purposes, including but not limited to:
- providing legal services;
- generally managing Client information;
- responding to questions and requests;
- providing access to certain areas and features of the Sites;
- verifying Client identity;
- communicating about Client accounts and activities on the Sites and systems and, at Paul Hastings’ discretion, changes to any Paul Hastings policy;
- tailoring content, publications, and advertisements and offering what we believe may be of interest to Clients;
- processing transactions and payments for services purchased by Clients;
- improving Paul Hastings Sites and systems;
- developing new services; and
- further purposes disclosed at the time that Clients provide
Personal Information, or otherwise with consent.
The information Paul Hastings collects from its Suppliers relates to the management of these relationships and the exchange of requested products and services. Such information may include title, name, address, phone number, email address, invoicing and other payment information, and agreements executed with Paul Hastings.
We Process Personal Information about Suppliers for a variety of business purposes, including but not limited to:
- generally managing Supplier information;
- responding to questions and requests;
- providing access to
certain areas and features of the Sites;
- verifying Supplier
- communicating about Supplier accounts and activities, including activities on Paul Hastings Sites and systems, and, in Paul Hastings’ discretion, changes to any Paul Hastings policy;
- processing payments for products or services purchased by Paul Hastings;
- improving Paul
Hastings Sites and systems;
- developing new
products, processes and services;
- processing applications and transactions; and
- further purposes disclosed at the time Suppliers provide Personal Information, or otherwise with consent of the Supplier.
If you visit a Paul Hastings office, we may collect Personal Information about you, including, but not limited to, your title, name, address, phone number, email address, business or company affiliation, government identification (driver’s license, passport), and other details you provide. We Process this information for a variety of purposes, including to verify your identity, to provide access to Paul Hastings facilities and systems, for security and other safety purposes, to communicate with you regarding your visit, to provide information we believe may be of interest to you, including regarding Paul Hastings’ services, and for purposes disclosed at the time you provide Personal Information, or otherwise with your consent.
If you submit Personal Information via the Careers section of our Sites, or otherwise to inquire about or apply for a position at Paul Hastings, we will Process such Personal Information solely for the purposes of considering applications and recruitment (and for purposes of our administration or management if you commence work for Paul Hastings) and not to market to you.
Social Media Activities
Paul Hastings may collect Personal Information to enable Data Subjects to use online social media resources, which may include posting or sharing Personal Information with others.
When using these resources, you should consider what Personal Information you share with others.
Information from Third-Party
Paul Hastings may collect information about you from Third Party sources to supplement information provided by you. This supplemental information allows us to verify or supplement information that you have provided to Paul Hastings and to enhance our ability to provide you with information about our business and services. Paul Hastings’ agreements with these Third Parties typically limit how Paul Hastings may use this supplemental information.
Direct Mail, Email and Other
Forms of Electronic Communication
Clients and Suppliers that provide us with Personal Information, or whose Personal Information we obtain from Third Parties, may receive periodic emails, mailings, or other forms of electronic communication from us with information on our services, legal or other news or developments, or upcoming special events. We offer our Clients and Suppliers the option to decline these communications at no cost.
Paul Hastings may perform research (online and offline) via surveys and may engage Third Parties to conduct such surveys on our behalf. All survey responses are voluntary, and the information collected may be used or disclosed for research, analytics, and reporting purposes to help us to better serve Clients and Suppliers.
Users of Our Sites – Cookies, Similar
Tools and Aggregate Information
Mobile Computing and Other
Paul Hastings may provide websites and online resources that are designed to be used on mobile computing devices. Mobile versions of Paul Hastings Sites may require that users log in with a user name and password. In such cases, information about use of each mobile version of the Sites may be associated with user accounts. In addition, Paul Hastings may enable individuals to download an application, widget, or other tools that can be used on mobile or other computing devices. Some of these tools may store information on mobile or other devices. These tools may transmit Personal Information to Paul Hastings to enable Data Subjects to access user accounts and to enable Paul Hastings to track use of these tools. Some of these tools may enable users to email reports and other information from the tool. Paul Hastings may use Personal Information or non-identifiable information transmitted to us to enhance these tools, to develop new tools, for quality improvement, and as otherwise described in this Privacy Statement or in other notices Paul Hastings provides.
2.2 CHOICE/MODALITIES TO OPT OUT
You have the right to opt-out of certain uses and disclosures of your Personal Information, as set out in this Privacy Statement.
Where you have consented to Paul Hastings’ Processing of your Personal Information or Sensitive Personal Information, subject to applicable legal and ethical obligations that may apply to us and to our lawful ability to enforce our rights or your obligations to us, you may withdraw that consent at any time and opt-out. Additionally, before we use Personal Information for any new purpose not originally authorized by you, we will provide information regarding the new purpose and give you the opportunity to opt-in to such secondary uses. If you choose not to opt-in to our secondary use of your Personal Information, we will not Process it for that use.
Prior to disclosing Sensitive Data to a Third Party or Processing Sensitive Data for a purpose other than its original purpose or the purpose authorized subsequently by the Data Subject, Paul Hastings will endeavor to obtain each Data Subject’s consent. Where consent of the Data Subject is required by law or contract, we will comply with the law or contract. For more information about how to consent to or withdraw consent for certain uses and disclosures of your Personal Information, contact us.
An “Unsubscribe” button will be provided at the top or bottom of each email marketing communication sent by Paul Hastings, so that you may opt out of further email communications. However, we will continue to send transaction-related emails regarding our relationship and the services you have requested.
2.3 ONWARD TRANSFER
Information We Share
Paul Hastings does not sell or otherwise disclose Personal Information about you, except as described in this Privacy Statement or as you explicitly consent. Paul Hastings may share Personal Information with our service providers and consultants for our internal business purposes or to provide you with a service that you have requested. Payment information will be used and shared only to effectuate your order and may be stored by a service provider for purposes of future orders. Paul Hastings requires our service providers to agree in writing to maintain confidentiality and security of Personal Information they maintain on our behalf, including to provide at least the same level of protection as required by the Privacy Shield Principles and GDPR, not to use it for any purpose other than the purpose for which Paul Hastings retained them and to notify Paul Hastings if they make a determination that they can no longer comply with that obligation. With respect to onward transfers to third-party agents under Privacy Shield and GDPR, Privacy Shield and GDPR require that Paul Hastings remain liable should such agents Process Personal Information in a manner inconsistent with the Privacy Shield Principles and GDPR.
We may disclose information about you: (i) if we are required to do so by law, court order, or legal process; (ii) in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; (iii) under the discovery process in litigation or arbitration; (iv) to enforce Paul Hastings policies, contracts, or other rights; (v) to collect amounts owed to Paul Hastings; (vi) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss, or in connection with an investigation or prosecution of suspected or actual illegal activity; or (vii) if in good faith we believe that disclosure is otherwise necessary or advisable. In addition, from time to time, server logs may be reviewed for security purposes—e.g., to detect unauthorized activity on the Sites. In such cases, server log data containing IP addresses may be shared with law enforcement bodies, contractors, or consultants so that they may identify users in connection with their investigation of the unauthorized activities.
We reserve the right to disclose or transfer any information we have about you in the event of a proposed or actual reorganization, sale, lease, merger, joint venture, assignment, amalgamation, or any other type of acquisition, disposal, or financing of all or any portion of Paul Hastings or of any of our assets (including should Paul Hastings cease to trade, become insolvent, or enter into receivership or any similar event occur). Should such an event take place, we will endeavor to direct the transferee to use Personal Information in a manner that is consistent with this Privacy Statement.
Paul Hastings is a global law firm, with offices, Clients, and Suppliers located throughout the world. As a result, your Personal Information may be transferred to other Paul Hastings offices, data centers, and servers in Europe, Asia, South America, or the United States for the purposes identified. Any such transfer of Personal Information shall take place only in accordance with applicable law.
Paul Hastings will take steps designed to comply with all applicable local laws when Processing Personal Information, including any local law conditions for and restrictions on the transfer of Personal Information. Paul Hastings may also protect your data through other legally valid methods, including international data transfer agreements.
Persons located within the EEA:
Paul Hastings takes steps to ensure that appropriate technical and organizational security measures and safeguards are applied when transferring personal information outside of the EEA and that privacy rights outlined in this Policy are preserved. Paul Hastings has established Standard Contractual Clauses that have been recognized by EEA Data Protection Authorities as providing an adequate level of protection to the Personal Information we Process globally. Paul Hastings ensures that all transfers of Personal Information are subject to appropriate safeguards as defined by the regulation.
Paul Hastings complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and the United Kingdom and Switzerland to the United States. Paul Hastings has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Privacy Statement and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visithttps://www.privacyshield.gov/.
2.4 INDIVIDUAL RIGHTS OF ACCESS AND CHOICE
Subject to applicable law, you may have the right to obtain confirmation regarding whether Paul Hastings Processes Personal Information about you, request access to and receive information about the Personal Information we maintain about you, receive copies of the Personal Information we maintain about you, update and correct inaccuracies in your Personal Information, object to the Processing of your Personal Information, and have the information blocked, anonymized, or deleted, as appropriate. The right to access Personal Information may be limited in some circumstances by local law. To exercise these rights, please contact us.
Where otherwise permitted by applicable law, you may use any of the methods set out in this Privacy Statement to request access to, receive (port), or restrict Processing, seek rectification, or request erasure of Personal Information held about you by Paul Hastings. Such requests will be processed in line with applicable laws. Although Paul Hastings makes good faith efforts to provide individuals with access to their Personal Information, there may be circumstances in which Paul Hastings is unable to provide access, including but not limited to: where the information contains legal privilege, would compromise others’ privacy or other legitimate rights, where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the information is commercially proprietary. If Paul Hastings determines that access should be restricted in any particular instance, we will endeavor to provide you with an explanation of why that determination has been made and a contact point for any further inquiries. To protect your privacy, Paul Hastings will take commercially reasonable steps to verify your identity before granting access to or making any changes to your Personal Information.
Persons located within the EEA
Paul Hastings adheres to applicable Data Protection Laws in the EEA, which, if applicable, practicable, and required under the GDPR, include the following rights:
- If the Processing of Personal Information is based on your consent, you have a right to withdraw consent at any time for future Processing;
- You have a right to request from us, where we act as a Controller as defined in the law, access to and rectification of your Personal Information;
- You have a right to object to the Processing of your Personal Information;
- You have a right to lodge a complaint with a Supervisory Authority; and
- As applicable under French law, you can also send us specific instructions regarding the use of your Personal Information after your death, by submitting a written request to us at Privacy@paulhastings.com.
When we Process Personal Information about you, we do so with your consent or as necessary to provide the products you use, operate our business, meet our contractual and legal obligations, protect the security of our systems and our Clients, or fulfill other legitimate interests of Paul Hastings, or otherwise as described in Section 2 (“Policy”) above. When we transfer Personal Information from the European Economic Area, we do so based on a variety of legal mechanisms, as described in Section 2.3 (“Onward Transfer”) above.
Paul Hastings retains Personal Information that we receive for as long as necessary to fulfill the purpose(s) for which the information was collected, to provide our services and products and to resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with all applicable laws.
The security of all Personal Information provided to Paul Hastings is important to us and we take reasonable steps designed to protect your Personal Information. Paul Hastings maintains administrative, technical and physical safeguards designed to protect Personal Information that is received against accidental, unlawful, or unauthorized destruction, loss, alteration, access, disclosure or use.
2.7 OTHER RIGHTS AND IMPORTANT INFORMATION
Links to Third Party Websites
Please note that our Sites may contain links to other websites for your convenience and information. Paul Hastings does not control Third Party websites or their privacy practices, which may differ from those set out in this Privacy Statement. Paul Hastings does not endorse or make any representations about Third Party websites. Any Personal Information you choose to give to these Third Parties is not covered by this Privacy Statement. Paul Hastings encourages you to review the Privacy Statement of any company or website before submitting your Personal Information. Some Third Parties may choose to share their users’ Personal Information with Paul Hastings; that sharing is governed by that company’s Privacy Statement, not Paul Hastings’ Privacy Statement.
Changes to this Privacy Statement
Paul Hastings may update this Privacy Statement from time to time as it deems necessary or appropriate in its sole discretion. If there are any material changes to this Privacy Statement, Paul Hastings will notify you by email, by means of a notice on our Sites, or as otherwise required by applicable law. Paul Hastings encourages you to review this Privacy Statement periodically to be informed regarding how Paul Hastings is using and protecting your information and to be aware of any policy changes. Any changes to this Privacy Statement take effect immediately after being posted or otherwise provided by Paul Hastings.
2.8 CONTACT US
If you have any questions or comments regarding this Privacy Statement or Paul Hastings privacy practices, or if you would like us to update information or preferences you provided to us, you may contact us at Privacy@paulhastings.com.
In compliance with the Privacy Shield Principles, Paul Hastings commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact us at Privacy@paulhastings.com.
Paul Hastings has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU and Switzerland in the context of the employment relationship.
If you believe that Paul Hastings has not adequately resolved any such issues, you may contact the Supervisory Authority concerned. Paul Hastings has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States and the EU. For more information and to submit a complaint to JAMS, a dispute resolution provider which has locations in the United States and the EU, visit https://www.jamsadr.com/eu-us-privacy-shield.
This independent dispute resolution mechanism is available to EEA and Swiss residents free of charge. If any request remains unresolved, you may have a right, under certain conditions, to invoke binding arbitration under Privacy Shield; for additional information, see https://www.privacyshield.gov/Individuals-in-Europe. The FTC has jurisdiction over Paul Hastings’ compliance with the Privacy Shield.
Effective date: December 2018
1Capitalized terms located throughout this document are defined either immediately following the first reference if a given term, or in Section 1.3 – Key Terms.