Privacy Policy

Last Updated: November 28, 2023

Introduction

We at Goodwin Procter LLP and its affiliated undertakings (“Goodwin”, “we”, “us” and/or “our”) value the relationship we have with you. For full details of our affiliated entities, please view “Legal Notices – Jurisdictions” on our website (“Site”).

This Privacy Policy explains how we collect, use, share, store and otherwise process your personal data when you use our Site, in connection with your relationship with us as a Goodwin client/recipient of our services, vendor, prospective employee, alumna or your general interest in our services, publications and events. It also explains your rights under applicable data protection laws, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), the United Kingdom General Data Protection Regulation, which is the GDPR as incorporated into UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“UK GDPR”) the Singapore Personal Data Protection Act 2012 ("PDPA") and the California Consumer Privacy Act of 2018 (“CCPA”). Information for California residents about the CCPA can be found here.

Where the GDPR or the UK GDPR applies to the processing of your personal data, and you are a visitor to the Site, the data controller for your personal data is Goodwin Procter LLP, unless we advise you otherwise. For other data subjects, including clients/recipients of our services, vendors, prospective employees and alumna, the data controller is the specific Goodwin entity with which you engage(d). The data controller decides how personal data about you is processed.

Information We Collect; Purpose of Processing

We regularly collect personal data as a law firm providing professional services. The types of personal data relating to you that we may collect, and the purposes for which we process this data, depends on the nature of your interaction with us. Please read the table below for more information, including the legal basis under which we are allowed to process your personal data.

When do we obtain your personal data? Types of personal data that we may process Purpose/legal basis for processing
When you browse or interact with us, our Site or other services, including by email and through the use of cookies and other similar technologies (for more information, read our Cookie Policy) • Name, title, gender
• Contact details (email address, physical address, phone numbers)
• Your employer
• Description of yourself, your position, your requirements or comments, and your relationship to a person
• Technical information (including your IP address, domain name, type of browser and operating system used)
• Frequency and timing of email contact and information included in email subject lines
• Your preferences
Legitimate interests (evaluative purposes or consent for Singapore), as follows:
• Getting to know clients or potential clients, colleagues, recruiters, employees, workers, consultants, service providers
• Managing business communications with our clients
• Maintaining and managing our Site
• Responding to your communication(s) with us
• Improving the quality of our communications and interaction with you
• Internal statistical analysis (which may include where our Site is being used geographically or understanding how you interact with certain emails we send you and understanding relationships and activities between our partners and their business contacts for more efficient and targeted marketing) unless we need your consent before placing analytics cookies, as described in our Cookie Policy
As part of our business intake/client onboarding procedures and when providing legal services to you or to an entity with which you are associated, including as an employee, representative, authorized signatory, director, shareholder or beneficial owner and when we provide charitable, volunteer or other such services to you or the organization you are associated with, including as a student • Name, title, gender
• Contact details (personal or business email address, telephone numbers, physical address)
• Company
• Position
• Information relating to any matter that you want to discuss with us that relates to you as an individual, which may include special categories of data
• Insurance number
• Birthday, birthplace, nationality, zipcode and any other information from identification documents
• Financial information, such as bank account details and requests relating to invoices
• Any other personal data, which may include special categories of personal data, disclosed to us when verifying your identify and screening for sanctions and negative news during “know your client checks” and during the provision of legal services, including personal data relating to a corporate client's or another's employees, customers and other individuals

Legal obligation:
• Acting in compliance with anti-money laundering regulations, sanctions requirements and any other applicable legal obligations, such as legal privilege
Legitimate interests (evaluative purposes or consent for Singapore):
• When we are required to comply with laws other than EEA, UK or Singapore laws
• In order to fulfill our contractual obligations to you when you are an entity and the processing relates to natural persons; provided you have undertaken to inform such persons of this privacy policy and obtained any necessary consents
Contract:
• Fulfilling our obligations under our engagement or other agreement with you
Consent:
• When processing special categories of personal data; unless another condition applies, such as processing that is necessary for the establishment, exercise or defence of legal claims or for carrying out our obligations under employment, social security and social protection laws
• When processing personal data relating to criminal convictions and offences or related security measures, unless another condition applies under applicable law, such as protecting an individual's vital interests, personal data manifestly made public by the data subject, or processing in connection with legal proceedings, legal advice or legal rights

When you provide data to us in order to register for an in person or virtual event or to receive event invitations, updates, or other marketing materials • Name, title, gender
• Contact details (personal or business email address, telephone numbers, physical address)
• Company
• Position
• Your communication preferences (what types of communication you want to receive, when you want to stop receiving communications, feedback, and requests relating to our communications)
• Any other personal data that you disclose to us, such as dietary and access requirements, comments, or requests

Consent (opt in):
• On the basis of the consent that you have provided us to receive certain communications
Legitimate Interests (evaluative purposes or consent for Singapore):
• When we share with co-hosts or speakers limited personal data (name, title, employer) of attendees to events we host, in order to ensure the efficient management of the event.
• When registering you for an event, in order to fulfill your event registration request

When you apply for a job, traineeship, secondment, summer placement, vacation scheme or internship • Name, title, gender, date of birth, NIN, SSN
• Results of background checks including references, qualifications, and to the extent permitted by law, criminal background checks (unspent convictions)
• Passport, work permit, visa, or other immigration documentation
• Contact details (personal, business or educational institution email address, telephone numbers, physical address)
• CV, including relevant skills and experience
• Special requirements (such as, or relating to, a disability/health issue)
• Any other personal data that you may provide to us through the application process, such as views and preferences that you disclose to us in interviews, your responses to questions, and demonstration of your skills
Legitimate Interests (evaluative purposes or consent for Singapore):
• Fulfilling our staffing requirements
• Ensuring potential recruits of any kind are appropriately qualified for positions at the firm
• When we are required to comply with laws other than EEA, UK or Singapore laws
Consent:
• On the basis of any consent that we are required to obtain under applicable law, in relation to our criminal background checks
Legal obligation:
• Acting in compliance with anti-money laundering regulations concerning screening
• Verifying your right to work lawfully in the relevant country applicable to your application
 
PLEASE NOTE
If you are applying to work at Goodwin – whether as a partner, employee, intern, trainee, secondee, vacation student, or in any other capacity please also refer to our separate recruitment privacy policies for our European offices and California residents. Please request/review these policies before submitting any personal data to us.
If you are an alumnus/a • Name, title, gender, date of birth
• Contact details (personal or business email address, telephone numbers, physical address)
• Length of time with Goodwin
• Details of your role with Goodwin
• Higher education information (graduation year, degree, schools attended)
• Communication preferences
• Any other personal data that you may provide to us through your use of our alumni/ae services or at alumni/ae events

Legitimate Interests (evaluative purposes or consent for Singapore):
• Maintaining contact with alumni/ae
• Expanding our professional networks
• Understanding your communication preferences
• Considering you for any future staffing requirements
• Facilitating your future employment and meeting practicing / regulatory requirements
Contract:
• Fulfilling our obligations under the Terms of Service for the Alumni Relations Portal

If you offer or provide services to us as our vendor • Name, title, position, employer, physical address, email address, phone numbers
• Any other personal data, which may include special categories of personal data in aggregate form, disclosed to us in a supplier audit

Contract:
• Fulfilling our obligations under our agreement with you and/or your employer

Legal obligation:
• Monitoring the risk of modern slavery in our supply chain (where applicable).

When you visit our offices and we issue you with a visitor pass, register you with building security/management and/or
capture and record your image on fixed cameras (CCTV)

• Name and email address
• Your image

Legitimate Interests (evaluative purposes or consent for Singapore):
• Helping to maintain a safe and secure environment for all employees and visitors
When we provide virtual training and record the session for future use • Your image, comments, voice, screen name Legitimate Interests (evaluative purposes or consent for Singapore):
• Fulfilling a request from you for training on specific topics on which we have expertise

Automatically Collected Data

When you interact with us through the Site or other services, we automatically collect information about you through cookies (small text files placed on your device) or other similar technologies. Please read our Cookie Policy to learn more about how we use cookies and other technologies. Our servers also record information (“log data”), including information that your browser automatically sends whenever you visit the Site. This log data includes your Internet Protocol (“IP”) address (from which we can discern the country you are connecting from at the time you visit the Site), browser type and settings, and the date and time of your request.

Where the information that we collect automatically on our Site or via other services (such as emails we send you) is personal data, our legal basis for the use of this information is that it is necessary for the purposes of our legitimate interests / evaluative purposes (as applicable) in maintaining the safe operation of our Site and learning how you interact with our Site and certain emails we send you to improve user experience.

Failure to Provide the Personal Data We Request

When we need your personal data to comply with business and/or legal obligations or to perform our contract, failure to provide this data may impact our ability to provide our services.

How We Share Your Personal Data

We share your information as follows:

  • Third party service providers. Third parties who provide services to us have access to your personal data. For the purposes described above, we engage providers of website analytics, hosting and cloud computing services and other IT services, payroll services, building management services, auditing services, consultancy services, regulatory services, legal services, CRM, marketing and sales software solutions, software platforms and services for the legal profession, translation services, event software, background checks, talent management and recruitment services, in addition to other administrative services. These parties may access, process or store personal data in the course of performing the services we have hired them to provide.
  • Event co-hosts and booking companies. We may share limited personal data with co-hosts of events we host or otherwise sponsor (such as name, title, employer) and with speakers in order to administer the event and provide a list of attendees and with booking companies (such as name, email address and phone number) in order to fulfil your registration request.
  • Administrative and legal reasons. We may disclose personal data as we deem necessary and appropriate under applicable laws, such as to comply with a subpoena, bankruptcy proceedings, or similar legal process; in response to lawful requests by public, governmental and regulatory authorities, including to meet national security or law enforcement requirements; or when we believe in good faith that disclosure is reasonably necessary to protect the property or rights of Goodwin, you or third parties, or the public at large.
  • Business transfers. We may disclose and transfer your information and data to a third party: (a) if we assign our rights regarding any of the information to a third party or (b) in connection with a corporate merger, consolidation, restructuring, sale of certain of our ownership interests, assets, or both, or other corporate change, including without limitation, during the course of any due diligence process.
  • Goodwin entities. When using your personal data for the purposes described above, we may share your personal data with other Goodwin offices around the world. Please read the International Data Transfers section below for more information on how we transfer your personal data.

International Data Transfers

For the purposes described in this Privacy Policy, we may transfer your personal data from the European Economic Area (EU Member States, Iceland, Liechtenstein and Norway) and/or the United Kingdom to a Goodwin office or a third party outside of the EEA or the UK and in a jurisdiction not subject to an adequacy decision of the European Commission or the UK Government, as applicable. We have executed an intragroup data transfer agreement which incorporates the standard contractual clauses for the transfer of data to third countries approved by the European Commission and the UK International Data Transfer Addendum approved by the UK Information Commissioner to transfer your personal data to our affiliated entities located in the United States, Singapore and Hong Kong, in order to ensure appropriate safeguards for such transfers. When we transfer your personal data to other third parties outside of the EEA or the UK, for example service providers, other counsel and accountants and other third parties involved in your matters, we will do this in accordance with applicable data protection laws and will take appropriate safeguards to ensure the integrity and protection of your personal data wherever processed. If you wish to see details of these safeguards, please contact us on dataprivacy@goodwinlaw.com.

Where your personal data is transferred by the Goodwin Singapore office to another Goodwin office or third party outside of Singapore, we will do so in compliance with the PDPA. In this regard, we will ensure that such recipient enters into legally enforceable obligations to provide a standard of protection in respect of your personal data that is comparable to the protections provided under the PDPA.

Retaining Your Personal Data

We retain your personal data only for as long as is necessary to fulfill the purposes for which it was collected and processed, in accordance with our retention policies, and in accordance with applicable laws or until you withdraw your consent (where applicable). To determine the appropriate retention period for your personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we use your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances we may anonymize your personal data so that it can no longer be associated with you, in which case it is no longer personal data.

We do not collect more personal data than we need to fulfill our purposes stated in this Privacy Policy. We may retain your personal data for an additional period to the extent deletion would require us to overwrite our automated disaster recovery backup systems or to the extent we deem it necessary to assert or defend legal claims during any relevant retention period.

Your Rights in Relation to your personal data under GDPR, UK GDPR and/or PDPA

Subject to the applicable provision of the GDPR, UK GDPR and/or PDPA, you have the following rights with respect to your personal data:

  • Right of access (commonly known as a “data subject access request”): If you ask us, we will confirm whether we are processing your personal data and, if so, provide you with a copy of that personal data along with certain other details. If you require additional copies, we may need to charge a reasonable fee.
  • Right to rectification: If your personal data is inaccurate or incomplete, you are entitled to ask that we correct or complete it.
  • Right to erasure (UK GDPR/GDPR): You may ask us to erase your personal data in some circumstances, such as where we no longer need it or you withdraw your consent (where applicable) and there is no other legal basis for processing.
  • Right to restrict processing (UK GDPR/GDPR): You may ask us to restrict or ‘block’ the processing of your personal data in certain circumstances, such as if you contest its accuracy or object to us processing it.
  • Right to data portability (UK GDPR/GDPR): You have the right to obtain your personal data from us that you consented to give us or that was provided to us as necessary in connection with our contract with you, and if the processing is carried out by automated means.
  • Right to object (UK GDPR/GDPR): You may ask us at any time to stop processing your personal data, and we will do so: (a) if we are relying on a legitimate interest (described above) to process your personal data, unless we demonstrate compelling legitimate grounds for the processing or your data is needed to establish, exercise, or defend legal claims; or (b) we are processing your personal data for direct marketing and, in such case, we may keep minimum information about you (for example, in a suppression list) as necessary for our and your legitimate interest to ensure your opt out choices are respected in the future and to comply with data protection laws.
  • Right to withdraw consent: If we rely on your consent to process your personal data, you have the right to withdraw that consent at any time, but this will not affect any processing of your data that has already taken place.
  • Right to lodge a complaint with the data protection authority: If you have a concern about our privacy practices, including the way we handled your personal data, you can report it to the data protection authority that is authorized to hear those concerns (in the United Kingdom, the Information Commissioner’s Office (ICO) at https://ico.org.uk/concerns; in Frankfurt, Der Hessische Beauftragte für Datenschutz und Informationsfreiheit at https://datenschutz.hessen.de/; in Munich, Das Bayerische Landesamt für Datenschutzaufsicht at https://www.lda.bayern.de/de/index.html; in France, Commission Nationale de l’Informatique et des Libertés (CNIL) at https://www.cnil.fr/; in Luxembourg, Commission nationale pour la protection des données (CNPD), at https://cnpd.public.lu and in Singapore, the Personal Data Protection Commission at https://www.pdpc.gov.sg/Complaints-and-Reviews

To exercise your rights under the GDPR, the UK GDPR and/or PDPA, as applicable, please send us your request as described under the “How to Contact Us” section below.

Keeping Your Personal Data Secure

We take appropriate technical and organizational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, your personal data, in accordance with our internal security procedures. Personal data may be stored on our own technology systems or those of our vendors or in paper files.

Personal Data of Children

Our Site is not directed to children who are under the age of 16 and is solely intended for adults. Goodwin does not knowingly collect personal data from children under 16. If you have reason to believe that a child under the age of 16 has provided personal data to Goodwin through the Site please contact us and we will endeavor to delete that information from our databases.

Links To Other Websites

Our Site may contain links to other sites operated by third parties, including social media websites and services. We are not responsible for information on these sites, nor for services or products offered by them. By providing these links we do not imply that we endorse or have reviewed these sites. Use of these sites, including transmitting your personal data to them, is at your own risk. The information that you share with these sites will be governed by the specific privacy policies and terms of service of these third-party sites and not by this Privacy Policy. Please contact those sites directly for information on their privacy practices and policies.

Additional Information for California Residents

Disclosures Related to Collection, Use, and Disclosure of Personal Information

Pursuant to the CCPA, we are providing the following additional details regarding the collection, use, and disclosure of personal information about California residents:

  • Categories of Personal Information Collected: In the preceding 12 months, we have collected the following categories of personal information: identifiers, characteristics of protected classifications under California or U.S. law, professional and employment-related information, education information, commercial information, internet and electronic network activity, inferences drawn about your preferences, and other categories of personal information that relates to or is reasonably capable of being associated with you. For examples of the data points we collect, please see “Information We Collect” above.
  • Business or Commercial Purpose for Collecting and Using Data: We have collected the above categories of personal information for the business purposes described in the “Information We Collect” section above.
  • Categories of Sources of Personal Information: We may have collected the above categories of personal information directly from you, automatically about your use of our Site , and from third parties, such as clients of our legal services, government and public entities, public records, industry research databases, parties and related parties in litigation matters, and others. For more detail, please see “Information We Collect” above.
  • Categories of Personal Information Disclosed: In the preceding 12 months, we have disclosed the following categories of personal information for business or commercial purposes: identifiers, characteristics of protected classifications under California or U.S. law, professional and employment-related information, education information, commercial information, internet and electronic network activity, inferences drawn about your preferences, and other categories of personal information that relates to or is reasonably capable of being associated with you.
  • Categories of Third Parties With Whom We Share Personal Information: We may share your personal information with the third parties as described in the “How We Share Your Personal Data” section above.
  • Sale of Personal Information (as defined by the CCPA): We do not sell, and in the preceding 12 months have not sold, the personal information we have collected.

Your Rights

To the extent provided for by law and subject to applicable exceptions, including but not limited to attorney-client privilege, California residents have the following privacy rights in relation to the personal information we collect:

  • The right to know what personal information we have collected and how we have used and disclosed that personal information;
  • The right to request deletion of your personal information;
  • The right to opt out of the sale of your personal information; and
  • The right to be free from discrimination relating to the exercise of any of your privacy rights.

Exercising Your Rights

California residents can exercise the above privacy rights by emailing us at dataprivacy@goodwinlaw.com, or calling toll-free us at +1 855 243 2070.

Verification: in order to protect your personal information from unauthorized access or deletion, we may ask you to provide additional personal information for verification. If we cannot verify your identity, we will not provide or delete your personal information.

Authorized Agents: you may submit a request to know or a request to delete your personal information through an authorized agent. If you do so, the agent must present signed written permission to act on your behalf and you may also be required to independently verify your identity with us and confirm that you have provided authorization to the agent.

California “Shine the Light” Disclosures

Pursuant to California Civil Code Section 1798.83(c)(2), California law requires us to inform California residents who have provided us with personal information that they may request information from us about our disclosures to third parties for their direct marketing purposes. To request this information, please contact us at dataprivacy@goodwinlaw.com

Changes to this Privacy Policy

We reserve the right to amend this Privacy Policy from time to time to reflect changing legal requirements or our processing practices. Any such changes will be posted on this Site and will be effective upon posting. If we make a material change to this Privacy Policy, we will provide you with notice in accordance with the applicable law.

How to Contact Us

If you have any questions about our Privacy Policy, or if you would like to access personal data we hold about you or exercise your other rights under the applicable law, you can contact us toll free at +1 855 243 2070 at Goodwin Procter LLP, 100 Northern Avenue, Boston, MA 02210, or on dataprivacy@goodwinlaw.com. For our German and Singapore offices, please see our Legal Notices for contact information regarding the local Data Protection Officer.

Goodwin Procter (UK) LLP is required to designate a representative in the EU that can be addressed by data subjects in addition to or instead of it on all issues related to the processing of personal data under the GDPR. Its representative in the EU is Goodwin Procter (France) LLP, 12 rue d’Astorg, 75 008 Paris.

Goodwin Procter (France) LLP, Goodwin Procter (Luxembourg), and Goodwin Procter LLP (in respect of its branch offices in Frankfurt and in Munich) are each required to designate a representative in the UK that can be addressed by data subjects in addition to or instead of them on all issues related to the processing of personal data under the UK GDPR. Their representative in the UK is Goodwin Procter (UK) LLP, 100 Cheapside, London EC2V 6DT.

Please also refer to our Cookie Policy, which explains the use of cookies via our Site and other services.