This document sets out the standards that apply to the processing of European Personal Data (as defined below) within Latham & Watkins (the “Standards”). Latham & Watkins is a global law firm with offices in 16 countries around the world. The firm operates without internal boundaries and the international nature of the business means it is vital that personal data can be transferred within the firm.
Latham & Watkins, through its Executive Committee, has made a commitment to protect personal data that is processed within the firm. In particular, these Standards are designed to facilitate the transfer of European Personal Data within Latham & Watkins, in accordance with European Regulation 2016/679.
“Applicable Law” means the law in the jurisdiction in which a L&W Entity is situated and any other law to which a L&W Entity is subject.
“BCR Agreement” means the agreement which commits all L&W Entities which process European Personal Data to comply with the Standards.
“Data Protection Authority” or “DPA” means the supervisory authority responsible for monitoring and enforcing compliance with data protection laws in a particular country.
“DPIA” means data protection impact assessment as defined under Art. 35 GDPR.
“EEA” means the European Economic Area.
“EU Privacy Laws” means national laws in the EEA and the United Kingdom (“UK”) which implement European Regulation 2016/679, Directive 2002/58 (and any legislation that amends or replaces it) and related European privacy legislation (including for the avoidance of doubt the UK Data Protection Act 2018).
“GDPR” means the European Regulation 2016/679.
“Latham & Watkins” and “the firm” means Latham & Watkins, a firm which operates worldwide as a limited liability partnership organized under the laws of the State of Delaware (USA) (the “Delaware LLP”) with affiliated limited liability partnerships conducting the practice in the United Kingdom, France, Italy and Singapore, as affiliated partnerships conducting the practice in Hong Kong and Japan and in cooperation with the Law Office of Salman M. Al-Sudairi in Saudi Arabia. In addition to the above, the firm also includes any and all entities that are wholly owned by the Delaware LLP.
“Local Law” means the laws and/or regulations of, or any other legal obligation imposed by, any country to which a L&W Entity is subject other than applicable EU Privacy Laws.
“L&W Entity” means each of the limited liability partnerships, partnerships and limited companies forming part of the firm.
“L&W Germany” means the Frankfurt office of Latham & Watkins.
“Model Clauses” means the standard contractual clauses for the transfer of personal data to processors or controllers established in third countries which are published and approved by the European Commission from time to time.
“Personal data” means information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. The term “personal data” will also include any information relating to persons who are not natural persons where this is a requirement of applicable EU Privacy Laws.
“Personnel” means Latham & Watkins partners, attorneys and staff, both temporary and permanent.
“Security breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to European Personal Data which is processed by a L&W Entity.
“Special category data” means European Personal Data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, offences, criminal convictions, health, sexual orientation or sex life, genetic and biometric data and any other category covered by applicable EU Privacy Law.
The terms “processing”, “data controller” and “processor” shall have the meanings given to them in the GDPR.
Latham & Watkins currently operates in the following countries (countries within the EEA are highlighted in grey):
* Latham & Watkins practices in Saudi Arabia in association with the Law Office of Salman M. Al-Sudairi.
These Standards apply to the processing of European Personal Data by Latham & Watkins Entities located in the EEA and also in the UK.
The Standards also apply to any export of European Personal Data out of the EEA or the UK by a L&W Entity and to the processing of such exported data by a L&W Entity (either in the capacity of a data controller or a data processor) located outside the EEA.
For the purposes of these Standards, it is acknowledged that:
a) the UK is considered a third country under the terms of European Regulation 2016/679;
b) under the UK Data Protection Act 2018, personal data may be exported from the UK to EEA member states; and
c) under the UK Data Protection Act 2018, Binding Corporate Rules provide appropriate safeguards for the transfer of personal data within a group of undertakings to countries outside the EEA.
RULES AND PRINCIPLES
1. Data Handling Principles
1.1 European Personal Data will be processed transparently, fairly and lawfully: data subjects will have available to them, to the extent the relevant data subjects are not already aware of or in receipt of, information as to the identity of the data controller(s), the purposes for which their personal data may be used (subject to any permitted restrictions on the provision of such information, for example in connection with crime prevention, legal proceedings or taxation, or where prohibited by Applicable Law), the legal basis for processing and other relevant information as required by applicable EU Privacy Laws. Such information will include details of the rights available to data subjects under EU Privacy Laws.
1.2 European Personal Data will be collected for specified, explicit and legitimate business purposes and, unless otherwise permitted by applicable EU Privacy Laws, will not be further processed in any way that is incompatible with those purposes.
1.3 Special category data will be processed only where strictly necessary for the firm’s business purposes and in accordance with the requirements of applicable EU Privacy Laws.
1.4 Appropriate steps will be taken to ensure that European Personal Data collected and processed is adequate but not excessive, and that it is relevant, accurate and (where necessary) kept up to date. Appropriate steps will also be taken to correct or delete personal data promptly where it is found to be inaccurate.
1.5 European Personal Data will not be retained for longer than is necessary for the purposes for which it is processed and will be retained in accordance with the firm’s documented data retention policies (subject to regulatory requirements and the requirements of applicable EU Privacy Laws).
2. Data Security
2.1 Having regard to the state of the art and the cost of implementation, each L&W Entity will take appropriate technical and organisational measures to protect European Personal Data against accidental or unlawful destruction or accidental loss, alteration, damage, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. The measures will ensure a level of security appropriate to the risks represented by the processing and the nature of the European Personal Data to be protected, so that special category and other highly confidential information will receive enhanced protection. Such measures will include the following, where appropriate:
(c) confidentiality, integrity, availability and resilience of systems and services;
(d) back-up and disaster recovery facilities; and
(e) processes to test, assess and evaluate the effectiveness of the security measures.
2.2 Each L&W Entity shall without delay notify the firm’s Global Data Privacy Office of any security breach. The Global Data Privacy Office will keep appropriate records documenting the security breach, any potential impact on data subjects and any remedial action taken. The Global Data Privacy Office shall ensure that notifications are made to relevant Data Protection Authorities and affected data subjects as may be required under EU Privacy Laws. The Global Data Privacy Office will share the records of security breaches concerning European Personal Data which is processed by a L&W Entity as a data controller in the EEA or in the UK with the DPA in their country or jurisdiction if requested by that DPA to do so.
2.3 Each L&W Entity will take steps to ensure the reliability of those personnel who have access to or responsibility for European Personal Data, including processing European Personal Data in accordance with the firm’s instructions.
3. Working with Data Processors
3.1 When a L&W Entity engages the services of another L&W Entity as a data processor to process European Personal Data on its behalf, such data processor will comply with the relevant requirements of these Standards, and if necessary, the parties will put in place and comply with the terms of any additional agreements which may be required by applicable EU Privacy Laws.
3.2 When a L&W Entity engages the services of a data processor to process European Personal Data on its behalf and the data processor is a third party, the L&W Entity will select a data processor that provides appropriate assurances as to the level of security it will employ in respect of the European Personal Data to be processed. The L&W Entity will ensure that a contract is entered into with third party data processors which addresses relevant requirements of applicable EU Privacy Laws.
3.3 Where the L&W Entity is established in the EEA or the UK and engages a third party data processor established outside the EEA to process European Personal Data on its behalf, the L&W Entity will either:
(a) ensure that a contract is in place with the data processor substantially in the form of, or incorporating the terms of, the Model Clauses for data processors (subject to any amendments that may be permitted by applicable EU Privacy Laws); or
(b) ensure that other suitable protections are in place, in accordance with applicable EU Privacy Laws, to safeguard the European Personal Data.
3.4 If a L&W Entity (acting as a data controller) transfers European Personal Data to a third party controller outside the firm, the L&W Entity will ensure that such transfers are carried out in accordance with the requirements of applicable EU Privacy Laws. Where required by applicable EU Privacy Laws, or where otherwise permitted by applicable EU Privacy Laws and considered appropriate, the L&W Entity will put in place safeguards to protect the European Personal Data and the rights of individuals. Such safeguards may take the form of a contract, either in the form of the Model Clauses for controller to controller transfers or in another form which will provide an adequate level of protection.
4. Staff Training
4.1 Latham & Watkins maintains a privacy and security awareness program focused on educating all staff, attorneys and paralegals about the firm’s privacy and security policies as well as privacy and security best practices.
4.2 A variety of communications channels are used to disseminate privacy and security awareness information. Best practice guides and privacy and security awareness tip sheets and initiatives are available on dedicated privacy and security intranet sites for all personnel to access.
4.3 Each L&W Entity will also ensure that personnel who have access to or responsibility for handling personal data are provided with appropriate guidance and training.
5. Conflict with applicable Local Laws
5.1 Where Local Law requires a higher level of protection for European Personal Data than is set out in these Standards, the provisions of the Local Law will take precedence.
6. Mutual Assistance and Cooperation with Data Protection Authorities
6.1 Each L&W Entity will comply with instructions issued by the DPA in their country or jurisdiction insofar as they relate to these Standards or to the processing of European Personal Data generally, and will take into consideration any advice given by the DPA as to the interpretation of these Standards.
6.2 L&W Entities will assist one another in responding to any enquiry or investigation by a DPA relating to these Standards.
6.3 L&W Entities will also assist one another in responding to an enquiry or complaint from a data subject relating to these Standards or the processing of their European Personal Data.
7. Responsibility for Compliance
7.1 All Latham & Watkins personnel are required to comply with these Standards and must indicate their acceptance of these Standards, in conjunction with the firm’s latest Acceptable Use of Communication Systems Policy, when they join the firm and thereafter on an annual basis.
7.2 The firm has executed the BCR Agreement. L&W Germany has been appointed by the firm as the L&W Entity with delegated EEA data protection responsibilities. L&W Germany shall take action to remedy any breach of the Standards, which it can enforce contractually through the BCR Agreement.
7.3 L&W Germany accepts responsibility for taking action to remedy acts and omissions of other L&W Entities outside the EEA which breach these Standards and to pay compensation for any damages resulting from such a breach of the Standards by L&W Entities located outside the EEA. Consequently, any claims against Latham & Watkins offices located outside the EEA should be brought against Latham & Watkins Germany. Any claim against a Latham & Watkins office located in the EEA should be brought against such Latham & Watkins office.
8. Audit Programme to Verify Compliance
Latham & Watkins undertakes to put in place measures to assess and verify compliance with these Standards and applicable data protection legislation:
9.1 The Privacy Committee will keep these Standards under review, will ensure that they are updated regularly and will communicate relevant updates to L&W Entities without undue delay. The Privacy Committee will ensure that any changes in the firm’s structure are reflected in these Standards and that any new L&W Entities are required to accept and comply with the terms of these Standards.
9.2 The non-confidential provisions of these Standards, including the content of Appendix 1 (Data Privacy Complaints Procedure), will be published on the external Latham & Watkins internet site and on the Latham & Watkins intranet site. The full text of the Standards will be made available on request (subject to a confidentiality agreement) to any data subject who wishes to exercise the rights of redress described in the Data Privacy Complaints Procedure at Appendix 1.
10. Rights of Access, Correction and Objection (including Marketing and Profiling)
Each L&W Entity acknowledges that data subjects have the following rights as third party beneficiaries in relation to the L&W Entity in its capacity as a data controller of European Personal Data:
10.1 the right to receive information about the way in which their personal data is processed by the relevant L&W Entity in its capacity as a data controller of European Personal Data, including a copy of these Standards and the Data Privacy Complaints Procedure;
10.2 the right to receive a copy of European Personal Data held about them (including the purpose and manner of processing) by the L&W Entity within the time scales and at the intervals specified in applicable EU Privacy Law, subject to any right to refuse such request in whole or in part that may be available to the L&W Entity under applicable EU Privacy Laws;
10.3 the right to have their European Personal Data updated, corrected or completed, in particular because of the incomplete or inaccurate nature of the data, subject to the provisions of applicable EU Privacy Laws;
10.4 the right to have European Personal Data erased, subject to the provisions of applicable EU Privacy Laws;
10.5 the right to restrict processing of their European Personal Data, subject to the provisions of applicable EU Privacy Laws;
10.6 the right to receive the European Personal Data, which the data subject has provided to a L&W Entity in its capacity as a data controller of European Personal Data, in a structured, commonly used and machine-readable format and to transmit such personal data to another data controller, subject to the provisions of applicable EU Privacy Laws;
10.7 where required by the provisions of applicable EU Privacy Laws, the right not to receive direct marketing material without having given prior consent and, in all cases, the right to object at any time to the processing of their personal data (including profiling) for direct marketing purposes;
10.8 the right to object at any time to the processing of their European Personal Data, subject to the provisions of applicable EU Privacy Laws; and
10.9 the right to object to decisions involving their European Personal Data being taken about them based solely on automated processing, including profiling, where such decisions assess their personal characteristics or behaviour and produce legal effects which concern or significantly affect them (except to the extent permitted by and subject to the safeguards contained in applicable EU Privacy Laws).
11. Breaches of these Standards
Latham & Watkins acknowledges that data subjects shall be entitled to enforce the following rights against the firm in respect of European Personal Data as third party beneficiaries:
11.1 a right to obtain a copy of these Standards upon request (subject to any confidentiality undertaking reasonably requested by the firm or the L&W Entity dealing with the request);
11.2 a right to receive a response within a reasonable time, and no later than 1 month after the request was made, to any queries concerning the processing of the data subject’s European Personal Data outside the EEA;
11.3 a right to make a complaint and obtain appropriate redress (including, where appropriate, compensation for damage suffered) as a result of a breach of these Standards by any L&W Entity (excluding any breaches of the provisions relating to staff training, Latham & Watkins’ policies and privacy function, audit programme and updates to these Standards);
11.4 a right to make a complaint to a Data Protection Authority in the European Economic Area in the country of habitual residence or place of work of the data subject, or the location of the alleged infringement of these Standards; and
11.5 a right to seek an effective judicial remedy in the appropriate court in the European Economic Area, which may be in the jurisdiction in which the relevant L&W Entity is established or in the data subject’s habitual place of residence.
12. Enforcement of a Data Subject’s Rights
12.1 The process for exercising the rights described in section 12 is set out in more detail in the Latham & Watkins Data Privacy Complaints Procedure at Appendix 1 to these Standards.
12.2 A data subject wishing to enforce their rights should contact the Global Data Privacy Office in the first instance, but may also lodge a complaint with the Chair of the Privacy Committee located in Frankfurt, or the DPA or the courts in the territory in which the relevant L&W Entity is located.
12.3 Any data subject seeking to enforce their rights under these Standards will be required to produce evidence giving rise to a prima facie case showing that a breach has occurred.
Effective Date of the Standards: September 2016
Updated July 2020
Latham & Watkins Data Privacy Complaints Procedure