Skip to main content

Privacy notice

1. OUR COMMITMENT TO DATA PROTECTION

Freshfields Bruckhaus Deringer, (the “firm”, “we”, “us”, or “our”) takes its data protection and information security responsibilities very seriously. The effective management of all personal data, including its security and confidentiality, lies at the heart of our business and underpins our practices and processes. This is not only conditioned by Data Protection Legislation, but is also driven by our commitment to our clients and to meet their expectations of having in place robust compliance and risk management practices and protocols.

Through this privacy notice (the “Notice”), we would like to inform you about the processing of your personal data in the context of your visit to and use of this website and in the course of our business.

As a firm with a global presence, we are subject to the varying requirements of Data Protection Legislation in the jurisdictions where we operate.  Although our approach to data protection across our business aims to be as consistent as possible and to accord with all Applicable Laws, the specific requirements, rights and obligations relating to personal data and/or our data processing activities can be different. The following descriptions of data processing, rights and obligations, and in particular the limitations to data processing apply within the scope of applicability of the GDPR. Where we operate in jurisdictions with Data Protection Legislation which is substantially different to the GDPR (such as in the United States of America), these descriptions, rights and obligations, and limitations to processing do not necessarily apply and nothing in this Notice may be interpreted to establish rights or obligations that go beyond what is mandated by the respectively applicable Data Protection Legislation.  

This Notice is in addition to, and does not relieve, remove or replace, our rights and responsibilities under Applicable Laws. In case of a conflict between a provision or requirement of Applicable Laws and a provision of this Notice, the former shall take precedence.

 

In this section, we inform you about the processing of personal data in the context of your visit to, and use of, our website. Unless stated otherwise, Freshfields Bruckhaus Deringer LLP controls the processing of the personal data in this regard.

Description and purposes of the processing

When visiting our website, your browser will contact our webserver to retrieve the sites you wish to visit. In this context, personal data such as your IP address is transferred by your browser (i.e. by HTTP/S requests) to us. This connection data is processed by our webserver to enable access to and the display of our website.

Our webserver automatically saves a record of the pages you visited (so-called ‘logfiles’ or ‘session records’). We use these logfiles to ensure the security of our website, in particular to prevent unauthorised interference with it, and to enable us to exercise our legal rights and obligations in regard to such unauthorised interference.

Furthermore, we analyse session records to optimise our website. The results cannot be linked to your person.

Legal basis for the processing and legitimate interests for the processing

Generally, the processing activities in the context of your visit to and use of our website are based on our legitimate interests to operate an internet website for general information and communication purposes, to optimise our website and to protect it from attacks.

Exceptionally, we may process personal data to fulfil our legal obligations, in particular with regard to the relevant authorities in cases of unauthorised interference with our website.

Recipients

Our IT department has access to logfiles and will pass them on to other internal or external recipients including to the relevant authorities if necessary to exercise our legal rights regarding any unauthorised interference with our website.

Our website is hosted on our behalf by the hosting services provider Episerver Inc. (542 Amherst Street, Route 101A, Nashua, NH 03063, USA).

Retention period

Logfiles are normally erased after 90 days. They may be stored for a longer period if necessary for the above-mentioned purposes, including for the exercise of our legal rights.

All other data is erased immediately after processing the HTTP/S request.

Possible consequences of failure to provide personal data

Without processing the above mentioned personal data, you cannot display and visit our website.

Description and purposes of the processing

Our information hubs offer a wide range of additional information resources, primarily to our clients in the course of our business relationship with them but also to other registered parties. These are part of our business development endeavours.

If you register to use our information hubs, we will process the registration data you provide, such as name and e-mail, to administer access to these non-public areas of our website. In order to further optimise the user experience and in particular to tailor the information provided to you, we also process information on your specified preferences, if any, and in some instances follow your consumption of material on our website (usage data).

We also use registration data for business development purposes.

Legal basis for the processing and legitimate interests for the processing

The processing is based on our legitimate interests to provide you with certain know-how and information, and in doing so to develop our business and promote client relationships. It serves the legitimate interests of users to access the know-how and information provided to them through the information hubs.

When you register to access our information hubs or apps, and accept their terms of use, we will (also) process your personal data as necessary in relation to those terms of use (performance of a contract).      

Recipients

Our internal business development and IT departments have access to and process registration and usage data for the optimisation of our information resources and business development initiatives.

Transfer of personal data to third countries or international organisations

As a global law firm, we may share your data within Freshfields Bruckhaus Deringer. Appropriate safeguards for personal data transfers within Freshfields Bruckhaus Deringer will be ensured through standard contractual clauses .

Additionally, we have in place binding firm-wide data protection and information security policies which govern our internal data processing activities.

Retention period

We retain personal data only for as long as there is a legitimate reason or other legal ground to do so, and will keep these legal bases under review. If there is no longer a legal ground for the data to be retained, we will erase personal data securely, or in some cases anonymise it.

Possible consequences of failure to provide personal data

Without processing the above mentioned personal data, you cannot access the restricted areas for our website that are designated information hubs.

Controller

Data processing in the context of seminars and webinars is ordinarily controlled by the relevant Freshfields Entity offering the seminar or webinar.

Description and purposes of the processing

We offer seminars and webinars on a wide range of topics primarily to our clients in the course of our business relationship with them, but also to other registered parties. Seminars and webinars are part of our business development endeavours.

When you sign up for a seminar or webinar, we will process the registration data you provide, such as your name and e-mail, to administer access to and present the respective seminar or webinar. Occasionally, we also use registration data for purposes of business development.

Legal basis for the processing and legitimate interests for the processing

The processing is based on our legitimate interests to develop our business and promote client relationships. It also serves the legitimate interests of users and attendees to receive training in legal matters and know-how.

Recipients

Registration data is processed by the relevant departments of the respective Freshfields Entity hosting and/or performing the seminar or webinar. It may also be processed by the internal business development departments of other Freshfields Entities. Lists of attendees may be provided to other attendees.

Transfer of personal data to third countries or international organisations

As an organisation with a global presence, we share registration and usage data with Freshfields Entities in third countries. Adequate safeguards for personal data transfers within Freshfields Bruckhaus Deringer will be ensured through standard contractual clauses. Additionally, we have in place binding firm-wide data protection and information security policies which govern our internal data processing activities.

Retention period

We retain personal data only for as long as there is a legitimate reason or other legal ground to do so, and will keep these legal bases under review. If there is no longer a legal ground for the data to be retained, we will erase personal data securely, or in some cases anonymise it.

Possible consequences of failure to provide personal data

Without us processing the above mentioned personal data, you cannot participate in our seminars or webinars.

Data Controller

We do not control the processing of personal data in the context of social media plug-ins. We do not have any access to the data collected and transferred by the social media plug-in to the social network provider. Any data processing is determined solely by the network service provider.

In the interest of transparency, we would like to inform you about the processing of your personal data in this context.

Description and purposes of the processing

To improve your user experience, our website includes social media plug-ins of the large social media networks Twitter, LinkedIn Google+. These plug-ins allow you to directly post links to and other content from our websites on the relevant network.

Upon you opening a website on which a social media plug-in is embedded, the respective social network provider

  • Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
  • Twitter Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA
  • LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

will collect and process information on your visit to our website for its own business purposes. This processing is not initiated or controlled by us, but is a built-in feature of the respective social media plug-in.

For further information on the processing of personal data, please contact the respective social media provider or refer to their respective privacy policy:

  • Google: policies.google.com/privacy
  • Twitter: twitter.com/privacy
  • LinkedIn: linkedin.com/legal/privacy-policy

Legal basis for the processing and legitimate interests for the processing

The processing of personal data in this context by us, if any, is based on our legitimate interests to: (i) improve our website’s user experience thereby making it more attractive and thus increasing user traffic; and (ii) make our content more visible and thereby promote our business.

For information on the legal basis of processing by the social media provider, please contact the respective social media provider or refer to their respective privacy policy:

  • Google: policies.google.com/privacy
  • Twitter: twitter.com/privacy
  • LinkedIn: linkedin.com/legal/privacy-policy

Recipients

We do not have access to, nor share, any personal data in this context.

For sharing of personal data by the social media provider, please contact the respective social media provider.

Transfer of personal data to third countries or international organisations

We do not transfer personal data to third countries. However, the social media plug-in will connect to the webserver of the social media network in the United States of America. For further information on transfers and relevant safeguards regarding them, please contact the respective social media provider or refer to their respective privacy policy:

  • Google: policies.google.com/privacy
  • Twitter: twitter.com/privacy
  • LinkedIn: linkedin.com/legal/privacy-policy

Retention period

We do not store any personal data in this context.

For storage of personal data by the social media provider, please contact the respective social media provider or refer to their respective privacy policy:

  • Google: policies.google.com/privacy
  • Twitter: twitter.com/privacy
  • LinkedIn: linkedin.com/legal/privacy-policy

Possible consequences of failure to provide personal data

Without processing the above mentioned personal data, you will not be able to post links to and other content from our website.

Our website uses cookies. Cookies are usually small text files that are stored on your computer's browser directory or program data subfolders. Cookies are created when you use your browser to visit a website that uses cookies to keep track of your movements within the site, help you resume where you left off, remember your registered login, theme selection, preferences, and other customisation functions. Our website stores a corresponding file (with same ID tag) to the one we set in your browser and in this file we can track and keep information on your movements within the site and information you may have voluntarily given while visiting the website.

By using our website and accepting these cookies, you are agreeing to our use of these cookies. Cookies allow us to distinguish you from other users of our website. This helps us optimise your access to and use of our website and enables the correct functioning of those parts of our site that you access. You can find out more about our cookies on  www.allaboutcookies.org.

Description and purposes of the processing

We use certain cookies (we refer to these as ‘essential cookies’) that are necessary for users to visit and display our website provided by Microsoft Corp. (One Microsoft Way, Redmond, WA 98052-7329, USA) and Episerver Inc. (542 Amherst Street, Route 101A, Nashua, NH 03063, USA).

These cookies are essential in order to enable you to move around the website and use its features. Without these cookies services you have asked for cannot be provided.

We collect essential cookie data, such as your unique session ID, authentication data and the time of your login (time stamp). This data allows us to relate the visitor's unique session to server side data. The cookies act as a reference to the session created. Whenever an activity is performed on our website, our server recognises your session ID and validates that activity.

Legal basis for the processing and legitimate interests for the processing

Processing of strictly necessary cookies data is based on our legitimate interests to enable users to visit our website and to promote our business.

Recipients

Essential cookie data is processed by Microsoft Corp. and Episerver Inc. as data processor on our behalf on the basis of data processing agreements between Microsoft Corp./ Episerver Inc. and us.

Transfer of personal data to third countries or international organisations

Essential cookie data may be processed by Microsoft Corp. / Episerver Inc. on servers in the United States of America. Microsoft Corp. and Episerver Inc. are certified under the so-called EU-US Privacy Shield.

Possible consequences of failure to provide personal data

Disabling these essential cookies will hinder our website’s performance, and may make certain of its functions and features unavailable.

We use the following essential cookies:

Tool

Cookie

Name

Type

Purpose

Expiry after

Microsoft

ASP.Net_SessionId

Session

This is the default ASP.net cookie which uniquely identifies each user session. It allows users to log-in and expires at the end of your session.

When you close your browser

Ektron

Ecm

Session

This cookie provides user data directly to our internal systems as part of the log-in process.

When you close your browser

Description and purposes of the processing

We use the web analytics services of

  • Google Analytics,
  • Ektron and
  • Microsoft

for statistical analysis purposes and the optimisation of our website. This helps us to tailor our website to our users’ needs by, for example, placing the most sought-after sites where they are most easily found. It also allows us to gauge how attractive our website is, how many of our users are regulars and how we can improve the reach of our website, e.g. by optimising search engine ranking.

For this purpose,

  • Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA),
  • Episerver Inc. (542 Amherst Street, Route 101A, Nashua, NH 03063, USA) and
  • Microsoft Corp. (One Microsoft Way, Redmond, WA 98052-7329, USA)

(together referred to as ‘cookie suppliers’) collect and store on our behalf certain usage data (e.g. which sites you navigate to, how long you spend on these sites, how often you return to our website) attributed to an anonymous identifier. This usage data is then used to generate non-personalised analyses of website usage for us.

When you visit a site on our website that uses Google Analytics, Ektron or NmStat, certain information on this “pageview hit” (incl. the URL of the site visited by you as well as your IP address, information on the operating system, browser and language setting used by you and potentially some information stored in the cookies described below) will be transmitted to our cookie supplier´s server by code embedded in the respective site. The IP address is only used for the technical purposes of transmission and is anonymised by deleting the last digits immediately after reception. The other usage data will be attributed to an anonymous / pseudonymous identifier that is automatically generated and stored in a cookie on your device (cf. below). This identifier cannot and will not be traced back to you. Its sole purpose is to allow us to analyse typical website usage by obtaining information on relevant usage cycles.

Legal basis for the processing and legitimate interests for the processing

Processing of usage data is based on our legitimate interests to optimise our web presence and improve its reach, usability and content and thereby ultimately promote our business.

Recipients

Usage data is processed by our cookie supplier as a data processor on our behalf. Analyses of website traffic provided by our cookie suppliers are used by our internal departments, in particular the IT and business development departments, for the abovementioned purposes.

Transfer of personal data to third countries or international organisations

Usage data may be processed by our cookie suppliers on servers in the United States of America. Google LLC, Episerver Inc. and Microsoft Corp. are certified under the so-called EU-US Privacy Shield.

Possible consequences of failure to provide personal data

None.

You may prevent the processing of your personal data by activating the “do-not-track”-option of your browser.

For Google analytics cookies, you can opt-out by installing the Google Analytics opt-out browser add-on.

Further information

Please see the privacy notices of Microsoft, Google and Episerver.

 

The following cookies are used for the purposes of web analytics:

Tool

Cookie

Name

Type

Purpose

Expiry after

Google Analytics

_utma

Permanent

This tracks the number of times a visitor has been to our site, when their first visit was, and when their last visit occurred. Google Analytics uses the information to calculate visitor statistics

2 years

Google Analytics

_utmb _utmc

Session

These cookies work together to calculate how long a visit takes. _utmb takes a timestamp of the exact moment when a visitor enters a site, while_utmc takes a timestamp of the exact moment when a visitor leaves a site. _utmb expires at the end of the session. _utmc waits 30 minutes, and then expires. _utmc waits 30 minutes for another page view to happen, and if it doesn't, it expires.

30 min

Google Analytics

_utmz

Permanent

This cookie tracks where visitors came from. What search engine was used. What links were clicked on. What keywords were used. Where they were in the world when they accessed the website. It expires in 6 months.

6 months

Google Analytics Google Analytics

_utmv

Permanent

This cookie stores custom variables for each visitor and allows us to use segmentation to better understand our visitors. It expires 2 years after last visit.

2 years after last visit

Google Analytics

_ga

Permanent

This cookie is used to distinguish between site visitors. It expires 2 years after last visit.

2 years after last visit

Ektron

EkAnalytics EktGUID

Permanent

These cookies provide alternative web analytics to Google which are used by our Content Management System (the platform on which our website is built).

1 year after last visit

Microsoft

Nmstat

Permanent

This is an ASP.net cookie which is used to track the sequence of pages a visitor looks at during a visit.

1000 days

Technically necessary?

No.

Opt-out

You have the right to opt out from the usage of cookies by us by activating the “do-not-track”-option of your browser.

For Google analytics cookies, you can opt-out by installing the Google Analytics opt-out browser add-on.

We partner with third parties to provide you with connections to certain social networks, such as Google, Twitter and LinkedIn (cf. 2.4.). By engaging with third-party plug-ins and widgets on our website, such third parties may place session or persistent cookies or similar technologies on your browser. These technologies may provide to the third parties information about your visit so that they can present you with advertisements and services which may be of interest to you. As we are not responsible for the use of such cookies and do not gather any information in that regard, the use of these cookies is subject to third party’s own cookie policies:

  • Google: policies.google.com/privacy
  • Twitter: twitter.com/privacy
  • LinkedIn: linkedin.com/legal/privacy-policy

 

In this section of our Notice, we inform you about the processing of personal data in relation to providing our legal advice and services on a Matter and how we ensure compliance with the GDPR (or other applicable legal requirements with equivalent effect). Where we operate in jurisdictions with Data Protection Legislation which is substantially different to the GDPR (such as in the United States of America), these descriptions and in particular the outlined rights and obligations and limitations to processing do not necessarily apply and nothing in this Notice may be interpreted to establish rights or obligations that go beyond what is mandated by the respectively applicable Data Protection Legislation.

 

Data Controller

The data processing in the context of providing legal advice on a given Matter will ordinarily be controlled by the Freshfields Entity that is instructed and provides its services on that Matter. Where several Freshfields Entities work together on a Matter, they normally act as individual controllers for the respective work done on that Matter by them, as they will ordinarily be providing their advice in respect of the relevant jurisdiction where they are based. If they should however act as joint controllers, Freshfields Bruckhaus Deringer LLP is designated as a single point of contact for data subjects under the GDPR.

(A)             You can see here the Freshfields Entities through which we practise law in the relevant jurisdiction.

Description and purposes of the processing, categories of personal data processed

We process personal data in relation to a Matter (“Matter Data”) for certain specific purposes, including:

  • to provide our advice to our clients, and to handle the Matter;
  • to comply with our applicable legal and regulatory obligations in the jurisdictions where we practise (e.g. to carry out conflict and Know Your Customer (or KYC) checks);
  • for operational purposes (e.g. internal record keeping, accounting, billing and tax compliance);
  • to fulfil certain legal obligations (e.g. where applicable, disclosure obligations and compliance with court orders).

Whose personal data do we process in the course of handling a Matter?

Depending on the nature of the Matter, we may process personal data of various categories of data subjects, including:

  • clients and their respective officers, agents and staff;
    • counterparties / contractual partners of our clients and their respective officers, agents and staff;
    • other advisers, consultants and professional experts who are involved in the Matter and their respective officers, agents and staff;
      • our partners and staff;
      • third parties such as court officers, witnesses and other natural persons who are involved in the Matter.

What types of personal data are processed as Matter Data?

The Matter Data can include various types of personal data, depending on the nature of the Matter and the information that is provided to, or obtained by, us in the course of that Matter. The types of personal that we typically process in relation to a Matter include client contact and communication data.

Depending on the Matter, we also process “special categories of personal data” according to Art. 9(1) GDPR (e.g. health data) and personal data relating to criminal convictions and offences or related security measures according to Art. 10 GDPR. We of course limit the processing of personal data and in particular sensitive personal data to the necessary minimum.

 

Legal basis for the processing and legitimate interests for the processing

  • Our processing of Matter Data, is ordinarily based on our legitimate interests to provide our services and advice to our clients. This processing is necessary for the pursuit of our client’s legitimate interest to obtain legal advice and representation;
  • We also have a legitimate interest to process Matter Data in order to comply with certain obligations related to the operation of our business such as maintaining our accounts, and for record keeping, billing and tax compliance purposes; and
  • We also process Matter Data to meet our legal and regulatory obligations under Applicable Laws.

 

We process special categories of personal data  (as necessary): for the establishment, exercise or defence of legal claims; based on your consent;  for employment and social security law purposes; in relation to personal data which has been made public by a data subject; and/or  for reasons of public interest in connection with a statutory provision.

Sources of personal data

In the context of a Matter, our clients ordinarily provide us with the personal data that we need to handle the Matter in our capacity as their legal advisors.

However, we may also obtain certain personal data from other sources (for example for KYC purposes) such as public registers and databases, court and public records, and our communication with third parties and other advisors involved in the Matter.

Recipients

In the course of our work on a Matter, as a global law firm we may, where necessary and subject to appropriate terms regarding confidentiality and data protection, share Matter Data:

  • with our offices and associated undertakings that are part of Freshfields Bruckhaus Deringer across the world;
  • if required, on a case-by-case basis, with other professional advisers including those working with us on a Matter (for example law firms from our “StrongerTogether” network);
  • with other parties providing goods or services to us for the purpose of supporting our work on a Matter (e.g. providers of legal technology) or in connection with the administration of the activities of Freshfields Bruckhaus Deringer in the ordinary course of its business; and/or
  • with our professional advisers and insurers where it is required for them to provide their services to us.

Transfer of personal data to third countries or international organisations

As a global law firm, we share Matter Data within Freshfields Bruckhaus Deringer (e.g. where multiple Freshfields Bruckhaus Deringer offices are involved in a Matter). Adequate safeguards for personal data transfers within Freshfields Bruckhaus Deringer (and where necessary with other third parties working with or for us on a Matter) will be ensured: through standard contractual clauses; with your consent; or on the basis that the transfer is otherwise compliant with Data Protection Legislation. Additionally, within Freshfields Bruckhaus Deringer we have in place binding firm-wide data protection and information security policies which govern our internal data processing activities.

Retention period

We retain personal data only for as long as there is a legitimate reason or other legal ground to do so, and will keep these legal bases under review. If there is no longer a legal ground for the data to be retained, we will erase personal data securely, or in some cases anonymise it.

In this section of our Notice, we inform you about the processing of personal data in relation to promoting our services and how we ensure compliance with the GDPR (or other applicable legal requirements with equivalent effect). Where we operate in jurisdictions with Data Protection Legislation which is substantially different to the GDPR (such as in the United States of America), these descriptions and in particular the outlined rights and obligations and limitations to processing do not necessarily apply and nothing in this Notice may be interpreted to establish rights or obligations that go beyond what is mandated by the respectively applicable Data Protection Legislation.

Controller

Data processing activities in the context of global business development initiatives are generally controlled by Freshfields Bruckhaus Deringer LLP.

Data processing activities in the context of local business development initiatives are ordinarily controlled by the respective Freshfields Entity.

If different Freshfields Entities act as joint controllers, Freshfields Bruckhaus Deringer LLP is designated as a single point of contact for data subjects under the GDPR.

Description and purposes of the processing

In the conduct of our business we engage in different business development activities with current and potential clients and other relevant third parties. For these purposes, we process certain “business development data” such as:

  • contact information (e.g. name, work address, telephone numbers, e-mail, position):
  • data on (marketing) preferences and fields of interest; and/or
  • data on past participation in marketing initiatives.

This data is either provided directly by the relevant data subject or by other business contacts and sources (e.g. business information services, public registers).

Legal basis for the processing and legitimate interests for the processing

The processing is based on our legitimate interest to pursue business development initiatives, or, as the case may be, in order to take steps at the request of a data subject prior to entering into a contract.

Recipients

As a global firm in the conduct of our business, we share certain business development data within Freshfields Bruckhaus Deringer.

On a case-by-case basis, we may also share certain business development data with our business partners (for example law firms from our “StrongerTogether” network) and certain other parties that assist us with our business development activities in the ordinary course of our business (e.g. marketing services providers).

Transfer of personal data to third countries or international organisations

As a global law firm, we may share business development data within Freshfields Bruckhaus Deringer and with certain third parties supporting us with the administration of our activities in the ordinary course of our business. Adequate safeguards for personal data transfers within Freshfields Bruckhaus Deringer (and where necessary with certain other third parties) will be ensured: through standard contractual clauses; with your consent; or on the basis that the transfer is otherwise compliant with Data Protection Legislation. Additionally, within Freshfields Bruckhaus Deringer we have in place binding firm-wide data protection and information security policies which govern our internal data processing activities.

 

Retention period

We retain personal data only for as long as there is a legitimate reason or other legal ground to do so, and will keep these legal bases under review. If there is no longer a legal ground for the data to be retained, we will erase personal data securely, or in some cases anonymise it.

Possible consequences of failure to provide personal data

Where we collect business development data directly from you, you continue to retain full discretion over how and what you disclose to us. There are no negative consequences if you do not provide us business development data.

Controller

Generally, data processing activities in the context of newsletters and update services (e.g. RSS news feeds and social media news feeds) are controlled by Freshfields Bruckhaus Deringer LLP.

Data processing in the context of local newsletters or other update services are ordinarily controlled by the respective Freshfields Entity.

If different Freshfields Entities act as joint controllers, Freshfields Bruckhaus Deringer LLP is designated as a single point of contact for data subjects under the GDPR.

Description and purposes of the processing

If you have signed up or otherwise agreed to receive newsletters or other update services, we will process your contact data (e.g. name, e-mail) to provide those services to you.

To further optimise the user experience and in particular to tailor the information provided to you, we process information on your specified preferences, if any, and in some instances, follow your consumption of material (user statistics).

All newsletter activities and other update services serve marketing purposes and business development.

Legal basis for the processing and legitimate interests for the processing

The processing is based on our legitimate interests to pursue business development activities, or, as the case may be, for the performance of a contract according.

In other cases, we may ask you for your explicit consent for the processing.

Recipients

As a global firm in the conduct of our business, we share certain business development data within Freshfields Bruckhaus Deringer.

On a case-by-case basis, we may also share certain business development data with our business partners (for example law firms from our “StrongerTogether” network) and certain other parties that assist us with our business development activities in the ordinary course of our business (e.g. marketing services providers).

Transfer of personal data to third countries or international organisations

As a global law firm, we share data within Freshfields Bruckhaus Deringer. Adequate safeguards for personal data transfers within Freshfields Bruckhaus Deringer will be ensured: through standard contractual clauses; with your consent; or on the basis that the transfer is otherwise compliant with Data Protection Legislation. Additionally, within Freshfields Bruckhaus Deringer we have in place binding firm-wide data protection and information security policies which govern our internal data processing activities.

 

Retention period

We retain personal data only for as long as there is a legitimate reason or other legal ground to do so, and will keep these legal bases under review. If there is no longer a legal ground for the data to be retained, we will erase personal data securely, or in some cases anonymise it.

Possible consequences of failure to provide personal data

There are no negative consequences if you do not provide us the above mentioned personal data. However, without providing your personal data, you cannot receive our newsletter or other update services.

In this section of our Notice, we inform you about the processing of personal data in relation to our career portal and recruitment and how we ensure compliance with the GDPR (or other applicable legal requirements with equivalent effect). Where we operate in jurisdictions with Data Protection Legislation which is substantially different to the GDPR (such as in the United States of America), these descriptions and in particular the outlined rights and obligations and limitations to processing do not necessarily apply and nothing in this Notice may be interpreted to establish rights or obligations that go beyond what is mandated by the respectively applicable Data Protection Legislation.

Controller

Generally, data processing activities in the context of our career portal are controlled by Freshfields Bruckhaus Deringer LLP. Other processing activities regarding the assessment of your application are controlled by the relevant Freshfields Entity to which your job application is submitted through the online career portal.

If different Freshfields Entities act as joint controllers, Freshfields Bruckhaus Deringer LLP is designated as a single point of contact for data subjects under the GDPR.

Description and purposes of the processing

You may apply for a vacancy via our online application portal.

 

Browsing without registration

We keep our portal up to date. You will find current job opportunities on this page. You can browse through them without registration.  The section of our Notice regarding the use of our website applies (please see section 2.1).

 

Register with the online application portal

The first step to submit an online application is to register with our online recruitment system. This will give you the opportunity to (for example) save job offers that may be of interest to you in the section “My Jobpage”. At this point we only ask you for your basic contact data, e.g. name and e-mail address.

 

Completing and submitting your application

To complete and submit an application, we ask you to provide us with certain “applicant data” e.g.:

  • name;
  • address;
  • e-mail;
  • education/qualifications/certificates; and/or
  • former employers.

We use that applicant data:

  • to evaluate and select candidates;
  • to set up and conduct interviews and tests;
  • to evaluate and assess the results of those interviews and test; and/ or
  • if otherwise needed in the recruitment processes.

We may carry out pre-employment vetting, including but not limited to credit reference and criminal record checks, address verification, confirmation of academic qualifications, and requesting employer or other references.

We may also use your information for reporting purposes when required to do so by law and for statistical purposes.

We only use this data if you approve the submission of the application.

Sources of data (if not obtained directly from you)

Generally, all applicant data is obtained directly from you.

When carrying out pre-employment vetting, we also obtain data from third parties (e.g. former employers or other references, academic institutions) or public registers (e.g. criminal records).

Legal basis for the processing and legitimate interests for the processing

The processing is generally based on us taking steps at your request as the data subject prior to entering into a contract with you.

Some applicant data collected directly from you or through public registers, is processed to ensure compliance with certain of our legal / regulatory obligations (e.g. criminal record checks).

If we need to process special categories of personal data, we will ask for your consent if necessary.

Recipients

Internally, your personal data will only be processed by the Freshfields Entity or office which posted the job offer (and to which you have applied) and by the human resources/ personnel department of that Freshfields Entity.

Your application and any other information that you provide to us will be held on systems operated on our behalf by the Oracle Corporation (500 Oracle Parkway, Redwood Shores, CA, 94065, USA), and will be stored in the UK and other countries inside Europe.

The Oracle Corporation is under contract with us to ensure that your information is protected to standards required by us in accordance with applicable Data Protection Legislation and is only processed in accordance with our instructions.

Transfer of personal data to third countries or international organisations

As a global law firm, we may share data within Freshfields Bruckhaus Deringer. Adequate safeguards for personal data transfers within Freshfields Bruckhaus Deringer (and where necessary with other third parties) will be ensured: through standard contractual clauses; with your consent; or on the basis that the transfer is otherwise compliant with Data Protection Legislation. Additionally, within Freshfields Bruckhaus Deringer we have in place binding firm-wide data protection and information security policies which govern our internal data processing activities.

Retention period

We retain personal data only for as long as there is a legitimate reason or other legal ground to do so, and will keep these reasons legal bases under review. If there is no longer a legal ground for the data to be retained, we will erase personal data securely, or in some cases anonymise it.

Your basic contact data will be erased if you cancel your user account.

Your applicant data will be stored for a period sufficient to enable us to review your application. If your application is not successful or if you withdraw your application, your application data will be erased, unless further retention can be based on other legal grounds (e.g. for the exercise of our legal rights, or compliance with Applicable Laws).

If you, at your discretion, give us your specific consent, we will store your application information in our e-recruitment system for a period of 18 months counting from your last visit. If you do not log into your profile in the 18-month period, your application information will be automatically removed. If you withdraw your consent prior to the expiration of the 18-month period, we will erase your personal data immediately.

If your application is successful, any data provided through this recruitment system may be further processed for (or in relation to) your future employment with us, and to allow us to carry out the monitoring activities required of us as an equal opportunities employer. For further information on the processing of your personal data in the employment context, you will be able to refer to the internal privacy notice accessible to our staff via our intranet (our “Wiki”).

Applicants should note that they have the right to access, modify or erase any information concerning their personal profile in compliance with applicable Data Protection Legislation. You may access or modify your personal details via the online portal through which you submitted your application.

Possible consequences of failure to provide data

There are no negative consequences if you do not provide us the above mentioned personal data. However, incomplete or incorrectly completed applications cannot be considered. Without providing your personal data it will not be possible to progress the application and the application will be closed.

In this section of our Notice, we inform you about the processing of personal data in relation to our alumni network and how we ensure compliance with the GDPR (or other applicable legal requirements with equivalent effect). Where we operate in jurisdictions with Data Protection Legislation which is substantially different to the GDPR (such as in the United States of America), these descriptions and in particular the outlined rights and obligations and limitations to processing do not necessarily apply and nothing in this Notice may be interpreted to establish rights or obligations that go beyond what is mandated by the respectively applicable Data Protection Legislation.

Controller

All processing of personal data in the context of our social media tool for alumni (the “Freshfields Alumni Network”) on our website is controlled by Freshfields Bruckhaus Deringer LLP.

Description and purposes of the processing

You can sign up to our Freshfields Alumni Network to keep in contact with us and your former colleagues. When filling out the registration form, we ask you for contact data (name, private address and e-mail), current employment data (such as current company name, job title, business contact details) and information regarding your time at Freshfields (such as office and department at departure, role title). We use this social media tool and the data you provide to us when filling out the registration form to create a network of valuable business contacts. The Freshfields Alumni Network also serves recruiting purposes.

The registration form also provides the possibility to subscribe to different newsletters and updates. For further information on data processing activities in the context of these newsletters and updates, please see above under 4.2.

Legal basis for the processing and legitimate interests for the processing

The processing in the context of our Freshfields Alumni Network is based on our legitimate interests to pursue our business interest of developing and maintaining a network of business contacts and to recruit highly skilled employees.

Recipients

We share the above-mentioned personal data, in particular contact data, with other Freshfields Entities.

Transfer of personal data to third countries or international organisations

As a global law firm, we may share your data within Freshfields Bruckhaus Deringer. Appropriate safeguards for personal data transfers within Freshfields Bruckhaus Deringer will be ensured through standard contractual clauses.

Additionally, we have in place binding firm-wide data protection and information security policies which govern our internal data processing activities.

Possible consequences of failure to provide personal data

There are no negative consequences if you do not provide us the above mentioned personal data. However, without processing the above mentioned personal data, you cannot use our social media tool for alumni.

Retention period

We retain personal data only for as long as there is a legitimate reason or other legal ground to do so, and will keep these legal bases under review. If there is no longer a legal ground for the data to be retained, we will erase personal data securely, or in some cases anonymise it. Generally, we erase your personal data in regard to our Freshfields Alumni Network as soon as possible after your withdrawal from this network.

In this section of our Notice, we inform you about the processing of personal data in relation to communications between you and us and how we ensure compliance with the GDPR (or other applicable legal requirements with equivalent effect). Where we operate in jurisdictions with Data Protection Legislation which is substantially different to the GDPR (such as in the United States of America), these descriptions and in particular the outlined rights and obligations and limitations to processing do not necessarily apply and nothing in this Notice may be interpreted to establish rights or obligations that go beyond what is mandated by the respectively applicable Data Protection Legislation.

Controller

If you use the contact options on our website, the respective data processing is controlled by Freshfields Bruckhaus Deringer LLP (cf. 2.1). Single Freshfields Entities may be controller if you contact them directly.

If different Freshfields Entities act as joint controllers, Freshfields Bruckhaus Deringer LLP is designated as a single point of contact for data subjects under the GDPR.

Description and purposes of the processing

 

We offer you the possibility to contact us via e-mail or our contact form. We will process your personal data (such as your name, address, telephone number) to respond to you request and save them for potential further inquiries. Also, the content of the communication will be processed by us for the purpose of responding to your request.

Legal basis for the processing and legitimate interests for the processing

The processing of your data in the context of our communications with you (e.g. via a contact form or by e-mail) is based on our legitimate interests to respond to your requests or queries, or otherwise to communicate with you.

Recipients

We share the above-mentioned personal data, in particular contact data, with those Freshfields Entities, offices or departments your request is aimed at.

Transfer of personal data to third countries or international organisations

As a global law firm, we may share your data within Freshfields Bruckhaus Deringer. Appropriate safeguards for personal data transfers within Freshfields Bruckhaus Deringer will be ensured through standard contractual clauses.

Additionally, we have in place binding firm-wide data protection and information security policies which govern our internal data processing activities.

Possible consequences of failure to provide data

You are not obliged to provide us with your personal data. However, we need the relevant data to contact you and respond to your request or query.

Retention period

We retain personal data only for as long as there is a legitimate reason or other legal ground to do so, and will keep these legal bases under review. If there is no longer a legal ground for the data to be retained, we will erase personal data securely, or in some cases anonymise it.

If you are an individual whose personal data, and the processing of that personal data by the relevant Freshfields Entity, are subject to the application of the GDPR, you have certain rights. These rights are identified below together with a brief, non-exhaustive explanation. Where your personal data and the processing of your personal data are not subject to the GDPR these rights do not necessarily apply and nothing in this Notice may be interpreted to establish rights or obligations that go beyond what is mandated by the respectively applicable Data Protection Legislation.

If you have any questions in relation to this Notice, or wish to assert any of your rights, please contact us using the contact details included below. To protect your rights and your privacy and to validate communications received in relation to this Notice, we may request a confirmation and proof of your identity.

 

Your rights

What do they mean for you?

The right to object to the processing

You have the right to object to the processing of your personal data in certain situations.

The right to information

You have the right to be informed whether and to what extent we process your data.

The right of access

Subject to certain exceptions you have the right to obtain a confirmation as to whether or not we process your personal data, and if we do, request access to your data.

The right to rectification

If the personal data that we process is incomplete or incorrect, you have the right to request their completion or correction at any time.

The right to deletion

 

Subject to certain exceptions if you consider that we should stop processing some or all of your personal data, you have the right to request its deletion. However, there may well be reasons why an immediate deletion may not be possible (for example where retention is required to meet legal or regulatory obligations).

The right to restrict the processing

 

You have the right to request that we restrict the processing of your personal data in certain situations:

  • If you contest the accuracy of your personal data, you may request that its processing is restricted while we verify its accuracy.
  • If the processing of your personal data is considered unlawful, but you do not require the deletion of your personal data.
  • If we no longer need the data for the purposes of its processing, but you need it for the establishment, exercise or defence of legal claims.
  • If you object to our processing of your data based on our legitimate interests, or where the processing is based on Art. 6(1) (e) GDPR.

The right to data portability

 

Where the processing takes place on the basis of your consent or contract, and is carried out by automated means, you have the right to request that we provide your personal data to you in a machine-readable format.

Rights in relation to automated decision making and profiling

 

You have the right to object to decisions based exclusively on the automated processing of your personal data.

The right to withdraw your consent

If your personal data is processed on basis of your consent, you have the right to withdraw your consent at any time. The withdrawal of your consent does not affect the lawfulness of processing based on consent before its withdrawal.

  • If you wish to exercise your rights you can get in touch with us by contacting:

 

 

The Data Privacy Officer

(Legal Department)

Freshfields Bruckhaus Deringer LLP

65 Fleet Street, London EC4Y 1HS

Telephone: +44 20 7716 4000

Email: dataprivacy@freshfields.com

 

  • You also have the right to lodge a complaint:
  • by using the contact details above; and/or
  • with a competent supervisory authority.

Term

Definition

Applicable Laws

Means all applicable laws, rules, orders, ordinances, regulations, statutes, requirements, codes and executive orders of any governmental or judicial authorities, each as amended, extended or re-enacted from time-to-time.

Cookies

A ‘cookie’ is a small file of letters and numbers that is stored on your browser or the hard drive of your computer if you agree. Cookies contain information that is transferred to your computer's hard drive.

Controller

Means the entity which alone, or jointly with others, determines the purposes and means of the processing of personal data.

Data Protection Legislation

Refers to the applicable laws, rules and regulations relating to the processing of personal data, including, where applicable, the GDPR (and any laws, rules and regulations implementing the foregoing).

Freshfields Bruckhaus Deringer LLP

Refers to Freshfields Bruckhaus Deringer LLP, a limited liability partnership registered in England and Wales with registered number OC334789, and registered office at 65 Fleet Street, London EC4Y 1HS.

Freshfields Bruckhaus Deringer

 

Refers to the international legal practice operating through  Freshfields Bruckhaus Deringer LLP, and its associated undertakings in the USA (Freshfields Bruckhaus Deringer US LLP), in Hong Kong (Freshfields Bruckhaus Deringer Hong Kong Partnership), in Japan (Freshfields Bruckhaus Deringer Law Office and Freshfields Bruckhaus Deringer Foreign Law Office), in Singapore (Freshfields Bruckhaus Deringer Singapore Pte. Limited), in Italy (Studio Legale associato a Freshfields Bruckhaus Deringer) and by means of a number of other associated entities (each a “Freshfields Entity”).

Freshfields Entity

Refers to Freshfields Bruckhaus Deringer LLP and each other entity associated with Freshfields Bruckhaus Deringer LLP. The identity of the Freshfields Entities which together make up Freshfields Bruckhaus Deringer may change from time-to-time. You may access here the most up-to-date information regarding our various offices.

GDPR

Means the EU-General Data Protection Regulation (Regulation (EU) 2016/679) including its implementing national legislation.

Matter

 

Means a matter in respect of which we agree to provide our advice or services to a client.

Matter Data

Has the meaning given to this concept in section 3 of this Notice (Advising our clients).

Personal data

Means any information relating to an identified or identifiable living person.

Processing

Means anything that is done to, or with, personal data (including obtaining, recording, holding, disclosing, transmitting, making available, using or deleting those data).

Special categories of personal data

Means (as per Art. 9 GDPR) personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.

Standard contractual clauses

 

Are a set of contractual provisions that are recognised and approved by the European Commission (decision 2004/915/EC) as offering appropriate safeguards for transfers of personal data outside the European Economic Area.

Supervisory authority

Means an independent public authority which is established pursuant to Art. 51 GDPR.

Third country

Means a country which is not a member of the European Union or the European Economic Area, or which does not benefit from an “adequacy decision” by the European Commission.