Scope Of Privacy Policy
Like most businesses, Goodwin Procter (UK) LLP, Goodwin Procter (France) LLP, Goodwin Procter LLP (acting through its branch offices in Germany) and Goodwin Procter Luxembourg (each a “Goodwin entity” and together, “we”, “us”, “our”) hold and process a wide range of information, which relates to the individuals who apply, and those we recruit, to work for us. Our branch offices in Germany also hold and process information that relates to potential candidates for positions at their offices in Frankfurt and Munich as part of their talent relationship management process (the “TRM process”). This Policy explains the type of information we process, why we are processing it and how that processing may affect you.
This Policy also includes the Supplementary Information contained in Appendix A, wherein we explain what we mean by “personal data”, “processing”, “special categories of personal data” and other terms used in this Policy.
In brief, this Policy explains:
- what personal data we hold and why we process it;
- the legal grounds that allow us to process your personal data;
- where the personal data comes from, who gets to see it and how long we keep it;
- how to access your personal data and other rights; and
- how to contact us.
Personal Data – What We Hold and Why We Process It
We process personal data for the purposes of our business, including recruitment, management, administrative, employment and legal purposes. The Supplementary Information provides more specific information on these purposes, on the type of data that may be processed and on the grounds on which we process data in the context of recruitment. See What are the legal grounds for processing? and Further information on the data we process and our purposes.
Where The Data Comes From and Who Gets To See It
Some of the personal data that we process about you comes from you. For example, you tell us your contact details and work history. If you are joining us, you may provide your banking details.
Other personal data may come from third parties, such as recruiters acting on your or our behalf or from your references.
Your personal data will be seen internally by administrators, HR, lawyers and managers involved in the interview and decision-making process, and, in some circumstances (if you accept an offer to join us), colleagues. Personal data of people who are part of the German TRM process will be seen internally by the German HR department. We may, where necessary and as set out in this Policy, also pass your data outside the firm.
Further information on this is provided in the Supplementary Information. See Where the data comes from and Who gets to see your data?
How Long Do We Keep Your Personal Data?
We keep your personal data in line with our document retention policy, and as described below under Retaining your personal data – more information in the Supplementary Information, and in any event we will not retain it for longer than is necessary for our lawful purposes.
International Transfers of Personal Data
We may transfer your personal data outside of the EEA or the UK (as applicable) to other Goodwin offices in our international network and to third parties, who provide services to us and to you.
Further information on these transfers and the measures taken to safeguard your data are set out in the Supplementary Information under International transfers of personal data – more information.
Your Data Rights
You have a right to make a subject access request to receive information about the personal data that we process about you. Further information on this and on other rights that you have in respect of your personal data is in the Supplementary Information under Access to your personal data and other rights. We also explain how to make a complaint about our processing of your personal data.
Controller Contact Details
In processing your personal data, we act as a data controller. This means that we determine the purposes and means of the processing of your personal data. In most cases, the controller for your personal data will be the Goodwin entity to which you apply for work, and you would contact them by email on dataprivacy@goodwinlaw.com and at the following office addresses:
London:
Goodwin Procter (UK) LLP
Sancroft
10-15 Newgate Street
London EC1A 7AZ
Cambridge:
Goodwin Procter (UK) LLP
50-60 Station Rd
Cambridge CB1-2JH
Frankfurt:
Goodwin Procter LLP
TaunusTurm, Taunustor 1
60310 Frankfurt am Main
Munich:
Goodwin Procter LLP
Max-Joseph-Straße 2
80333 München
The Data Protection Officer (Datenschutzbeauftragter) for the Frankfurt and Munich offices, appointed in accordance with the GDPR and the requirements of the German Federal Data Protection Act, can be contacted at IITR Datenschutz GmbH, Dr. Sebastian Kraska, Marienplatz 2, 80331 München.
Paris:
Goodwin Procter (France) LLP
12 rue d’Astorg
75008 Paris
Luxembourg:
Goodwin Procter (Luxembourg)
Royal Park
29 Avenue de la Porte-Neuve
L-2227 Luxembourg
EU and UK Representatives Contact Details
Goodwin Procter (UK) LLP is required to designate a representative in the EU that can be addressed by data subjects in addition to or instead of it on all issues related to the processing of personal data under the GDPR. Its representative in the EU is:
Goodwin Procter (France) LLP
12 rue d’Astorg
75008 Paris
Goodwin Procter (France) LLP, Goodwin Procter (Luxembourg), and Goodwin Procter LLP (in respect of its branch office in Frankfurt) are each required to designate a representative in the UK that can be addressed by data subjects in addition to or instead of them on all issues related to the processing of personal data under the UK GDPR. Their representative in the UK is:
Goodwin Procter (UK) LLP
Sancroft
10-15 Newgate Street
London EC1A 7AZ
Status of this Policy
This Policy does not form part of any contract of employment you might enter into and does not create contractual rights or obligations. It may be amended by us at any time. Nothing in this Policy is intended to create an employment relationship between any Goodwin entity and any non-employee.
Last updated: May 2024
APPENDIX A: SUPPLEMENTARY INFORMATION
WHAT DO WE MEAN BY “PERSONAL DATA” AND “PROCESSING”?
“Personal data” is information relating to a natural person, from which such person may be identified. It includes not only facts about you, but also intentions and opinions about you.
“Processing” means doing anything with the personal data, whether or not by automated means, such as collecting, holding, disclosing and deleting the data. Examples of personal data processed automatically include information held on, or relating to use of, a computer, laptop, mobile phone or similar device. It covers data derived from equipment such as access passes within a building and sound and image data such as CCTV or photographs.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) and the United Kingdom General Data Protection Regulation, which is the GDPR as incorporated into UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“UK GDPR”) apply to the processing of personal data by automated means and otherwise when that data forms (or is intended to form) part of a filing system.
Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, health, sexual orientation, sex life, trade union membership and genetic and biometric data are subject to special protection and considered by the GDPR and the UK GDPR to be “special categories of personal data”.
References in this Policy to employment, work (and similar expressions) include any arrangement we may have under which an individual provides us with work or services, or applies for such work or services. By way of example, when we mention an “employment contract”, that includes a contract under which you provide us with services; when we refer to ending your potential employment, that includes terminating a contract for services. We use the word “you” to refer to anyone within the scope of this Policy.
WHAT ARE THE LEGAL GROUNDS FOR PROCESSING?
Under the GDPR and the UK GDPR (as applicable), there are various grounds on which we can rely when processing your personal data. In some contexts more than one ground applies. We have summarised these grounds as Contract, Legal Obligation, Legitimate Interests and Consent and outline what those terms mean in the following table. When processing your personal data for the purpose of recruitment in our German offices, we also rely on §26 of the German Bundesdatenschutzgesetz (BDSG), which applies to data processing for employment related purposes.
Term | Ground for Processing | Explanation |
Contract | Processing necessary for performance of a contract with you or to take steps at your request to enter a contract | This covers carrying out our contractual duties, exercising our contractual rights and taking the necessary steps to prepare your employment contract. |
Legal Obligation | Processing necessary to comply with our legal obligations | Ensuring we perform our legal and regulatory obligations. For example, depending on applicable law, providing a safe place of work, avoiding unlawful discrimination, including with regard to disabled workers and complying with our obligations relating to equality and diversity, fulfilling our obligations of tax and social declarations, and responding to relevant regulators, immigration authorities and other government departments or public bodies. |
Legitimate Interests | Processing necessary for our or a third party’s legitimate interests | We or a third party have legitimate interests in carrying on, managing and administering our respective businesses effectively and properly and in connection with those interests processing your data. This includes in particular our legitimate interest to assess your suitability for the proposed job. Personal data will not be processed on this basis if our or a third party’s interests are overridden by your own interests or fundamental rights and freedoms. |
Consent | You have given specific consent to processing your data | In general, processing your data in connection with employment is not conditional on your consent (even for processing special categories of personal data). However, there may be occasions where we do specific things, such as obtain medical reports, and rely on your consent to our doing so, where permitted by applicable law. |
Processing special categories of personal data
If we process special categories of personal data about you, as well as ensuring that one of the legal grounds for processing listed in the table above applies, we will make sure that the processing is:
- necessary for the purposes of your or our obligations and rights in relation to employment in so far as it is authorised by law or collective agreement;
- related to data about you that you have made manifestly public;
- necessary for the purpose of establishing, making or defending legal claims;
- necessary for provision of health care or treatment, medical diagnosis, and assessment of your working capacity, where permitted by applicable law;
- for equality and diversity purposes to the extent permitted by applicable law; or
- subject to your explicit consent.
If we make you an offer, or earlier in the recruitment process if necessary, we will collect the following special categories of personal data:
UK offices:
- your health data as needed to allow us to comply with relevant employment laws, such as details of your disability in order to provide you with reasonable adjustments;
- your diversity data to promote equality of opportunity in our workplace and to recruit ethnically diverse people for senior roles;
- your criminal conviction and offences data as necessary to meet the requirements of UK money laundering regulations with respect to certain categories of employees and in connection with any legal proceedings, in order to obtain any legal advice or otherwise as necessary to establish, exercise or defend a legal claim.
German offices:
- details of any disability or incapacity; medical and sickness certificates; and medical data and other documents required to confer special benefit status, where applicable; and
- information about your religion if required for tax purposes and in compliance with German law and trade union affiliation, if you have informed us of your trade union membership and/or asked us to make payments to trade unions or for religious tax on your behalf.
Further information on the data we process and our purposes
This Policy outlines the purposes for which we process your personal data. More specific information on these purposes, including examples of the personal data that may be processed and the grounds on which we process such data, is included in the table below for illustrative purposes and is not meant to be exhaustive.
Purpose | Examples of personal data that may be processed | Grounds for Processing |
Recruitment in relation to any role for which you apply, we recruit you for and/or any role we think you might be suitable for in the future | Name, address, email address, ID information and related documents, place of birth, contact details, professional experience, education (including university degrees, academic records, professional licenses, memberships and certifications, awards and achievements, and current and previous employment details), financial information (including current salary information), language skills, and any other personal data that you present us with as part of your application related to the fulfilment of the role (which may include special categories of personal data, such as ethnicity, LGBTQ+, and disability, as permitted by applicable law). In the UK, background data (on whether your parents attended university, whether you hold refugee or asylum seeker status, whether you are, or have been, a parent or a registered carer, whether you had free school meals, whether you have ever been in local authority care, whether you undertook paid work during school or university term time), and whether or not you applied to work for another Goodwin affiliated entity. Information concerning your application and our assessment of it, interview notes and meeting history, your references, social media checks (in the UK and in Luxembourg for certain roles), any checks we may make to verify information and any information connected with your right to work in the relevant country. If we decide to hire you, if necessary, we will also process information concerning your health (UK) and/or any disability/incapacity (all offices) in connection with any adjustments needed to working arrangements. | Substantial Public Interest (UK); Contract; Legal Obligation; Legitimate Interests; §26 BDSG (German offices) |
Administering our recruitment process | Your experience and qualifications for the position you are applying for (or any future job for which we think you are suitable). Data you enter into our online careers portal. Data we receive from our online recruitment sourcing tool. Communications with you in respect of any offer of employment we choose to make and providing you with information about our onboarding process. | Contract; Legal Obligation; Legitimate Interests; §26 BDSG (German offices) |
To remain in contact with potential recruitment candidates for our Germany offices that have been identified at job fairs, etc. (our TRM process) and alert them to suitable job openings | Name, email address, date of birth, CV, grades, university attended, work certificates, and any other relevant information | Contract |
Assessing communication and working styles, risks, issues of importance, and conducting psychometric analysis of personality type through surveys or questionnaires administered by external vendors for coaching, to aid interviewing best practice, and for providing developmental feedback | Name, email address, IP address, gender, language, communication styles, and work preferences | Legitimate Interest |
Conducting pre-employment screening to assess your suitability for employment (if you are made an offer by us) | Criminal records, credit worthiness, standing and capacity, sex offender records, insolvency records, bankruptcy filings, civil litigation history and national insurance numbers (UK offices). Certificate of Conduct issued by the German Federal Office of Justice and credit rating from SCHUFA (German offices). Extracts from your criminal record, i.e., “B3”, when this is necessary for the position you are applying for (Paris office). Education records, previous employment records, legal admissions, certificates of good standing and media publications (all offices). | Contract; Legitimate Interest; Legal Obligation; Consent; §26 BDSG (German offices) |
Entering into a contract with you (if you are made an offer by us) | Information on your terms of employment from time to time, including your hours and working patterns, your pay and benefits, such as your participation in pension arrangements, life and medical insurance, and any bonus schemes. | Contract; Legal Obligation; Legitimate Interests; §26 BDSG (German offices) |
Payroll administration / partnership accounts / communication with social bodies (for the Paris, Luxembourg and German offices) (if you are made an offer by us) | Information on your bank account, pension contributions and tax (except that tax number of potential employees cannot be collected in France), national insurance, social security numbers or other government issued identifier as permitted by applicable law. | Contract; Legal Obligation; Legitimate Interests; §26 BDSG (German offices) |
Financial planning and budgeting | Information such as your proposed salary and (if applicable) envisaged bonus levels. | Legitimate Interests; §26 BDSG (German offices) |
Physical and system security | CCTV images upon attendance for interviews at our premises. | Legal Obligation; Legitimate Interests; §26 BDSG (German offices) |
Providing information to third parties in connection with transactions that we contemplate | Information on any offer made to you and your proposed contract and other employment data that may be required by a party to a transaction such as a prospective purchaser, seller or outsourcer. | Legitimate Interests; §26 BDSG (German offices) |
Monitoring of diversity and equal opportunities | Information on your nationality, gender, disability and age; and for the UK, also information on your racial and ethnic origin and sexual orientation. | Legitimate Interests; Legal Obligation; §26 BDSG (German offices); Substantial Public Interest |
Disputes and legal proceedings | Any information relevant or potentially relevant to a dispute or legal proceeding affecting us. | Legitimate Interests; Legal Obligation; §26 BDSG (German offices) |
Complying with data subject rights | Information necessary to comply with rights asserted by you over the personal data that we process. | Legal Obligation; §26 BDSG (German offices) |
Complying with legal and regulatory obligations | Any information relevant to reports we are required to make to a regulator/law enforcement, e.g., information relevant to a suspected crime or wrongdoing. | Legal Obligation |
Please note that if you accept an offer from us, we will process further information as part of the employment relationship. We will provide you with our full Workplace Privacy Policy (European offices) as part of the on-boarding process.
Where the data comes from
When you apply to work for us, the initial data about you that we process is likely to come from you, for example from your CV/application/interview, as applicable. Where necessary and in accordance with this Policy, we will require references and information to carry out background checks. If you do not provide information that you are required by statute or contract to give us, you may lose benefits or we may decide not to employ you. If you have concerns about this in a particular context, you should speak to your recruiter or our HR department.
Please note we may also receive data from third party recruiters/recruitment tools, agents and similar organisations, and social media (in the UK and in Luxembourg for certain roles) as a part of the recruitment process.
When you are part of the German TRM process, the personal data we process comes from you.
Who gets to see your data?
Internal use: Where necessary and as set out in this Policy, your personal data will be disclosed to relevant lawyers, HR and administrators for the purposes of your application. We will also disclose this to other Goodwin affiliated entities where necessary for decision making regarding your application – this will depend on the type of role you are applying for. These affiliated entities may also process your personal data if you visit their offices, for instance, in order to provide IT support, access to systems, and for purposes of security.
Personal data of people who are part of the German TRM process will be seen by the German HR department.
External use: We will only disclose your personal data (see the table at paragraph 4 above) outside a Goodwin entity if disclosure is consistent with a ground for processing on which we rely and doing so is lawful and fair to you.
Please note that when we disclose your data in such circumstances we will ensure that any necessary due diligence has been undertaken on the recipient and any necessary contractual documentation is in place to ensure the integrity and security of the data as required by law.
Specific circumstances in which your personal data may be disclosed include:
- Disclosure to organisations / vendors that process data on our behalf (such as our payroll service, our bank, vendors that host or support our IT systems and data - this would normally occur if you accept an offer from us and would be carried out as part of the on-boarding process);
- Disclosure to third party recruitment consultants and similar businesses (including online recruitment portals) as a part of the recruitment process;
- Disclosure to any regulator in order to comply with relevant laws;
- In our UK offices, disclosure to a third party background report service provider for the purposes of conducting pre-employment screening in relation to the following areas (as applicable to the role you are applying for): education verification; previous employment verification; legal / bar admissions; criminal records; credit worthiness; standing and capacity; sex offender notification and disclosure scheme; insolvency; bankruptcy filings; and civil litigation.
- Disclosure on a confidential basis to our advisers, for example to our external lawyers for the purposes of seeking legal advice; and
- Disclosure to a third party HR management system which tracks your application and stores your personal data for us once you have made an application.
We also use a third party HR management system which tracks your application and stores your personal data for us once you have made an application.
Retaining your personal data – more information
We will retain your personal data in line with our document retention policy, and in any event we will not keep it for longer than is necessary for our lawful purposes.
In general, if you are successful in becoming employed by us, we will keep your personal data for the duration of your employment and for a period afterwards. In considering how long to keep it, we will take into account its relevance to our business and your employment either as a record or in the event of a legal claim.
If you are unsuccessful in gaining employment with us, we will keep personal data from your application and interview(s) for: (i) 6 months (Germany), and (ii) approximately 12 months (UK, Paris, Luxembourg) after informing you that you were unsuccessful as a record, in the event of a legal claim, and to consider you for other roles. However, any criminal record data processed in accordance with applicable law will not be retained.
If we are processing your personal data in connection with the TRM process, we will retain this data for 6 months after your last point of contact with us.
If your data is only useful for a short period, or we are only permitted by law to retain it for a specified period of time (for example, CCTV footage), we will delete it more frequently.
International transfers of personal data – more information
In connection with our business and for recruitment, administrative, management and legal purposes, we transfer your personal data outside the EEA (EU Member States, Iceland, Liechtenstein and Norway) or the UK (as applicable) to other Goodwin offices in our international network and to third parties, including to countries that may have data protection laws less stringent than or otherwise different from the laws in effect in the country in which you are located.
When we transfer your personal data to:
- Goodwin offices located in the United States, Singapore and Hong Kong, we do so in reliance on an intragroup data transfer agreement which incorporates the standard contractual clauses for the transfer of data to third countries approved by the European Commission and the UK Addendum approved by the UK Information Commissioner (together the “SCCs”). These Goodwin offices will from time to time transfer your personal data onward to third parties outside of the UK and the EEA in accordance with the terms of the SCCs;
- Goodwin offices and/or other third parties located in the EU or the UK, we do so where necessary in reliance on a decision by the European Commission or the UK government (as applicable) that the data privacy regimes of the EEA or the UK (as applicable) ensure an adequate level of protection (“Adequacy Decision”), so additional safeguards are not needed to transfer your personal data there; and
- third parties located outside of the UK or the EEA, for example to our service providers, external recipients of electronic communications, other counsel, accountants, insurers and advisors, we do so in reliance on an Adequacy Decision, SCCs or your consent.
If you wish to see details of these safeguards, please contact dataprivacy@goodwinlaw.com.
Access to your personal data and other rights
You have the following rights with respect to your data:
- Right of access (commonly known as a “data subject access request”): If you ask us, we will confirm whether we are processing your personal data and, if so, provide you with a copy of that personal data along with certain other details. If you require additional copies, we may need to charge a reasonable fee.
- Right to rectification: If your personal data is inaccurate or incomplete, you are entitled to ask that we correct or complete it.
- Right to erasure: You may ask us to erase your personal data in some circumstances, such as where we no longer need it or you withdraw your consent (where applicable) and there is no other legal basis for processing.
- Right to restrict processing: You may ask us to restrict or ‘block’ the processing of your personal data in certain circumstances, such as if you contest its accuracy or object to us processing it.
- Right to data portability: You have the right to obtain your personal data from us that you consented to give us or that was provided to us as necessary in connection with our contract with you, and if the processing is carried out by automated means.
- Right to object: You may ask us at any time to stop processing your personal data, and we will do so: (a) if we are relying on a legitimate interest to process your personal data, unless we demonstrate compelling legitimate grounds for the processing or your data is needed to establish, exercise, or defend legal claims; or (b) we are processing your personal data for direct marketing and, in such case, we may keep minimum information about you (for example, in a suppression list) as necessary for our and your legitimate interest to ensure your opt out choices are respected in the future and to comply with data protection laws.
- Right to withdraw consent: If we rely on your consent to process your personal data, you have the right to withdraw that consent at any time, but this will not affect any processing of your data that has already taken place.
If you are hired to work for our Paris office, you will have the right under French data protection laws to provide instructions regarding the management of your personal data after your death.
If you wish to exercise your rights, please contact your HR contact and/or dataprivacy@goodwinlaw.com.
Complaints
If you have complaints relating to our processing of your personal data, you should raise these with HR in the first instance. You may also raise complaints with the relevant Data Protection Authority, as detailed below:
United Kingdom:
Information Commissioner’s Office (ICO). For contact and other details please contact our HR department or see: https://ico.org.uk/ICO.
France:
Commission Nationale de l’Informatique et des Libertés (CNIL). For contact and other details please contact our HR department or see: https://www.cnil.fr/
Frankfurt:
Der Hessische Beauftragte für Datenschutz und Informationsfreiheit. For contact and other details please contact our HR department or see: https://datenschutz.hessen.de/
Munich:
Das Bayerische Landesamt für Datenschutzaufsicht. For contact and other details, please contact our HR department or see https://www.lda.bayern.de/de/index.html
Luxembourg:
Commission nationale pour la protection des données (CNPD). For contact and other details please contact our HR department or see: https://cnpd.public.lu