Safe Harbor Data Privacy Statement
Cleary Gottlieb has noted the recent Decision of the Court of Justice of the European Union in Schrems v Data Protection Commissioner (a reference from the High Court in Ireland) (the so-called “Safe Harbor decision”) as well as press releases by several national data protection authorities in EU countries in which Cleary Gottlieb has offices.
The U.S. Offices of CGSH remain Safe Harbor certified and the Firm will continue to comply with the relevant Safe Harbor Privacy Principles referred to in our Statement on this page. We will continue to review the position and any guidance given by national and/or EU data protection authorities or the U.S. Department of Commerce. Cleary Gottlieb remains committed to the protection of personal data and has additional arrangements in place covering transfers of personal data (personally identifiable information) among its offices both within and outside the EU and in particular to the U.S.
The New York and District of Columbia offices (“the Firm’s U.S. offices”) of Cleary Gottlieb Steen & Hamilton LLP (“the Firm” or “CGSH”) adhere to the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework concerning the transfer of personal data from the European Union (“EU”) and/or Switzerland to the United States.
Accordingly, the Firm’s U.S. offices comply with the seven Safe Harbor Privacy Principles published by the U.S. Department of Commerce (“Principles”) with respect to all such data.
This privacy statement outlines our general policy and practices (the “Policy”) for implementing the Principles, including the types of personal data the Firm’s U.S. offices receive from the Firm’s EU offices or clients, how that data is used, and the choices affected individuals have regarding the use of, and their ability to correct, the personal data relating to them. If there is any conflict between this Policy and the Principles, the Principles will govern.
This Policy applies to all “personal data”, defined as information that:
- the Firm’s U.S. offices receive from the Firm’s EU offices (directly or through affiliated entities, and references herein to the Firm’s EU offices shall be deemed to include their affiliated entities);
- is about, or pertains to, a specific individual;
- can be linked to that individual (also hereafter referred to as the “data subject”); and
- is recorded in any form, including on-line, off-line and manually processed data.
Limitation on Application of Principles
Adherence by the Firm’s U.S. offices to the Principles (and this Policy) will be limited as explicitly permitted by the Principles: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that create conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, our non-adherence is limited to the extent necessary to meet the overriding legitimate interests we further; or (c) if the effect of the EU Directive on Data Protection (the “Directive”) or EU Member State law is to allow exceptions or derogations, provided we apply such exceptions or derogations in comparable contexts. Where the option is allowable under the Principles and/or U.S. law, we will opt for the higher protection where reasonably possible.
Principles Protecting Individuals’ Privacy, Notice and Choice
The Firm’s EU offices, in accordance with applicable local law, notify (to the extent required) individuals if personal data relating to them is collected. Our EU offices provide such notice (to the extent required) through this Policy, engagement letters or other similar documents, and direct communication with individuals from whom the EU offices collect personal data. The EU offices collect and process personal data about CGSH personnel and independent associates for the purpose of human resources administration, recruitment and emergency administration. They collect and process personal data about clients and their personnel or other types of data for the purpose of rendering professional services. If a corporate client transfers personal data (about its personnel or other data subjects) to us, it will need to ensure that such transfer to the Firm’s EU offices or U.S. offices is permissible under applicable law.
The EU offices collect personal data in compliance with applicable EU law. Consent for personal data to be collected, used, and/or disclosed in certain ways (including opt-in consent for sensitive data) may be required in order for an individual to obtain or use the Firm’s services. Such consent is provided through engagement letters, employment agreements, and other similar documents.
Although in most cases it is anticipated that personal data to which this Policy applies will originally be collected or processed by the Firm’s EU offices, if the Firm’s U.S. offices directly collect such personal data they will do so in accordance with the Principles.
Disclosures and Transfers
The Firm’s U.S. offices do not disclose an individual’s personal data to third parties except in accordance with the Principles. The following are examples, but not an exhaustive list, of situations where disclosure or transfer would be permitted in accordance with the section of this Policy above entitled “Limitation on Application of Principles”:
The disclosure involves personal data of a client and is permitted by U.S. court rules governing lawyers’ duty of confidentiality to their clients, such as
- information generally known in the local community or in the trade, field or profession to which the information relates.
- information disclosed with such client’s informed consent.
- when disclosure is impliedly authorized to advance the best interests of the client and is reasonable and customary.
- to prevent reasonably certain death or substantial bodily harm.
- to prevent the client from committing a crime.
- to withdraw an opinion we issued where we believe the opinion is being used to further a fraud.
- to secure legal advice about our compliance with the law.
- to defend ourselves against an accusation of wrongful conduct or to collect a fee.
- to respond to a subpoena served on the Firm or otherwise to comply with law.
- if the client has offered material evidence to a tribunal that is false and disclosure is necessary as a remedial measure.
The disclosure involves personal data of a non-client and one of the following applies:
- the individual intentionally made the information public.
- we have the individual’s consent to make the disclosure.
- our duty of confidentiality to a client combined with our professional obligation to provide competent representation and not prejudice the client during a representation preclude us from seeking consent from the data subject, for example:
  - we represent a company in a transactional matter that requires transfer of employee or other individuals’ personal data in the company’s possession to prospective buyers or investors for the purposes of their due diligence, provided we have our client’s consent to do so.
  - we represent a company in a litigation or government investigation and assist the company in responding to a subpoena where responsive company documents include employee or other individuals’ personal data that our client has transferred to us.
Whether the data subject is a client or not:
- a national security law such as the Patriot Act or law enforcement requirement states that we are obligated to disclose the information.
- disclosure is necessary or advisable to protect the rights, safety or property of the Firm or others.
- the disclosure is to another CGSH entity or office or to persons or entities providing data processing or other services on our or the individual’s behalf (each a “transferee”), consistent with the purpose for which the information was obtained, if the transferee, with respect to the information in question:
  - subscribes to the Principles;
  - is subject to the Directive or another adequacy finding; or
  - agrees in writing that it will provide at least the same level of privacy protection as is required by the relevant Principles.
- the disclosure is otherwise permissible under the Directive.
Permitted transfers of personal data, either to third parties or within CGSH, include the transfer of data from one jurisdiction to another, including transfers to and from the United States.
Data, Security, Integrity, and Access
The Firm employs various physical, electronic, and managerial measures, including education and training of our personnel, designed to provide personal data with reasonable protection from loss, misuse or unauthorized access, disclosure, alteration or destruction. Personal data collected or displayed through a website or that is transmitted between our offices is protected in transit by standard encryption processes. However, we cannot guarantee the security of information on or transmitted via the Internet.
If an individual becomes aware that information we maintain about that individual is inaccurate, or if an individual would like to update or review his or her information, the individual may contact us using the contact information below. The individual will need to provide sufficient identifying information, such as name, address, and birth date. We may request additional identifying information as a security precaution. In addition, we may limit or deny access to personal data where providing such access would be unreasonably burdensome or expensive in the circumstances, or as otherwise permitted by the Principles, in the case of the Firm’s U.S. offices, or the Directive, in the case of the Firm’s EU offices. In some circumstances, we may charge a reasonable fee, where warranted, for access to personal data.
Accountability and Enforcement
The Firm’s U.S. offices will monitor their adherence to the Principles and address questions and concerns regarding their adherence. At least once a year, an authorized representative of the Firm’s U.S. offices will certify that this statement is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented, and accessible. We encourage interested persons to raise any concerns using the contact information below.
Individuals may file a complaint with the contacts named below under “Contact Information” in connection with CGSH’s processing of their personal data under the Principles. With respect to any dispute relating to this Policy that cannot be resolved through our internal processes:
- We will cooperate with competent EU and/or Swiss data protection authorities and comply with the advice of such authorities. In the event that we or such authorities determine that we did not comply with this Policy, we will take appropriate steps to address any adverse effects and to promote future compliance.
- Personnel who violate our privacy policies could be subject to disciplinary process.
We may amend this Policy from time to time by posting a revised policy on this website, or a similar website that replaces this site. So long as the Firm’s U.S. offices adhere to the Principles, we will not amend our Policy in a manner inconsistent with the Principles.
Information subject to Other Policies
The Firm’s U.S. offices are committed to following the Principles for all personal data within the scope of the Safe Harbor Agreement. Although this statement outlines our general policy for implementing the Principles, certain information is subject to other policies of the Firm’s U.S. offices that may differ in some respects from the general policies set forth in this statement but remain consistent with application of the Principles.
Certain CGSH websites have their own privacy policies that apply to those sites. These policies may be accessed through the websites in question.
In addition to the above, information relating to present or former CGSH personnel or independent associates of the EU offices is also subject to such offices’ policies concerning personnel data privacy, which are available to such current CGSH personnel on CGSH’s intranet site and such former CGSH personnel upon request.
Information obtained from or relating to clients or former clients is further subject to the terms of any privacy notice to the client, any engagement letter or other similar letters or agreements with the client, and applicable laws and professional standards.
For further information, please contact us.
As to issues arising in the U.S.
Professional Responsibility Counsel
Cleary Gottlieb Steen & Hamilton LLP
One Liberty Plaza
New York, New York 10006-1470
As to issues arising in the EU
Belgium – BelgiumPrivacy.Office@cgsh.com
France – FrancePrivacy.Office@cgsh.com
Germany – GermanyPrivacy.Office@cgsh.com
Italy – ItalyPrivacy.Office@cgsh.com
United Kingdom – UKPrivacy.Office@cgsh.com