PAUL HASTINGS GLOBAL PRIVACY STATEMENT

I. PURPOSE

Paul Hastings LLP (“we”, “us”, and “our”) is committed to protecting the privacy of the information we collect or obtain from you the course of operating our law firm and providing our legal services. In accordance with applicable data protection laws and best practices; this Global Privacy Statement (“Privacy Statement”) describes the types of “Personal Data” (defined as any information related to an identified or an identifiable natural person) that we collect, process, store, use or share depending upon our relationship with you. It also explains your rights in relation to your Personal Data and how to contact us should you have any questions or wish to exercise any privacy rights.

II. SCOPE

Because we operate and have offices, clients and suppliers, located throughout the world, we must comply with various data protection laws and regulations, including but not limited to, the European Union’s General Data Protection Regulation (“EU GDPR”), the United Kingdom’s General Data Protection Regulation (“UK GDPR”), and U.S. state privacy laws, such as the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”).

If you are a resident of California, please also see our California Privacy Notice here.

This Privacy Statement describes the ways Paul Hastings processes Personal Data it receives:

1. in the course of our operations involving current, prospective, and former clients (collectively referred to as “Clients”).

2. from in-person visitors to Paul Hastings offices or events (collectively referred to as “Visitors”).

3. from online users of our Paul Hastings’ websites, including https://www.paulhastings.com/ and all other websites operated by or on behalf of Paul Hastings, from which this Privacy Statement has been linked (collectively referred to as the “Sites”).

4. from prospective candidates in connection with employment applications and prospective partners in association with partnership considerations (collectively referred to as the “Candidates”).

5. in the course of interactions with our current, prospective, and former suppliers, vendors, subcontractors, and business partners (collectively referred to as “Suppliers”).

All individuals and entities that Process Personal Data on behalf of Paul Hastings are expected to protect Personal Data in adherence to this Privacy Statement.

Our Talent Management Privacy Policy, which will be provided to you during the onboarding process, governs the management of the Personal Data of our employees and partners and takes precedence in the event of a conflict with this Privacy Statement.

III. COLLECTION AND PROCESSING OF PERSONAL DATA

The categories and types of Personal Data we collect depends on the nature of the relationship with you and our requirements under applicable laws.

Clients:  We collect and process the following Personal Data from and about our Clients:  title, name, address, phone number, email address, business or company affiliation, username and, if you have access to any of our secure online resources, an answer to a security question, password, government identification, credit card, and other financial information related to payments for services or goods and other details Clients may provide.  In certain Client engagements, we may collect other Personal Data about employees and other individuals who have a relationship or otherwise interact with our Clients (e.g., customers).

Business Purposes for Collection & Use

Legal Basis for Processing Personal Data

Providing legal services. Managing Client information. Responding to questions and requests. Providing access to certain areas and features of the Sites. Verifying Client identity, including for “Know Your Customer” (“KYC”) and “Anti-Money Laundering” (“AML”) purposes or internal investigations. Communicating about Client matters and accounts, our legal services, and activities on the Sites. Tailoring content, publications, and advertisements and offering what we believe may be of interest to Clients. Processing transactions and payments for services to Clients. Improving Paul Hastings Sites and systems. Developing new services and capabilities. For other purposes disclosed at the time the Clients provide Personal Data to us and otherwise with Client consent.

Consent. Performance of a contract. Compliance with a legal obligation. Legitimate interests.

Visitors:  If you visit a Paul Hastings office or attend a Paul Hastings sponsored in-person event, we may collect Personal Data from you, including but not limited to, your title, name, address, phone number, email address, business or company affiliation, government identification (driver’s license, passport), and other details you provide.

Business Purposes for Collection & Use	Legal Basis for Processing Personal Data
Confirming your identity. Securing and ensuring the safety of our facilities and systems. Providing you appropriate access to our facilities and systems. Communicating with you about your visit. Providing you information that we believe may be of interest to you. For other purposes disclosed at the time you provide Personal Data to us and otherwise with your consent.	Consent. Performance of a contract. Compliance with a legal obligation. Necessary for vital interests. Legitimate interests.

Visitors to our Sites:  We enable cookies and other online tracking tools to collect information about your use of our Sites. This information may include your internet protocol (“IP”) address, details about the time you spend on our Sites, pages viewed, and links clicked. For additional details on our use of cookies and other online tracking technologies, please see the “Cookies and Online Tracking Technologies” section below.

Business Purposes for Collection & Use	Legal Basis for Processing Personal Data
Providing and enhancing our Sites, systems, and legal services. Providing access to certain areas and features of the Sites. Confirming your identity and communicating with you. Securing our Sites and related systems. Tailoring content, publications, and advertisements and offering what we believe may be of interest to you. For other purposes disclosed at the time of collection and your consent.	Consent. Legitimate interests.

Candidates:  We collect Personal Data from individuals who submit applications for employment with us directly via the “Careers” section of our Sites and from other third-party resources such as recruiting firms. This information includes your name, contact information, such as email address and phone number, details regarding your education and professional work history, as well as any other details you choose to share with us.

Business Purposes for Collection & Use

Legal Basis for Processing Personal Data

Communicating with you regarding your application, any interviews, our recruitment events and other information regarding Paul Hastings. Evaluating your application and compatibility with Paul Hastings and the position for which you have applied. Providing and enhancing our Sites, systems, and legal services. For other purposes disclosed at the time of collection and with your consent, where required. Please note, our Privacy Policy for Talent Management Data may also apply to you and will be provided to you when and where necessary.

Consent. Performance of a contract. Compliance with a legal obligation. Legitimate interests.

Suppliers:  We collect Personal Data from our Suppliers in relation to the management of these relationships and the exchange of requested products and services. Such Personal Data may include business contact information of the individual employees of our Suppliers such as name, title, postal address, email address, phone number, invoicing and/or other payment information, and as well as details regarding the agreements executed with Paul Hastings.

Business Purposes for Collection & Use

Legal Basis for Processing Personal Data

Managing our Supplier relationships, products and services. Communicating with our Suppliers. Verifying identities of Supplier employees. Providing access to facilities, our Sites, and systems. Supporting our data privacy and cybersecurity obligations and other due diligence requirements. Processing payments for products and services received. Providing and enhancing our legal services and capabilities and business operations. For other purposes disclosed at the time of collection and with your consent, where required.

Consent. Performance of a contract. Compliance with a legal obligation. Necessary for vital interests. Legitimate interests.

Other Sources of Personal Data:  At times, we may choose to collect Personal Data through other sources, such as social media websites and applications (including details regarding your interactions on our social media accounts, e.g., posts, “likes”, “follows”, subscriptions, as well as details regarding your personal social media accounts); news media, educational and professional publications (including news, articles, and updates from your schools, current or past employers, or legal publications); references and opinions from others familiar with you (including details regarding services or products or capabilities); and research or surveys (including from third-party service providers who administer such tools on our behalf).

Business Purposes for Collection & Use	Legal Basis for Processing Personal Data
Providing and enhancing our legal services and capabilities. Evaluating Candidate applications. Tailoring content, publications, and advertisements and offering what we believe may be of interest to you. For other purposes disclosed at the time of collection and with your consent, where required.	Consent. Legitimate interests.

Legal Basis for Processing Personal Data:  While given the nature of our business we typically rely upon your consent or a contract as a legal basis to process your Personal Data, to the extent we rely on legitimate interests as a legal basis for processing your Personal Data, we have considered the balance between our own interests (among other things, the lawful and efficient operation of our legal services, the quality and enhancement of our online services and resources, and our continuing relationship with you) and your interests and we believe that (a) you would reasonably expect us to carry out the kind of processing referenced and (b) such processing will not cause you any harm and/or will not seriously impact your rights and freedoms with respect to your privacy.

We do not engage in automated decision making when processing Personal Data.

IV. COOKIES AND ONLINE TRACKING TECHNOLOGIES

We may use cookies and other online tracking technologies to collect Personal Data about you, your location, your preferences and usage of our Sites. We use this information to improve our Sites and to enhance the content and services we provide online.

When visiting one of our Sites for the first time, you will be prompted to provide consent for our use of cookies and similar online tracking technologies. Please note, should you decline or otherwise disable the use of cookies and online tracking technologies, some features of our Sites may be unavailable to you.

You can delete cookies and other online tracking technologies from your device by clearing your browser history. This will delete all online tracking technologies from all websites and applications you have visited since you last cleared your browser history. You can also set your browser to prevent certain online tracking technologies from being placed on your device. If you delete cookies, change your browser settings, switch browsers or computers, or use another operating system, you may need to opt-out again. To learn more, please see the links below:

• Firefox
• Google Chrome
• Internet Explorer
• Safari / Safari Mobile
• Microsoft Edge

To learn more about cookies, please see:  https://www.aboutcookies.org/.

V. MARKETING AND YOUR RIGHT TO OPT-OUT

Where you have consented and/or we believe we have a legitimate interest to do so, we may use your Personal Data to send you updates about our legal services or other topics or events that may be relevant to you (e.g. by email, text message, telephone or post). To opt-out of any marketing communications, you can click on the “unsubscribe” link that is provided at the top or bottom of each email marketing communication. Please note that unsubscribing from marketing communications will not terminate communications we send to you in relation to your instructions, transactions and our relationship and the legal services we provide to you.

For more information about how to consent to or how to withdraw consent for marketing purposes, please contact us at privacy@paulhastings.com.

VI. SHARING OF PERSONAL DATA

We do not sell Personal Data, and we will only share your Personal Data as described in this Privacy Statement.  We may share your Personal Data to assist our internal business purposes or to provide you with a service that you have requested. We routinely share Personal Data with:

1. Suppliers and consultants who we use to help deliver our services to you, (e.g. information technology resources, case management system providers and anti-money laundering system providers);

2. external advisors or experts engaged in the course of providing services to you, (e.g. barristers, tax advisors, local counsel);

3. marketing agencies and providers used to help promote our business;

4. our insurers and brokers;

5. our banks;

6. legal directories and professional accreditation organizations; and/or

7. other third parties where we have your consent to do so.

Where necessary, we may also disclose your Personal Data: (i) if we are required to do so by law, court order, or legal process; (ii) in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; (iii) under the discovery process in litigation or arbitration; (iv) to enforce Paul Hastings policies, contracts, or other rights; (v) to collect amounts owed to Paul Hastings; (vi) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss, or in connection with an investigation or prosecution of suspected or actual illegal or unauthorized activity, including any unauthorized activities in relation to our Sites; or (vii) if in good faith we believe that disclosure is otherwise necessary or advisable.

We only transfer Personal Data to third parties if we are satisfied that they have taken appropriate measures to protect your Personal Data. Further, prior to transferring any Personal Data, we require the third party service provider to contractually agree to maintaining confidentiality and security of Personal Data they will Process on our behalf, including to provide at least the same level of protection as required by the applicable data protection laws, not to use it for any purpose other than the purpose for which Paul Hastings retained them, and to notify Paul Hastings if they make a determination that they can no longer comply with that obligation.

We reserve the right to disclose or transfer any information we have about you in the event of a proposed or actual reorganization, sale, lease, merger, joint venture, assignment, amalgamation, or any other type of acquisition, disposal, or financing of all or any portion of Paul Hastings or of any of our assets (including should Paul Hastings, become insolvent, or enter into receivership or any similar event occur). Should such an event take place, we will endeavour to direct the transferee to use Personal Data in a manner that is consistent with this Privacy Statement.

Clients for whom we are acting as a data processor may request a current list of our sub-processors at any time by contacting privacy@paulhastings.com.

VII. CROSS-BORDER DATA TRANSFERS

Because we operate and have offices, Clients and Suppliers located throughout the world, your Personal Data may be transferred to other Paul Hastings offices, data centers, and servers in Europe, Asia, South America, or the United States for the purposes identified. Any such transfer of Personal Data shall take place only in accordance with applicable laws.

We take steps designed to comply with all applicable local laws when processing Personal Data, including any local law conditions for and restrictions on the transfer of Personal Data. We may also protect your Personal Data through other legally valid methods, including international data transfer agreements.

For individuals located within the EEA, Switzerland or the United Kingdom:  Where necessary, we execute the Standard Contractual Clauses that have been recognized by the applicable data protection authorities as providing an adequate level of protection to the Personal Data we process globally and where appropriate, we enact other data protection measures intended to ensure that all transfers of Personal Data are subject to appropriate safeguards.

VIII. YOUR PRIVACY RIGHTS

Depending upon where you reside, certain privacy rights may be available to you under applicable data protection laws. To inquire about or to exercise these rights, please contact privacy@paulhastings.com. We will respond to you and your request within the timeline outlined in the data protection laws applicable to you.  These rights may be available to you:

1. Right to Know and Access:  You may have the right to know and access the Personal Data we have collected about you. We will provide to you your Personal Data in a portable and, to the extent technically feasible, readily usable format that allows you to transmit your Personal Data to another controller.
2. Right to Delete:  You may have the right to request that we delete the Personal Data we have collected about you, subject to certain legal exceptions.
3. Right to Withdraw Consent:  You may have the right to withdraw any consent to the collection and/or use of your Personal Data that you have given to us.
4. Right to Correct:  You may have the right to request that we correct any inaccurate Personal Data we have collected about you.
5. Rights to Restrict or Limit Processing, Opt-Out of Targeted Advertising, Sale of Personal Data and/or Profiling:  You may have the right to opt-out of our processing of your Personal Data for the purposes of (i) targeted advertising, (ii) the sale of Personal Data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. Please note we do not sell your Personal Data, nor do we process Personal Data for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects.
6. Right to Appeal:  You may have the right to appeal any of our responses with respect to your Personal Data privacy rights requests. You may do so by contacting us at privacy@paulhastings.com.
7. Right to No Discrimination:  You will not receive any discriminatory treatment by us for the exercise of your privacy rights as outlined in this Privacy Statement.
8. Right to Contact Supervisory Authority:  You may have the right to bring a complaint to the relevant supervisory authority.

For individuals located in France, you can also send us specific instructions regarding the use of your Personal Data after your death, by submitting a written request to us at privacy@paulhastings.com.

Verifying Your Request: Only you, or a person that you authorize to act on your behalf, may make a request related to your Personal Data. In the case of access and deletion, your request must be verifiable before we can fulfill such request. Verifying your request will require you to provide sufficient information for us to reasonably verify that you are the person about whom we collected Personal Data, or a person authorized to act on your behalf. We will only use the Personal Data you have provided in a verifiable request in order to verify your request. Please note that we may charge a reasonable fee or refuse to act on a request if such request is excessive, repetitive or manifestly unfounded.

Authorized Agents: 

If a person is submitting a privacy rights request on your behalf, we may require more information from you or ask for written confirmation that the identified individual is acting as your authorized agent with respect to this request. We may ask you to provide a signed authorization for your agent to make the request or to verify your identity or confirm your request directly with us.

Do Not Track:  Our Sites are not designed to respond to "do not track" requests from browsers.

“Shine the Light” and “Eraser” Laws:  Residents of the State of California may request a list of all third parties to which we have disclosed certain information during the preceding year for those third parties’ direct marketing purposes.

IX. RETENTION

We will retain your Personal Data only for as long as necessary to fulfil the purpose(s) for which the information was collected, including to provide our services and products and to resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with all applicable laws.

All digital data (including emails and electronic copies of documents) may be retained on our servers.

X. SECURITY

We maintain reasonable administrative, technical and physical safeguards to protect the Personal Data we process against accidental, unlawful, or unauthorized destruction, loss, alteration, access, disclosure or use and we require our business partners and Suppliers to do the same.

XI. CHILDREN’S DATA

We do not knowingly ask for or collect Personal Data from children under 13 years of age. If you believe a child under 13 has submitted Personal Data to us and you have authority to act on behalf of the child, please contact us to ask to have the information deleted.

XII. LINKS TO OTHER WEBSITES

Please note that our Sites may contain links to other websites or resources for your convenience and information. We have no control over those websites or resources and encourage you to review their privacy policies before submitting any Personal Data or other information to them.

XIII. CHANGES TO THIS PRIVACY STATEMENT

This Privacy Statement is effective as of the date stated at the top of this page. We may update or change this Privacy Statement from time to time as we deem necessary or appropriate in our sole discretion. We encourage you to review this Privacy Statement periodically to be informed regarding how Paul Hastings is using and protecting your information and to be aware of any changes.

XIV. CONTACT US

If you have any questions or comments regarding this Privacy Statement or Paul Hastings privacy practices, or if you would like to exercise any of your privacy rights, please contact us at privacy@paulhastings.com.

As outlined above, individuals located in the EU or the UK may also lodge a complaint with your local Supervisory Authority, as follows:

• Germany:  German Federal Commissioner for Data Protection and Freedom of Information
• France:  CNIL
• UK:  Information Commissioner’s Office

XV. OTHER DOCUMENTS

• Paul Hastings Client EEA, Switzerland, UK Data Processing Addendum