Client and Third Party Privacy Notice
Last Updated: August 2023
Latham & Watkins (“Latham” or “the firm”) is committed to collecting, maintaining, and using personal information about our clients and business contacts responsibly. The provisions of data protection laws in Europe, the United Kingdom and elsewhere impose strict conditions on the firm. The firm has made a commitment through our Binding Corporate Rules to apply a consistent standard across the firm when collecting, using, and managing personal information. You can find out more about our Binding Corporate Rules below. See section 5 International Transfers.
This privacy notice explains how we may collect, use and disclose information about clients and other business and firm contacts, and describes the rights you may have in respect of your own personal information. Please read it carefully.
1. Who We Are
Latham & Watkins operates worldwide as a limited liability partnership organized under the laws of the State of Delaware (USA) with affiliated limited liability partnerships conducting the practice in France, Hong Kong, Italy, Singapore, and the United Kingdom (UK) and as an affiliated partnership conducting the practice in Japan. Latham & Watkins operates in Israel through a limited liability company, in South Korea as a Foreign Legal Consultant Office, and in Saudi Arabia through a limited liability company.
Contact details for our offices around the world can be found on our website www.lw.com. The data controller(s) in respect of your personal information will be the Latham entity or entities with which you are dealing and/or Latham & Watkins LLP. In accordance with applicable law, we have appointed a Data Privacy Officer (DPO) for our German offices. Our DPO, Dr. Sebastian Kraska, can be reached at +220.127.116.116-0 or email@example.com.
2. Who Does This Privacy Notice Apply To?
This notice applies to the individual client contacts with whom we deal, including prospective clients. It applies to personal information that is collected as part of our client on-boarding process and disengagement, as well as to the information gathered during the course of a client relationship.
It also applies to the personal information of employees at client entities and businesses and related contacts whose details we may receive as part of the provision of legal services. In these circumstances our main client contact is responsible for ensuring that all affected individuals are made aware that their personal details will be provided to us and of the purposes for which we will use that information, for example by showing them a copy of this notice.
In addition, this notice covers the personal information of individuals who are not existing or former clients but who engage with the firm by signing up to receive communications such as email alerts and publications, or who attend events run by the firm (either alone or in conjunction with partner organisations) whether online or in person.
Other Firm Contacts
This notice also covers the personal information of individuals that the firm has a business arrangement with, such as vendors, agents and adverse parties, or those who choose to register for the Directors Referral Program.
3. What Information Is Covered?
In this privacy notice, “personal information” means any information (whether electronic or written) relating to an individual who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
It also includes special categories of personal information (“special category data”) from which we can determine or infer an individual's racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, membership of a trade union, physical or mental health or condition (including biometric and genetic data), sexual life/orientation, or judicial data (including information concerning the commission or alleged commission of a criminal offence and any sentence or penalty imposed).
Latham will only collect special category data if it is necessary for one of the purposes described below. Further information about when and why we may need to do this is set out in section 4 The information we collect and how we use it.
4. The Information We Collect And How We Use It
Latham may use your personal information for a variety of purposes, as outlined in the following sections. Latham is committed to collecting and using only the personal information that is necessary for the provision of legal services to our clients; to establish and/or maintain its business relationship with business and/or firm contacts; to respond to your requests and inquiries, and to make individuals aware of and keep them informed of opportunities, services and events which it reasonably considers may be of interest to them and/or which they have otherwise confirmed their preference to receive from the firm. In the past 12 months, Latham has collected the following categories of personal information:
- identifiers (e.g., name, contact information, and identification numbers);
- biometric information (e.g., photographs);
- commercial information;
- professional or employment related information;
- publicly available social media and news reports;
- characteristics of protected classifications (e.g., nationality, political affiliation, citizenship status); and
- audio and video recordings (e.g., CCTV recordings, online meetings and webinars).
Appendix 1 provides more detail about the purposes, the information we may collect, the sources of the information and the legal authority relied upon by the firm.
In some cases, it will be mandatory for you to provide personal information to the firm to enable us to provide services to you (or your employer), engage with you or to comply with the firm’s legal obligations.
Identity, Conflicts, Anti-Money Laundering and other Checks
The firm collects a variety of information about clients and client contacts as part of our new client on-boarding process. This may be referred to as due diligence or “Know Your Client.” The checks may include some or all of the following:
- Identity verification: proof of name and address
- Ultimate beneficial ownership of corporate and other legal entities
- Conflicts checks: to avoid a conflict of interest with any other client
- Anti-money laundering, proceeds of crime and terrorist financing checks
- Politically Exposed Persons checks: those with prominent roles in government, judiciary, courts, central banks, embassies, armed forces and state-owned enterprises, including their family members and close associates
- Government Sanctions List checks
These checks are made for legal, regulatory or business reasons and may need to be repeated during the course of our engagement. It is important that you provide us with all necessary information and documents or this may affect our ability to provide services.
If we hold funds for you in our client account, we may be required to provide information on your identity to the bank(s) which administer the account.
We may use third party sources to obtain some of this information. Details can be found in Appendix 1.
Providing Legal Services
The firm may collect or generate additional details about you during the course of our engagement, for the purpose of providing legal services. As part of this we may collect information about employees of client organizations, for example when advising on a business sale, relocation program or share scheme. In addition, we may collect information to build up a client profile, which could include information regarding pitches, fees, events attended and business development endeavors, as well as publicly available social media and news reports, so we can track and understand the client relationship better. We may also collect information about parties and other individuals involved in an arbitration, where a member of the firm acts as arbiter.
We may also use your personal information:
- To administer our relationship and maintain contractual relations
- For accounting and tax purposes
- For marketing and business development
- To comply with the firm’s regulatory obligations
- To establish, exercise or defend legal rights
- For the prevention and detection of crime
- For historical and statistical purposes
Other Business Interactions
As part of your business or other commercial dealings with the firm, we may collect or generate details about you. We may use this personal information to administer our relationship and maintain contractual relations, for the provision of legal services to our clients, for accounting and tax purposes and to comply with our regulatory obligations.
Information Collected at our Premises
If you visit our premises, your image may be captured on CCTV systems operated by the firm or the entity which manages our premises. Building access control systems may also capture the location, time and date of your entry and exit to our offices. Where required by local law or regulation, we may also collect health screening information (including temperature) or other wellness data necessary to facilitate the safe functioning of our offices.
Where permitted by applicable law, Latham may record and/or monitor telephone calls made and received and electronic communications sent to or received by the firm’s networks in order to protect our business and verify compliance with our policies and relevant legal requirements. Any such recording and/or monitoring will be carried out for lawful business purposes and in accordance with applicable laws and regulations. This may include the following purposes:
- Recording facts (including converting voice messages into text)
- Establishing compliance with the firm’s policies and procedures
- Complying with applicable laws and regulations
- For crime prevention and detection
- To monitor the effective use and operation of the firm’s networks and systems
If you participate in a WebEx, Zoom or similar online meeting, event, web conference, or videoconference, the contents of the call or meeting (video and audio) may be recorded either by Latham or by our service provider. Recordings retained by the firm may be used for the firm’s legitimate business purposes. Please note that recordings may be discoverable in a relevant legal matter.
In order to communicate efficiently, correspondence and documents may be sent by unencrypted email. You will be aware that this is not guaranteed as a secure method of communication, nor are there any service standards for delivery. If you would prefer us not to use unencrypted email, please speak to your contact at the firm.
Marketing and Business Development
The firm collects information for marketing and business development purposes and as part of the general administration of client relationships. We may use some personal information for client entertainment purposes, including recording your interests and preferences.
We may pass your contact details to legal directories so they can contact you to provide a reference for the firm. We will let you know when we do this and you will have an opportunity to tell us if you do not want to be contacted in this way.
We will also use your personal details to send you information by email or post, or using social media or social networking sites, about our services, developments in law and practice, brochures, press releases, invitations to seminars and talks. You can select the practice areas and subjects you are interested in when you sign up on our website. You may update your preferences or opt out at any time. For more information on how to exercise your rights, see section 10 Your rights below.
If you attend an event that is run by or in association with the firm (whether online or in person), we will collect contact details as part of event registration. This information may include dietary requirements and details of any health issues or disabilities which may impact upon your attendance at or participation in the event. We may also request a delivery address (which may be your home address) for the purpose of sending a gift or other item to those attending the event.
Where an event is run in association with a partner organisation or hosted at an external venue, we may need to share your personal details with the partner, event organiser or venue. This will be made clear to you before you sign up for the event. Only the minimum information will be shared as necessary for the purposes of running the event.
If the event is run in association with a partner organisation, they will be responsible for informing you about any marketing they may wish to undertake and obtaining your consent where necessary.
If the event is run online, we may make a video and/or audio recording. You will be informed about this prior to the event so that you can choose whether or not to attend a recorded session, or whether to withhold your personal details during the event.
Board of Directors Referral Program
If you choose to register for the Directors Referral Program, we may pass your contact details and other relevant personal information to third parties to enable those third parties to consider you for positions on boards of directors or other similar opportunities.
5. International Transfers
Latham is an international firm operating on a global basis. Like most international businesses, Latham has centralised certain aspects of its client administration and records management in the United States, the UK, Belgium, Singapore and Hong Kong. In addition, where client projects span more than one jurisdiction, information will need to be accessed by all those within the firm who are working on the matter. As a result, your personal information may be transferred outside the country of origin (which includes transfers outside the European Economic Area ("EEA") and the UK) and may be accessed across the firm on a global basis.
Latham takes all necessary security and legal precautions to ensure the safety and integrity of personal information that is transferred within the firm. The firm has implemented Binding Corporate Rules (“BCRs”) which allow for global transfers within the firm of personal information originating in the EEA and the UK in accordance with applicable European and UK privacy laws. The BCRs require all Latham entities and offices worldwide to use the same standards of protection for personal information. Your personal information will therefore be given the same level of protection regardless of its location within the firm.
You can access the firm’s Binding Corporate Rules here.
Your personal information will also be accessed by Latham’s service providers who may be located in the United States and other jurisdictions. For more information, see section 7 Service Providers below.
The firm may disclose your personal information (i) where this is necessary for the purposes described in Appendix 1, including within the firm itself; (ii) if required by applicable law; (iii) in connection with a reorganization or combination of our firm with another firm; (iv) if we believe that such disclosure is necessary to enforce or apply terms of engagement and other agreements or otherwise protect and defend Latham’s rights, property or safety; (v) in order to comply with a judicial proceeding, court order or other legal obligation, or a regulatory or government inquiry; or (vi) with your consent.
We would like to draw particular attention to the fact that in some jurisdictions, Latham has a legal obligation to report suspicious transactions and other activity to relevant regulatory authorities under anti-money laundering, terrorist financing, insider dealing or related legislation. The firm may also report suspected criminal activity to the police and other law enforcement bodies. We may not be permitted to inform you about this in advance of the disclosure, or at all.
Third party recipients of personal information relating to clients, business and firm contacts may include:
- Tax and Customs & Excise authorities
- Regulatory, financial and other professional bodies
- Stock exchange and listing authorities
- Public registries of company directors and shareholdings
- Public health authorities
- Providers of identity verification services
- Credit reference agencies
- The courts, police and law enforcement agencies
- Government departments and agencies
- Auditors and professional advisers (including professional indemnity insurers and advisers)
Latham will use all reasonable efforts to disclose the minimum personal information necessary in each case.
We have in the last 12 months disclosed for a business purpose the categories of personal information listed in Appendix 1.
7. Service Providers
Third parties providing services to Latham are referred to as “Vendors.” Latham will put in place contracts with Vendors which address the requirements of relevant privacy laws. Vendors will be required to use appropriate security measures to protect personal information and will be prohibited from using personal information other than as instructed by the firm.
Vendors who process personal information on behalf of the firm may be located in the United States, Europe, the UK or other countries around the world. Latham will ensure that Vendors comply with any applicable legal requirements for transferring personal information outside the jurisdiction in which it was originally collected. If data is transferred outside the EEA or the UK to a country that has not been granted “adequate” status by the European Commission, Latham will require Vendors to execute the Standard Contractual Clauses for the transfer of personal information to third countries, as sanctioned under applicable European and UK privacy laws.
If you would like more information about the Vendors we work with, please contact the Global Data Privacy Office.
8. Keeping Your Information Up To Date
Latham makes every effort to maintain the accuracy and completeness of the personal information held by the firm. To help us ensure we have the most up to date information about you, it is important that you inform us of any updates to your contact details or other personal information. Please contact your Client Relationship Partner or the person you usually deal with at the firm. You can also contact Latham's Global Data Privacy Office.
The firm will retain personal information only for as long as it is needed for the purposes described in section 4 above: The information we collect and how we use it. Note that retention periods may vary in different jurisdictions.
The retention period for client files is detailed in our Engagement Letters.
We may need to retain information for significant periods of time in order to establish, exercise or defend our legal rights, and for archiving and historical purposes. Where possible and practical, personal information will be rendered anonymous through the removal, substitution or blocking of details which enable individuals to be identified.
10. Your Rights
In certain circumstances, subject to certain exceptions and applicable law, you may have the following rights in relation to personal information about you:
- the right to know (i) the specific pieces of personal information collected; (ii) the categories of personal information; (iii) the categories of sources of the personal information; (iv) the business or commercial purpose for collecting the personal information; (v) the categories of personal information disclosed for a business purpose; and (vi) the categories of third parties with whom the personal information is shared;
- the right to have your personal information corrected, for example if it is incomplete or incorrect;
- the right to opt out of receiving marketing communications at any time;
- the right to request that your personal information is deleted;
- the right to restrict or object to the processing of your personal information;
- the right to receive a copy of the personal information which you have provided to the firm, in a structured, commonly used and machine-readable format (known as “data portability”);
- where you have provided personal information voluntarily, or otherwise consented to its use, the right to withdraw your consent;
- the right not to be discriminated against if you exercise any rights conferred on you by the California Consumer Privacy Act of 2018;
- the right to complain to a Data Protection Authority (see further below).
If you have an online account, you may access, update and correct your personal information – including your marketing choices – using the account management facilities. You may also opt out of receiving marketing and market research communications at any time by contacting us at firstname.lastname@example.org.
Latham does not and will not sell your personal information as defined under the California Consumer Privacy Act of 2018.
If you have a query about this statement or wish to exercise your rights, please contact Latham's Global Data Privacy Office at GlobalDPO@lw.com. California residents may also call our toll-free number (866) 596-3896. You may also appoint an agent to submit a request on your behalf.
Once we receive your request, a member of the firm’s Global Data Privacy Office will contact you or your agent within the timeframe specified by applicable law to confirm receipt of your request and, if needed, to gather more information about your request. Depending on the nature of the request, additional information may be requested. You or your authorized agent may need to provide the following:
- Proof of identity and address (e.g., a copy of your driving license or valid passport);
- If you are acting as an authorized agent, express notarized permission from the individual on whose behalf you are acting;
- A description of the right(s) you want to exercise and the information to which your request relates.
Please note, we may not be obligated to provide access to personal information or delete any data to the extent that we cannot verify that the person making the request is the person about whom we collected information, or is someone authorized to act on that person’s behalf. Any personal information we collect from you to verify your identity in connection with your request will be used solely for the purposes of verification.
You also have the right to complain to a Data Protection Authority if you believe that your personal information has been collected or used in breach of relevant privacy legislation or Latham’s Binding Corporate Rules. If you are located in the European Union, this will be the Data Protection Authority in the country in which you are located. Alternatively you may contact the Hesse Commissioner for Data Protection and Freedom of Information (Hessischer Beauftragter fuer den Datenschutz und die Informationsfreiheit), PO Box 3163, 65021 Wiesbaden, Germany. Further information and contact details can be found at https://datenschutz.hessen.de/. Further information about making a complaint, either to Latham or to a Data Protection Authority, can be found in the Latham Data Privacy Complaints Procedure.