Updated: December 20, 2019 | Effective: January 1, 2020
In this Notice, “King & Spalding” refers to King & Spalding LLP, a limited liability partnership under the laws of Georgia, U.S., and other affiliated limited liability entities, organized under the laws of the United Kingdom, Singapore, and Delaware, U.S.
This Privacy Notice describes the ways in which we collect, manage, store and dispose of data relating to individuals. We may amend or update it from time to time. We encourage you to read this Privacy Notice.
King & Spalding is the data controller of the Personal Information we process which originates in various jurisdictions, including the European Union (EU) and the Dubai International Finance Centre (DIFC), and is therefore responsible for ensuring that systems and processes we use are compliant with applicable data protection laws.
For purposes of this Privacy Notice, “Personal Information” means any information that, by itself or in combination with other information, identifies, relates to, describes, references, is capable of being associated with, or can reasonably be linked, directly or indirectly, to an individual, a device, or a household. Personal Information does not include information that is anonymized, publicly available information from government records, deidentified or aggregated data subject information, information excluded from relevant data protection law by preemption by sector-specific privacy laws. The Personal Information King & Spalding collects may include, but is not limited to: Contact Information, Applicant Information, Employment Information, Compliance Data, Client Service Data, Marketing Information, Technological Information, Special Categories of Personal Information, and Other Data.
When we process Special Categories of Personal Information, our legal basis is compliance with applicable law; detection and prevention of crime; establishment, exercise or defense of legal rights; to fulfill a contract; or explicit consent.
We collect Personal Information from many sources. It may come directly from individuals (data subjects), indirectly from individuals (i.e. interactions with the website), or from clients, colleagues and publicly available sources.
As a law firm, we regularly receive Personal Information in connection with the provision of our services and as part of our professional activities. For example, we may collect Personal Information:
We collect Personal Information, among other reasons, for:
King & Spalding will use Personal Information only as set out in this Privacy Notice, as well as other purposes for which you give your consent. King & Spalding will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
This includes, but is not limited to, the following purposes and legal bases for processing Personal Information. We may rely on one or more legal bases for processing Personal Information. When we rely upon our legitimate interests, we will balance any impact on you and your privacy rights and will not use your Personal Information where the impact on you would override our rights, unless we are otherwise permitted by law to process your Personal Information.
King & Spalding is a global firm and a list of our offices, together with relevant contact information, may be found on our website. Irrespective of how we obtain your Personal Information, it may be shared among all the offices within King & Spalding (jurisdictions include the European Economic Area (“EEA”) and the DIFC) for the purposes outlined above.
We may retain other companies and individuals to perform functions on our behalf. Such third parties may be provided with access to Personal Information to perform the functions for which they have been retained. Our agreements with these third parties will describe the purpose of the processing, will not permit them to use Personal Information for any purposes other than as is required to perform the function for which they have been retained and will commit them to comply with applicable data privacy standards. We also enter into data processing agreements and model clauses with our vendors and clients whenever required and appropriate.
Third parties may include, but are not limited to:
We may also disclose any information, including Personal Information, as we deem necessary, in our sole discretion, to comply with a subpoena, any applicable law, regulation, legal process or governmental request.
King & Spalding has appropriate physical, technical, and administrative safeguards in place designed to protect your Personal Information from loss, misuse, unauthorized access, disclosure, alteration, or destruction. You should keep in mind, however, that no Internet transmission is ever 100% secure or error-free. In particular, e-mail sent to or from our website may not be secure, and you should therefore take special care in deciding what information you send to us via e-mail. Please also read our Disclaimer before sending any information to us. Moreover, where you use passwords, ID numbers, or other special access features to access our website, it is your responsibility to safeguard them.
Personal Information will be retained by King & Spalding for as long as the information is required to fulfill our legitimate business needs or the purposes for which the information was collected, or for as long as is required by law.
Our servers are either located in the United States or, if located in other countries, may be accessed from the United States. Please note that in countries outside your own country, and in particular outside the EU, EEA, and DIFC, standards of data protection might apply which are different from those which apply in your own country.
By sharing Personal Information with King & Spalding, including via our website, you acknowledge and consent that your data may be transferred across national borders.
To govern our transfers of Personal Information from the EU, EEA and DIFC to recipients in our offices outside those jurisdictions, we have entered into the standard data protection clauses adopted by the European Commission (“Data Transfer Agreement”). We are happy to provide you with a copy of our Data Transfer Agreement upon request.
King & Spalding is committed to keeping the Personal Information you provide accurate and up to date. Please assist us with this commitment by informing us of any changes to your Personal Information.
You have control regarding our use of your Personal Information for direct marketing. In certain countries, you will need to expressly consent before receiving marketing. In all countries, you can choose to not receive such communications at any time. If you no longer wish to receive any marketing communications, remain on a mailing list to which you previously subscribed, or receive any other marketing communication, please follow the unsubscribe link in the relevant communication. We will note the rights of individuals to unsubscribe from mailings and/or manage their preferences in all our mailings, and requests to unsubscribe may also be made by clicking here.
California Privacy Rights
California’s “Shine the Light” law (Civil Code Section 1798.83) permits users of our Website who are California residents to request certain information regarding our disclosure of Personal Information to third parties for their direct marketing purposes. California residents can make such a request by clicking this link.
The California Consumer Privacy Act provides California residents (“you” in the following section) with additional, specific rights regarding their Personal Information.
In particular, King & Spalding’s website has collected the following categories of Personal Information from its data subjects within the last (12) months: Identifiers, Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), Protected classification characteristics under California or federal law, Commercial information, Biometric information, Internet or similar network activity, Physical location or movements (Geolocation data), Sensory data, and Professional or employment-related information, Non-public education information (per the Family and Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)), Inferences drawn from other Personal Information.
Purposes of Collection and Processing in the table below are drawn from the Purpose of Processing and Legal Basis for Processing table above.
In the preceding 12 months, King & Spalding has not sold Personal Information covered by the California Consumer Privacy Act, but it has disclosed Categories A – K (all of the above) of Personal Information to Service Providers as listed above in Who We Share and Disclose Personal Information To for a business purpose.
King & Spalding obtains all the categories of Personal Information listed above from at least one of the following categories of sources:
Access to Specific Information and Data Portability Rights
You have the right to request that King & Spalding disclose certain information to you about our collection and use of your Personal Information over the past 12 months. Once we receive and confirm your verifiable request, which may require collection of additional information from you, we will disclose to you:
Deletion Request Rights
You have the right to request that King & Spalding delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable request, which may require collection of additional information from you, we will delete and direct our service providers to delete your Personal Information from our records, unless an exception applies. We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable request related to your Personal Information. You may also make a verifiable request on behalf of your minor child. You may only make a verifiable request for access or data portability twice within a 12-month period. The verifiable request must:
We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. Making a verifiable request does not require you to create an account with us. We will only use Personal Information provided in a verifiable request to verify the requestor’s identity or authority to make the request. We endeavor to respond to a verifiable request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. We will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. We will not discriminate against you for exercising any of your CCPA rights. If you exercise any of your CCPA rights, we will not take any of the following actions unless permitted by the CCPA:
California residents intending to exercise the access, data portability, or deletion rights described above should submit a verifiable request to us by either:
Our website is not intended for children under 13 years of age. No one under age 13 may provide any Personal Information to us through the Site. We do not knowingly collect Personal Information from children under 13. If you are under 13, do not access, use, or provide any information on the website or on or through any of its features. If we learn we have collected or received Personal Information from a child under 13 without verification of parental consent, we will delete that information. If you believe we might have any Personal Information from or about a child under 13, please contact us.
Rights under GDPR and DIFC Privacy Law
If you are located in the EU or DIFC, you may have certain rights as an individual under privacy laws applicable in those jurisdictions. This includes if your relationship with King & Spalding is as a client or in any other capacity as an individual with whom we deal. It includes individuals within client organisations, or individuals in third-party organisations. For example, European data protection legislation provides individuals with the right to lodge a complaint with a supervisory authority.
This Privacy Notice sets out how we use your Personal Information and gives you information about how you can exercise any of your rights in accordance with applicable privacy laws.
You may be entitled to ask us for a copy of any Personal Information which we hold. This right is known as a ‘Subject Access Request.’
We will normally send you a copy of the Personal Information within one month of your request. However, that period may be extended by two further months where necessary, taking into account the complexity of the request or the difficulty in accessing the Personal Information that you request. There is usually no charge; but in exceptional circumstances we may charge but will discuss this with you if those circumstances apply.
If the Personal Information we hold about you is inaccurate, you may request rectification. The Personal Information will be checked, and, where appropriate, inaccuracies will be rectified.
In certain circumstances, you may be entitled to ask us to erase your Personal Information.
In certain circumstances, you may wish to move, copy, or transfer the electronic Personal Information that we hold about you to another organization.
You may object to your Personal Information being used for direct marketing.
You may object to the continued use of your Personal Information in any circumstances where we rely upon consent as the legal basis for processing it.
Where we rely upon legitimate interests as the legal basis for processing your Personal Information, you may object to us continuing to process your Personal Information, but you must give us specific reasons for objecting. We will consider the reasons you provide, but if we consider that there are compelling legitimate grounds for us to continue to process your Personal Information, we may continue to do so. In that event, we will let you know the reasons for our decision.
We will not use your Personal Information in connection with any automated decision-making process. We use limited contact information to carry out certain business development profiling activities to support and grow our business. When doing so, we rely upon our legitimate interests as the lawful basis for processing your Personal Information and you may exercise the above rights if you do not wish us to process your Personal Information in this way.
To exercise the rights in relation to your Personal Information set out in this section, click here.
Rights under Australian Privacy Laws
If you are located in Australia, you may have certain rights as an individual under privacy laws applicable in that jurisdiction. Provided that we are not subject to confidentiality obligations or some other restriction to our giving access to the information, you may contact us to access, correct or update your Personal Information.
To exercise the rights in relation to your Personal Information set out in this section, click here.
A "cookie" is an element of data that a website can send to your browser, which may then be stored on your system. King & Spalding uses different kinds of cookies on the Site. For detailed information please see our Cookie Notice.
Your browser may allow you to send "do-not-track" requests to websites you visit. If you enable this feature and your browser sends a "do-not-track" request, the Site will respond by deactivating all nonessential cookies set on the Site.
On the Site, King & Spalding uses several services provided by Google:
This Site uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”).
Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Please note that, for the Site, we activated the IP anonymization, i.e., Google will truncate/anonymize the last octet of your IP address to ensure an anonymized collection of IP addresses (IP Anonymization). In exceptional cases only, the full IP address is sent to and shortened by Google servers in the USA.
On behalf of the website provider, Google will use this information for the purpose of evaluating your use of the Site, compiling analytics, demographics and interest reports on website activity for website operators and providing other services relating to website activity and internet usage to the website provider. Google will not associate your IP address with any other data held by Google.
Further information about how Google uses advertising cookies can be found here.
Additionally, because we use visual mapping services on the Site, please be aware that the Google Maps/Earth Terms of Service, including the Google Privacy Notice also applies.
Third Party Sites
Our Site may contain links to other third-party sites. When you click on one of these links you are visiting a website operated by someone other than King & Spalding, and the operator of that website may have a different privacy notice. King & Spalding is not responsible for their individual privacy practices. We encourage you to investigate the privacy notices of these third-party operators.
King & Spalding reserves the right to change this Privacy Notice at our discretion and at any time. Please check this Privacy Notice regularly. When we make changes to this privacy notice, we will post the updated notice on the Website and update the notice’s effective date. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.
King & Spalding has a Chief Privacy Officer and an EMEA Data Protection Officer who you may contact if you have any questions or concerns about King & Spalding’s personal data policies or practices. You can contact them at email@example.com.
The Site is owned and operated by King & Spalding LLP.