Global Privacy Standards


Effective Date of the Standards: September 2016
Last Updated: February 2025

Introduction

This document sets out the standards that apply to the processing of European Personal Data (as defined below) within Latham & Watkins (the Standards). Latham & Watkins is a global law firm with offices in 15 countries around the world. The firm operates without internal boundaries and the international nature of the business means it is vital that personal data can be transferred within the firm.

Latham & Watkins, through its Executive Committee, has made a commitment to protect personal data that is processed within the firm. In particular, these Standards are designed to facilitate the transfer of European Personal Data within Latham & Watkins, in accordance with European Regulation 2016/679.

Definitions

“Applicable Law” means the law in the jurisdiction in which an L&W Entity is situated and any other law to which an L&W Entity is subject.

“BCR Agreement” means the agreement which commits all L&W Entities that process European Personal Data to comply with the Standards. 

“Data Protection Authority” or “DPA” means the supervisory authority responsible for monitoring and enforcing compliance with data protection laws in a particular country.

“DPIA” means data protection impact assessment as defined under Art. 35 GDPR. 

“EEA” means the European Economic Area.

“EU Privacy Laws” means national laws in the EEA that implement European Regulation 2016/679, Directive 2002/58 (and any legislation that amends or replaces it), and related European privacy legislation.

“European Personal Data” means personal data of (i) staff, attorneys, partners, consultants, contractors, and potential candidates for any of the above collected and processed in relation to recruitment and human resources administration; (ii) clients, prospective clients, and alumni processed in relation to the provision of legal services and/or marketing and communications purposes; and (iii) suppliers, vendors, contractors, and advisers processed in the context of the relationship between such entities and Latham & Watkins (further information about which is set out in either the All-Personnel Fair Data Processing Statement, Recruitment Privacy Policy, Alumni Privacy Policy, or Client and Third Party Data Privacy Notice), by any L&W Entity as a data controller that is subject to applicable EU Privacy Laws.

“GDPR” means the European Regulation 2016/679.

“Latham & Watkins” and “the firm” means Latham & Watkins, a firm which operates worldwide as a limited liability partnership organized under the laws of the State of Delaware (USA) (the Delaware LLP) with affiliated limited liability partnerships conducting the practice in France, Italy, Hong Kong, Singapore, Kingdom of Saudi Arabia, and the United Kingdom and as an affiliated partnership conducting the practice in Japan. Latham & Watkins operates in South Korea as a Foreign Legal Consultant Office, and in addition to the above, the firm also includes any and all entities that are wholly owned by the Delaware LLP.

“Local Law” means the laws and/or regulations of, or any other legal obligation imposed by, any country to which an L&W Entity is subject other than applicable EU Privacy Laws.

“L&W Entity” means each of the limited liability partnerships, partnerships, and limited companies forming part of the firm.

“L&W Germany” means the Frankfurt office of Latham & Watkins.

“Model Clauses” means the standard contractual clauses for the transfer of personal data to processors or controllers established in third countries which are published and approved by the European Commission from time to time.

“Personal data” means information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural, or social identity. The term “personal data” will also include any information relating to persons who are not natural persons where this is a requirement of applicable EU Privacy Laws.

“Personnel” means Latham & Watkins partners, attorneys, and staff, both temporary and permanent.

“Security breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to European Personal Data that is processed by an L&W Entity. 

“Special category data” means European Personal Data concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, offences, criminal convictions, health, sexual orientation or sex life, genetic and biometric data, and any other special category covered by applicable EU Privacy Laws.

The terms “processing,” “data controller,” and “processor” shall have the meanings given to them in the GDPR.

Scope

Latham & Watkins currently operates in the following countries (countries within the EEA are in bold):

Country | Offices | Country Contact Details
United States of America | Austin, Boston, Century City, Chicago, Houston, Los Angeles, Los Angeles GSO, New York, Orange County, San Diego, San Francisco, Silicon Valley, Washington D.C. | 1271 Avenue of the Americas, New York, NY 10020, USA
United Kingdom | London, Manchester (no practice office) | 99 Bishopsgate, London EC2M 3XF, United Kingdom
Belgium | Brussels | Boulevard du Régent, 43-44, B-1000 Brussels, Belgium
France | Paris | 45, rue Saint-Dominique, Paris 75007, France
Italy | Milan | Corso Matteotti, 22, Milano, 20121, Italy
Germany | Frankfurt, Munich, Hamburg, Düsseldorf | Reuterweg 20, 60323 Frankfurt am Main, Germany
Spain | Madrid | Plaza de la Independencia 6, 28001 Madrid, Spain
Saudi Arabia | Riyadh | Al-Tatweer Towers, 7th Floor, Tower 1, King Fahad Highway, P.O. Box 17411, Riyadh 11484, Saudi Arabia
United Arab Emirates | Dubai | ICD Brookfield Place, Level 16, Dubai International Financial Centre, P.O. Box 506698, Dubai, United Arab Emirates
Israel | Tel Aviv | 28 HaArba’a Street, North Tower, 34th floor, Tel Aviv 6473925, Israel
South Korea | Seoul | 29F One IFC, 10 Gukjegeumyung-ro Yeongdeungpo-gu, Seoul 07326, Korea
China | Beijing | Unit 2318, China World Trade Office 2, 1 Jian Guo Men Wai Avenue, Beijing 100004, People's Republic of China
Hong Kong | | 18th Floor, One Exchange Square, 8 Connaught Place, Central, Hong Kong
Singapore | | 9 Raffles Place, #42-02 Republic Plaza, Singapore 048619
Japan | Tokyo | Marunouchi Building, 32nd Floor, 2-4-1 Marunouchi, Chiyoda-ku, Tokyo 100-6332, Japan

These Standards apply to the processing of European Personal Data by L&W Entities that are subject to applicable EU Privacy Laws.

These Standards apply to the transfer of personal data of employees, applicants, clients, and third parties.

Personal data of employees for instance includes:

  • identifiers (e.g., name, contact information, emergency contacts, photographs, proof of eligibility to work, and identification numbers);
  • personal and family details (e.g., place of birth, marital status, nationality, citizenship, family composition, passport and VISA details);
  • health information (e.g., disabilities, sickness absence records, accident reporting, health screening information, occupational health information, meal preferences and food allergies);
  • data with respect to career management and development (e.g., employee category, full-/part-time status, education and qualifications, language ability, references, background checks, professional experience);
  • data with respect to the execution and termination of the employment contract or engagement (e.g., dates of employment, employee ID, time recording, work time and leave, performance evaluations, training, disciplinary proceedings and grievances, exit interview);
  • financial data (e.g., remuneration, compensation, salary, benefits, bank account details, tax/social security number);
  • audio and video recordings (e.g., CCTV recordings, online meetings and webinars, events and publications);
  • data related to use of building access control systems and access to and usage of office equipment and resources;
  • data related to travel for the purposes of the working relationship or as part of employee benefits programs.

Personal data of applicants for instance includes:

  • information included in the application (e.g., name, contact information, work and educational experience and qualifications, proof of eligibility to work identifiers and further information on CV);
  • sensitive information (e.g., race or ethnic origin, disabilities);
  • information collected during interviews and assessments (e.g., interview notes, feedback, information collected through assessments and video interview);
  • information on usage of recruitment portal and website (e.g., IP address information collected through cookies);
  • information from third parties, such as referees and recruiters;
  • information required to perform pre-employment background (e.g., criminal records checks, verification of qualifications and employment);
  • information on building access, security camera footage.

Client and third party related information for instance includes:

  • identifiers (e.g., name, contact information, and identification numbers);
  • biometric information (e.g., photographs);
  • commercial information;
  • professional or employment related information;
  • publicly available social media and news reports;
  • characteristics of protected classifications (e.g., nationality, political affiliation, citizenship status); and 
  • audio and video recordings (e.g., CCTV recordings, online meetings and webinars).

The processing of European Personal Data is based on, as appropriate, 

  • consent, art 6 subsection 1 lit. a and art 9 subsection 2 lit. a GDPR,
  • performance of a contract, art 6 subsection 1 lit. b GDPR,
  • compliance with a legal obligation, art 6 subsection 1 lit. c GDPR,
  • legitimate interest, art 6 subsection 1 lit. f GDPR,
  • carrying out obligations and exercising specific rights in the field of employment, art 9 subsection 2 lit. b GDPR,
  • establishment, exercise or defense of legal claims, art 9 subsection 2 lit. f GDPR.

European Personal Data might be transferred throughout the firm’s network to the locations described in the table above.

The Standards also apply to any export of European Personal Data out of the EEA by an L&W Entity and to the processing of such exported data by an L&W Entity (either in the capacity of a data controller or a data processor) located outside the EEA and onwards transfers of European Personal Data to L&W Entities outside the EEA.

For the purposes of these Standards, it is acknowledged that the United Kingdom (UK) is considered a third country under the terms of the GDPR. Accordingly, Latham & Watkins (London) LLP (L&W London) will implement separate Global Data Privacy Standards covering the transfer of UK data within the firm. As regards the respective data transfers, L&W London will bear the sole responsibility for taking action to remedy acts and omissions of other L&W Entities outside the EEA that breach the UK Standards and to pay compensation for any damages resulting from such a breach of the UK Standards by L&W Entities located outside the EEA. Accordingly, data subjects wishing to file a complaint with regard to the processing of UK data should contact L&W London. 

Rules and Principles

1. Data Handling Principles

When acting as a data controller, each L&W Entity, processing European Personal Data in accordance with either the All-Personnel Fair Data Processing Statement, Recruitment Privacy Policy, Alumni Privacy Policy, or Client and Third Party Data Privacy Notice (as applicable), will comply with these principles:

1.1 European Personal Data will be processed transparently, fairly and lawfully: data subjects will have available to them, to the extent the relevant data subjects are not already aware of or in receipt of, information as to the identity of the data controller(s), the purposes for which their personal data may be used (subject to any permitted restrictions on the provision of such information, for example in connection with crime prevention, legal proceedings or taxation, or where prohibited by Applicable Law), the legal basis for processing and other relevant information as required by applicable EU Privacy Laws. Such information will include details of the rights available to data subjects under EU Privacy Laws.

1.2 European Personal Data will be collected for specified, explicit and legitimate business purposes and, unless otherwise permitted by applicable EU Privacy Laws, will not be further processed in any way that is incompatible with those purposes.

1.3 Special category data will be processed only where strictly necessary for the firm’s business purposes and in accordance with the requirements of applicable EU Privacy Laws.

1.4 Appropriate steps will be taken to ensure that European Personal Data collected and processed is adequate but not excessive, and that it is relevant, accurate and (where necessary) kept up to date. Appropriate steps will also be taken to correct or delete personal data promptly where it is found to be inaccurate.

1.5 European Personal Data will not be retained for longer than is necessary for the purposes for which it is processed and will be retained in accordance with the firm’s documented data retention policies (subject to regulatory requirements and the requirements of applicable EU Privacy Laws).

2. Data Security

2.1 Having regard to the state of the art and the cost of implementation, each L&W Entity will take appropriate technical and organizational measures to protect European Personal Data against accidental or unlawful destruction or accidental loss, alteration, damage, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. The measures will ensure a level of security appropriate to the risks represented by the processing and the nature of the European Personal Data to be protected, so that special category and other highly confidential information will receive enhanced protection. Such measures will include the following, where appropriate:

(a) pseudonymization;

(b) encryption;

(c) confidentiality, integrity, availability and resilience of systems and services;

(d) back-up and disaster recovery facilities; and

(e) processes to test, assess and evaluate the effectiveness of the security measures.

2.2 Each L&W Entity shall without delay notify the firm’s Global Data Privacy Office of any security breach. The Global Data Privacy Office will keep appropriate records documenting the security breach, any potential impact on data subjects and any remedial action taken. The Global Data Privacy Office shall ensure that notifications are made to relevant Data Protection Authorities and affected data subjects as may be required under EU Privacy Laws. The Global Data Privacy Office will share the records of security breaches concerning European Personal Data which is processed by an L&W Entity as a data controller in the EEA with the DPA in their country or jurisdiction if requested by that DPA to do so.

2.3 Each L&W Entity will take steps to ensure the reliability of those personnel who have access to or responsibility for European Personal Data, including processing European Personal Data in accordance with the firm’s instructions.

2.4 Section 8 describes the firm’s information security policies and privacy function. The Security Committee described in section 8.3 is responsible for all information security policies and standards within the firm. The firm’s policies and procedures, as amended from time to time, set out the firm’s detailed standards on information security which must be complied with.

3. Working With Data Processors

3.1 When an L&W Entity engages the services of another L&W Entity as a data processor to process European Personal Data on its behalf, such data processor will comply with the relevant requirements of these Standards, and if necessary, the parties will put in place and comply with the terms of any additional agreements which may be required by applicable EU Privacy Laws.

3.2 When an L&W Entity engages the services of a data processor to process European Personal Data on its behalf and the data processor is a third party, the L&W Entity will select a data processor that provides appropriate assurances as to the level of security it will employ in respect of the European Personal Data to be processed. The L&W Entity will ensure that a contract is entered into with third party data processors which addresses relevant requirements of applicable EU Privacy Laws.

3.3 Where the L&W Entity is established in the EEA and engages a third-party data processor established outside the EEA to process European Personal Data on its behalf, the L&W Entity will either:

(a) ensure that a contract is in place with the data processor substantially in the form of, or incorporating the terms of, the Model Clauses for data processors (subject to any amendments that may be permitted by applicable EU Privacy Laws); or

(b) ensure that other suitable protections are in place, in accordance with applicable EU Privacy Laws, to safeguard the European Personal Data.

The same standards apply to third party data processors established in the UK once the transition period as stated in Article FINPROV.10A para 1, 4 of the Trade and Cooperation Agreement between the EU and UK dated December 24, 2020, has expired. After the transition period has expired, L&W Entities will only transfer European Personal Data to the UK on the grounds of appropriate legal safeguards within the meaning of Art. 45 et seqq. GDPR. Respective safeguards may be, among other things, Model Clauses or an adequacy decision by the European Commission determining that the UK may guarantee a comparable level of data protection as the EU. 

3.4 If an L&W Entity (acting as a data controller) transfers European Personal Data to a third-party controller outside the firm, the L&W Entity will ensure that such transfers are carried out in accordance with the requirements of applicable EU Privacy Laws. Where required by applicable EU Privacy Laws, or where otherwise permitted by applicable EU Privacy Laws and considered appropriate, the L&W Entity will put in place safeguards to protect the European Personal Data and the rights of individuals. Such safeguards may take the form of a contract, either in the form of the Model Clauses for controller to controller transfers or in another form which will provide an adequate level of protection.

4. Staff Training

4.1 Latham & Watkins maintains a privacy and security awareness program focused on educating all staff, attorneys, and paralegals about the firm’s privacy and security policies as well as privacy and security best practices. All personnel are required to complete a mandatory data privacy e-learning module when they join the firm and thereafter on a biennial basis. Completion rates for this module are tracked by the firm. Bespoke data protection training is also provided as required to personnel with specific responsibility for personal data. 

4.2 A variety of communications channels are used to disseminate privacy and security awareness information. Best practice guides and privacy and security awareness tip sheets and initiatives are available on dedicated privacy and security intranet sites for all personnel to access.

4.3 Each L&W Entity will also ensure that personnel who have access to or responsibility for handling personal data are provided with appropriate guidance and training.

5. Conflict With Applicable Local Laws

5.1 If an L&W Entity has reason to believe that Local Law, regulations or other legal obligations prevent the L&W Entity from complying with the Standards and that this may have a substantial adverse effect on the guarantees provided by the Standards, the L&W Entity will promptly inform the Privacy Committee (as defined below) (except where prohibited from doing so by law or by a law enforcement authority, for example to preserve the confidentiality of a law enforcement investigation) and suspend the intended transfer of European Personal Data. The Privacy Committee will keep records of all such notifications and the actions taken in relation to them.

5.2 The Privacy Committee will take all necessary decisions regarding any action that is required as a result of such a notification by an L&W Entity and the L&W Entity will comply with any instructions issued by the Privacy Committee. The Privacy Committee acknowledges that no transfers of European Personal Data should be made by an L&W Entity to any public authority which are of a massive scale, disproportionate or indiscriminate in a manner that would go beyond what is necessary in a democratic society. The Privacy Committee may consult the relevant DPA for advice at any time, including how to address a conflict between Local Laws and the Standards.

5.3 The Privacy Committee will inform the relevant DPA if it has determined that Local Laws are likely to have a substantial adverse effect on the guarantees provided by the Standards except where prohibited from doing so by law or by a law enforcement authority, for example to preserve the confidentiality of a law enforcement investigation. If such a prohibition is in force, the Privacy Committee will direct the relevant L&W Entity to use its best efforts to obtain a waiver of the restriction in order to permit the disclosure of as much information to the relevant DPA as quickly as possible, and to keep records of its efforts to do so. Any dispute with the DPA relating to the DPA’s exercise of supervision of the compliance with these Standards will be brought at a court within the European Economic Area.

5.4 The Privacy Committee will keep records of any disclosures of European Personal Data which the firm is obliged to make and which are likely to have a substantial adverse effect on the guarantees provided by these Standards, and will provide a summary of the disclosures to the relevant DPA on an annual basis (taking into account any restrictions imposed by law or by a law enforcement authority).

5.5 Where Local Law requires a higher level of protection for European Personal Data than is set out in these Standards, the provisions of the Local Law will take precedence.

6. Mutual Assistance and Cooperation With Data Protection Authorities

6.1 Each L&W Entity will comply with instructions issued by the DPA in their country or jurisdiction insofar as they relate to these Standards or to the processing of European Personal Data generally, and will take into consideration any advice given by the DPA as to the interpretation of these Standards.

6.2 L&W Entities will assist one another in responding to any enquiry or investigation by a DPA relating to these Standards and provide the relevant DPA with information the DPA reasonably requests in relation to the processing of European Personal Data.

6.3 L&W Entities will also assist one another in responding to an enquiry or complaint from a data subject relating to these Standards or the processing of their European Personal Data. 

7. Data Transfer

7.1 L&W Entities shall transfer European Personal Data to Data Processors and other third parties in accordance with Articles 44 to 46 GDPR or subject to a derogation in accordance with Article 49 GDPR.

7.2 The Global Data Privacy Office, on behalf of the L&W Entities, shall perform and document a transfer impact assessment prior to engaging in a transfer of European Personal Data taking into account the following elements:

7.2.1 the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

7.2.2 the laws and practices of the third country of destination — including those requiring the disclosure of data to public authorities or authorizing access by such authorities — relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;

7.2.3 any relevant contractual, technical, or organizational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

7.3 The L&W Entities will inform the Global Data Privacy Office and the Privacy Committee to the extent additional safeguards need to be put in place prior to the transfer of European Personal Data.

7.4 In the event the L&W Entity acting as a data importer believes that subject to the laws or practices in the destination country it cannot fulfil its obligations under these Standards, the L&W Entity acting as data importer shall notify the L&W Entity acting as data exporter as well as the Data Privacy Committee and shall identify supplementary measures to ensure security and confidentiality of the European Personal Data. To the extent the L&W Entities and the Data Privacy Committee determine that the identified supplementary measures cannot guarantee compliance with these Standards, the L&W Entities will suspend the intended transfer of European Personal Data.

7.5 The L&W Entities will regularly review the transfer impact assessments and share the assessments with the other L&W Entities. 

8. Latham & Watkins Policies, Accountability, and Privacy Function

8.1 Policies and Guidance

The firm has put in place detailed policies, standards, procedures and guidance documents approved by the Privacy Committee and Security Committee, as updated and amended from time to time, to describe in more detail the rules and processes that must be followed to achieve compliance with these Standards, and in particular the data handling principles set out in section 1 and the information security obligations set out in section 2. Employees can find further details of the relevant policies in the policies section on the firm’s intranet.

8.2 Accountability

The firm will maintain records of its processing activities relating to European Personal Data as required under EU Privacy Laws. In particular, the firm will maintain in electronic form the records of processing activities required under Article 30.1 GDPR. Such records shall be made available upon request to Data Protection Authorities in the EEA countries in which the firm carries on business.

8.3 Privacy and Security Committees

(a) Latham & Watkins’ Privacy Committee and Security Committee are separate but closely linked committees chaired by partners in the firm and reporting to the firm’s Executive Committee. While the Privacy Committee’s (through the Global Data Privacy Office) main focus is on raising awareness and enforcing compliance with relevant privacy laws and the Standards (and any associated policies), the Security Committee’s main focus is developing and enforcing the firm’s information security policy and standards and the firm’s Incident Response Plan. The Security Committee is responsible for the firm’s security policies, standards, guidelines and practices including sign-up to the Acceptable Use of Communication Systems Policy, while the Privacy Committee (through the Global Data Privacy Office) oversees internal privacy matters such as data transfer agreements, data processing agreements with suppliers, compliance with local regulatory requirements, internal privacy updates (including those to the Acceptable Use of Communication Systems Policy), training and guidance notes and privacy queries from local offices. The Privacy Committee (together with the Global Data Privacy Office) is responsible for enforcing compliance with these Standards.

(b) The Privacy Committee (through the Global Data Privacy Office) and Security Committee are jointly responsible for ensuring the firm’s approach to privacy is proactive, incorporating the principles of privacy by design and default, and is not just a reaction to data breaches or other faults. This approach will include the use of techniques (such as data minimization) designed to limit processing to that which is necessary for the purposes in question and to protect the rights of data subjects.

(c) The Privacy Committee (through the Global Data Privacy Office) is responsible for carrying out DPIAs as required by EU Privacy Laws. Where a DPIA indicates that processing is likely to result in a high risk to the rights and freedoms of individuals who are the subject of European Personal Data, in the absence of any steps taken to mitigate the risk, the Privacy Committee will consult the relevant DPA in accordance with EU Privacy Laws.

8.4 In accordance with the EU Privacy Laws, L&W Germany has appointed a DPO. The contact details of the DPO will be published in Latham & Watkins’ privacy policies.

8.5 Privacy Personnel

8.5.1 Latham & Watkins’ Global Data Privacy Office is the administrative function of the firm’s Privacy Committee and is responsible for the promotion of data privacy compliance and best practice across the firm. The Global Data Privacy Office works closely with the Privacy and Security Committees and data privacy attorneys in the various firm locations to develop, interpret and monitor the firm’s data privacy practices, policies and procedures and contributes to strategic planning and implementation of goals and objectives relevant to data privacy compliance and best practice throughout the various Latham & Watkins offices. The Global Data Privacy Office provides guidance and advice to partners, managers, supervisors, attorneys and staff regarding privacy best practices. In the event of a breach or potential breach of the Standards, the Global Data Privacy Office will report such breach or potential breach to the Privacy Committee, which can decide whether enforcement or other actions need to be taken.

8.5.2 Latham & Watkins’ Chief Information Officer is a member of the firm’s Security Committee and oversees the Information Security Officer’s security responsibilities. The Information Security Officer is responsible for maintaining Latham & Watkins’ information security management program. This includes establishing processes to oversee, enforce and monitor compliance with the firm’s information security policies and information security standards.

8.5.3 Each system or application that supports a practice or business function at the firm has an Information Owner. The Information Owner is a representative of the firm’s management and is responsible for the protection of the system or application. In addition, Office Technology Managers and Leads are responsible for supporting and administering the firm’s information security policies and standards in their particular location.

8.5.4 The Office Administrator in each location works with the Office Managing Partner and the Chief Operating Officer to develop, interpret and monitor the firm’s practices, policies and procedures for implementation, and contributes to strategic planning and implementation of goals and objectives in the relevant Latham & Watkins office. The Office Administrator provides guidance and advice to all managers, supervisors, attorneys and staff regarding the general business operations of the firm, and is also responsible for handling escalated business enquiries and issues.

9. Responsibility for Compliance

9.1 All Latham & Watkins personnel are required to comply with these Standards and must (with the exception of the Paris office) indicate their acceptance of these Standards, in conjunction with the firm’s latest Acceptable Use of Communication Systems Policy, when they join the firm and thereafter on an annual basis. Personnel within Latham & Watkins’ Paris office will be made aware of the Standards via the office’s internal rules (“règlement intérieur”), which personnel are able to view and access via the office’s intranet site or by way of physical notice in the office. In addition, the règlement intérieur is emailed to all personnel on an annual basis to ensure all personnel have knowledge of the rules and their content. Under French law, all personnel of the Paris office are required to comply with the provisions of the règlement intérieur. Failure to comply with the Standards (or the règlement intérieur in the case of the Paris office) is a disciplinary offence, which could lead to disciplinary action up to and including termination of employment or removal from the partnership. In Paris, the disciplinary action will be as applicable to each category of personnel: for staff, the disciplinary sanction is set out in the French Labor Code (which may range from a warning to a dismissal for serious misconduct); for attorneys, the sanctions may be pronounced by the disciplinary body of the Bar Council and/or by the firm (up to and including termination of the self-employed associate agreement or removal from the partnership).

9.2 The firm has executed the BCR Agreement. L&W Germany has been appointed by the firm as the L&W Entity with delegated EEA data protection responsibilities. L&W Germany shall take action to remedy any breach of the Standards, which it can enforce contractually through the BCR Agreement.

9.3 L&W Germany accepts responsibility for taking action to remedy acts and omissions of other L&W Entities outside the EEA which breach these Standards and to pay compensation for any damages resulting from such a breach of these Standards by L&W Entities located outside the EEA. Consequently, any claims against Latham & Watkins offices located outside the EEA should be brought against L&W Germany (other than claims relating to the UK, which should be brought against Latham & Watkins (London) LLP). Any claim against a Latham & Watkins office located in the EEA should be brought against such Latham & Watkins office.

9.4 In order to discharge itself from liability under any claim brought by a data subject, L&W Germany must demonstrate either that no such breach occurred or that any L&W Entity located outside the EEA is not liable for a breach of the Standards which resulted in the damages or other remedy claimed by the data subject.

9.5 L&W Entities shall transfer European Personal Data subject to these Standards only to L&W Entities that are effectively bound by these Standards.

10. Audit Program to Verify Compliance

Latham & Watkins undertakes to put in place the following measures to assess and verify compliance with these Standards and applicable data protection legislation:

10.1 Internal audit — audits are carried out by the firm’s internal audit team with support from members of the Privacy Committee and/or the Global Data Privacy Office on a rolling basis assessing compliance with these Standards such as testing of applications, IT systems and databases that process European Personal Data, transfers of European Personal Data, review of laws of recipient countries, review of vendor contracts. The appropriate scope of the audit will be determined on a case-by-case basis. These Standards will be audited on a regular basis as reasonably required by the firm’s risk-based audit approach. Audit findings will be reported, as appropriate, to the firm’s Global Data Privacy Office, the management of L&W Germany and to the firm’s senior management. Any corrective actions identified by such audits as being necessary for compliance with these Standards will be implemented, and this will be monitored by the Audit Committee.

10.2 External audit — audits testing the security of the firm’s business systems are carried out annually by the firm’s external auditors. Additional external audits may be arranged on an ad hoc basis by any L&W Entity. Audit findings will be reported, as appropriate, to the firm’s Privacy Committee and/or the Security Committee to the extent that they relate to privacy or information security.

10.3 In addition to audits described in clauses 10.1 and 10.2, the Executive Committee, Audit Committee, the DPO, the Privacy Committee or the Security Committee can request additional audits.

10.4 Provide audit results to DPAs within the EEA — insofar as they relate to compliance with these Standards, a L&W Entity in the EEA will share the findings from such internal or external audits with the DPA in their country or jurisdiction if requested by that DPA to do so.

10.5 Submit to DPA audit — each L&W Entity shall permit the DPA in the EEA country in which it carries on business to audit its operations in that EEA country for the purpose of verifying compliance with these Standards and with applicable EU Privacy Laws.

11. Government Access Requests

11.1 In the event a L&W Entity receives a demand to provide, retain, disclose, grant access, or otherwise process European Personal Data from any third party, including without limitation law enforcement or a government authority (“Third-Party Demand”), then the L&W Entity shall:

11.1.1 promptly notify the other relevant L&W Entities and the Privacy Committee of the request or order, and use reasonable efforts to assist the L&W Entity acting as data exporter in its efforts to oppose the request or order;

11.1.2 in the event it is prohibited by applicable laws from notifying the other relevant L&W Entities and the Privacy Committee of the request or order, use reasonable efforts to challenge such request or order in a court of competent jurisdiction and to seek relevant permission to allow the other relevant L&W Entities to intervene in the proceedings; and

11.1.3 in the event such request or any subsequent disclosure or other action by the L&W Entity that has received the Third-Party Demand prevents or would prevent the relevant L&W Entity from complying with these Standards, then the relevant L&W Entity agrees to promptly inform other relevant L&W Entities and the Privacy Committee of its inability to comply.

11.2 The L&W Entities will document their legal assessment relating to the Third-Party Demand and retain the information for the duration of these Standards. The assessment will be made available to the DPA upon request.

11.3 Subject to Section 11.1, the L&W Entities will provide only such European Personal Data to the third party as is reasonably necessary to comply with the Third-Party Demand and such transfer shall not be massive, disproportionate and indiscriminate in a manner that would go beyond what is necessary in a democratic society.

12. Updates

12.1 The Privacy Committee referred to in section 8.3 will keep these Standards under review, will ensure that they are updated regularly and will communicate relevant updates to L&W Entities without undue delay. The Privacy Committee will ensure that any changes in the firm’s structure are reflected in these Standards and that any new L&W Entities are required to accept and comply with the terms of these Standards. The Privacy Committee will inform L&W Entities about any changes to these Standards.

12.2 The Privacy Committee will keep the Security Committee and the L&W Entities informed of all updates and will report updates promptly to the relevant DPAs as appropriate.

12.3 The non-confidential provisions of these Standards, including the content of Appendix 1 (Data Privacy Complaints Procedure), will be published on the external Latham & Watkins internet site and on the Latham & Watkins intranet site. Any updates to the Standards will be published without delay. The full text of the Standards will be made available on request (subject to a confidentiality agreement) to any data subject who wishes to exercise the rights of redress described in the Data Privacy Complaints Procedure at Appendix 1.

13. Rights of Access, Correction, and Objection (including Marketing and Profiling)

Each L&W Entity acknowledges that data subjects have the following rights as third party beneficiaries in relation to the L&W Entity in its capacity as a data controller of European Personal Data:

13.1 the right to receive information about the way in which their personal data is processed by the relevant L&W Entity in its capacity as a data controller of European Personal Data, including a copy of these Standards and the Data Privacy Complaints Procedure;

13.2 the right to receive a copy of European Personal Data held about them (including the purpose and manner of processing) by the L&W Entity within the time scales and at the intervals specified in applicable EU Privacy Law, subject to any right to refuse such request in whole or in part that may be available to the L&W Entity under applicable EU Privacy Laws; 

13.3 the right to have their European Personal Data updated, corrected or completed, in particular because of the incomplete or inaccurate nature of the data, subject to the provisions of applicable EU Privacy Laws;

13.4 the right to have European Personal Data erased, subject to the provisions of applicable EU Privacy Laws;

13.5 the right to restrict processing of their European Personal Data, subject to the provisions of applicable EU Privacy Laws;

13.6 the right to receive the European Personal Data, which the data subject has provided to a L&W Entity in its capacity as a data controller of European Personal Data, in a structured, commonly used and machine-readable format and to transmit such personal data to another data controller, subject to the provisions of applicable EU Privacy Laws;

13.7 where required by the provisions of applicable EU Privacy Laws, the right not to receive direct marketing material without having given prior consent and, in all cases, the right to object at any time to the processing of their personal data (including profiling) for direct marketing purposes;

13.8 the right to object at any time to the processing of their European Personal Data, subject to the provisions of applicable EU Privacy Laws; and

13.9 the right to object to decisions involving their European Personal Data being taken about them based solely on automated processing, including profiling, where such decisions assess their personal characteristics or behavior and produce legal effects which concern or significantly affect them (except to the extent permitted by and subject to the safeguards contained in applicable EU Privacy Laws).

14. Breaches of These Standards

Latham & Watkins acknowledges that data subjects shall be entitled to enforce the following rights against the firm in respect of European Personal Data as third-party beneficiaries:

14.1 a right to obtain a copy of these Standards upon request (subject to any confidentiality undertaking reasonably requested by the firm or the L&W Entity dealing with the request);

14.2 a right to receive a response within a reasonable time, and no later than 1 month after the request was made (or no later than three months in case of a complex request), to any queries concerning the processing of the data subject’s European Personal Data outside the EEA;

14.3 a right to make a complaint and obtain appropriate redress (including, where appropriate, compensation for damage suffered) as a result of a breach of these Standards by any L&W Entity (excluding any breaches of the provisions relating to staff training, Latham & Watkins’ policies and privacy function, audit program and updates to these Standards);

14.4 a right to make a complaint to a Data Protection Authority in the European Economic Area in the country of habitual residence or place of work of the data subject, or the location of the alleged infringement of these Standards; and

14.5 a right to seek an effective judicial remedy in the appropriate court in the European Economic Area, which may be in the jurisdiction in which the relevant L&W Entity is established or in the data subject’s habitual place of residence.

15. Enforcement of a Data Subject’s Rights

15.1 The process for exercising the rights described in section 14 is set out in more detail in the Latham & Watkins Data Privacy Complaints Procedure at Appendix 1 to these Standards.

15.2 A data subject wishing to enforce their rights should contact the Global Data Privacy Office in the first instance, but may also lodge a complaint with the Chair of the Privacy Committee located in Frankfurt, or the DPA or the courts in the territory in which the relevant L&W Entity is located.

15.3 Any data subject seeking to enforce their rights under these Standards will be required to produce evidence giving rise to a prima facie case showing that a breach has occurred.

15.4 The L&W Entities acknowledge that the data subject may be represented by a not-for-profit body, organization, or association in accordance with the EU Privacy Laws and subject to an appropriate power of attorney.

16. Termination

16.1 Upon termination of these Standards or suspension of the transfer, the relevant L&W Entities may keep, return or delete the European Personal Data and copies thereof based on the data exporter’s selection.

16.2 To the extent the data exporter agrees that the relevant L&W Entity may keep the personal data, the data importer must ensure that protection of European Personal Data in accordance with the data transfer provisions of the GDPR is maintained.

16.3 To the extent local laws prohibit the L&W Entity acting as data importer from returning or deleting the European Personal Data, the data importer must ensure that protection of European Personal Data in accordance with these Standards is maintained.

Appendix 1

Latham & Watkins Data Privacy Complaints Procedure

Global Privacy Standards — UK BCR Summary