Global Privacy Standards

Effective Date of the Standards: September 2016
Last Updated: April 2024

Introduction

This document sets out the standards that apply to the processing of European Personal Data (as defined below) within Latham & Watkins (the Standards). Latham & Watkins is a global law firm with offices in 15 countries around the world. The firm operates without internal boundaries and the international nature of the business means it is vital that personal data can be transferred within the firm.

Latham & Watkins, through its Executive Committee, has made a commitment to protect personal data that is processed within the firm. In particular, these Standards are designed to facilitate the transfer of European Personal Data within Latham & Watkins, in accordance with European Regulation 2016/679.

Definitions

“Applicable Law” means the law in the jurisdiction in which an L&W Entity is situated and any other law to which an L&W Entity is subject.

“BCR Agreement” means the agreement which commits all L&W Entities that process European Personal Data to comply with the Standards. 

“Data Protection Authority” or “DPA” means the supervisory authority responsible for monitoring and enforcing compliance with data protection laws in a particular country.

“DPIA” means data protection impact assessment as defined under Art. 35 GDPR. 

“EEA” means the European Economic Area.

“EU Privacy Laws” means national laws in the EEA that implement European Regulation 2016/679, Directive 2002/58 (and any legislation that amends or replaces it), and related European privacy legislation.

“European Personal Data” means personal data of (i) staff, attorneys, partners, consultants, contractors, and potential candidates for any of the above collected and processed in relation to recruitment and human resources administration; (ii) clients, prospective clients, and alumni processed in relation to the provision of legal services and/or marketing and communications purposes; and (iii) suppliers, vendors, contractors, and advisers processed in the context of the relationship between such entities and Latham & Watkins (further information about which is set out in either the All-Personnel Fair Data Processing Statement, Recruitment Privacy Policy, Alumni Privacy Policy, or Client and Third Party Data Privacy Notice), by any L&W Entity as a data controller that is subject to applicable EU Privacy Laws.

“GDPR” means the European Regulation 2016/679.

“Latham & Watkins” and “the firm” means Latham & Watkins, a firm which operates worldwide as a limited liability partnership organized under the laws of the State of Delaware (USA) (the Delaware LLP) with affiliated limited liability partnerships conducting the practice in France, Italy, Hong Kong, Singapore, Kingdom of Saudi Arabia, and the United Kingdom and as an affiliated partnership conducting the practice in Japan. Latham & Watkins operates in South Korea as a Foreign Legal Consultant Office, and in addition to the above, the firm also includes any and all entities that are wholly owned by the Delaware LLP.

“Local Law” means the laws and/or regulations of, or any other legal obligation imposed by, any country to which an L&W Entity is subject other than applicable EU Privacy Laws.

“L&W Entity” means each of the limited liability partnerships, partnerships, and limited companies forming part of the firm.

“L&W Germany” means the Frankfurt office of Latham & Watkins.

“Model Clauses” means the standard contractual clauses for the transfer of personal data to processors or controllers established in third countries which are published and approved by the European Commission from time to time.

“Personal data” means information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity. The term “personal data” will also include any information relating to persons who are not natural persons where this is a requirement of applicable EU Privacy Laws.

“Personnel” means Latham & Watkins partners, attorneys, and staff, both temporary and permanent.

“Security breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to European Personal Data that is processed by an L&W Entity. 

“Special category data” means European Personal Data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, offences, criminal convictions, health, sexual orientation or sex life, genetic and biometric data, and any other special category covered by applicable EU Privacy Laws.

The terms “processing,” “data controller,” and “processor” shall have the meanings given to them in the GDPR.

Scope

Latham & Watkins currently operates in the following countries (countries within the EEA are in bold):

| Country | Offices | Country Contact Details |
| --- | --- | --- |
| United States of America | Austin, Boston, Century City, Chicago, Houston, Los Angeles, Los Angeles GSO, New York, Orange County, San Diego, San Francisco, Silicon Valley, Washington D.C. | 1271 Avenue of the Americas, New York, NY 10020, USA |
| United Kingdom | London, Manchester (no practice office) | 99 Bishopsgate, London EC2M 3XF, United Kingdom |
| **Belgium** | Brussels | Boulevard du Régent, 43-44, B-1000 Brussels, Belgium |
| **France** | Paris | 45, rue Saint-Dominique, Paris 75007, France |
| **Italy** | Milan | Corso Matteotti, 22, Milano, 20121, Italy |
| **Germany** | Frankfurt, Munich, Hamburg, Düsseldorf | Reuterweg 20, 60323 Frankfurt am Main, Germany |
| **Spain** | Madrid | Plaza de la Independencia 6, 28001 Madrid, Spain |
| Saudi Arabia | Riyadh | Al-Tatweer Towers, 7th Floor, Tower 1, King Fahad Highway, P.O. Box 17411, Riyadh 11484, Saudi Arabia |
| United Arab Emirates | Dubai | ICD Brookfield Place, Level 16, Dubai International Financial Centre, P.O. Box 506698, Dubai, United Arab Emirates |
| Israel | Tel Aviv | 28 HaArba’a Street, North Tower, 34th floor, Tel Aviv 6473925, Israel |
| South Korea | Seoul | 29F One IFC, 10 Gukjegeumyung-ro Yeongdeungpo-gu, Seoul 07326, Korea |
| China | Beijing | Unit 2318, China World Trade Office 2, 1 Jian Guo Men Wai Avenue, Beijing 100004, People's Republic of China |
| Hong Kong | | 18th Floor, One Exchange Square, 8 Connaught Place, Central, Hong Kong |
| Singapore | | 9 Raffles Place, #42-02 Republic Plaza, Singapore 048619 |
| Japan | Tokyo | Marunouchi Building, 32nd Floor, 2-4-1 Marunouchi, Chiyoda-ku, Tokyo 100-6332, Japan |

These Standards apply to the processing of European Personal Data by L&W Entities that are subject to applicable EU Privacy Laws.

These Standards apply to the transfer of personal data of employees, applicants, clients, and third parties.

Personal data of employees for instance includes:

  • identifiers (e.g., name, contact information, emergency contacts, photographs, proof of eligibility to work, and identification numbers);
  • personal and family details (e.g., place of birth, marital status, nationality, citizenship, family composition, passport and visa details);
  • health information (e.g., disabilities, sickness absence records, accident reporting, health screening information, occupational health information, meal preferences and food allergies);
  • data with respect to career management and development (e.g., employee category, full-/part-time status, education and qualifications, language ability, references, background checks, professional experience);
  • data with respect to the execution and termination of the employment contract or engagement (e.g., dates of employment, employee ID, time recording, work time and leave, performance evaluations, training, disciplinary proceedings and grievances, exit interview);
  • financial data (e.g., remuneration, compensation, salary, benefits, bank account details, tax/social security number);
  • audio and video recordings (e.g., CCTV recordings, online meetings and webinars, events and publications);
  • data related to use of building access control systems and access to and usage of office equipment and resources;
  • data related to travel for the purposes of the working relationship or as part of employee benefits programs.

Personal data of applicants for instance includes:

  • information included in the application (e.g., name, contact information, work and educational experience and qualifications, proof of eligibility to work identifiers and further information on CV);
  • sensitive information (e.g., race or ethnic origin, disabilities);
  • information collected during interviews and assessments (e.g., interview notes, feedback, information collected through assessments and video interview);
  • information on usage of recruitment portal and website (e.g., IP address information collected through cookies);
  • information from third parties, such as referees and recruiters;
  • information required to perform pre-employment background checks (e.g., criminal records checks, verification of qualifications and employment);
  • information on building access, security camera footage.

Client and third party related information for instance includes:

  • identifiers (e.g., name, contact information, and identification numbers);
  • biometric information (e.g., photographs);
  • commercial information;
  • professional or employment related information;
  • publicly available social media and news reports;
  • characteristics of protected classifications (e.g., nationality, political affiliation, citizenship status); and 
  • audio and video recordings (e.g., CCTV recordings, online meetings and webinars).

The processing of European Personal Data is based on, as appropriate:

  • consent, art 6 subsection 1 lit. a and art 9 subsection 2 lit. a GDPR,
  • performance of a contract, art 6 subsection 1 lit. b GDPR,
  • compliance with a legal obligation, art 6 subsection 1 lit. c GDPR,
  • legitimate interest, art 6 subsection 1 lit. f GDPR,
  • carrying out obligations and exercising specific rights in the field of employment, art 9 subsection 2 lit. b GDPR,
  • establishment, exercise or defense of legal claims, art 9 subsection 2 lit. f GDPR.

European Personal Data might be transferred throughout the firm’s network to the locations described in the table above.

The Standards also apply to any export of European Personal Data out of the EEA by an L&W Entity and to the processing of such exported data by an L&W Entity (either in the capacity of a data controller or a data processor) located outside the EEA and onwards transfers of European Personal Data to L&W Entities outside the EEA.

For the purposes of these Standards, it is acknowledged that the United Kingdom (UK) is considered a third country under the terms of the GDPR. Accordingly, Latham & Watkins (London) LLP (L&W London) will implement separate Global Data Privacy Standards covering the transfer of UK data within the firm. As regards the respective data transfers, L&W London will bear the sole responsibility for taking action to remedy acts and omissions of other L&W Entities outside the EEA that breach the UK Standards and to pay compensation for any damages resulting from such a breach of the UK Standards by L&W Entities located outside the EEA. Accordingly, data subjects wishing to file a complaint with regard to the processing of UK data should contact L&W London. 

Rules and Principles

1. Data Handling Principles

When acting as a data controller, each L&W Entity, processing European Personal Data in accordance with either the All-Personnel Fair Data Processing Statement, Recruitment Privacy Policy, Alumni Privacy Policy, or Client and Third Party Data Privacy Notice (as applicable), will comply with these principles:

1.1   European Personal Data will be processed transparently, fairly and lawfully: data subjects will have available to them, to the extent the relevant data subjects are not already aware of or in receipt of, information as to the identity of the data controller(s), the purposes for which their personal data may be used (subject to any permitted restrictions on the provision of such information, for example in connection with crime prevention, legal proceedings or taxation, or where prohibited by Applicable Law), the legal basis for processing and other relevant information as required by applicable EU Privacy Laws. Such information will include details of the rights available to data subjects under EU Privacy Laws.

1.2 European Personal Data will be collected for specified, explicit and legitimate business purposes and, unless otherwise permitted by applicable EU Privacy Laws, will not be further processed in any way that is incompatible with those purposes.

1.3 Special category data will be processed only where strictly necessary for the firm’s business purposes and in accordance with the requirements of applicable EU Privacy Laws.

1.4 Appropriate steps will be taken to ensure that European Personal Data collected and processed is adequate but not excessive, and that it is relevant, accurate and (where necessary) kept up to date. Appropriate steps will also be taken to correct or delete personal data promptly where it is found to be inaccurate.

1.5 European Personal Data will not be retained for longer than is necessary for the purposes for which it is processed and will be retained in accordance with the firm’s documented data retention policies (subject to regulatory requirements and the requirements of applicable EU Privacy Laws).

2. Data Security

2.1 Having regard to the state of the art and the cost of implementation, each L&W Entity will take appropriate technical and organizational measures to protect European Personal Data against accidental or unlawful destruction or accidental loss, alteration, damage, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. The measures will ensure a level of security appropriate to the risks represented by the processing and the nature of the European Personal Data to be protected, so that special category and other highly confidential information will receive enhanced protection. Such measures will include the following, where appropriate:

(a) pseudonymization;

(b) encryption;

(c) confidentiality, integrity, availability and resilience of systems and services;

(d) back-up and disaster recovery facilities; and

(e) processes to test, assess and evaluate the effectiveness of the security measures.

2.2 Each L&W Entity shall without delay notify the firm’s Global Data Privacy Office of any security breach. The Global Data Privacy Office will keep appropriate records documenting the security breach, any potential impact on data subjects and any remedial action taken. The Global Data Privacy Office shall ensure that notifications are made to relevant Data Protection Authorities and affected data subjects as may be required under EU Privacy Laws. The Global Data Privacy Office will share the records of security breaches concerning European Personal Data which is processed by a L&W Entity as a data controller in the EEA with the DPA in their country or jurisdiction if requested by that DPA to do so.

2.3 Each L&W Entity will take steps to ensure the reliability of those personnel who have access to or responsibility for European Personal Data, including processing European Personal Data in accordance with the firm’s instructions.

3. Working With Data Processors

3.1 When an L&W Entity engages the services of another L&W Entity as a data processor to process European Personal Data on its behalf, such data processor will comply with the relevant requirements of these Standards, and if necessary, the parties will put in place and comply with the terms of any additional agreements which may be required by applicable EU Privacy Laws.

3.2 When an L&W Entity engages the services of a data processor to process European Personal Data on its behalf and the data processor is a third party, the L&W Entity will select a data processor that provides appropriate assurances as to the level of security it will employ in respect of the European Personal Data to be processed. The L&W Entity will ensure that a contract is entered into with third party data processors which addresses relevant requirements of applicable EU Privacy Laws.

3.3 Where the L&W Entity is established in the EEA and engages a third-party data processor established outside the EEA to process European Personal Data on its behalf, the L&W Entity will either:

(a) ensure that a contract is in place with the data processor substantially in the form of, or incorporating the terms of, the Model Clauses for data processors (subject to any amendments that may be permitted by applicable EU Privacy Laws); or

(b) ensure that other suitable protections are in place, in accordance with applicable EU Privacy Laws, to safeguard the European Personal Data.

The same standards apply to third party data processors established in the UK once the transition period as stated in Article FINPROV.10A para 1, 4 of the Trade and Cooperation Agreement between the EU and UK dated December 24, 2020, has expired. After the transition period has expired, L&W Entities will only transfer European Personal Data to the UK on the grounds of appropriate legal safeguards within the meaning of Art. 45 et seqq. GDPR. Respective safeguards may be, among other things, Model Clauses or an adequacy decision by the European Commission determining that the UK may guarantee a comparable level of data protection as the EU. 

3.4 If a L&W Entity (acting as a data controller) transfers European Personal Data to a third-party controller outside the firm, the L&W Entity will ensure that such transfers are carried out in accordance with the requirements of applicable EU Privacy Laws. Where required by applicable EU Privacy Laws, or where otherwise permitted by applicable EU Privacy Laws and considered appropriate, the L&W Entity will put in place safeguards to protect the European Personal Data and the rights of individuals. Such safeguards may take the form of a contract, either in the form of the Model Clauses for controller to controller transfers or in another form which will provide an adequate level of protection.

4. Staff Training

4.1 Latham & Watkins maintains a privacy and security awareness program focused on educating all staff, attorneys, and paralegals about the firm’s privacy and security policies as well as privacy and security best practices.

4.2 A variety of communications channels are used to disseminate privacy and security awareness information. Best practice guides and privacy and security awareness tip sheets and initiatives are available on dedicated privacy and security intranet sites for all personnel to access.

4.3 Each L&W Entity will also ensure that personnel who have access to or responsibility for handling personal data are provided with appropriate guidance and training.

5. Conflict With Applicable Local Laws

5.1 Where Local Law requires a higher level of protection for European Personal Data than is set out in these Standards, the provisions of the Local Law will take precedence.

6. Mutual Assistance and Cooperation With Data Protection Authorities

6.1 Each L&W Entity will comply with instructions issued by the DPA in their country or jurisdiction insofar as they relate to these Standards or to the processing of European Personal Data generally, and will take into consideration any advice given by the DPA as to the interpretation of these Standards.

6.2 L&W Entities will assist one another in responding to any enquiry or investigation by a DPA relating to these Standards and provide the relevant DPA with information the DPA reasonably requests in relation to the processing of European Personal Data.

6.3 L&W Entities will also assist one another in responding to an enquiry or complaint from a data subject relating to these Standards or the processing of their European Personal Data. 

7. Data Transfer

7.1 L&W Entities shall transfer European Personal Data to Data Processors and other third parties in accordance with Articles 44 to 46 GDPR or subject to a derogation in accordance with Article 49 GDPR.

7.2 The Global Data Privacy Office, on behalf of the L&W Entities, shall perform and document a transfer impact assessment prior to engaging in a transfer of European Personal Data taking into account the following elements:

7.2.1 the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

7.2.2 the laws and practices of the third country of destination — including those requiring the disclosure of data to public authorities or authorizing access by such authorities — relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;

7.2.3 any relevant contractual, technical, or organizational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

8. Latham & Watkins Policies, Accountability, and Privacy Function

8.1 In accordance with the EU Privacy Laws, L&W Germany has appointed a DPO. The contact details of the DPO will be published in Latham & Watkins’ privacy policies.

9. Responsibility for Compliance

9.1 All Latham & Watkins personnel are required to comply with these Standards and must indicate their acceptance of these Standards, in conjunction with the firm’s latest Acceptable Use of Communication Systems Policy, when they join the firm and thereafter on an annual basis.

9.2 The firm has executed the BCR Agreement. L&W Germany has been appointed by the firm as the L&W Entity with delegated EEA data protection responsibilities. L&W Germany shall take action to remedy any breach of the Standards, which it can enforce contractually through the BCR Agreement.

9.3 L&W Germany accepts responsibility for taking action to remedy acts and omissions of other L&W Entities outside the EEA which breach these Standards and to pay compensation for any damages resulting from such a breach of these Standards by L&W Entities located outside the EEA. Consequently, any claims against Latham & Watkins offices located outside the EEA should be brought against L&W Germany (other than claims relating to the UK, which should be brought against Latham & Watkins (London) LLP). Any claim against a Latham & Watkins office located in the EEA should be brought against such Latham & Watkins office.

10. Audit Program to Verify Compliance

Latham & Watkins undertakes to put in place measures to assess and verify compliance with these Standards and applicable data protection legislation:

11. Updates

11.1 The Privacy Committee will keep these Standards under review, will ensure that they are updated regularly and will communicate relevant updates to L&W Entities without undue delay. The Privacy Committee will ensure that any changes in the firm’s structure are reflected in these Standards and that any new L&W Entities are required to accept and comply with the terms of these Standards. The Privacy Committee will inform L&W Entities about any changes to these Standards.

11.2 The non-confidential provisions of these Standards, including the content of Appendix 1 (Data Privacy Complaints Procedure), will be published on the external Latham & Watkins internet site and on the Latham & Watkins intranet site. Any updates to the Standards will be published without delay. The full text of the Standards will be made available on request (subject to a confidentiality agreement) to any data subject who wishes to exercise the rights of redress described in the Data Privacy Complaints Procedure at Appendix 1.

12. Rights of Access, Correction, and Objection (including Marketing and Profiling)

Each L&W Entity acknowledges that data subjects have the following rights as third party beneficiaries in relation to the L&W Entity in its capacity as a data controller of European Personal Data:

12.1 the right to receive information about the way in which their personal data is processed by the relevant L&W Entity in its capacity as a data controller of European Personal Data, including a copy of these Standards and the Data Privacy Complaints Procedure;

12.2 the right to receive a copy of European Personal Data held about them (including the purpose and manner of processing) by the L&W Entity within the time scales and at the intervals specified in applicable EU Privacy Law, subject to any right to refuse such request in whole or in part that may be available to the L&W Entity under applicable EU Privacy Laws; 

12.3 the right to have their European Personal Data updated, corrected or completed, in particular because of the incomplete or inaccurate nature of the data, subject to the provisions of applicable EU Privacy Laws;

12.4 the right to have European Personal Data erased, subject to the provisions of applicable EU Privacy Laws;

12.5 the right to restrict processing of their European Personal Data, subject to the provisions of applicable EU Privacy Laws;

12.6 the right to receive the European Personal Data, which the data subject has provided to a L&W Entity in its capacity as a data controller of European Personal Data, in a structured, commonly used and machine-readable format and to transmit such personal data to another data controller, subject to the provisions of applicable EU Privacy Laws;

12.7 where required by the provisions of applicable EU Privacy Laws, the right not to receive direct marketing material without having given prior consent and, in all cases, the right to object at any time to the processing of their personal data (including profiling) for direct marketing purposes;

12.8 the right to object at any time to the processing of their European Personal Data, subject to the provisions of applicable EU Privacy Laws; and

12.9 the right to object to decisions involving their European Personal Data being taken about them based solely on automated processing, including profiling, where such decisions assess their personal characteristics or behavior and produce legal effects which concern or significantly affect them (except to the extent permitted by and subject to the safeguards contained in applicable EU Privacy Laws).

13. Breaches of These Standards

Latham & Watkins acknowledges that data subjects shall be entitled to enforce the following rights against the firm in respect of European Personal Data as third-party beneficiaries:

13.1 a right to obtain a copy of these Standards upon request (subject to any confidentiality undertaking reasonably requested by the firm or the L&W Entity dealing with the request);

13.2 a right to receive a response within a reasonable time, and no later than 1 month after the request was made (or no later than three months in case of a complex request), to any queries concerning the processing of the data subject’s European Personal Data outside the EEA;

13.3 a right to make a complaint and obtain appropriate redress (including, where appropriate, compensation for damage suffered) as a result of a breach of these Standards by any L&W Entity (excluding any breaches of the provisions relating to staff training, Latham & Watkins’ policies and privacy function, audit program and updates to these Standards);

13.4 a right to make a complaint to a Data Protection Authority in the European Economic Area in the country of habitual residence or place of work of the data subject, or the location of the alleged infringement of these Standards; and

13.5 a right to seek an effective judicial remedy in the appropriate court in the European Economic Area, which may be in the jurisdiction in which the relevant L&W Entity is established or in the data subject’s habitual place of residence.

14. Enforcement of a Data Subject’s Rights

14.1 The process for exercising the rights described in section 14 is set out in more detail in the Latham & Watkins Data Privacy Complaints Procedure at Appendix 1 to these Standards.

14.2 A data subject wishing to enforce their rights should contact the Global Data Privacy Office in the first instance, but may also lodge a complaint with the Chair of the Privacy Committee located in Frankfurt, or the DPA or the courts in the territory in which the relevant L&W Entity is located.

14.3 Any data subject seeking to enforce their rights under these Standards will be required to produce evidence giving rise to a prima facie case showing that a breach has occurred.

14.4 The L&W Entities acknowledge that the data subject may be represented by a not-for-profit body, organization, or association in accordance with the EU Privacy Laws and subject to an appropriate power of attorney.

15. Termination

15.1 Upon termination of these Standards or suspension of the transfer, the relevant L&W Entities may keep, return or delete the European Personal Data and copies thereof based on the data exporter’s selection.

Appendix 1

Latham & Watkins Data Privacy Complaints Procedure