Privacy Policy

Last Updated: February 25, 2020

Introduction

We at Goodwin Procter LLP and its affiliated undertakings (“Goodwin”, “we”, “us” and/or “our”) value the relationship we have with you. For full details of our affiliated entities, please view “Legal Notices – Jurisdictions” on our website (“Site”).

This Privacy Policy explains how we collect, use, share, store and otherwise process your personal data when you use our Site, in connection with your relationship with us as a Goodwin client, vendor, prospective employee, alumna or your general interest in our services,  publications and  events. It also explains your rights under applicable data protection laws, including the EU General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act of 2018 (“CCPA”). Information for California residents about the CCPA can be found here.

Where the GDPR applies to the processing of your personal data, and you are a visitor to the Site, the data controller for your personal data is  Goodwin Procter LLP, unless we advise you otherwise. For other data subjects, including clients, vendors, prospective employees and alumna, the data controller is the specific Goodwin entity with which you engage(d). The data controller decides how personal data about you is processed.

Information We Collect; Purpose of Processing

We regularly collect personal data as a law firm providing professional services. The types of personal data relating to you that we may collect, and the purposes for which we  process this data, depends on the nature of your interaction with us. Please read the table below for more information. Under the GDPR, we are required to specify the legal basis under which we are allowed to process  your personal data – this information is also described below.

How we obtain your personal data Types of personal data that we may process Purpose/legal basis for processing
When you browse or interact with our Site, including through the use of cookies (for more information, read our Cookie Policy) Name, title, gender
Contact details (email address, physical address, phone numbers)
Your employer
Description of yourself, your position, your requirements or comments, and your relationship to a person
Technical information (including your IP address, domain name, type of browser and operating system used)
Your preferences  
Legitimate interests, as follows:
Getting to know clients or potential clients, colleagues, recruiters, employees, workers, consultants, service providers
Managing business communications with our clients
Maintaining and managing our Site
Responding to your communication(s) with us
Improving the quality of our communications and interaction with you
Internal statistical analysis (including to see where our Site is being used geographically) unless we need your consent before placing analytics cookies, as described in our Cookie Policy
As part of our business intake/client onboarding procedures and when providing legal services to you or to an entity with which you are associated, including as an employee, representative, authorized signatory, director, shareholder or beneficial owner Name, title, gender
Contact details (personal or business email address, telephone numbers, physical address)
Company
Position
Information relating to any matter that you want to discuss with us that relates to you as an individual, which may include special categories of data
Information from identification documents
Financial information, such as bank account details and requests relating to invoices
Any other personal data, which may include special categories of personal data, disclosed to us during the provision of legal services, such as in  phone or email correspondence and including personal data relating to a corporate client's employees, customers and other individuals 

Legal obligation:
•Acting in compliance with anti-money laundering regulations, sanctions requirements and any other applicable legal obligations, such as legal privilege
Legitimate interests:
•When we are required to comply with laws other than EEA laws
•In order to fulfill our contractual obligations to you when you are an entity and the processing relates to natural persons; provided you have undertaken to inform such persons of this privacy policy and obtained any necessary consents
Contract:
•Fulfilling our obligations under our engagement agreement with you
Consent:
• When processing special categories of personal data; unless one of the other conditions in Article 9(2) of the GDPR applies, including processing that is the for the establishment, exercise or defence of legal claims
• When processing personal data relating to criminal convictions and offences or related security measures, unless another condition applies under applicable law, such as protecting an individual's vital interests, personal data manifestly made public by the data subject, or processing in connection with legal proceedings, legal advice or legal rights

When you provide data to us in order to receive event invitations, updates, or other marketing materials •Name, title, gender
•Contact details (personal or business email address, telephone numbers, physical address)
•Company
•Position
•Your communication preferences (what types of communication you want to receive, when you want to stop receiving communications, feedback, and requests relating to our communications)
•Any other personal data that you disclose to us, such as dietary and access requirements, comments, or requests
Consent (opt in):
•On the basis of the consent that you have provided us to receive certain communications
When you apply for a job, traineeship, secondment, summer placement, vacation scheme or internship •Name, title, gender, date of birth, NIN, SSN
•Results of background checks including references, qualifications, and to the extent permitted by law, criminal background checks (unspent convictions)
•Passport, work permit, visa, or other immigration documentation
•Contact details (personal, business or educational institution email address, telephone numbers, physical address)
•CV, including relevant skills and experience
•Special requirements (such as, or relating to, a disability/health issue)
•Any other personal data that you may provide to us through the application process, such as views and preferences that you disclose to us in interviews, your responses to questions, and demonstration of your skills
Legitimate interests:
•Fulfilling our staffing requirements
•Ensuring potential recruits of any kind are appropriately qualified for positions at the firm
•When we are required to comply with laws other than EEA laws
Consent:
•On the basis of any consent that we are required to obtain under applicable law, in relation to our criminal background checks
Legal obligation:
•Acting in compliance with anti-money laundering regulations concerning screening
•Verifying your right to work lawfully in the relevant country applicable to your application
 
PLEASE NOTE
If you are applying to work at Goodwin – whether as a partner, employee, intern, trainee, secondee, vacation student, or in any other capacity please also refer to our separate recruitment privacy policies for our European offices and California residents. Please request/review these policies before submitting any personal data to us.
If you are an alumnus/a •Name, title, gender, date of birth
•Contact details (personal or business email address, telephone numbers, physical address)
•Length of time with Goodwin
•Details of your role with Goodwin
•Higher education information (graduation year, degree, schools attended)
•Communication preferences
•Any other personal data that you may provide to us through your use of our alumni/ae services or at alumni/ae events

Legitimate interests:
•Maintaining contact with alumni/ae
•Expanding our professional networks
•Understanding your communication preferences
•Considering you for any future staffing requirements
•Facilitating your future employment and meeting practicing / regulatory requirements
Consent:
•On the basis of the consent that you have provided to us to process your personal data in the context of your alumni/ae registration

If you offer or provide services to us as our vendor •Name, title, position, employer, physical address, email address, phone numbers
• Any other personal data, which may include special categories of personal data in aggregate form, disclosed to us in a supplier audit

Contract:
•Fulfilling our obligations under our agreement with you and/or your employer

Legal obligation:
• Monitoring the risk of modern slavery in our supply chain

Automatically Collected Data

When you interact with us through the Site, we automatically collect information about you through cookies (small text files placed on your device). Please read our Cookie Policy to learn more about how we use cookies. Our servers also record information (“log data”), including information that your browser automatically sends whenever you visit the Site. This log data includes your Internet Protocol (“IP”) address (from which we can discern the country you are connecting from at the time you visit the Site), browser type and settings, and the date and time of your request.

Where the information that we collect automatically on our Site is personal data, our legal basis for the use of this information is that it is necessary for the purposes of our legitimate interests in maintaining the safe operation of our Site and learning how Site visitors interact with our Site to improve your use of it.

Failure to Provide the Personal Data We Request

When we need your personal data to comply with legal obligations or to perform our contract, failure to provide this data may impact our ability to provide our services.

How We Share Your Personal Data

We share your information as follows:

  • Third party service providers. Third parties who provide services to us have access to your personal data. For the purposes described above, we engage providers of website analytics, hosting and cloud computing services and other IT services, payroll services, auditing services, consultancy services, regulatory services, legal services, CRM, marketing and sales software solutions, software platforms and services for the legal profession, translation services, background checks, talent management and recruitment services, in addition to other administrative services. Pursuant to our instructions, these parties may access, process or store personal data in the course of performing their duties to us and solely in order to perform the services we have hired them to provide.
  • Event co-hosts. We may share limited personal data with co-hosts of events we host or otherwise sponsor in order to administer the event and provide a list of attendees.
  • Administrative and legal reasons. We may disclose personal data as we deem necessary and appropriate under applicable laws, such as to comply with a subpoena, bankruptcy proceedings, or similar legal process; in response to lawful requests by public, governmental and regulatory authorities, including to meet national security or law enforcement requirements; or when we believe in good faith that disclosure is reasonably necessary to protect the property or rights of Goodwin, you or third parties, or the public at large.
  • Business transfers. We may disclose and transfer your information and data to a third party: (a) if we assign our rights regarding any of the information to a third party or (b) in connection with a corporate merger, consolidation, restructuring, sale of certain of our ownership interests, assets, or both, or other corporate change, including without limitation, during the course of any due diligence process.
  • Goodwin entities. When using your personal data for the purposes described above, we may share your personal data with other Goodwin offices around the world. Please read the International Data Transfers section below for more information on how we transfer your personal data.

International Data Transfers

For the purposes described in this Privacy Policy, we may transfer your personal data from the European Economic Area (EU Member States, Iceland, Liechtenstein and Norway and the United Kingdom during the Brexit transition period) to a Goodwin office or a third party outside of the EEA and in a jurisdiction not subject to an adequacy decision of the European Commission. We have executed data transfer agreements pursuant to standard contractual clauses approved by the European Commission to transfer your personal data to our affiliates located outside of the EEA, in order to ensure appropriate safeguards for such transfers.  When we transfer your personal data to other third parties outside of the EEA, for example service providers, other counsel and accountants and third parties involved in your matters, we will do this in accordance with applicable data protection laws and will take appropriate safeguards to ensure the integrity and protection of your personal data wherever processed.

Retaining Your Personal Data

We retain your personal data only for as long as is necessary to fulfill the purposes for which it was collected and processed, in accordance with our retention policies, and in accordance with applicable laws or until you withdraw your consent (where applicable). To determine the appropriate retention period for your personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we use your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances we may anonymize your personal data so that it can no longer be associated with you, in which case it is no longer personal data.

We do not collect more personal data than we need to fulfill our purposes stated in this Privacy Policy. We may retain your personal data for an additional period to the extent deletion would require us to overwrite our automated disaster recovery backup systems or to the extent we deem it necessary to assert or defend legal claims during any relevant retention period.

Your Rights in Relation to Your Personal Data under GDPR

Subject to the applicable provision of the GDPR, you have the following rights with respect to your personal data:

  • Right of access (commonly known as a “data subject access request”): If you ask us, we will confirm whether we are processing your personal data and, if so, provide you with a copy of that personal data along with certain other details. If you require additional copies, we may need to charge a reasonable fee.
  • Right to rectification: If your personal data is inaccurate or incomplete, you are entitled to ask that we correct or complete it.
  • Right to erasure: You may ask us to erase your personal data in some circumstances, such as where we no longer need it or you withdraw your consent (where applicable) and there is no other legal basis for processing.
  • Right to restrict processing: You may ask us to restrict or ‘block’ the processing of your personal data in certain circumstances, such as if you contest its accuracy or object to us processing it.
  • Right to data portability: You have the right to obtain your personal data from us that you consented to give us or that was provided to us as necessary in connection with our contract with you, and if the processing is carried out by automated means.
  • Right to object: You may ask us at any time to stop processing your personal data, and we will do so: (a) if we are relying on a legitimate interest (described above) to process your personal data, unless we demonstrate compelling legitimate grounds for the processing or your data is needed to establish, exercise, or defend legal claims; or (b) we are processing your personal data for direct marketing and, in such case, we may keep minimum information about you (for example, in a suppression list) as necessary for our and your legitimate interest to ensure your opt out choices are respected in the future and to comply with data protection laws.
  • Right to withdraw consent: If we rely on your consent to process your personal data, you have the right to withdraw that consent at any time, but this will not affect any processing of your data that has already taken place.
  • Right to lodge a complaint with the data protection authority: If you have a concern about our privacy practices, including the way we handled your personal data, you can report it to the data protection authority that is authorized to hear those concerns (in the United Kingdom, the Information Commissioner’s Office (ICO) at https://ico.org.uk/concerns; in Frankfurt, Der Hessische Beauftragte für Datenschutz und Informationsfreiheit at https://datenschutz.hessen.de/; in France, Commission Nationale de l’Informatique et des Libertés (CNIL) at https://www.cnil.fr/; in Luxembourg, Commission nationale pour la protection des données (CNPD), at https://cnpd.public.lu.)

To exercise your rights under the GDPR, please send us your request as described under the “How to Contact Us” section below.

Keeping Your Personal Data Secure

We take appropriate technical and organizational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, your personal data, in accordance with our internal security procedures. Personal data may be stored on our own technology systems or those of our vendors or in paper files.

Personal Data of Children

Our Site is not directed to children who are under the age of 16 and is solely intended for adults. Goodwin does not knowingly collect personal data from children under 16. If you have reason to believe that a child under the age of 16 has provided personal data to Goodwin through the Site please contact us and we will endeavor to delete that information from our databases.

Links To Other Websites

Our Site may contain links to other sites operated by third parties, including social media websites and services. We are not responsible for information on these sites, nor for services or products offered by them.  By providing these links we do not imply that we endorse or have reviewed these sites. Use of these sites, including transmitting your personal data to them, is at your own risk. The information that you share with these sites will be governed by the specific privacy policies and terms of service of these third-party sites and not by this Privacy Policy. Please contact those sites directly for information on their privacy practices and policies.

Additional Information for California Residents

Disclosures Related to Collection, Use, and Disclosure of Personal Information

Pursuant to the CCPA, we are providing the following additional details regarding the collection, use, and disclosure of personal information about California residents:

  • Categories of Personal Information Collected: In the preceding 12 months, we have collected the following categories of personal information: identifiers, characteristics of protected classifications under California or U.S. law, professional and employment-related information, education information, commercial information, internet and electronic network activity, inferences drawn about your preferences, and other categories of personal information that relates to or is reasonably capable of being associated with you. For examples of the data points we collect, please see “Information We Collect” above.
  • Business or Commercial Purpose for Collecting and Using Data: We have collected the above categories of personal information for the business purposes described in the “Information We Collect” section above.
  • Categories of Sources of Personal Information: We may have collected the above categories of personal information directly from you, automatically about your use of our Site , and from third parties, such as clients of our legal services, government and public entities, public records, industry research databases, parties and related parties in litigation matters, and others. For more detail, please see “Information We Collect” above.
  • Categories of Personal Information Disclosed: In the preceding 12 months, we have disclosed the following categories of personal information for business or commercial purposes: identifiers, characteristics of protected classifications under California or U.S. law, professional and employment-related information, education information, commercial information, internet and electronic network activity, inferences drawn about your preferences, and other categories of personal information that relates to or is reasonably capable of being associated with you.
  • Categories of Third Parties With Whom We Share Personal Information: We may share your personal information with the third parties as described in the “How We Share Your Personal Data” section above.
  • Sale of Personal Information (as defined by the CCPA): We do not sell, and in the preceding 12 months have not sold, the personal information we have collected.

Your Rights 

To the extent provided for by law and subject to applicable exceptions, including but not limited to attorney-client privilege, California residents have the following privacy rights in relation to the personal information we collect:

  • The right to know what personal information we have collected and how we have used and disclosed that personal information;
  • The right to request deletion of your personal information;
  • The right to opt out of the sale of your personal information; and
  • The right to be free from discrimination relating to the exercise of any of your privacy rights.

Exercising Your Rights

California residents can exercise the above privacy rights by emailing us at dataprivacy@goodwinlaw.com, or calling toll-free us at +1 855 243 2070.

Verification: in order to protect your personal information from unauthorized access or deletion, we may ask you to provide additional personal information for verification. If we cannot verify your identity, we will not provide or delete your personal information.

Authorized Agents: you may submit a request to know or a request to delete your personal information through an authorized agent. If you do so, the agent must present signed written permission to act on your behalf and you may also be required to independently verify your identity with us and confirm that you have provided authorization to the agent.

California “Shine the Light” Disclosures

Pursuant to California Civil Code Section 1798.83(c)(2), California law requires us to inform California residents who have provided us with personal information that they may request information from us about our disclosures to third parties for their direct marketing purposes. To request this information, please contact us at dataprivacy@goodwinlaw.com

Changes to this Privacy Policy

We reserve the right to amend this Privacy Policy from time to time to reflect changing legal requirements or our processing practices. Any such changes will be posted on this Site and will be effective upon posting. If we make a material change to this Privacy Policy, we will provide you with notice in accordance with the applicable law.

How to Contact Us

If you have any questions about our Privacy Policy, or if you would like to access personal data we hold about you or exercise your other rights under the applicable law, you can contact us toll free at +1 855 243 2070 at Goodwin Procter LLP, The New York Times Building, 620 Eighth Avenue, New York, NY 10018-1405, or on dataprivacy@goodwinlaw.com.

Please also refer to our Cookie Policy, which explains the use of cookies via our Site.