PAUL HASTINGS GLOBAL PRIVACY STATEMENT

1.0 OVERVIEW

1.1 PURPOSE

Paul Hastings¹ is committed to protecting the privacy of Personal Information we may collect or obtain in the course of business from individuals inside or outside the organization. This Global Privacy Statement (“Privacy Statement”) describes the type of Personal Information Paul Hastings may collect, how we may use and share that information, and how you can correct or change such information.

1.2 SCOPE

This Privacy Statement describes the ways Paul Hastings manages Personal Information it receives: (i) in the course of its operations involving current, prospective, and former clients (collectively, “Clients”); (ii) from visitors of Paul Hastings offices, websites, or events; (iii) from prospective employees in connection with employment applications and prospective partners in association with partnership considerations; and (iv) in the course of interactions with its current, prospective, and former suppliers, vendors, subcontractors, and business partners (collectively, “Suppliers”), including in each such case on Paul Hastings’ website located at https://www.paulhastings.com/ and any and all future websites operated by or on behalf of Paul Hastings (the “Sites”). All individuals and entities that Process Personal Information on behalf of Paul Hastings are expected to protect Personal Information in adherence to this Privacy Statement.

Our Privacy Policy for Talent Management Data governs the management of the Personal Information of our employees and partners and shall control in the event of a conflict with this Privacy Statement.

If you are a resident of California, please review our California Privacy Notice here.

1.3 KEY TERMS

• “Controller" has the meaning set forth in the Regulation (EU) 2016/679 (“GDPR”);
• “EEA" means the European Economic Area, which is currently composed of the following thirty (30) countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Ireland, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.
• “GDPR" means Regulation (EU) 2016/679;
• “Paul Hastings" means Paul Hastings LLP its affiliated entities: Paul Hastings Cares Foundation, Paul Hastings LLP, Paul Hastings LLP Defined Benefit Retirement Plan for Partners, Paul Hastings LLP Defined Contribution Retirement Plan, Paul Hastings LLP Nonqualified Retirement Plan and Paul Hastings LLP Master Welfare Benefits Plan;
• “Personal Data" or “Personal Information" has the meaning set forth in the GDPR.
• “Process" or “Processing" means any operation which is performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, acquisition, holding, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction;
• “Processor" has the meaning set forth in the GDPR;
• “Sensitive Data" or “Sensitive Personal Information" is a subset of Personal Information which, due to its nature, has been classified by law or by policy as deserving additional privacy and security protections. Sensitive Personal Information includes Personal Information regarding individuals located in the EEA that is classified as a “Special Category of Personal Data” under European Union or EEA member state law, which consists of the following data elements:
  (1) race or ethnic origin;
  (2) political opinions;
  (3) religious or philosophical beliefs;
  (4) trade union membership;
  (5) genetic data;
  (6) biometric data where Processed to uniquely identify a person;
  (7) health information; and
  (8) sexual orientation or information about the individual’s sex life.
• “Supervisory Authority” means an independent public authority established in a local country within the European Union pursuant to GDPR Article 51.
• “Supervisory Authority Concerned" means a Supervisory Authority which is concerned with the Processing of Personal Information because: (a) the Controller or Processor is established on the territory of the member state of that Supervisory Authority; (b) data subjects residing in the member state of that Supervisory Authority are substantially affected or likely to be substantially affected by the Processing; or (c) a complaint has been lodged with that Supervisory Authority.
• “Third Party" is any natural or legal person, public authority, agency, or body other than the Data Subject, Paul Hastings, or Paul Hastings’ agents.

2.0 POLICY

2.1 THE PERSONAL INFORMATION WE COLLECT AND HOW WE USE IT

The types of Personal Information we may collect (directly from you or Third Parties) depend on the nature of the relationship that you have with Paul Hastings and the requirements of applicable law. We collect only information relevant for the purposes of Processing. We do not engage in automated decision making when Processing your Personal Information. Depending upon Paul Hastings’ relationship with you, we Process your Personal Information with your consent; for the performance of a contract with you; for a legitimate interest; or as necessary for a legal requirement or obligation. Below are some of the ways we collect Personal Information and how we use it.

Clients

Personal Information Paul Hastings Processes from or about Clients includes title, name, address, phone number, email address, business or company affiliation, username and, if you have access to any of our secure online resources, an answer to a security question, password, government identification, credit card, and other financial information related to payments for services or goods and other details Clients may provide. In certain Client engagements, we may collect employee and other information of our Clients, including Personal Information of others who have a relationship or otherwise interact with our Clients.

We Process Personal Information about or on behalf of Clients for a variety of business purposes, including but not limited to:

• providing legal services;
• generally managing Client information;
• responding to questions and requests;
• providing access to certain areas and features of the Sites;
• ·verifying Client identity;
• communicating about Client accounts and activities on the Sites and systems and, at Paul Hastings’ discretion, changes to any Paul Hastings policy;
• tailoring content, publications, and advertisements and offering what we believe may be of interest to Clients;
• processing transactions and payments for services purchased by Clients;
• improving Paul Hastings Sites and systems;
• developing new services; and
• further purposes disclosed at the time that Clients provide Personal Information, or otherwise with consent.

Suppliers

The Personal Information Paul Hastings collects from its Suppliers relates to the management of these relationships and the exchange of requested products and services. Such Personal Information may include title, name, address, phone number, email address, invoicing and other payment information, and agreements executed with Paul Hastings.

We Process Personal Information about Suppliers for a variety of business purposes, including but not limited to:

• generally managing Supplier information;
• responding to questions and requests;
• providing access to certain areas and features of the Sites;
• verifying Supplier identity;
• communicating about Supplier accounts and activities, including activities on Paul Hastings Sites and systems, and, in Paul Hastings’ discretion, changes to any Paul Hastings policy;
• processing payments for products or services purchased by Paul Hastings;
• improving Paul Hastings Sites and systems;
• developing new products, processes and services;
• processing applications and transactions; and
• further purposes disclosed at the time Suppliers provide Personal Information, or otherwise with consent of the Supplier.

Visitors

If you visit a Paul Hastings office, we may collect Personal Information about you, including, but not limited to, your title, name, address, phone number, email address, business or company affiliation, government identification (driver’s license, passport), and other details you provide. We Process this Personal Information for a variety of purposes, including to verify your identity, to provide access to Paul Hastings facilities and systems, for security and other safety purposes, to communicate with you regarding your visit, to provide information we believe may be of interest to you, including regarding Paul Hastings’ services, and for purposes disclosed at the time you provide Personal Information, or otherwise with your consent.

Recruiting

If you submit Personal Information via the Careers section of our Sites, or otherwise to inquire about or apply for a position at Paul Hastings, we will Process such Personal Information in accordance with our Privacy Policy for Talent Management Data and not to market to you.

Social Media Activities

Paul Hastings may collect Personal Information to enable Data Subjects to use online social media resources, which may include posting or sharing Personal Information with others. When using these resources, you should consider what Personal Information you share with others.

Information from Third-Party Sources

Paul Hastings may collect Personal Information about you from Third Party sources to supplement information provided by you. This supplemental information allows us to verify or supplement information that you have provided to Paul Hastings and to enhance our ability to provide you with information about our business and services. Paul Hastings’ agreements with these Third Parties typically limit how Paul Hastings may use this supplemental information.

Direct Mail, Email and Other Forms of Electronic Communication

Clients and Suppliers that provide us with Personal Information, or whose Personal Information we obtain from Third Parties, may receive periodic emails, mailings, or other forms of electronic communication from us with information on our services, legal or other news or developments, or upcoming special events. We offer our Clients and Suppliers the option to decline these communications at no cost.

Research/Survey Solicitations

Paul Hastings may perform research (online and offline) via surveys and may engage Third Parties to conduct such surveys on our behalf. All survey responses are voluntary, and the information collected may be used or disclosed for research, analytics, and reporting purposes to help us to better serve Clients and Suppliers.

Users of Our Sites – Cookies, Similar Tools and Aggregate Information

We may use cookies or similar tools to collect internet protocol (IP) addresses of those who use our Sites. When visiting one of our Sites for the first time, you will be prompted to provide consent for our use of cookies. Should you decline, some features of our Sites may be unavailable to you. Should you consent to our use of cookies; the cookie will be deleted once you end your session by closing your browser.

Mobile Computing and Other Applications

Paul Hastings may provide websites and online resources that are designed to be used on mobile computing devices. Mobile versions of Paul Hastings Sites may require that users log in with a user name and password. In such cases, information about use of each mobile version of the Sites may be associated with user accounts. In addition, Paul Hastings may enable individuals to download an application, widget, or other tools that can be used on mobile or other computing devices. Some of these tools may store information on mobile or other devices. These tools may transmit Personal Information to Paul Hastings to enable Data Subjects to access user accounts and to enable Paul Hastings to track use of these tools. Some of these tools may enable users to email reports and other information from the tool. Paul Hastings may use Personal Information or non-identifiable information transmitted to us to enhance these tools, to develop new tools, for quality improvement, and as otherwise described in this Privacy Statement or in other notices Paul Hastings provides.

2.2 CHOICE/MODALITIES TO OPT OUT

You have the right to opt-out of certain uses and disclosures of your Personal Information, as set out in this Privacy Statement.

Where you have consented to Paul Hastings’ Processing of your Personal Information or Sensitive Personal Information, subject to applicable legal and ethical obligations that may apply to us and to our lawful ability to enforce our rights or your obligations to us, you may withdraw that consent at any time and opt-out. Additionally, before we use Personal Information for any new purpose not originally authorized by you, we will provide information regarding the new purpose and give you the opportunity to opt-in to such secondary uses. If you choose not to opt-in to our secondary use of your Personal Information, we will not Process it for that use.

Prior to disclosing Sensitive Data to a Third Party or Processing Sensitive Data for a purpose other than its original purpose or the purpose authorized subsequently by the Data Subject, Paul Hastings will endeavor to obtain each Data Subject’s consent. Where consent of the Data Subject is required by law or contract, we will comply with the law or contract. For more information about how to consent to or withdraw consent for certain uses and disclosures of your Personal Information, contact us.

An “Unsubscribe” button will be provided at the top or bottom of each email marketing communication sent by Paul Hastings, so that you may opt out of further email communications. However, we will continue to send transaction-related emails regarding our relationship and the services you have requested.

2.3 ONWARD TRANSFER

Information We Share

Paul Hastings does not sell or otherwise disclose Personal Information about you, except as described in this Privacy Statement or as you explicitly consent. Paul Hastings may share Personal Information with our service providers and consultants for our internal business purposes or to provide you with a service that you have requested. Payment information will be used and shared only to effectuate your order and may be stored by a service provider for purposes of future orders. Paul Hastings requires our service providers to agree in writing to maintain confidentiality and security of Personal Information they maintain on our behalf, including to provide at least the same level of protection as required by the applicable data protection laws, including the GDPR, not to use it for any purpose other than the purpose for which Paul Hastings retained them and to notify Paul Hastings if they make a determination that they can no longer comply with that obligation. With respect to onward transfers to third parties under GDPR, Paul Hastings is required to remain liable should such third parties Process Personal Information in a manner inconsistent with the GDPR.

We may disclose information about you: (i) if we are required to do so by law, court order, or legal process; (ii) in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; (iii) under the discovery process in litigation or arbitration; (iv) to enforce Paul Hastings policies, contracts, or other rights; (v) to collect amounts owed to Paul Hastings; (vi) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss, or in connection with an investigation or prosecution of suspected or actual illegal activity; or (vii) if in good faith we believe that disclosure is otherwise necessary or advisable. In addition, from time to time, server logs may be reviewed for security purposes—e.g., to detect unauthorized activity on the Sites. In such cases, server log data containing IP addresses may be shared with law enforcement bodies, contractors, or consultants so that they may identify users in connection with their investigation of the unauthorized activities.

We reserve the right to disclose or transfer any information we have about you in the event of a proposed or actual reorganization, sale, lease, merger, joint venture, assignment, amalgamation, or any other type of acquisition, disposal, or financing of all or any portion of Paul Hastings or of any of our assets (including should Paul Hastings cease to trade, become insolvent, or enter into receivership or any similar event occur). Should such an event take place, we will endeavor to direct the transferee to use Personal Information in a manner that is consistent with this Privacy Statement.

Data Transfers

Paul Hastings is a global law firm, with offices, Clients, and Suppliers located throughout the world. As a result, your Personal Information may be transferred to other Paul Hastings offices, data centers, and servers in Europe, Asia, South America, or the United States for the purposes identified. Any such transfer of Personal Information shall take place only in accordance with applicable law.

Paul Hastings will take steps designed to comply with all applicable local laws when Processing Personal Information, including any local law conditions for and restrictions on the transfer of Personal Information. Paul Hastings may also protect your data through other legally valid methods, including international data transfer agreements.

Persons located within the EEA, Switzerland or the United Kingdom:

Paul Hastings aims to ensure that appropriate technical and organizational security measures and safeguards are applied when transferring Personal Information outside of the EEA, Switzerland or the United Kingdom and that privacy rights outlined in this Policy are preserved. Paul Hastings has established Standard Contractual Clauses that have been recognized by the applicable data protection authorities as providing an adequate level of protection to the Personal Information we Process globally. Where appropriate, we enact other data protection measures intended to ensure that all transfers of Personal Information are subject to appropriate safeguards as defined by the regulation.

2.4 INDIVIDUAL RIGHTS OF ACCESS AND CHOICE

Subject to applicable law, you may have the right to obtain confirmation regarding whether Paul Hastings Processes Personal Information about you, request access to and receive information about the Personal Information we maintain about you, receive copies of the Personal Information we maintain about you, update and correct inaccuracies in your Personal Information, object to the Processing of your Personal Information, and have the information blocked, anonymized, or deleted, as appropriate. The right to access Personal Information may be limited in some circumstances by local law. To exercise these rights, please contact us.

Where otherwise permitted by applicable law, you may use any of the methods set out in this Privacy Statement to request access to, receive (port), or restrict Processing, seek rectification, or request erasure of Personal Information held about you by Paul Hastings. Such requests will be processed in line with applicable laws. Although Paul Hastings makes good faith efforts to provide individuals with access to their Personal Information, there may be circumstances in which Paul Hastings is unable to provide access, including but not limited to: where the information contains legal privilege, would compromise others’ privacy or other legitimate rights, where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the information is commercially proprietary. If Paul Hastings determines that access should be restricted in any particular instance, we will endeavor to provide you with an explanation of why that determination has been made and a contact point for any further inquiries. To protect your privacy, Paul Hastings will take commercially reasonable steps to verify your identity before granting access to or making any changes to your Personal Information.

Persons located within the EEA, Switzerland or the United Kingdom

Paul Hastings adheres to applicable data protection laws, which, if applicable, practicable, and required under the GDPR or other applicable law, include the following rights:

• If the Processing of Personal Information is based on your consent, you have a right to withdraw consent at any time for future Processing;
• You have a right to request from us, where we act as a Controller as defined in the law, access to and rectification of your Personal Information;
• You have a right to object to the Processing of your Personal Information;
• You have a right to lodge a complaint with the local Supervisory Authority in your country; and
• As applicable under French law, you can also send us specific instructions regarding the use of your Personal Information after your death, by submitting a written request to us at Privacy@paulhastings.com.
• When we Process Personal Information about you, we do so with your consent or as necessary to provide the products you use, operate our business, meet our contractual and legal obligations, protect the security of our systems and our Clients, or fulfill other legitimate interests of Paul Hastings, or otherwise as described in Section 2 (“Policy”) above. When we transfer Personal Information from the EEA, Switzerland or the United Kingdom, we do so based on a variety of legal mechanisms, as described in Section 2.3 (“Onward Transfer”) above.

2.5 RETENTION

Paul Hastings retains Personal Information that we receive for as long as necessary to fulfill the purpose(s) for which the information was collected, to provide our services and products and to resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with all applicable laws.

2.6 SECURITY

The security of all Personal Information provided to Paul Hastings is important to us and we take reasonable steps designed to protect your Personal Information. Paul Hastings maintains administrative, technical and physical safeguards designed to protect Personal Information that is received against accidental, unlawful, or unauthorized destruction, loss, alteration, access, disclosure or use.

2.7 OTHER RIGHTS AND IMPORTANT INFORMATION

Do Not Track

Our Sites are not designed to respond to "do not track" requests from browsers.

“Shine the Light” and “Eraser” Laws

Residents of the State of California may request a list of all third parties to which we have disclosed certain information during the preceding year for those third parties’ direct marketing purposes.

Links to Third Party Websites

Please note that our Sites may contain links to other websites for your convenience and information. Paul Hastings does not control Third Party websites or their privacy practices, which may differ from those set out in this Privacy Statement. Paul Hastings does not endorse or make any representations about Third Party websites. Any Personal Information you choose to give to these Third Parties is not covered by this Privacy Statement. Paul Hastings encourages you to review the Privacy Statement of any company or website before submitting your Personal Information. Some Third Parties may choose to share their users’ Personal Information with Paul Hastings; that sharing is governed by that company’s Privacy Statement, not Paul Hastings’ Privacy Statement.

Changes to this Privacy Statement

Paul Hastings may update this Privacy Statement from time to time as it deems necessary or appropriate in its sole discretion. If there are any material changes to this Privacy Statement, Paul Hastings will notify you by email, by means of a notice on our Sites, or as otherwise required by applicable law. Paul Hastings encourages you to review this Privacy Statement periodically to be informed regarding how Paul Hastings is using and protecting your information and to be aware of any policy changes. Any changes to this Privacy Statement take effect immediately after being posted or otherwise provided by Paul Hastings.

2.8 CONTACT US

If you have any questions or comments regarding this Privacy Statement or Paul Hastings privacy practices, or if you would like us to update information or preferences you provided to us, you may contact us at Privacy@paulhastings.com. If you are located in the EEA and believe Paul Hastings has not adequately resolved any issues, you may contact the Supervisory Authority concerned.

Effective date: April 2023

Paul Hastings’ Client EEA, Switzerland, UK Data Processing Addendum