Last Updated: April 20, 2021
We at Goodwin Procter LLP and its affiliated undertakings (“Goodwin”, “we”, “us” and/or “our”) value the relationship we have with you. For full details of our affiliated entities, please view “Legal Notices – Jurisdictions” on our website (“Site”).
Where the GDPR or the UK GDPR applies to the processing of your personal data, and you are a visitor to the Site, the data controller for your personal data is Goodwin Procter LLP, unless we advise you otherwise. For other data subjects, including clients/recipients of our services, vendors, prospective employees and alumna, the data controller is the specific Goodwin entity with which you engage(d). The data controller decides how personal data about you is processed.
Information We Collect; Purpose of Processing
We regularly collect personal data as a law firm providing professional services. The types of personal data relating to you that we may collect, and the purposes for which we process this data, depends on the nature of your interaction with us. Please read the table below for more information. Under the GDPR and the UK GDPR, we are required to specify the legal basis under which we are allowed to process your personal data – this information is also described below.
|How we obtain your personal data||Types of personal data that we may process||Purpose/legal basis for processing|
• Contact details (email address, physical address, phone numbers)
• Your employer
• Description of yourself, your position, your requirements or comments, and your relationship to a person
• Technical information (including your IP address, domain name, type of browser and operating system used)
• Your preferences
|Legitimate interests, as follows:
• Getting to know clients or potential clients, colleagues, recruiters, employees, workers, consultants, service providers
• Managing business communications with our clients
• Maintaining and managing our Site
• Responding to your communication(s) with us
• Improving the quality of our communications and interaction with you
|As part of our business intake/client onboarding procedures and when providing legal services to you or to an entity with which you are associated, including as an employee, representative, authorized signatory, director, shareholder or beneficial owner and when we provide charitable, volunteer or other such services to you or the organization you are associated with, including as a student||• Name, title, gender
• Contact details (personal or business email address, telephone numbers, physical address)
• Information relating to any matter that you want to discuss with us that relates to you as an individual, which may include special categories of data
• Information from identification documents
• Financial information, such as bank account details and requests relating to invoices
• Any other personal data, which may include special categories of personal data, disclosed to us during the provision of legal services, such as in phone or email correspondence and including personal data relating to a corporate client's or another's employees, customers and other individuals
|When you provide data to us in order to register for an in person or virtual event or to receive event invitations, updates, or other marketing materials||•Name, title, gender
•Contact details (personal or business email address, telephone numbers, physical address)
•Your communication preferences (what types of communication you want to receive, when you want to stop receiving communications, feedback, and requests relating to our communications)
•Any other personal data that you disclose to us, such as dietary and access requirements, comments, or requests
Consent (opt in):
|When you apply for a job, traineeship, secondment, summer placement, vacation scheme or internship||•Name, title, gender, date of birth, NIN, SSN
•Results of background checks including references, qualifications, and to the extent permitted by law, criminal background checks (unspent convictions)
•Passport, work permit, visa, or other immigration documentation
•Contact details (personal, business or educational institution email address, telephone numbers, physical address)
•CV, including relevant skills and experience
•Special requirements (such as, or relating to, a disability/health issue)
•Any other personal data that you may provide to us through the application process, such as views and preferences that you disclose to us in interviews, your responses to questions, and demonstration of your skills
•Fulfilling our staffing requirements
•Ensuring potential recruits of any kind are appropriately qualified for positions at the firm
•When we are required to comply with laws other than EEA laws
•On the basis of any consent that we are required to obtain under applicable law, in relation to our criminal background checks
•Acting in compliance with anti-money laundering regulations concerning screening
•Verifying your right to work lawfully in the relevant country applicable to your application
If you are applying to work at Goodwin – whether as a partner, employee, intern, trainee, secondee, vacation student, or in any other capacity please also refer to our separate recruitment privacy policies for our European offices and California residents. Please request/review these policies before submitting any personal data to us.
|If you are an alumnus/a||•Name, title, gender, date of birth
•Contact details (personal or business email address, telephone numbers, physical address)
•Length of time with Goodwin
•Details of your role with Goodwin
•Higher education information (graduation year, degree, schools attended)
•Any other personal data that you may provide to us through your use of our alumni/ae services or at alumni/ae events
|If you offer or provide services to us as our vendor||•Name, title, position, employer, physical address, email address, phone numbers
• Any other personal data, which may include special categories of personal data in aggregate form, disclosed to us in a supplier audit
|When you visit our offices and we capture and record your image on fixed cameras (CCTV)||•Your image||Legitimate interests:
•Helping to maintain a safe and secure environment for all employees and visitors
Automatically Collected Data
Where the information that we collect automatically on our Site is personal data, our legal basis for the use of this information is that it is necessary for the purposes of our legitimate interests in maintaining the safe operation of our Site and learning how Site visitors interact with our Site to improve your use of it.
Failure to Provide the Personal Data We Request
When we need your personal data to comply with legal obligations or to perform our contract, failure to provide this data may impact our ability to provide our services.
How We Share Your Personal Data
We share your information as follows:
- Third party service providers. Third parties who provide services to us have access to your personal data. For the purposes described above, we engage providers of website analytics, hosting and cloud computing services and other IT services, payroll services, auditing services, consultancy services, regulatory services, legal services, CRM, marketing and sales software solutions, software platforms and services for the legal profession, translation services, event software providers, background checks, talent management and recruitment services, in addition to other administrative services. Pursuant to our instructions, these parties may access, process or store personal data in the course of performing their duties to us and solely in order to perform the services we have hired them to provide.
- Event co-hosts. We may share limited personal data (name, title, employer) with co-hosts of events we host or otherwise sponsor in order to administer the event and provide a list of attendees.
- Administrative and legal reasons. We may disclose personal data as we deem necessary and appropriate under applicable laws, such as to comply with a subpoena, bankruptcy proceedings, or similar legal process; in response to lawful requests by public, governmental and regulatory authorities, including to meet national security or law enforcement requirements; or when we believe in good faith that disclosure is reasonably necessary to protect the property or rights of Goodwin, you or third parties, or the public at large.
- Business transfers. We may disclose and transfer your information and data to a third party: (a) if we assign our rights regarding any of the information to a third party or (b) in connection with a corporate merger, consolidation, restructuring, sale of certain of our ownership interests, assets, or both, or other corporate change, including without limitation, during the course of any due diligence process.
- Goodwin entities. When using your personal data for the purposes described above, we may share your personal data with other Goodwin offices around the world. Please read the International Data Transfers section below for more information on how we transfer your personal data.
International Data Transfers
Retaining Your Personal Data
We retain your personal data only for as long as is necessary to fulfill the purposes for which it was collected and processed, in accordance with our retention policies, and in accordance with applicable laws or until you withdraw your consent (where applicable). To determine the appropriate retention period for your personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we use your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances we may anonymize your personal data so that it can no longer be associated with you, in which case it is no longer personal data.
Your Rights in Relation to Your Personal Data under GDPR
Subject to the applicable provision of the GDPR and the UK GDPR, you have the following rights with respect to your personal data:
- Right of access (commonly known as a “data subject access request”): If you ask us, we will confirm whether we are processing your personal data and, if so, provide you with a copy of that personal data along with certain other details. If you require additional copies, we may need to charge a reasonable fee.
- Right to rectification: If your personal data is inaccurate or incomplete, you are entitled to ask that we correct or complete it.
- Right to erasure: You may ask us to erase your personal data in some circumstances, such as where we no longer need it or you withdraw your consent (where applicable) and there is no other legal basis for processing.
- Right to restrict processing: You may ask us to restrict or ‘block’ the processing of your personal data in certain circumstances, such as if you contest its accuracy or object to us processing it.
- Right to data portability: You have the right to obtain your personal data from us that you consented to give us or that was provided to us as necessary in connection with our contract with you, and if the processing is carried out by automated means.
- Right to object: You may ask us at any time to stop processing your personal data, and we will do so: (a) if we are relying on a legitimate interest (described above) to process your personal data, unless we demonstrate compelling legitimate grounds for the processing or your data is needed to establish, exercise, or defend legal claims; or (b) we are processing your personal data for direct marketing and, in such case, we may keep minimum information about you (for example, in a suppression list) as necessary for our and your legitimate interest to ensure your opt out choices are respected in the future and to comply with data protection laws.
- Right to withdraw consent: If we rely on your consent to process your personal data, you have the right to withdraw that consent at any time, but this will not affect any processing of your data that has already taken place.
- Right to lodge a complaint with the data protection authority: If you have a concern about our privacy practices, including the way we handled your personal data, you can report it to the data protection authority that is authorized to hear those concerns (in the United Kingdom, the Information Commissioner’s Office (ICO) at https://ico.org.uk/concerns; in Frankfurt, Der Hessische Beauftragte für Datenschutz und Informationsfreiheit at https://datenschutz.hessen.de/; in France, Commission Nationale de l’Informatique et des Libertés (CNIL) at https://www.cnil.fr/; in Luxembourg, Commission nationale pour la protection des données (CNPD), at https://cnpd.public.lu.)
To exercise your rights under the GDPR or the UK GDPR, as applicable, please send us your request as described under the “How to Contact Us” section below.
Keeping Your Personal Data Secure
We take appropriate technical and organizational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, your personal data, in accordance with our internal security procedures. Personal data may be stored on our own technology systems or those of our vendors or in paper files.
Personal Data of Children
Our Site is not directed to children who are under the age of 16 and is solely intended for adults. Goodwin does not knowingly collect personal data from children under 16. If you have reason to believe that a child under the age of 16 has provided personal data to Goodwin through the Site please contact us and we will endeavor to delete that information from our databases.
Links To Other Websites
Pursuant to the CCPA, we are providing the following additional details regarding the collection, use, and disclosure of personal information about California residents:
- Categories of Personal Information Collected: In the preceding 12 months, we have collected the following categories of personal information: identifiers, characteristics of protected classifications under California or U.S. law, professional and employment-related information, education information, commercial information, internet and electronic network activity, inferences drawn about your preferences, and other categories of personal information that relates to or is reasonably capable of being associated with you. For examples of the data points we collect, please see “Information We Collect” above.
- Business or Commercial Purpose for Collecting and Using Data: We have collected the above categories of personal information for the business purposes described in the “Information We Collect” section above.
- Categories of Sources of Personal Information: We may have collected the above categories of personal information directly from you, automatically about your use of our Site , and from third parties, such as clients of our legal services, government and public entities, public records, industry research databases, parties and related parties in litigation matters, and others. For more detail, please see “Information We Collect” above.
- Categories of Personal Information Disclosed: In the preceding 12 months, we have disclosed the following categories of personal information for business or commercial purposes: identifiers, characteristics of protected classifications under California or U.S. law, professional and employment-related information, education information, commercial information, internet and electronic network activity, inferences drawn about your preferences, and other categories of personal information that relates to or is reasonably capable of being associated with you.
- Categories of Third Parties With Whom We Share Personal Information: We may share your personal information with the third parties as described in the “How We Share Your Personal Data” section above.
- Sale of Personal Information (as defined by the CCPA): We do not sell, and in the preceding 12 months have not sold, the personal information we have collected.
To the extent provided for by law and subject to applicable exceptions, including but not limited to attorney-client privilege, California residents have the following privacy rights in relation to the personal information we collect:
- The right to know what personal information we have collected and how we have used and disclosed that personal information;
- The right to request deletion of your personal information;
- The right to opt out of the sale of your personal information; and
- The right to be free from discrimination relating to the exercise of any of your privacy rights.
Exercising Your Rights
California residents can exercise the above privacy rights by emailing us at email@example.com, or calling toll-free us at +1 855 243 2070.
Verification: in order to protect your personal information from unauthorized access or deletion, we may ask you to provide additional personal information for verification. If we cannot verify your identity, we will not provide or delete your personal information.
Authorized Agents: you may submit a request to know or a request to delete your personal information through an authorized agent. If you do so, the agent must present signed written permission to act on your behalf and you may also be required to independently verify your identity with us and confirm that you have provided authorization to the agent.
California “Shine the Light” Disclosures
Pursuant to California Civil Code Section 1798.83(c)(2), California law requires us to inform California residents who have provided us with personal information that they may request information from us about our disclosures to third parties for their direct marketing purposes. To request this information, please contact us at firstname.lastname@example.org.
How to Contact Us
Goodwin Procter (UK) LLP is required to designate a representative in the EU that can be addressed by data subjects in addition to or instead of it on all issues related to the processing of personal data under the GDPR. Its representative in the EU is Goodwin Procter (France) LLP, 12 rue d’Astorg, 75 008 Paris.
Goodwin Procter (France) LLP, Goodwin Procter (Luxembourg), and Goodwin Procter LLP (in respect of its branch office in Frankfurt) are each required to designate a representative in the UK that can be addressed by data subjects in addition to or instead of them on all issues related to the processing of personal data under the UK GDPR. Their representative in the UK is Goodwin Procter (UK) LLP, 100 Cheapside, London EC2V 6DT.