Privacy Policy

Last Updated: January 3, 2020


We at Goodwin Procter LLP and its affiliated undertakings (“Goodwin”, “we”, “us” and/or “our”) respect your privacy and value the relationship we have with you. For full details of our affiliated entities, please view “Legal Notices – Jurisdictions” on our website (“Site”).


This Privacy Policy explains how we collect, use, share, store and otherwise process your personal data when you use our Site, in connection with your relationship with us as a Goodwin client, vendor, prospective employee, alumna or your general interest in our services, our publications and our events. It also explains your rights under applicable data protection laws, including the EU General Data Protection Regulation (“GDPR”).

Reference in this Privacy Policy to “personal data” means any information relating to an identified or identifiable individual, such as name, contact details, and bank account details. Personal data does not include data from which an individual can no longer be identified, such as anonymized data.

To the extent the GDPR applies to the processing of your personal data, and you are a visitor to the Site, the data controller for your personal data will be Goodwin Procter LLP, unless we advise you otherwise.  For other data subjects, including clients, vendors, prospective employees and alumna, the data controller will be the relevant Goodwin entity with which you engage(d).  The data controller decides how personal data about you is used.

Information We Collect

We regularly collect personal data as a law firm providing professional services. The types of personal data relating to you that we may collect, and the purposes for which we collect and process this data, depends on the nature of your interaction with us. Please read the table below for more information. Under the GDPR, we are required to specify the legal basis under which we are allowed to use your personal data – this information is also described below.

How we obtain your personal data  Types of personal data that we may process  Purpose/legal basis for processing 
When you browse or interact with our Site, including through the use of cookies (for more information, read our Cookie Policy Name, title, gender
Contact details (email address, physical address, phone numbers)
Your employer
Description of yourself, your position, your requirements or comments, and your relationship to a person
Technical information (including your IP address, domain name, type of browser and operating system used)
Your preferences  
Legitimate interests, as follows:
Getting to know clients or potential clients, colleagues, recruiters, employees, workers, consultants, service providers
Managing business communications with our clients
Maintaining and managing our Site
Responding to your communication(s) with us
Improving the quality of our communications and interaction with you
Internal statistical analysis (including to see where our Site is being used geographically)
If you ask us to delete your data or to be removed from our databases and we are required to fulfil your request, keeping basic data to identify you and prevent further unwanted processing 
As part of our business intake/client onboarding procedures and when providing legal services to you or to an entity with which you are associated, including as an employee, representative, authorized signatory, director, shareholder or beneficial owner Name, title, gender
Contact details (personal or business email address, telephone numbers, physical address)
Information relating to any matter that you want to discuss with us that relates to you as an individual, which may include special categories of data
Information from identification documents
Financial information, such as bank account details and requests relating to invoices
Any other personal data, which may include special categories of personal data, disclosed to us during the provision of legal services, such as in  phone or email correspondence and including personal data relating to a corporate client's employees, customers and other individuals 

Legal obligation:
Acting in compliance with anti-money laundering regulations, sanctions requirements and any other applicable legal obligations, such as legal privilege
Legitimate interests:
When we are required to comply with laws other than EEA laws 
• In order to fulfill our contractual obligations to you when you are an entity and the processing relates to natural persons; provided you have undertaken to inform such persons of this privacy policy and obtained any necessary consents
Fulfilling our obligations under our engagement agreement with you
• When processing special categories of personal data; unless one of the other conditions in Article 9(2) of the GDPR applies, including processing that is the for the establishment, exercise or defence of legal claims
• When processing personal data relating to criminal convictions and offences or related security measures, unless another condition applies under applicable law, such as protecting an individual's vital interests, personal data manifestly made public by the data subject, or processing in connection with legal proceedings, legal advice or legal rights

When you provide data to us in order to receive event invitations, updates, or other marketing materials  Name, title, gender
Contact details (personal or business email address, telephone numbers, physical address)
Your communication preferences (what types of communication you want to receive, when you want to stop receiving communications, feedback, and requests relating to our communications)
Any other personal data that you disclose to us, such as dietary and access requirements, comments, or requests 
Consent (opt in):
On the basis of the consent that you have provided us to receive certain communications 
When you apply for a job, traineeship, secondment, summer placement, vacation scheme or internship  Name, title, gender, date of birth, NIN, SSN
Results of background checks including references, qualifications, and to the extent permitted by law, criminal background checks (unspent convictions)
Passport, work permit, visa, or other immigration documentation
Contact details (personal, business or educational institution email address, telephone numbers, physical address)
CV, including relevant skills and experience
Special requirements (such as, or relating to, a disability/health issue)
Any other personal data that you may provide to us through the application process, such as views and preferences that you disclose to us in interviews, your responses to questions, and demonstration of your skills 
Legitimate interests:
Fulfilling our staffing requirements
Ensuring potential recruits of any kind are appropriately qualified for positions at the firm
When we are required to comply with laws other than EEA laws 
On the basis of any consent that we are required to obtain under applicable law, in relation to our criminal background checks
Legal obligation:
Acting in compliance with anti-money laundering regulations concerning screening
• Verifying your right to work lawfully in the relevant country applicable to your application
If you are applying to work at Goodwin  – whether as a partner, employee, intern, trainee, secondee, vacation student, or in any other capacity – please also refer to our separate “Recruitment Privacy Policy”. Please request/review this policy before submitting any personal data to us. 
If you are an alumnus/a  • Name, title, gender, date of birth
Contact details (personal or business email address, telephone numbers, physical address)
Length of time with Goodwin
Details of your role with Goodwin
Higher education information (graduation year, degree, schools attended)
Communication preferences
Any other personal data that you may provide to us through your use of our alumni/ae services or at alumni/ae events

Legitimate interests:
Maintaining contact with alumni/ae
Expanding our professional networks
Understanding your communication preferences
Considering you for any future staffing requirements
• Facilitating your future employment and meeting practicing / regulatory requirements 
On the basis of the consent that you have provided to us to process your personal data in the context of your alumni/ae registration

You offer or provide services to us as our vendor  Name, title, position, employer, physical address, email address, phone numbers
• Any other personal data, which may include special categories of personal data in aggregate form, disclosed to us in a supplier audit

Fulfilling our obligations under our agreement with you and/or your employer 

Legal obligation:
• Monitoring the risk of modern slavery in our supply chain

Automatically Collected Data

When you interact with us through the Site, we automatically collect information about you through cookies (small text files placed on your device). Please read our Cookie Policy to learn more about how we use cookies. Our servers also record information (“log data”), including information that your browser automatically sends whenever you visit the Site. This log data includes your Internet Protocol (“IP”) address (from which we can discern the country you are connecting from at the time you visit the Site), browser type and settings, and the date and time of your request.

Where the information that we collect automatically on our Site is personal data, our legal basis for the use of this information is that it is necessary for the purposes of our legitimate interests in maintaining the safe operation of our Site and learning how Site visitors interact with our Site to improve your use of it.

What If You Do Not Provide the Personal Data We Request?

When we need your personal data to comply with legal obligations or to perform our contract, failure to provide this data may impact our ability to provide our services.

How We Share Your Personal Data

We share information with certain third parties, as follows:

  • Third party service providers. Third parties who provide services to us have access to your personal data. For the purposes described above, we engage providers of website analytics, hosting and cloud computing services and other IT services, payroll services, auditing services, consultancy services, regulatory services, legal services, CRM, marketing and sales software solutions, software platforms and services for the legal profession, translation services, background checks, talent management and recruitment services, in addition to other administrative services. Pursuant to our instructions, these parties may access, process or store personal data in the course of performing their duties to us and solely in order to perform the services we have hired them to provide.
  • Administrative and legal reasons. We may disclose personal data as we deem necessary and appropriate under applicable laws, such as to comply with a subpoena, bankruptcy proceedings, or similar legal process; in response to lawful requests by public, governmental and regulatory authorities, including to meet national security or law enforcement requirements; or when we believe in good faith that disclosure is reasonably necessary to protect the property or rights of Goodwin, you or third parties, or the public at large.
  • Business transfers. We may disclose and transfer your information and data to a third party: (a) if we assign our rights regarding any of the information to a third party or (b) in connection with a corporate merger, consolidation, restructuring, sale of certain of our ownership interests, assets, or both, or other corporate change, including without limitation, during the course of any due diligence process.
  • Goodwin entities. When using your personal data for the purposes described above, we may share your personal data with other Goodwin offices around the world. Please read the International Data Transfers section below for more information on how we transfer your personal data.

International Data Transfers

For the purposes described in this Privacy Policy, we may transfer your personal data from the European Economic Area (EU Member States plus Iceland, Liechtenstein and Norway) to a Goodwin office or a third party outside of the EEA and in a jurisdiction not subject to an adequacy decision of the European Commission. We have executed data transfer agreements pursuant to standard contractual clauses approved by the European Commission to transfer your personal data to our affiliates located outside of the EEA, in order to ensure appropriate safeguards for such transfers.  When we transfer your personal data to other third parties outside of the EEA, for example service providers, other counsel and accountants and third parties involved in your matters, we will do this in accordance with applicable data protection laws and will take appropriate safeguards to ensure the integrity and protection of your personal data wherever processed.

Retaining Your Personal Data

We retain your personal data only for as long as is necessary to fulfill the purposes for which it was collected and processed, in accordance with our retention policies, and in accordance with applicable laws or until you withdraw your consent (where applicable). To determine the appropriate retention period for your personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we use your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances we may anonymize your personal data so that it can no longer be associated with you, in which case it is no longer personal data.

We do not collect more personal data than we need to fulfill our purposes stated in this Privacy Policy. We may retain your personal data for an additional period to the extent deletion would require us to overwrite our automated disaster recovery backup systems or to the extent we deem it necessary to assert or defend legal claims during any relevant retention period.

Your Rights in Relation to Your Personal Data under GDPR

Subject to the applicable provision of the GDPR, you have the following rights with respect to your personal data:

  • If we rely on our legitimate interests, or those of a third party, as a ground for processing, you have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data, and we shall no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing is for the establishment, exercise or defense of legal claims. 
  • If we rely on your consent to process your personal data, to withdraw that consent at any time, but this will not affect any processing of your data that has already taken place before withdrawal of your consent.
  • To access your personal data (commonly known as a “data subject access request”) along with certain other details in relation to its processing (if you require additional copies, we may need to charge a reasonable fee).
  • To rectify your personal data if it is inaccurate or incomplete.
  • To have your personal data erased if it is no longer necessary for the purposes for which it was processed; you have withdrawn your consent where previously given and there is no other legal ground for processing; you object to its processing for direct marketing purposes; or you object to the processing of your data based on a legitimate interest (described above) and there is no other overriding legitimate grounds for processing; or you consider it to have been unlawfully processed.
  • To have the processing of your personal data restricted in certain circumstances, such as if you contest its accuracy or object to us processing it.
  • To have your personal data transferred to another company in a structured, commonly used and machine-readable format, if you consented to give your personal data to us or it was provided to us as necessary in connection with our contract with you and if the processing is carried out by automated means.
  • To object to the processing of your personal data, and we will cease processing it if (a) we are relying on a legitimate interest to process your personal data, unless we demonstrate compelling legitimate grounds for the processing or (b) we are processing your personal data for direct marketing.
  • To lodge a complaint with your national data protection authority if you have a concern about our privacy practices, including the way we handle your personal data.

Keeping Your Personal Data Secure

We take appropriate technical and organizational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, your personal data, in accordance with our internal security procedures. Personal data may be stored on our own technology systems or those of our vendors or in paper files.

Personal Data of Children

Our Site is not directed to children who are under the age of 13 and is directed to adults only. Goodwin does not knowingly collect personal data from children under 13. If you have reason to believe that a child under the age of 13 has provided personal data to Goodwin through the Site please contact us and we will endeavour to delete that information from our databases.

Links To Other Websites

Our Site may contain links to other sites operated by third parties, including social media websites and services. We are not responsible for information on these sites, nor for services or products offered by them.  By providing these links we do not imply that we endorse or have reviewed these sites. Use of these sites, including transmitting your personal data to them, is at your own risk. The information that you share with these sites will be governed by the specific privacy policies and terms of service of these third-party sites and not by this Privacy Policy. Please contact those sites directly for information on their privacy practices and policies.

Your California Privacy Rights

Pursuant to California Civil Code Section 1798.83(c)(2), California law requires us to inform California residents who have provided us with personal information that they may request information from us about our disclosures to third parties for their direct marketing purposes. Goodwin Procter LLP (“Goodwin”) does not share individuals’ personal information with third parties outside of Goodwin for those parties’ direct marketing use. To request information, please contact us at

Goodwin has collected the following types of information from consumers within the past twelve (12) months:

  • Name;
  • Contact details and preferences, including physical address, e-mail address, phone number, and other contact information that individuals have chosen to provide to us;
  • Professional or employment-related information;
  • Internet and electronic network activity information; and
  • Topics of interest to the individual.
  • Other information about individuals has been provided to us in connection with services we provide to our clients including our legal representation of clients.

Within the past twelve (12) months, Goodwin has not sold information about consumers or disclosed information about consumers for a business purpose to a third party.

Changes to this Privacy Policy

We reserve the right to amend this Privacy Policy from time to time to reflect changing legal requirements or our processing practices. Any such changes will be posted on this Site and will be effective upon posting. If we make a material change to this Privacy Policy, we will provide you with notice in accordance with the applicable law.

How to Contact Us

If you have any questions about our Privacy Policy, or if you would like to access personal data we hold about you or exercise your other rights under the applicable law, you can contact us at Goodwin Procter LLP, The New York Times Building, 620 Eighth Avenue, New York, NY 10018-1405 or on

Please also refer to our Cookie Policy, which explains the use of cookies via our Site.