Legal notices: US additional privacy information
DLA Piper LLP (US): EU GDPR Privacy Notice
Last updated 23 May 2018
Your privacy is important to us. DLA Piper LLP (US) ("DLA Piper US", "we" or "us") has developed this EU GDPR Privacy Notice (the "GDPR Privacy Notice") to provide additional information about how we handle personal information that is subject to the GDPR when we are the controller of that information. In this GDPR Privacy Notice, we use the term "GDPR" to include the EU General Data Protection Regulation, as well as associated national laws.
- This GDPR Privacy Notice explains how DLA Piper US handles the personal information we collect from individuals through the Site, the personal information we collect when individuals engage with us or use our products or services (our "Services") and the personal information we receive about individuals as a result of providing the Services to third parties, whenever personal information is subject to the GDPR.
For the purposes of this GDPR Privacy Notice, "personal information" means any information relating to an identified or identifiable person.
|1. Purpose of this notice||9. Retention of personal information|
|2. Who are we and what do we do?||10. Confidentiality and security of your personal information|
|3. Personal information we collect||11. How to access your information and your other rights|
|4. Purpose and legal basis for our use your personal information||12. Collection of information by third-party sites and sponsors|
|5. Sharing your personal information||13. Children|
|6. Third party contractors and other data controllers||14. Changes to this GDPR privacy notice|
|8. Where we transfer your personal information|
1. Purpose of this notice
This GDPR Privacy Notice explains how we process personal information that is subject to EU data protection laws, and also sets out individuals' rights related to our processing of such personal information.
2. Who are we and what do we do?
DLA Piper is a global law firm operating through a number of separately constituted and regulated legal entities, which provide legal and other client services in accordance with the relevant laws of the jurisdictions in which they respectively operate. Details of the different DLA Piper entities that provide legal services or other services to clients in respect of each country in which DLA Piper carries on business can be found here.
DLA Piper UK LLP and DLA Piper LLP (US) are independent data controllers responsible for your personal information collected via the Site.
DLA Piper LLP (US) is the data controller of personal information subject to the GDPR that we collect and process in connection with the Services.
Please note that depending on which DLA Piper entity you engage with in relation to the Services, the practicing entities, available here, may also be data controllers responsible for processing your personal information in relation to the Services.
3. Personal information we collect
We may collect personal information in the course of our business, including through your use of our Site, when you contact us or request information from us, when you engage our Services or as a result of your relationship with one or more of our staff and clients. When we require personal information from you in order to fulfill a statutory or contractual requirement, or where such information is necessary to enter into a contract or is otherwise an obligation, we will inform you and indicate the consequences of failing to do so.
- Registrations, subscriptions, forms
If you register with us via the Site, sign up to receive news and information from us, or communicate with us through or related to the Site, we may collect the following personal information:
- Your name, job title and company.
- Contact information for you, including the company you work for and email address.
- Demographic information, such as your address, preferences and interests.
- Other information relevant to the provision of Services.
- Client matters
From individuals who are clients and prospective clients, or are representatives of clients and prospective clients, we may collect the following personal information:
- Your name, the named DLA Piper client, the name of the company you work for (if different) and your job title.
- Contact information for you, the named DLA Piper client, and the company you work for (if different), including address, fax, phone number and email address.
- Payment information (including bank account and wire details), billing instructions and preferences (including to whom to direct invoices). Relevant information so that we can perform conflicts of interest checks.
- Relevant information as required by regulatory Know Your Client and/or Anti Money Laundering regulations and as part of our client intake procedures. This may possibly include evidence of source of funds, at the outset of and possibly from time to time throughout our relationship with clients, which we may request and/or obtain from third party sources. The sources for such verification may include documentation, which we request from the client or prospective client or through the use of online or public sources or both.
- Information you provide to us for the purposes of attending meetings and events, including dietary requirements, which may reveal information about your health or religious beliefs.
- Information that you provide to us as part of the provision of Services to you, which depends on the nature of your engagement with DLA Piper.
- Other information relevant to the provision of Services.
- Related parties and client representatives
DLA Piper US is primarily engaged by corporate entities and clients (ie, legal entities), and those legal entities are not data subjects (ie, natural persons to whom personal information relates). However, as part of our engagement with these clients, we may receive personal information about individuals. For example, we may receive names, contact details and other information relating to:
- Officers, representatives and/or personnel of our corporate clients or prospective clients, as well as their affiliated and related entities.
- Adverse parties in a matter or potential matter, such as claimants, plaintiffs, defendants and other adverse parties.
- Related parties in a matter or potential matter.
- Vendors and suppliers of our corporate clients or prospective clients.
- Current and former legal advisors, consultants and other professional advisors of our corporate clients or prospective clients.
- Government and/or law enforcement entities and their representatives.
If you are an individual whose personal information is processed by us as a result of providing the Services to others (including individual clients and corporate clients), we will process a variety of different personal information depending on the Services provided.
For example, if we are representing a client in a cross-border acquisition, we may receive and then process (among other information) details of the key managers of the target company.
We might also need to process personal information in relation to other third parties instructed either by our own clients or other persons or companies involved in providing the Services to our client (eg, other law firms, experts etc.).
These examples are non-exhaustive, which is reflective of the varied nature of the personal information we process as part of a law firm providing legal services.
- Mailing lists
For clients and prospects, we also collect information to enable us to market our Services, which may be of interest to you. For this purpose we collect:
- Name and contact details.
- Other business information, such as job title and the company you work for.
- Areas or topics that interest you.
- Additional information may be collected, such as events you attend and if you provide it to us, dietary preferences which may indicate data about your health or religious beliefs.
4. Purpose and legal bases for our use of your personal information
Our processing of personal information is justified by a "legal basis", that is, a specific condition. We may use personal information for the following purposes, in each case as justified by a legal basis:
- Fulfilment of services
We use personal information to enable us to perform the Services, respond to your requests and deliver our Services, to provide legal advice and related Services for which you have engaged us, verify your identity, and carry out requests made by you on the Site or in relation to our Services.
- What is our legal basis?
This processing is necessary for our compliance with legal obligations (including our professional and ethical duties as attorneys). It is in our legitimate interest or a third party's legitimate interest to use your personal information in such a way to ensure that we provide the very best client service we can to you or others and comply with our professional and ethical duties as attorneys, consistent with applicable law. In some cases, this processing is necessary to perform a contract to which you are a party.
- Client services
We use personal information to provide and operate our Site and the Services, to communicate with you about your use of the Site and Services, to respond to your inquiries, to provide troubleshooting, to fulfill your requests, to bill you for our Services, to collect payments, to respond to complaints and inquiries, to provide technical support, and to provide other client service and support.
- What is our legal basis?
This processing is necessary to establish, exercise or defend our legal claims and rights. It is in our legitimate interest or a third party's legitimate interest to use your personal information in such a way to ensure that we provide the very best client service we can to you or others and comply with our professional and ethical duties as attorneys, consistent with applicable law. In some cases, this processing is necessary to perform a contract to which you are a party.
- Business administration and legal compliance
We use personal information for the following business administration and legal compliance purposes:
- To perform and maintain information for the purposes of performing conflicts of interest searches.
- To comply with our legal obligations (including Know Your Client, Anti-Money Laundering, Anti-Bribery, conflicts or similar obligations including, but without limitation, maintaining regulatory insurance).
- To enforce our legal rights.To investigate and/or settle inquiries or disputes.
- To comply with any applicable law, court order, other judicial process, law enforcement requests or the requirements of a regulator.
- To enforce our agreements with you.
- To protect the rights, property or safety of us or third parties, including our other clients and users of the Site or our Services.
- To maintain our records.
- To process business transaction data, such as in connection with a merger, or a restructuring, or sale.
- To use as otherwise required or permitted by law, consistent with these purposes.
- What is our legal basis?
It is necessary to enforce, establish or defend our legal rights, or to protect the rights of third parties. This processing is necessary to comply with EU legal obligations imposed upon us. It is in our legitimate interest or a third party's legitimate interest to use your personal information to comply with other legal obligations. In some cases, this processing will be necessary to perform a contract to which you are a party.
- Marketing and promotions
We may use personal information for marketing and promotional purposes, such as to send you news and newsletters, or to otherwise contact you about products or information we think may interest you, by email and direct (postal) mail. We may also use it develop new Services and determine how to market our Services.
- What is our legal basis?
It is in our legitimate interest to use your personal information for marketing purposes in order to develop and grow our business and Services and promote the reputation of our firm. We will, where required by applicable law, obtain your consent to send such communications.
- Client development
We may use personal information in order to respond to Requests for Proposals ("RFPs"), prepare for and present pitches and other proposals, and identify potential business opportunities. Largely, this involves our collection and use of non-personal business information about current, former and prospective corporate clients. However, we may also process limited personal information about individuals (name, current and former company, current and former title, contact information and similar information).
- What is our legal basis?
This processing is also in our legitimate interest to use your personal information in order to develop and grow our business and Services and promote the reputation of our firm. We also may process this information to respond to an RFP or a specific request in anticipation of a contract with you (ie, engagement for Services).
- Client insight and analytics
We use personal information to better understand how you and others use our Services, so that we can improve our Site and Services, develop new features, tools, offerings, services and the like, and for other research and analytical purposes. We also use the information we collect to measure the effectiveness of our online content and how visitors use our Site and our Services. This allows us to learn what pages of our Site are most attractive to our visitors, which parts of our Site are the most interesting, and what kind of offers our registered users like to see. We may use this information and the insights we have derived for marketing purposes (see the marketing section above for further details), or to make decisions about events, news and information that may be of interest to clients, prospective clients, Site users and others.
- What is our legal basis?
It is in our legitimate interest to use your personal information in such a way to ensure that we provide the very best Services to our clients and others in order to develop and grow our business and Services and promote the reputation of our firm.
- Industry benchmarking and rankings
We participate in industry surveys and reports (such as Chambers and Partners and Legal 500), which clients use to assess law firms and the legal industry. Largely, this involves our collection and use of non-personal business information about clients and matters. However, we may also review and share limited personal information about individuals (such as referee name, title and contact).
- What is our legal basis?
It is in our legitimate interest to use your personal information in order to develop and grow our business and Services and promote the reputation of our firm. Where required, we will obtain your consent.
- Prevent misconduct, abuse and misuse
Subject to our professional and ethical duties, we use personal information where we believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, or violations of our terms of engagement. We also use personal information to protect and secure the Site and our information systems and networks.
- What is our legal basis?
This processing is necessary to comply with EU legal obligations imposed upon us. It is necessary to enforce, establish or defend our legal rights, or to protect the rights of third parties. It is in our legitimate interest or a third party's legitimate interest to use your personal information to comply with other legal obligations. In some cases, this processing will be necessary to perform a contract to which you are a party.
5. Sharing your personal information
DLA Piper is a global law firm and any information that we collect or that you provide to us may be shared and processed by any DLA Piper practicing entity. You can find out more about the DLA Piper entities and locations here.
We may also share personal information with a variety of the following categories of third parties as necessary:
- Our professional advisers, such as lawyers and accountants.
- Government and/or regulatory authorities.
- Professional indemnity insurers.
- Regulators, tax authorities and/or corporate registries.
- Third parties to whom we outsource certain services, such as, without limitation, document processing and translation services, confidential waste disposal, IT systems or software providers, IT Support service providers, and document and information storage providers.
- Third parties engaged in connection with our Services, such as counsel, arbitrators, mediators, clerks, witnesses, court reporters, court, opposing party and their lawyers, document review platforms and experts, such as tax advisors.
- Third party service providers to assist us with client insight analytics, such as Google Analytics.
- Third party postal or courier providers who assist us in delivering our postal marketing campaigns to you, or delivering documents related to a matter.
6. Third party contractors and other data controllers
As mentioned above, we may appoint sub-contractor data processors as required to deliver the Services, such as, without limitation, document processing and translation services, confidential waste disposal, IT systems or software providers, IT Support service providers, and document and information storage providers, who will process personal information on our behalf and at our direction. We conduct an appropriate level of due diligence and put in place contractual documentation in relation to any sub-contractor to ensure that they process personal information appropriately and according to our legal and regulatory obligations.
Further, we may appoint external data controllers where necessary to deliver the Services (for example, but without limitation, accountants, attorneys, consultants and other third party experts including, but without limitation, other DLA Piper practicing entities, as well as other law firms). When doing so, we will comply with our legal and regulatory obligations in relation to the personal information including, but without limitation, putting appropriate safeguards in place.
- What is our legal basis?
It is necessary for us to perform our obligations in accordance with any contract or engagement that we may have with you. It is in our legitimate interest or a third party's legitimate interest to use personal information in such a way to ensure that we provide the Services in the best way that we can.
8. Where we transfer your personal information
DLA Piper LLP (US) is located in the United States; when you submit personal information to us, or when others provide personal information to us, we will receive it and process it in the United States. In order to provide the Services, we also may need to transfer your personal information to locations in other jurisdictions (including to other DLA Piper practicing entities).
If you are based within the European Union/European Economic Area (EEA), please note that where necessary to deliver the Services, we will transfer personal information to countries outside the EEA (including to other DLA Piper practicing entities). Countries outside the EEA may not provide an adequate level of protection for your personal information, which is why the DLA Piper practicing entities have signed a data sharing agreement, based on the EU standard contractual clauses, to provide appropriate safeguards and an adequate level of protection for personal information.
You have a right to obtain details of the mechanism under which your personal information is transferred outside of the EEA by contacting GDPR.inquiries.DLAUS@dlapiper.com.
9. Retention of personal information
In general, we will retain relevant personal information of Site visitors for at least three years from the date of our last interaction with you and in compliance with our obligations under applicable laws, or for longer if we are required to do so according to our regulatory obligations or professional indemnity obligations, or where we believe necessary to establish, defend, or protect our legal rights and interests or those of others.
We generally retain files and information regarding client engagements and matters for which we have been retained for at least seven years from the date of our last interaction with the relevant client, in compliance with our obligations under applicable laws, or for longer where required by our regulatory obligations, professional indemnity obligations, or where we believe necessary to establish, defend, or protect our legal rights and interests or those of others. We may then destroy such files without further notice or liability.
10. Confidentiality and security of your personal information
We are committed to keeping personal information secure and we have implemented appropriate information security policies, rules and technical measures to protect the personal information that we have under our control from unauthorized access, improper use or disclosure, unauthorized modification and unlawful destruction or accidental loss. Please note that no transmission over the Internet is completely secure or error-free, and that the information security policies, rules and technical measures utilized and maintained by us may be subject to compromise.
All of our partners, employees, consultants, workers and data processors (ie, those who process your personal information on our behalf, for the purposes listed above), who have access to, and are associated with the processing of personal information, are obliged to respect the confidentiality of such personal information.
11. How to access your information and your other rights
You have the following rights in relation to the personal information we hold about you:
- Your right of access
If you ask us, we will confirm whether we are processing your personal information and, if necessary, provide you with a copy of that personal information (along with certain other details). If you require additional copies, we may need to charge a reasonable fee.
- Your right to correction (rectification)
If the personal information we hold about you is inaccurate or incomplete, you are entitled to request to have it corrected. If you are entitled to have information corrected and if we have shared your personal information with others, we will let them know about the rectification where possible. If you ask us, we will also tell you, where possible and lawful to do so, with whom we have shared your personal information so that you can contact them directly.
- Your right to erasure
You can ask us to delete or remove your personal information in some circumstances, such as where we no longer need it or if you withdraw your consent (where applicable). If you are entitled to erasure and if we have shared your personal information with others, we will let them know about the erasure where possible. If you ask us, we will also tell you, where it is possible and lawful for us to do so, with whom we have shared your personal information with so that you can contact them directly.
- Your right to restrict (block) processing
You can ask us to restrict the processing of your personal information in certain circumstances, such as where you contest the accuracy of that personal information or you object to us. If you are entitled to restriction and if we have shared your personal information with others, we will let them know about the restriction where it is possible for us to do so. If you ask us, we will also tell you, where it is possible and lawful for us to do so, with whom we have shared your personal information so that you can contact them directly.
- Your right to data portability
You have the right, in certain circumstances, to receive a copy of personal information we've obtain from you in a structured, commonly used and machine readable format, and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.
- Your rights in relation to automated decision-making and profiling
You have the right not to be subject to a decision when it's based on automatic processing, including profiling, if it produces a legal effect or similarly significantly affects you, unless such profiling is necessary for entering into, or the performance of, a contract between you and us.
- Your right to withdraw consent
If we rely on your consent (or explicit consent) as our legal basis for processing your personal information, you have the right to withdraw that consent at any time.
- Your right to lodge a complaint with the supervisory authority
If you have a concern about any aspect of our privacy practices, including the way we've handled your personal information, you can report it to the relevant supervisory authority.
Please note that some of these rights may be limited where we have an overriding legitimate interest or legal obligation to continue to process the personal information, or where the personal information may be exempt from disclosure due to applicable law, the applicable rules of professional conduct, attorney-client privilege, legal professional privilege, other applicable privileges or protections, or professional secrecy obligations.
12. Collection of information by third-party sites and sponsors
The Site contains links to other sites whose information practices may be different than ours. Visitors should consult the other sites' privacy notices as DLA Piper has no control over information that is submitted to or collected by these third parties.
The Site is not for use by children under the age of sixteen (16) years, and we do not knowingly collect, store, share or use the personal information of children under 16 years. If you are under the age of 16 years, please do not provide any personal information, even if prompted by the Site to do so. If you are under the age of 16 years and you believe you have provided personal information to us, please ask your parent(s) or guardian(s) to notify us and we will delete all such personal information.
14. Changes to this GDPR privacy notice
We may make changes to this GDPR Privacy Notice from time to time, to reflect changes in our practices. We may also make changes as required to comply with changes in applicable law or regulatory requirements. Where we materially change this Policy, we will take steps to notify you (such as by posting a notice on the Site or via email), and where required by applicable law to obtain your consent.
15. How to contact us?
If you have any questions about this GDPR Privacy Notice or want to exercise your rights set out in this GDPR Privacy Notice, please contact us at GDPR.inquiries.DLAUS@dlapiper.com.
DLA Piper US and DLA Piper UK LLP, as independent data controllers of the personal information collected via the Site, will work together to appropriately respond to your inquiries or requests related to that personal information. You may also contact DLA Piper UK LLP at firstname.lastname@example.org.