Privacy Policy

Last Updated: October 1, 2024

Introduction

We at Goodwin Procter LLP and its affiliated undertakings (“Goodwin”, “we”, “us” and/or “our”) value the relationship we have with you. For full details of our affiliated entities, please view “Legal Notices – Jurisdictions” on our website (“Site”).

This Privacy Policy explains how we collect, use, share, store and otherwise process your personal data when you use our Site, in connection with your relationship with us as a Goodwin client/recipient of our services, vendor, prospective employee, alumna or your general interest in our services, publications and events. It also explains your rights under applicable data protection laws such as the General Data Protection Regulation (GDPR), the Singapore Data Protection Act (PDPA) and US consumer privacy laws, including the California Consumer Privacy Act (CCPA)

The data controller for personal data we collect via the Site is Goodwin Procter LLP, unless we advise you otherwise. For other data subjects, including clients/recipients of our services, vendors, prospective employees and alumna, the data controller is the specific Goodwin entity that is processing your personal data. The data controller decides how personal data about you is processed.

Information We Collect; Purpose of Processing

We regularly collect personal data as a law firm providing professional services. The types of personal data relating to you that we may collect, and the purposes for which we process this data, depends on the nature of your interaction with us. Please read the table below for more information, including the legal basis under which we are allowed to process your personal data.

When do we obtain your personal data?	Types of personal data that we may process	Purpose/legal basis for processing
When you browse or interact with us, our Site or other services, including by email and through the use of cookies and other similar technologies (for more information, read our Cookie Policy)	Name, title, gender Contact details (email address, physical address, phone numbers) Your employer Description of yourself, your position, your requirements or comments, and your relationship to a person Technical information (including your IP address, domain name, type of browser and operating system used) Frequency and timing of email contact and information included in email subject lines Your preferences	Legitimate interests: Getting to know clients or potential clients, colleagues, recruiters, employees, workers, consultants, and service providers Managing business communications with our clients and prospective clients Maintaining and managing our Site Responding to your communication(s) with us Improving the quality of our communications and interaction with you Internal statistical analysis (which may include where our Site is being used geographically or understanding how you interact with certain emails we send you and understanding relationships and activities between our partners and their business contacts for more efficient and targeted marketing) unless we need your consent before placing analytics cookies, as described in our Cookie Policy Consent: When required under the PDPA
As part of our business intake/client onboarding procedures and when providing legal services to you or to an entity with which you are associated, including as an employee, representative, authorized signatory, director, shareholder or beneficial owner and when we provide charitable, volunteer or other such services to you or the organization you are associated with, including as a student	Name, title, gender Contact details (personal or business email address, telephone numbers, physical address) Company Position Information relating to any matter that you want to discuss with us that relates to you as an individual, which may include sensitive personal data Information from identification documents Financial information, such as bank account details and requests relating to invoices Any other personal data, which may include sensitive personal data, disclosed to us during the onboarding process and the provision of legal services, including personal data relating to a corporate client's or another's employees, customers and other individuals	Legal obligation: Acting in compliance with anti-money laundering regulations, sanctions requirements and any other applicable legal obligations, such as legal privilege Legitimate interests: When we are required to comply with laws other than EEA, UK or Singapore laws In order to fulfill our contractual obligations to you when you are an entity and the processing relates to natural persons; provided you have undertaken to inform such persons of this privacy policy and obtained any necessary consents Contract: Fulfilling our obligations under our engagement or other agreement with you Consent: When processing special categories of personal data; unless another condition applies, such as processing that is necessary for the establishment, exercise or defense of legal claims or for carrying out our obligations under employment, social security and social protection laws When processing personal data relating to criminal convictions and offences or related security measures, unless another condition applies under applicable law, such as protecting an individual's vital interests, personal data manifestly made public by the data subject, or processing in connection with legal proceedings, legal advice or legal rights When required under the PDPA
When you provide data to us in order to register for an in person or virtual event or to receive event invitations, updates, or other marketing materials	Name, title, gender Contact details (personal or business email address, telephone numbers, physical address) Company Position Your communication preferences (what types of communication you want to receive, when you want to stop receiving communications, feedback, and requests relating to our communications) Any other personal data that you disclose to us, such as dietary and access requirements, comments, or requests	Consent: On the basis of the consent that you have provided us to receive certain communications When required under the PDPA Legitimate Interests: When we share with co-hosts or speakers limited personal data (name, title, employer) of attendees to events we host, in order to ensure the efficient management of the event. When registering you for an event, in order to fulfill your event registration request
When you apply for a job, traineeship, secondment, summer placement, vacation scheme or internship	Name, title, gender, date of birth, NIN, SSN Results of background checks including references, qualifications, and to the extent permitted by law, criminal background checks (unspent convictions) Passport, work permit, visa, or other immigration documentation Contact details (personal, business or educational institution email address, telephone numbers, physical address) CV, including relevant skills and experience Special requirements (such as, or relating to, a disability/health issue) Any other personal data that you may provide to us through the application process, such as views and preferences that you disclose to us in interviews, your responses to questions, and demonstration of your skills Voluntary Equal Employment Opportunity (EEO) information that you may choose to provide to us, such as your ethnic origin, gender, veteran status, and whether you identify as LGBTQ+	Legitimate Interests: Fulfilling our staffing requirements Ensuring potential recruits of any kind are appropriately qualified for positions at the firm When we are required to comply with laws other than EEA, UK or Singapore laws Consent: On the basis of any consent that we are required to obtain under applicable law, in relation to our criminal background checks When required under the PDPA Legal obligation: Acting in compliance with anti-money laundering regulations concerning screening Verifying your right to work lawfully in the relevant country applicable to your application PLEASE NOTE If you are applying to work at Goodwin – whether as a partner, employee, intern, trainee, secondee, vacation student, or in any other capacity please also refer to our separate recruitment privacy policies before submitting any personal data to us.
If you are an alumnus/a	Name, title, gender, date of birth Contact details (personal or business email address, telephone numbers, physical address) Length of time with Goodwin Details of your role with Goodwin Higher education information (graduation year, degree, schools attended) Communication preferences Any other personal data that you may provide to us through your use of our alumni/ae services or at alumni/ae events	Legitimate Interests: Maintaining contact with alumni/ae Expanding our professional networks Understanding your communication preferences Considering you for any future staffing requirements Facilitating your future employment and meeting practicing / regulatory requirements Contract: Fulfilling our obligations under the Terms of Service for the Alumni Relations Portal Consent: When required under the PDPA
If you offer or provide services to us as our vendor	Name, title, position, employer, physical address, email address, phone numbers Any other personal data, which may include sensitive personal data in aggregate form, disclosed to us in a supplier audit	Contract: Fulfilling our obligations under our agreement with you and/or your employer Legal obligation: Monitoring the risk of modern slavery in our supply chain (where applicable). Consent: When required under the PDPA
When you visit our offices and we issue you with a visitor pass, register you with building security/management and/or we capture and record your image on fixed cameras (CCTV)	Name and email address Your image	Legitimate Interests: Helping to maintain a safe and secure environment for all employees and visitors Consent: When required under the PDPA
When we provide virtual training and record the session for future use	Your image, comments, voice, screen name	Legitimate Interests (evaluative purposes or consent for Singapore: Fulfilling a request from you for training on specific topics on which we have expertise Consent: When required under the PDPA

Sensitive Personal Data

If you choose to provide sensitive personal data to us, we do not use such data for purposes other than as reasonably necessary to provide legal advice or other requested services, to protect or defend our legal rights, to identify, investigate, and protect against claims, incidents, and fraud, to comply with applicable laws, or to monitor diversity and equal opportunities. Where required under applicable laws, we will obtain your explicit consent to process your sensitive data, unless the processing is required for reasons of substantial public interest.

Automatically Collected Data

When you interact with us through the Site or other services, we automatically collect information about you through cookies (small text files placed on your device) or other similar technologies. Please read our Cookie Policy to learn more about how we use cookies and other technologies. Our servers also record information (“log data”), including information that your browser automatically sends whenever you visit the Site. This log data includes your Internet Protocol (“IP”) address (from which we can discern the country you are connecting from at the time you visit the Site), browser type and settings, and the date and time of your request.

Where the information that we collect automatically on our Site or via other services (such as emails we send you) is personal data, our legal basis for the use of this information is that it is necessary for the purposes of our legitimate interests / evaluative purposes (as applicable) in maintaining the safe operation of our Site and learning how you interact with our Site and certain emails we send you to improve user experience.

Failure to Provide the Personal Data We Request

When we need your personal data to comply with business and/or legal obligations or to perform our contract, failure to provide this data may impact our ability to provide our services.

How We Share Your Personal Data

We share your information as follows:

Service providers and authorized third parties. Third parties who provide services to us have access to your personal data. For the purposes described above, we engage providers of website analytics, hosting and cloud computing services and other IT services, payroll services, building management services, auditing services, consultancy services, regulatory services, legal services, CRM, marketing and sales software solutions, software platforms and services for the legal profession, translation services, event software, background checks, talent management and recruitment services, in addition to other administrative services. These parties may access, process or store personal data in the course of performing the services we have hired them to provide.
Event co-hosts and booking companies. We may share limited personal data with co-hosts of events we host or otherwise sponsor (such as name, title, employer and speakers) in order to administer the event with and provide a list of attendees to booking companies (such as name, email address and phone number) in order to fulfil your registration request.
Administrative and legal reasons. We may disclose personal data as we deem necessary and appropriate under applicable laws, such as to comply with a subpoena, bankruptcy proceedings, or similar legal process; in response to lawful requests by public, governmental and regulatory authorities, including to meet national security or law enforcement requirements; or when we believe in good faith that disclosure is reasonably necessary to protect the property or rights of Goodwin, you or third parties, or the public at large.
Business transfers. We may disclose and transfer your information and data to a third party: (a) if we assign our rights regarding any of the information to a third party or (b) in connection with a corporate merger, consolidation, restructuring, sale of certain of our ownership interests, assets, or both, or other corporate change, including without limitation, during the course of any due diligence process.
Goodwin entities. When using your personal data for the purposes described above, we may share your personal data with other Goodwin offices around the world. Please read the International Data Transfers section below for more information on how we transfer your personal data.

International Data Transfers

For the purposes described in this Privacy Policy, we may transfer your personal data from the European Economic Area (EU Member States, Iceland, Liechtenstein and Norway) and/or the United Kingdom to a Goodwin office or a third party outside of the EEA or the UK and in a jurisdiction not subject to an adequacy decision of the European Commission or the UK Government, as applicable. We have executed an intragroup data transfer agreement that incorporates the standard contractual clauses for the transfer of data to third countries approved by the European Commission and the UK International Data Transfer Addendum approved by the UK Information Commissioner to transfer your personal data to our affiliated entities located in the United States, Singapore, and Hong Kong, in order to ensure appropriate safeguards for such transfers. When we transfer your personal data to other third parties outside of the EEA or the UK, for example service providers, other counsel and accountants and other third parties involved in your matters, we will do this in accordance with applicable data protection laws and will take appropriate safeguards to ensure the integrity and protection of your personal data wherever processed. If you wish to see details of these safeguards, please contact us on dataprivacy@goodwinlaw.com.

Where your personal data is transferred by the Goodwin Singapore office to another Goodwin office or third party outside of Singapore, we will do so in compliance with the PDPA. In this regard, we will ensure that such recipient enters into legally enforceable obligations to provide a standard of protection in respect of your personal data that is comparable to the protections provided under the PDPA.

Retaining Your Personal Data

We retain your personal data only for as long as is necessary to fulfill the purposes for which it was collected and processed, in accordance with our retention policies, and in accordance with applicable laws or until you withdraw your consent (where applicable). To determine the appropriate retention period for your personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we use your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. In some circumstances we may anonymize your personal data so that it can no longer be associated with you, in which case it is no longer personal data.

We do not collect more personal data than we need to fulfill our purposes stated in this Privacy Policy. We may retain your personal data for an additional period to the extent deletion would require us to overwrite our automated disaster recovery backup systems or to the extent we deem it necessary to assert or defend legal claims during any relevant retention period. For more information on our data retention policies please contact us as set out in the “How to Contact Us” section below.

Your Rights and Choices

To the extent provided for by law and subject to applicable exceptions, including but not limited to attorney-client privilege, you have the following privacy rights in relation to the personal data we collect:

Right to Information: You have a right to information about how we collect and use your personal data. We have made this information available to you without having to request it by including it in this Privacy Policy;
Right to Access: If you ask us, we will provide a copy of the personal data that we have collected about you. Where applicable, we will provide the information in a portable, machine-readable, readily usable format;
Right to Correct: If your personal data is inaccurate, incomplete, or out of date for the purpose for which we collected or use this data, you are entitled to ask that we correct or complete it;
Right to Delete: You may ask us to delete your personal data in some circumstances, such as where we no longer need it, or you withdraw your consent (where applicable) and there is no other legal basis for processing;
Right to Opt Out of the Sale of Personal Data and Targeted Advertising: We may share personal data we collect through cookies and similar technologies with advertising partners for the purposes of serving you advertisements based on your activity across other sites and services. To opt out of the sharing of your cookie-based personal data for these targeted advertising purposes, please visit our Cookie Policy or click the “Do Not Sell or Share My Personal Information” link within the footer of our Site. You may also have the ability to reject or toggle off optional cookies through a cookie banner on our Site or by enabling the Global Privacy Control setting within the browser that you use to access our Site. Learn more at the Global Privacy Control website. Please note that your opt out will be specific to the device and browser you use when you opt out; and
Additional Rights: You may object to and request that we restrict our use of your personal data; you may request to be given your personal data for transmitting to another controller; and you may withdraw your consent.

Exercising Your Rights

You are entitled to exercise rights described above free from discrimination.

To make a request, please send us your request as described in the “How to Contact Us” section below. We may ask for specific information from you to help us confirm your identity.

If you reside in the EU, UK, or Singapore and have a concern about our privacy practices, including the way we handled your personal data, you have a right to report it to the data protection authority that is authorized to hear those concerns in:

The United Kingdom: The Information Commissioner’s Office (ICO) at https://ico.org.uk/concerns;
Frankfurt: Der Hessische Beauftragte für Datenschutz und Informationsfreiheit at https://datenschutz.hessen.de/;
Munich: Das Bayerische Landesamt für Datenschutzaufsicht at https://www.lda.bayern.de/de/index.html;
France: Commission Nationale de l’Informatique et des Libertés (CNIL) at https://www.cnil.fr/;
Luxembourg: Commission nationale pour la protection des données (CNPD), at https://cnpd.public.lu; and
Singapore: The Personal Data Protection Commission at https://www.pdpc.gov.sg/Complaints-and-Reviews.

In order to protect your personal information from unauthorized access or deletion, we may ask you to provide additional personal information for verification. If we cannot verify your identity, we may not provide or delete your personal information.

You may also be entitled to empower an “authorized agent” to submit requests on your behalf. We will require authorized agents to confirm their identity and authority in accordance with applicable laws.

Do Not Track

Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

Keeping Your Personal Data Secure

We take appropriate administrative, technical and organizational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, your personal data, in accordance with our internal security procedures. Personal data may be stored on our own technology systems or those of our vendors or in paper files.

Personal Data of Children

Our Site is not directed to children who are under the age of 16 and is solely intended for adults. Goodwin does not knowingly collect personal data from children under 16. If you have reason to believe that a child under the age of 16 has provided personal data to Goodwin through the Site, please contact us and we will endeavor to delete that information from our databases.

Links To Other Websites

Our Site may contain links to other sites operated by third parties, including social media websites and services. We are not responsible for information on these sites, nor for services or products offered by them. By providing these links we do not imply that we endorse or have reviewed these sites. Use of these sites, including transmitting your personal data to them, is at your own risk. The information that you share with these sites will be governed by the specific privacy policies and terms of service of these third-party sites and not by this Privacy Policy. Please contact those sites directly for information on their privacy practices and policies.

Changes to this Privacy Policy

We reserve the right to amend this Privacy Policy from time to time to reflect changing legal requirements or our processing practices. Any such changes will be posted on this Site and will be effective upon posting. If we make a material change to this Privacy Policy, we will provide you with notice in accordance with the applicable law.

How to Contact Us

If you have any questions about our Privacy Policy, or if you would like to access personal data we hold about you or exercise your other rights under the applicable law, you can contact us toll free at +1 855 243 2070 at Goodwin Procter LLP, 100 Northern Avenue, Boston, MA 02210, or on dataprivacy@goodwinlaw.com. For our German and Singapore offices, please see our Legal Notices for contact information regarding the local Data Protection Officer.

Goodwin Procter (UK) LLP is required to designate a representative in the EU that can be addressed by data subjects in addition to or instead of it on all issues related to the processing of personal data under the GDPR. Its representative in the EU is Goodwin Procter (France) LLP, 12 rue d’Astorg, 75 008 Paris.

Goodwin Procter (France) LLP, Goodwin Procter (Luxembourg), and Goodwin Procter LLP (in respect of its branch offices in Frankfurt and in Munich) are each required to designate a representative in the UK that can be addressed by data subjects in addition to or instead of them on all issues related to the processing of personal data under the UK GDPR. Their representative in the UK is Goodwin Procter (UK) LLP, Sancroft, 10-15 Newgate Street, London, EC1A 7AZ United Kingdom.

Please also refer to our Cookie Policy, which explains the use of cookies via our Site and other services.

Translations