Privacy Notice

Privacy Notice

Updated:  December 20, 2019  |  Effective: January 1, 2020

Introduction

In this Notice, “King & Spalding” refers to King & Spalding LLP, a limited liability partnership under the laws of Georgia, U.S., and other affiliated limited liability entities, organized under the laws of the United Kingdom, Singapore, and Delaware, U.S.

This Privacy Notice describes the ways in which we collect, manage, store and dispose of data relating to individuals. We may amend or update it from time to time.  We encourage you to read this Privacy Notice.

King & Spalding is the data controller of the Personal Information we process which originates in the EU and is therefore responsible for ensuring that systems and processes we use are compliant with applicable data protection laws. 

What Personal Information We Collect

For purposes of this Privacy Notice, “Personal Information” means any information that, by itself or in combination with other information, identifies, relates to, describes, references, is capable of being associated with, or can reasonably be linked, directly or indirectly, to an individual, a device, or a household.  Personal Information does not include information that is anonymized, publicly available information from government records, deidentified or aggregated data subject information, information excluded from relevant data protection law by preemption by sector-specific privacy laws.  The Personal Information King & Spalding collects may include, but is not limited to: Contact Information, Applicant Information, Employment Information, Compliance Data, Client Service Data, Marketing Information, Technological Information, Special Categories of Personal Information, and Other Data. 

When we process Special Categories of Personal Information, our legal basis is compliance with applicable law; detection and prevention of crime; establishment, exercise or defense of legal rights; to fulfill a contract; or explicit consent.  


How and Why We Collect Personal Information

We collect Personal Information from many sources.  It may come directly from individuals (data subjects), indirectly from individuals (i.e. interactions with the website), or from clients, colleagues and publicly available sources.

As a law firm, we regularly receive Personal Information in connection with the provision of our services and as part of our professional activities. For example, we may collect Personal Information:

  • As part of our business intake procedures;
  • When clients and prospective clients seek legal advice;
  • When providing legal services to our clients (in connection with which we provide our clients based in the EU with additional information about how we process Personal Information);
  • That is publicly available (e.g. social media);
  • When it is required for the provision of services from our vendors;
  • When individuals browse or interact with our website or use any of our online services, including registration details when you use, or register to use, any of our Sites, Apps, or services;
  • From third parties who provide it to us;
  • In carrying out our business, including records of interactions or correspondence with the Firm, including your attendance and participation at events or meetings we hold (including when we record such events or meetings via Webex, of which you will be provided notification, where applicable);
  • In connection with any application for employment or interviews if you apply for a role with us and take part in an interview or selection process; and
  • When individuals email us or provide Personal Information to us in other circumstances, such as requesting details about or attending and participating in a firm sponsored event or engaging with the alumni or careers portal.

We collect Personal Information, among other reasons, for:

  1. Providing legal services and responding to requests for legal services;
  2. Managing our business relationships, including billing, accounting, collection and support services;
  3. Providing information relating to our services either in response to specific requests or generally to develop our business;
  4. Processing employment applications;
  5. Invoicing for our services and obtaining payment;
  6. Responding to complaints;
  7. Meeting our legal and regulatory obligations;
  8. Making appropriate business development plans to better support our clients’ needs for legal services;
  9. Preventing, detecting and responding to fraud or potential fraud or other illegal activities;
  10. Improving the functionality of our website and other IT services; and
  11. Leveraging communications data from our Exchange server to run analytics which advance our business development initiatives.

How We Use Personal Information

King & Spalding will use Personal Information only as set out in this Privacy Notice, as well as other purposes for which you give your consent. King & Spalding will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you notice. 

This includes, but is not limited to, the following purposes and legal bases for processing Personal Information.  We may rely on one or more legal bases for processing Personal Information.  When we rely upon our legitimate interests, we will balance any impact on you and your privacy rights and will not use your Personal Information where the impact on you would override our rights, unless we are otherwise permitted by law to process your Personal Information.


Internal Personal Information Sharing

King & Spalding is a global firm and a list of our offices, together with relevant contact information, may be found on our website. Irrespective of how we obtain your Personal Information, it may be shared among all the offices within King & Spalding (both inside and outside the European Economic Area (“EEA”) for the purposes outlined above.

Who We Disclose Personal Information To

We may retain other companies and individuals to perform functions on our behalf. Such third parties may be provided with access to Personal Information to perform the functions for which they have been retained. Our agreements with these third parties will describe the purpose of the processing, will not permit them to use Personal Information for any purposes other than as is required to perform the function for which they have been retained and will commit them to comply with applicable data privacy standards.  We also enter into data processing agreements and model clauses with our vendors and clients whenever required and appropriate. 

Third parties may include, but are not limited to: 

  • Providers of data services such as website hosting, data hosting, and SaaS tools;
  • Outsourced IT service providers;
  • Financial institutions;
  • Benefits and Human Resources service providers;
  • Professional services providers;
  • Building and facilities services;
  • Shipping or direct mail organization;
  • Paper-based service providers (i.e., storage, shredding, courier, printer, etc.);
  • Parties assisting us in recruitment and staffing, including contractors;
  • Our auditors and professional advisers;
  • Our professional indemnity insurers;
  • Travel service providers;
  • Our clients, as it relates to our professional services offering;
  • Other people in your organization; and
  • Regulators and public bodies, including in connection with tax and VAT payments, compliance with obligations relating to the prevention and reporting of financial crime and compliance with other applicable laws.

We may also disclose any information, including Personal Information, as we deem necessary, in our sole discretion, to comply with a subpoena, any applicable law, regulation, legal process or governmental request.

How We Protect Personal Information

King & Spalding has appropriate physical, technical, and administrative safeguards in place designed to protect your Personal Information from loss, misuse, unauthorized access, disclosure, alteration, or destruction. You should keep in mind, however, that no Internet transmission is ever 100% secure or error-free. In particular, e-mail sent to or from our website may not be secure, and you should therefore take special care in deciding what information you send to us via e-mail. Please also read our Disclaimer before sending any information to us. Moreover, where you use passwords, ID numbers, or other special access features to access our website, it is your responsibility to safeguard them.

How Long We Retain Personal Information

Personal Information will be retained by King & Spalding for as long as the information is required to fulfill our legitimate business needs or the purposes for which the information was collected, or for as long as is required by law.

How We Transfer Data to Countries Outside the European Union (“EU”) / European Economic Area (“EEA”)

Our servers are either located in the United States or, if located in other countries, may be accessed from the United States. Please note that in countries outside your own country, and in particular outside the EU and EEA, standards of data protection might apply which are different from those which apply in your own country.

By sharing Personal Information with King & Spalding, including via our website, you acknowledge and consent that your data may be transferred across national borders, including to countries outside the EU/EEA.

To govern our transfers of Personal Information from the EU/EEA to recipients in our offices outside the EU/EEA, we have entered into the standard data protection clauses adopted by the European Commission (“Data Transfer Agreement”). We are happy to provide you with a copy of our Data Transfer Agreement upon request.

Your Rights

King & Spalding is committed to keeping the Personal Information you provide accurate and up to date. Please assist us with this commitment by informing us of any changes to your Personal Information.  

You have control regarding our use of your Personal Information for direct marketing. In certain countries, you will need to expressly consent before receiving marketing.  In all countries, you can choose to not receive such communications at any time. If you no longer wish to receive any marketing communications, remain on a mailing list to which you previously subscribed, or receive any other marketing communication, please follow the unsubscribe link in the relevant communication.  We will note the rights of individuals to unsubscribe from mailings and/or manage their preferences in all our mailings, and requests to unsubscribe may also be made by clicking here.


California Privacy Rights

“Shine the Light”

California’s “Shine the Light” law (Civil Code Section 1798.83) permits users of our Website who are California residents to request certain information regarding our disclosure of Personal Information to third parties for their direct marketing purposes.  California residents can make such a request by clicking this link.

CCPA

The California Consumer Privacy Act provides California residents (“you” in the following section) with additional, specific rights regarding their Personal Information. 

In particular, King & Spalding’s website has collected the following categories of Personal Information from its data subjects within the last (12) months:  Identifiers, Personal Information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), Protected classification characteristics under California or federal law, Commercial information, Biometric information,  Internet or similar network activity, Physical location or movements (Geolocation data), Sensory data, and Professional or employment-related information, Non-public education information (per the Family and Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)), Inferences drawn from other Personal Information.

Purposes of Collection and Processing in the table below are drawn from the Purpose of Processing and Legal Basis for Processing table above.

In the preceding 12 months, King & Spalding has not sold Personal Information covered by the California Consumer Privacy Act, but it has disclosed Categories A – K (all of the above) of Personal Information to Service Providers as listed above in Who We Share and Disclose Personal Information To for a business purpose.

King & Spalding obtains all the categories of Personal Information listed above from at least one of the following categories of sources:

  • Directly from you. For example, from forms you complete, services you purchase, emails you send;
  • Indirectly from you. For example, from observing your actions on our Website; or
  • From third parties. For example, from recruiting agencies and our clients.

Access to Specific Information and Data Portability Rights

You have the right to request that King & Spalding disclose certain information to you about our collection and use of your Personal Information over the past 12 months. Once we receive and confirm your verifiable request, which may require collection of additional information from you, we will disclose to you:

  • The categories of Personal Information we collected about you;
  • The categories of sources for the Personal Information we collected about you;
  • Our business or commercial purpose for collecting or selling that Personal Information;
  • The categories of third parties with whom we share that Personal Information;
  • The specific pieces of Personal Information we collected about you (also called a “data portability request”); and
  • If we disclosed your Personal Information for a business purpose, two separate lists disclosing:
  • sales, identifying the Personal Information categories that each category of recipient purchased; and
  • disclosures for a business purpose, identifying the Personal Information categories that each category of recipient obtained.

Deletion Request Rights

You have the right to request that King & Spalding delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable request, which may require collection of additional information from you, we will delete and direct our service providers to delete your Personal Information from our records, unless an exception applies.  We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

  • Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;
  • Debug products to identify and repair errors that impair existing intended functionality;
  • Exercise free speech ensure the right of another data subject to exercise their free speech rights, or exercise another right provided for by law;
  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.);
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent;
  • Enable solely internal uses that are reasonably aligned with data subject expectations based on your relationship with us;
  • Comply with a legal obligation; or
  • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable request related to your Personal Information.  You may also make a verifiable request on behalf of your minor child.  You may only make a verifiable request for access or data portability twice within a 12-month period. The verifiable request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative; and
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you.  Making a verifiable request does not require you to create an account with us. We will only use Personal Information provided in a verifiable request to verify the requestor’s identity or authority to make the request.  We endeavor to respond to a verifiable request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.  We will deliver our written response by mail or electronically, at your option.  Any disclosures we provide will only cover the 12-month period preceding the verifiable request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.  We will not discriminate against you for exercising any of your CCPA rights. If you exercise any of your CCPA rights, we will not take any of the following actions unless permitted by the CCPA:

  • Deny you services;
  • Charge you different prices or rates for services, including through granting discounts or other benefits, or imposing penalties;
  • Provide you a different level or quality of services; or
  • Suggest that you may receive a different price or rate for services or a different level or quality of services.

California residents intending to exercise the access, data portability, or deletion rights described above should submit a verifiable request to us by either:


Children’s Rights

Our website is not intended for children under 13 years of age. No one under age 13 may provide any Personal Information to us through the Site. We do not knowingly collect Personal Information from children under 13. If you are under 13, do not access, use, or provide any information on the website or on or through any of its features. If we learn we have collected or received Personal Information from a child under 13 without verification of parental consent, we will delete that information. If you believe we might have any Personal Information from or about a child under 13, please contact us.


GDPR Subject Access Rights

Depending on where you are located, you may have certain rights as an individual. This includes if your relationship with King & Spalding is as a client or in any other capacity as an individual with whom we deal. It includes individuals within client organisations, or individuals in third-party organisations. For example, European data protection legislation provides individuals with the right to lodge a complaint with a supervisory authority.   


Right to be informed

This Privacy Notice sets out how we use your Personal Information and gives you information about how you can exercise any of your rights in accordance with applicable privacy laws.


Right of access

You may be entitled to ask us for a copy of any Personal Information which we hold. This right is known as a ‘Subject Access Request.’

We will normally send you a copy of the Personal Information within one month of your request. However, that period may be extended by two further months where necessary, taking into account the complexity of the request or the difficulty in accessing the Personal Information that you request. There is usually no charge; but in exceptional circumstances we may charge but will discuss this with you if those circumstances apply.


Right to rectification

If the Personal Information we hold about you is inaccurate, you may request rectification. The Personal Information will be checked, and, where appropriate, inaccuracies will be rectified.


Right to erasure

In certain circumstances, you may be entitled to ask us to erase your Personal Information.


Right to data portability

In certain circumstances, you may wish to move, copy, or transfer the electronic Personal Information that we hold about you to another organization.


Right to object

You may object to your Personal Information being used for direct marketing.

You may object to the continued use of your Personal Information in any circumstances where we rely upon consent as the legal basis for processing it.

Where we rely upon legitimate interests as the legal basis for processing your Personal Information, you may object to us continuing to process your Personal Information, but you must give us specific reasons for objecting. We will consider the reasons you provide, but if we consider that there are compelling legitimate grounds for us to continue to process your Personal Information, we may continue to do so. In that event, we will let you know the reasons for our decision.


Rights related to automated decision-making including profiling

We will not use your Personal Information in connection with any automated decision-making process.  We use limited contact information to carry out certain business development profiling activities to support and grow our business.  When doing so, we rely upon our legitimate interests as the lawful basis for processing your Personal Information and you may exercise the above rights if you do not wish us to process your Personal Information in this way.

To exercise your GDPR rights in relation to your Personal Information, click here.


Web Tracking

Cookies

A "cookie" is an element of data that a website can send to your browser, which may then be stored on your system. King & Spalding uses different kinds of cookies on the Site. For detailed information please see our Cookie Notice.


Do-Not-Track Signals

Your browser may allow you to send "do-not-track" requests to websites you visit. If you enable this feature and your browser sends a "do-not-track" request, the Site will respond by deactivating all nonessential cookies set on the Site.


Google Services

On the Site, King & Spalding uses several services provided by Google:

Google Analytics

This Site uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”).

Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyze how users use the site. The information generated by the cookie about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Please note that, for the Site, we activated the IP anonymization, i.e., Google will truncate/anonymize the last octet of your IP address to ensure an anonymized collection of IP addresses (IP Anonymization). In exceptional cases only, the full IP address is sent to and shortened by Google servers in the USA.

On behalf of the website provider, Google will use this information for the purpose of evaluating your use of the Site, compiling analytics, demographics and interest reports on website activity for website operators and providing other services relating to website activity and internet usage to the website provider. Google will not associate your IP address with any other data held by Google.

You may refuse the use of cookies by selecting the appropriate settings on your browser. However, please note that if you do this, you may not be able to use the full functionality of this website. Furthermore, you can prevent Google’s collection and use of data (cookies and IP address) by downloading and installing the browser plug-in available here.

Further information about how Google uses advertising cookies can be found here.

Google Maps

Additionally, because we use visual mapping services on the Site, please be aware that the Google Maps/Earth Terms of Service, including the Google Privacy Notice also applies.


Third Party Sites

Our Site may contain links to other third-party sites. When you click on one of these links you are visiting a website operated by someone other than King & Spalding, and the operator of that website may have a different privacy notice. King & Spalding is not responsible for their individual privacy practices. We encourage you to investigate the privacy notices of these third-party operators.


Revisions to This Privacy Notice

King & Spalding reserves the right to change this Privacy Notice at our discretion and at any time. Please check this Privacy Notice regularly. When we make changes to this privacy notice, we will post the updated notice on the Website and update the notice’s effective date. Your continued use of our Website following the posting of changes constitutes your acceptance of such changes.


Contact

King & Spalding has a Chief Privacy Officer and a European Data Protection Officer who you may contact if you have any questions or concerns about King & Spalding’s personal data policies or practices. You can contact them at dataprivacy@kslaw.com.

The Site is owned and operated by King & Spalding LLP.