Global Privacy Statement

Paul Hastings Global Privacy Statement



Paul Hastings[1] is committed to protecting the privacy of Personal
Information we may collect or obtain in the course of business from individuals
inside or outside the organization. This Global Privacy Statement (“Privacy
Statement”) describes the type of Personal Information Paul Hastings may
collect, how we may use and share that information, and how you can correct or
change such information.


This Privacy Statement describes the ways Paul Hastings manages
Personal Information it receives: (i) in the course of its operations involving
current, prospective, and former clients (collectively, “Clients”); (ii) from
visitors of Paul Hastings offices, websites, or events; (iii) from prospective
employees in connection with employment applications and prospective partners
in association with partnership considerations; and (iv) in the course of
interactions with its current, prospective, and former suppliers, vendors,
subcontractors, and business partners (collectively, “Suppliers”), including in
each such case on Paul Hastings’ website located at 

 and any and all future websites
operated by or on behalf of Paul Hastings (the “Sites”). All individuals and
entities that Process Personal Information on behalf of Paul Hastings are
expected to protect Personal Information in adherence to this Privacy

Our Privacy Policy for Talent Management Data governs the management of the
Personal Information of our employees and partners and shall control in the
event of a conflict with this Privacy Statement.

If you are a resident of California, please review our
California Consumer Privacy Act (CCPA) Privacy Notice 


1.3 KEY TERMS        

  • “Controller” has the meaning set forth in the Regulation (EU) 2016/679 (“GDPR”);

  • “EEA” means the European Economic Area, which is currently composed of the following thirty (30) countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Ireland, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden.

  • “GDPR” means Regulation (EU) 2016/679;

  • “Paul Hastings” means Paul Hastings LLP and its affiliated entities: Paul Hastings Cares Foundation, Paul Hastings LLP, Paul Hastings LLP Defined Benefit Retirement Plan for Partners, Paul Hastings LLP Defined Contribution Retirement Plan, Paul Hastings LLP Nonqualified Retirement Plan and Paul Hastings LLP Master Welfare Benefits Plan;

  • “Personal Data” or “Personal Information” has the meaning set forth in the GDPR.

  • “Process” or “Processing” means any operation which is performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, acquisition, holding, use, disclosure by transmission, dissemination or otherwise making
    available, alignment or combination, restriction, erasure, or destruction;

  • “Processor” has the meaning set forth in the GDPR;

  • “Sensitive Data” or “Sensitive Personal Information” is a subset of Personal Information which, due to its nature, has been classified by law or by policy as deserving additional
    privacy and security protections. Sensitive Personal Information includes Personal Information regarding individuals located in the EEA that is classified as a “Special Category of Personal Data” under European Union or EEA member state law, which consists of the following data elements:
    (1) race or ethnic origin;
    (2) political opinions;
    (3) religious or philosophical beliefs;
    (4) trade union membership;
    (5) genetic data;
    (6) biometric data where Processed to uniquely identify a person;
    (7) health information; and
    (8) sexual orientation or information about the individual’s sex life.

  • “Supervisory Authority” means an independent public authority established in a local country within the European Union pursuant to GDPR Article 51.

  • “Supervisory Authority Concerned” means a Supervisory Authority which is concerned with the Processing of Personal Information because: (a) the Controller or Processor is established on the territory of the member state of that Supervisory Authority; (b) data subjects residing in the member state of that Supervisory Authority are substantially
    affected or likely to be substantially affected by the Processing; or (c) a complaint has been lodged with that Supervisory Authority.

  • “Third Party” is any natural or legal person, public authority, agency, or body other than the Data Subject, Paul Hastings, or Paul Hastings’ agents.



The types of Personal Information we may collect (directly from you or Third
Parties) depend on the nature of the relationship that you have with Paul
Hastings and the requirements of applicable law. We collect only information
relevant for the purposes of Processing. We do not engage in automated decision
making when Processing your Personal Information. Depending upon Paul Hastings’
relationship with you, we Process your Personal Information with your consent;
for the performance of a contract with you; for a legitimate interest; or as
necessary for a legal requirement or obligation. Below are some of the ways we
collect Personal Information and how we use it.


Personal Information Paul Hastings Processes from or about Clients includes title, name,
address, phone number, email address, business or company affiliation, username
and, if you have access to any of our secure online resources, an answer to a
security question, password, government identification, credit card, and other
financial information related to payments for services or goods and other
details Clients may provide. In certain Client engagements, we may collect
employee and other information of our Clients, including Personal Information
of others who have a relationship or otherwise interact with our Clients.

We Process Personal Information about or on behalf of Clients for a variety of
business purposes, including but not limited to:

  • providing legal services;

  • generally managing Client information;        

  • responding to questions and requests;        

  • providing access to certain areas and features of the Sites;

  • verifying Client identity;

  • communicating about Client accounts and activities on the Sites and systems and, at Paul Hastings’ discretion, changes to any Paul Hastings policy;        

  • tailoring content, publications, and advertisements and offering
    what we believe may be of interest to Clients;        

  • processing transactions and payments for services purchased by

  • improving Paul Hastings Sites and systems;        

  • developing new services; and        

  • further purposes disclosed at the time that Clients provide
    Personal Information, or otherwise with consent.


The Personal Information Paul Hastings collects from its Suppliers relates to the
management of these relationships and the exchange of requested products and
services. Such Personal Information may include title, name, address, phone
number, email address, invoicing and other payment information, and agreements
executed with Paul Hastings.

We Process Personal Information about Suppliers for a variety of business
purposes, including but not limited to:

  • generally managing Supplier information;

  • responding to questions and requests;

  • providing access to certain areas and features of the Sites;

  • verifying Supplier identity;        

  • communicating about Supplier accounts and activities, including
    activities on Paul Hastings Sites and systems, and, in Paul Hastings’
    discretion, changes to any Paul Hastings policy;

  • processing payments for products or services purchased by Paul

  • improving Paul Hastings Sites and systems;        

  • developing new products, processes and services;        

  • processing applications and transactions; and        

  • further purposes disclosed at the time Suppliers provide
    Personal Information, or otherwise with consent of the Supplier.


If you visit a Paul Hastings office, we may collect Personal Information about
you, including, but not limited to, your title, name, address, phone number,
email address, business or company affiliation, government identification
(driver’s license, passport), and other details you provide. We Process this Personal
Information for a variety of purposes, including to verify your identity, to
provide access to Paul Hastings facilities and systems, for security and other
safety purposes, to communicate with you regarding your visit, to provide information
we believe may be of interest to you, including regarding Paul Hastings’
services, and for purposes disclosed at the time you provide Personal
Information, or otherwise with your consent.


If you submit Personal Information via the Careers section of our Sites, or
otherwise to inquire about or apply for a position at Paul Hastings, we will
Process such Personal Information in accordance with our Privacy Policy for
Talent Management Data and not to market to you.

Social Media Activities

Paul Hastings may collect Personal Information to enable Data Subjects to use online
social media resources, which may include posting or sharing Personal
Information with others. When using these resources, you should consider what
Personal Information you share with others.

Information from Third-Party Sources

Paul Hastings may collect Personal Information about you from Third Party sources to
supplement information provided by you. This supplemental information allows us
to verify or supplement information that you have provided to Paul Hastings and
to enhance our ability to provide you with information about our business and
services. Paul Hastings’ agreements with these Third Parties typically limit
how Paul Hastings may use this supplemental information.

Direct Mail, Email and Other Forms of Electronic Communication

Clients and Suppliers that provide us with Personal Information, or whose Personal
Information we obtain from Third Parties, may receive periodic emails,
mailings, or other forms of electronic communication from us with information
on our services, legal or other news or developments, or upcoming special
events. We offer our Clients and Suppliers the option to decline these
communications at no cost.

Research/Survey Solicitations

Paul Hastings may perform research (online and offline) via surveys and may engage
Third Parties to conduct such surveys on our behalf. All survey responses are
voluntary, and the information collected may be used or disclosed for research,
analytics, and reporting purposes to help us to better serve Clients and

Users of Our Sites – Cookies, Similar Tools and Aggregate

We may use cookies or similar tools to collect internet protocol (IP) addresses of
those who use our Sites. When visiting one of our Sites for the first time, you
will be prompted to provide consent for our use of cookies. Should you decline,
some features of our Sites may be unavailable to you. Should you consent to our
use of cookies, the cookie will be deleted once you end your session by closing
your browser.

Mobile Computing and Other Applications

Paul Hastings may provide websites and online resources that are designed to be used
on mobile computing devices. Mobile versions of Paul Hastings Sites may require
that users log in with a user name and password. In such cases, information
about use of each mobile version of the Sites may be associated with user
accounts. In addition, Paul Hastings may enable individuals to download an
application, widget, or other tools that can be used on mobile or other
computing devices. Some of these tools may store information on mobile or other
devices. These tools may transmit Personal Information to Paul Hastings to
enable Data Subjects to access user accounts and to enable Paul Hastings to track
use of these tools. Some of these tools may enable users to email reports and
other information from the tool. Paul Hastings may use Personal Information or
non-identifiable information transmitted to us to enhance these tools, to
develop new tools, for quality improvement, and as otherwise described in this
Privacy Statement or in other notices Paul Hastings provides.


You have the right to opt-out of certain uses and disclosures of your Personal
Information, as set out in this Privacy Statement.

Where you have consented to Paul Hastings’ Processing of your Personal Information or
Sensitive Personal Information, subject to applicable legal and ethical
obligations that may apply to us and to our lawful ability to enforce our
rights or your obligations to us, you may withdraw that consent at any time and
opt-out. Additionally, before we use Personal Information for any new purpose
not originally authorized by you, we will provide information regarding the new
purpose and give you the opportunity to opt-in to such secondary uses. If you
choose not to opt-in to our secondary use of your Personal Information, we will
not Process it for that use.

Prior to disclosing Sensitive Data to a Third Party or
Processing Sensitive Data for a purpose other than its original purpose or the
purpose authorized subsequently by the Data Subject, Paul Hastings will
endeavor to obtain each Data Subject’s consent. Where consent of the Data
Subject is required by law or contract, we will comply with the law or
contract. For more information about how to consent to or withdraw consent for
certain uses and disclosures of your Personal Information, 


An “Unsubscribe” button will be provided at the top or bottom of each email
marketing communication sent by Paul Hastings, so that you may opt out of
further email communications. However, we will continue to send
transaction-related emails regarding our relationship and the services you have


Information We Share

Paul Hastings does not sell or otherwise disclose Personal Information about you,
except as described in this Privacy Statement or as you explicitly consent.
Paul Hastings may share Personal Information with our service providers and
consultants for our internal business purposes or to provide you with a service
that you have requested. Payment information will be used and shared only to
effectuate your order and may be stored by a service provider for purposes of
future orders. Paul Hastings requires our service providers to agree in writing
to maintain confidentiality and security of Personal Information they maintain
on our behalf, including to provide at least the same level of protection as
required by the applicable data protection laws, including the GDPR, not to use
it for any purpose other than the purpose for which Paul Hastings retained them
and to notify Paul Hastings if they make a determination that they can no
longer comply with that obligation. With respect to onward transfers to third
parties under GDPR, Paul Hastings is required to remain liable should such third
parties Process Personal Information in a manner inconsistent with the GDPR.

We may disclose information about you: (i) if we are required to do so by law,
court order, or legal process; (ii) in response to lawful requests by public
authorities, including to meet national security or law enforcement
requirements; (iii) under the discovery process in litigation or arbitration;
(iv) to enforce Paul Hastings policies, contracts, or other rights; (v) to
collect amounts owed to Paul Hastings; (vi) when we believe disclosure is
necessary or appropriate to prevent physical harm or financial loss, or in
connection with an investigation or prosecution of suspected or actual illegal
activity; or (vii) if in good faith we believe that disclosure is otherwise
necessary or advisable. In addition, from time to time, server logs may be
reviewed for security purposes—e.g., to detect unauthorized activity on the
Sites. In such cases, server log data containing IP addresses may be shared
with law enforcement bodies, contractors, or consultants so that they may
identify users in connection with their investigation of the unauthorized

We reserve the right to disclose or transfer any information we have about you in
the event of a proposed or actual reorganization, sale, lease, merger, joint
venture, assignment, amalgamation, or any other type of acquisition, disposal,
or financing of all or any portion of Paul Hastings or of any of our assets
(including should Paul Hastings cease to trade, become insolvent, or enter into
receivership or any similar event occur). Should such an event take place, we
will endeavor to direct the transferee to use Personal Information in a manner
that is consistent with this Privacy Statement.

Data Transfers

Paul Hastings is a global law firm, with offices, Clients, and Suppliers located
throughout the world. As a result, your Personal Information may be transferred
to other Paul Hastings offices, data centers, and servers in Europe, Asia,
South America, or the United States for the purposes identified. Any such
transfer of Personal Information shall take place only in accordance with
applicable law.

Paul Hastings will take steps designed to comply with all applicable local laws when
Processing Personal Information, including any local law conditions for and
restrictions on the transfer of Personal Information. Paul Hastings may also
protect your data through other legally valid methods, including international
data transfer agreements.

Persons located within the EEA, Switzerland or the United

Paul Hastings aims to ensure that appropriate technical and organizational security
measures and safeguards are applied when transferring Personal Information
outside of the EEA, Switzerland or the United Kingdom and that privacy rights
outlined in this Policy are preserved. Paul Hastings has established Standard
Contractual Clauses that have been recognized by the applicable data protection
authorities as providing an adequate level of protection to the Personal Information
we Process globally. Where appropriate, we enact other data protection measures
intended to ensure that all transfers of Personal Information are subject to
appropriate safeguards as defined by the regulation.


Subject to applicable law, you may have the right to obtain
confirmation regarding whether Paul Hastings Processes Personal Information
about you, request access to and receive information about the Personal
Information we maintain about you, receive copies of the Personal Information
we maintain about you, update and correct inaccuracies in your Personal
Information, object to the Processing of your Personal Information, and have
the information blocked, anonymized, or deleted, as appropriate. The right to
access Personal Information may be limited in some circumstances by local law.
To exercise these rights, please 


Where otherwise permitted by applicable law, you may use any of the methods set out
in this Privacy Statement to request access to, receive (port), or restrict
Processing, seek rectification, or request erasure of Personal Information held
about you by Paul Hastings. Such requests will be processed in line with applicable
laws. Although Paul Hastings makes good faith efforts to provide individuals
with access to their Personal Information, there may be circumstances in which
Paul Hastings is unable to provide access, including but not limited to: where
the information contains legal privilege, would compromise others’ privacy or
other legitimate rights, where the burden or expense of providing access would
be disproportionate to the risks to the individual’s privacy in the case in
question, or where the information is commercially proprietary. If Paul
Hastings determines that access should be restricted in any particular
instance, we will endeavor to provide you with an explanation of why that
determination has been made and a contact point for any further inquiries. To
protect your privacy, Paul Hastings will take commercially reasonable steps to
verify your identity before granting access to or making any changes to your
Personal Information.

Persons located within the EEA, Switzerland or the United

Paul Hastings adheres to applicable data protection laws, which, if applicable,
practicable, and required under the GDPR or other applicable law, include the
following rights:     

  • If the Processing of Personal Information is based on your
    consent, you have a right to withdraw consent at any time for future

  • You have a right to request from us, where we act as a
    Controller as defined in the law, access to and rectification of your Personal

  • You have a right to object to the Processing of your Personal

  • You have a right to lodge a complaint with the local Supervisory
    Authority in your country; and        

  • As applicable under French law, you can also send us specific
    instructions regarding the use of your Personal Information after your death,
    by submitting a written request to us at 


  • When we Process Personal Information about you, we do so with
    your consent or as necessary to provide the products you use, operate our
    business, meet our contractual and legal obligations, protect the security of
    our systems and our Clients, or fulfill other legitimate interests of Paul
    Hastings, or otherwise as described in Section 2 (“Policy”) above. When we
    transfer Personal Information from the EEA, Switzerland or the United Kingdom,
    we do so based on a variety of legal mechanisms, as described in Section 2.3
    (“Onward Transfer”) above.


Paul Hastings retains Personal Information that we receive for as long as necessary
to fulfill the purpose(s) for which the information was collected, to provide
our services and products and to resolve disputes, establish legal defenses,
conduct audits, pursue legitimate business purposes, enforce our agreements,
and comply with all applicable laws.


The security of all Personal Information provided to Paul Hastings is important to
us and we take reasonable steps designed to protect your Personal Information.
Paul Hastings maintains administrative, technical and physical safeguards
designed to protect Personal Information that is received against accidental,
unlawful, or unauthorized destruction, loss, alteration, access, disclosure or


Links to Third Party Websites

Please note that our Sites may contain links to other websites for your convenience
and information. Paul Hastings does not control Third Party websites or their
privacy practices, which may differ from those set out in this Privacy
Statement. Paul Hastings does not endorse or make any representations about
Third Party websites. Any Personal Information you choose to give to these
Third Parties is not covered by this Privacy Statement. Paul Hastings
encourages you to review the Privacy Statement of any company or website before
submitting your Personal Information. Some Third Parties may choose to share
their users’ Personal Information with Paul Hastings; that sharing is governed
by that company’s Privacy Statement, not Paul Hastings’ Privacy Statement.

Changes to this Privacy Statement

Paul Hastings may update this Privacy Statement from time to time as it deems
necessary or appropriate in its sole discretion. If there are any material
changes to this Privacy Statement, Paul Hastings will notify you by email, by
means of a notice on our Sites, or as otherwise required by applicable law.
Paul Hastings encourages you to review this Privacy Statement periodically to
be informed regarding how Paul Hastings is using and protecting your
information and to be aware of any policy changes. Any changes to this Privacy
Statement take effect immediately after being posted or otherwise provided by
Paul Hastings.


If you have any questions or comments regarding this Privacy
Statement or Paul Hastings privacy practices, or if you would like us to update
information or preferences you provided to us, you may contact us at 

If you are located in the EEA and believe Paul Hastings has not
adequately resolved any issues, you may contact the Supervisory Authority

Effective date:  December 2020

[1] Capitalized terms located throughout this
document are defined either immediately following the first reference of a
given term, or in Section 1.3 – Key Terms.