How we obtain personal data
As a law firm, we regularly receive personal data in the course of professional activities. We may collect personal data:
- As part of our business intake procedures;
- When you or your organization seek legal advice or representation from us;
- In the course of representing and counseling our clients;
- When you or your organization offer or provide services as our vendor;
- When you apply for employment or other roles with the firm;
- When you browse or interact with our website(s), use any of our online services; or
- When you email us or provide such data to us in other circumstances, such as when you request details about or attend a firm-sponsored event, or when you engage with the alumni or careers portal.
Ordinarily, you will provide any such personal data to us directly. In some cases, we may collect data about you from your organization, public records or third parties, such as government or credit reporting agencies, or via service providers that we may engage as part of the work we perform for our clients.
Use of cookies and tracking technologies
For additional information about our use of cookies and tracking technologies to collect personal data, please see our Cookie Notice.
“Do not track” requests
We do not currently respond to “do not track” requests made through browser settings.
Personal data we collect and process
The personal information that we collect and process may include:
- Basic information, such as your name, company or organization, professional role or title, and your relationships to other individuals;
- Contact information, such as your physical address, email address and phone number(s);
- Technical information (including your IP address and usage data), such as information we collect automatically during visits to our website(s), use of applications or through materials and communications we send to you electronically;
- Biographical information, such as your education or professional qualifications or otherwise related to your occupation, company or organization;
- Details of your visits to our offices and attendance of firm-sponsored events, and
- Content, such as correspondence when you communicate with us;
- Health information, such as accessibility requirements and dietary restrictions;
- Financial information, such as payment related information;
- Identification and background information, such as passport, driver’s license, social security or other government identification numbers, as well as your account username and password if you register with our website or other digital services;
- Demographic information, which may include sensitive or special categories of data, such as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, trade union membership or health information;
- Geographical information, such as your city, state, province and country;
- Audio & visual information, such as your voice and likeness captured in photographs, video, or audio recordings;
- Preferences, such as your stated interests or how frequently you wish to receive communications from us; and
- Any other information that you provide to us.
How we use your personal data
Whether we receive your personal data directly from you or from a third party, we will only use your personal data in connection with our professional and business activities (including to meet our legal or regulatory obligations). These “Permitted Uses” may include:
- Responding to your enquiries and communications;
- Providing legal advice, representation or other services to our clients;
- Managing our business relationship with you or your organization, including in connection with services that we provide to you;
- Recruiting for roles with the firm;
- Complying with legal, regulatory and professional obligations, including court orders and anti-money laundering and sanctions checks, and responding to legal, regulatory, professional and government bodies;
- Managing and securing access to our offices and facilities, as well as our systems, online platforms and other technology;
- Communicating with you with about legal and business developments, firm announcements and other news and events of interest to you, or to improve the quality and relevance of our communications and interaction with you;
- For our business purposes, including internal administration, data analysis, billing, detecting and preventing fraud, illegal activities and intellectual property infringement;
- Other processing that is necessary for purposes of the legitimate interests of the firm or third parties (that is not overridden by the fundamental rights and freedoms, or other interests of relevant individuals); and
- For any other purpose described at the time you provide us with personal data, or for other purposes that are compatible with the original purpose for which we collected your personal data, with your consent, or as otherwise described in this privacy notice.
How we share your personal data
If we process your personal data, it may be shared among the Shearman & Sterling offices in order to provide services to our clients or for our business operations. View a list of our offices.
We may disclose personal data to third parties in the course of representing our clients, for example (but not limited to) clients, other parties involved in client matters or those other parties’ counsel, courts, government agencies, industry regulators, vendors, service providers and consulting experts.
We may also disclose personal data to third parties in the course of administering, managing or developing our business and services, including managing our relationship with you and marketing our services to you.
Additionally, we may share personal data with third parties in the following circumstances:
- To comply with our legal or professional obligations, a court order or other governmental or legally enforceable demand;
- To establish or protect our legal rights, property or safety, or the rights, property or safety of others, or to defend against legal claims; or
- In the event of any reorganization, merger or similar organizational event or transaction involving the firm.
When we share or transfer your personal data, we do this in accordance with applicable data protection laws and take appropriate safeguards to ensure its integrity and protection.
International transfers, including from the UK and the EEA
We transfer personal data to countries or jurisdictions that do not by law provide similar safeguards for personal data as your local jurisdiction. We will ensure that such international transfers are made in accordance with applicable legal requirements and subject to appropriate safeguards for the protection and integrity of the transferred personal data.
For transfers of personal data from the UK or the EEA to third countries, we will use standard contractual clauses adopted by the European Commission or under UK law, or other safeguards recognized by applicable law. If you have any questions about or wish to obtain more information about international transfers of your personal data, please contact us at data.privacy@shearman.com.
No disclosures for others’ direct marketing or sale of data:
It is our policy not to provide your personal data to third parties for those third parties’ direct marketing purposes without your consent, and we do not sell personal data to third parties.
How long we retain your personal data
We will delete your personal data when it is no longer reasonably required for the Permitted Uses described above, or, where applicable, if you withdraw your consent, unless we are legally required or otherwise permitted to continue to hold such data. We may retain your personal data for an additional period if deletion would require us to overwrite our automated disaster recovery backup systems, or to the extent we deem it necessary to assert or defend legal claims during any relevant retention period.
Your rights regarding your personal data
You may have certain rights with respect to personal data we have collected about you. Individual rights concerning personal data vary by jurisdiction but may, for example, include rights to access, rectify or delete your personal data.
Rights of California residents
If you are a resident of California, please see our California Consumer Privacy Notice for information about your rights under the CCPA.
Rights under GDPR
Individuals in the UK, EEA or whose personal data is otherwise subject to the GDPR have the following rights, subject to certain exceptions and conditions:
- Right to access: You may obtain confirmation as to whether we process personal data about you, to receive a copy of your personal data and obtain certain other information about how and why we process your personal data. We may require you to prove your identity before providing the requested information. If you require multiple copies of your personal data, we may charge a reasonable administration fee.
- Right to rectify: You may request that your personal data be amended or rectified where it is inaccurate and to have incomplete personal data completed.
- Right to erasure: You may request deletion of your personal data, which is available under certain defined circumstances.
- Rights to restrict or object to processing: You may request we restrict the processing of your personal data, or you may object to our processing of your personal data, each of which is available under certain defined circumstances.
- Right to data portability: You may request to receive a copy of your personal data, that you provided to us, in a structured, commonly-used, machine-readable format, and you have the right to send the data to another organization (or ask us to do so if technically feasible) under certain defined circumstances.
- Right to withdraw consent: Where we process personal data based on your consent, you have a right to withdraw your consent at any time.
- Right to complain to a supervisory authority: If you believe that the processing of your personal data violates the GDPR or applicable EU member state or UK data protection law, you may lodge a complaint with a supervisory authority, in particular in the country where you normally reside or work, or in the place where the alleged violation occurred.
To exercise rights
All requests to exercise rights under applicable data protection law should be addressed to data.privacy@shearman.com.
Keeping your personal data secure
We will take appropriate technical and organizational measures against unauthorized or unlawful processing of your personal data and against accidental loss or destruction of, or damage to, your personal data in accordance with our internal security procedures covering its storage, access and destruction. Personal data may be stored on our own technology systems or those of our vendors, or in paper files.