Global Privacy Standards — UK BCR Summary

Last Updated: February 2025

Latham & Watkins has binding corporate rules approved by data protection authorities across Europe (EU BCR). The EU BCR are an internationally recognized standard providing adequate protection of personal data (as defined in the EU BCR) in multinational organizations. The EU BCR sets out the Global Privacy Standards (the Standards), which apply to the processing of European Personal Data (as defined in the EU BCR) and bind all Latham & Watkins entities (L&W Entities) to commit to the Standards through the BCR Agreement.

The EU BCR were reviewed and approved by the Hesse Commissioner for Data Protection and Freedom of Information (Hessischer Beauftragter fuer den Datenschutz und die Informationsfreiheit), PO Box 3163, 65021 Wiesbaden (https://datenschutz.hessen.de) (Hesse SA) in Germany in July 2024.

In order to extend the scope of the EU BCR to cover transfers of personal data to and from L&W Entities as a data controller that is subject to applicable UK data protection laws (UK Personal Data), Latham & Watkins has entered into the UK BCR Addendum to the EU BCR. The EU BCR and the UK BCR Addendum together form Latham & Watkins’s UK BCR and all L&W Entities are “BCR Members”. Further information about the UK BCR Addendum process is available on the UK Information Commissioner’s Office (ICO) website at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/guide-to-binding-corporate-rules/a-uk-bcr-addendum/

The purpose of this Summary is to provide information regarding (i) UK Personal Data which is transferred under Latham & Watkins’s UK BCR Addendum; (ii) how UK Personal Data is processed; (iii) what rights may be available under the UK BCR Addendum; and (iv) how to enforce them. Contact details are provided if there are further questions.

Description of data transfers covered by Latham & Watkins’s UK BCR	A description of the data transfers covered by Latham & Watkins’s UK BCR can be found in the paragraphs headed Definitions and Scope of the EU BCR Introduction. In summary: All types and categories of UK Personal Data processed by the BCR Members in the course of their business activities fall within the scope of the UK BCR. The UK Personal Data is likely collected from data subjects such as client representatives, representatives of prospective clients, partners, employees and staff, job applicants, agents, suppliers, and other third parties. The categories of UK Personal Data processed by the L&W Entities in respect of partners, employees and other staff includes: identification data, personal and family details, data with respect to career management and development, employment data, financial data, audio and video data relating to the work environment, data relating to building access control systems and access to and use of offices equipment and resources, data related to work travel, and health information. This is explained to these individuals in more detail in the firm’s internal privacy notice. The categories of UK Personal Data processed by the L&W Entities in respect of job applicants includes: data included on the application, special category personal data such as race or ethnic origin or disability data, data collected during interviews and assessments, data on use of the recruitment portal and website, data provided by third parties, such as referees and recruiters, data provided in connection with pre-employment background screening, and data on building access. The UK BCR cover both automated and manual types of Processing The categories of UK Personal Data processed by the L&W Entities in respect of agents, suppliers and other third parties include: business contact information and anti-money laundering information, including beneficial ownership information, where applicable.
List of countries to where UK Personal Data is transferred	The countries where UK Personal Data is transferred to are listed under the heading “Scope” in the EU BCR and are as follows: United States of America Belgium France Italy Germany Spain Saudi Arabia United Arab Emirates Israel South Korea China Hong Kong Singapore Japan
Data subject rights	In addition to the right to withdraw your consent, you also have the following rights as described in the following sections of the EU BCR in more detail: Article 13 — Rights of Access, Correction and Objection (including Marketing and Profiling) Article 14 — Breaches of these Standards Article 15 — Enforcement of a Data Subject’s Rights Appendix 1 — Latham & Watkins Data Privacy Complaints Procedure (also available online: https://www.lw.com/en/data-privacy-complaints-procedure)
Third party beneficiary rights	These rights are as described in the following sections of the EU BCR in more detail: Article 1 — Data Handling Principles Article 5 — Conflict with applicable Local Laws Article 6 — Mutual Assistance and Cooperation with Data Protection Authorities Article 10 — Audit Programme to Verify Compliance Article 11 — Government Access Requests Article 12 — Updates (access to Global Privacy Standards) Article 13 — Rights of Access, Correction and Objection (including Marketing and Profiling) (Data Subject Rights) Appendix 1 — Latham & Watkins Data Privacy Complaints Procedure (including the right to withdraw consent) (also available online: https://www.lw.com/en/data-privacy-complaints-procedure)
Contact details for queries about Latham & Watkins’s BCR	All queries about Latham & Watkins’ UK BCR or about Latham & Watkins’ privacy matters generally can be directed to Latham & Watkins via email to globaldpo@lw.com. Individuals subject to UK data protection laws can also contact Latham & Watkins’ London office (which is the Lead UK BCR Member) at the following address: Global Data Protection Office Latham & Watkins 99 Bishopsgate London, EC2M 3XF
How to complain about the UK BCRs to Latham & Watkins’s BCR Members	Details of how to complain about the UK BCRs are set out in Appendix 1 of the EU BCR: “Latham & Watkins Data Privacy Complaints Procedure” and are published online: https://www.lw.com/en/data-privacy-complaints-procedure For ease of reference and specifically in a UK context, in the event of a dispute, individuals may lodge a complaint about any unlawful or inappropriate processing of their UK Personal Data that is incompatible with the UK BCR in any fashion and without first exhausting the Complaint Handling Procedure, to: the Global Data Privacy Office, by email at Globaldpo@lw.com the Information Commissioner, and the courts of the UK. For avoidance of doubt, it is understood that if an individual is subject to UK data protection laws is not satisfied by the replies of the Global Data Privacy Office, they have the right to lodge a complaint before the Information Commissioner and/or the courts of the UK. Any individuals subject to the EU data protection laws can complain under the EU BCR in the courts of their country of residence. Consequently, any claims against Latham & Watkins offices located outside the EEA should be brought against L&W Germany (other than claims relating to the UK, which should be brought against Latham & Watkins (London) LLP).
How to complain to the Information Commissioner about UK BCR	Individuals have the right to make a complaint about Latham & Watkins’s UK BCR Addendum to the Information Commissioner. For more information, please see https://ico.org.uk/for-the-public/how-to-make-a-data-protection-complaint/ The Information Commissioner can be contacted using the following details between 9am to 4:30pm on Monday to Friday: Information Commissioner’s Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF Telephone: 0303 123 1113 Textphone: 01625 545860
How to bring a claim in the UK courts against the lead UK BCR Member for breaches of the UK BCR caused by any non-UK BCR Member.	The individual national court systems provide guidance on how to bring a claim in England and Wales, Scotland, and Northern Ireland. Citizens Advice provides information on taking legal action in England and Wales and Scotland. They do not cover Northern Ireland.