It is the policy of Sullivan & Cromwell to deal with your personal information responsibly and in accordance with the requirements of applicable data protection laws, including the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). This notice explains how we do that.
In this notice, “Sullivan & Cromwell” refers to Sullivan & Cromwell LLP and its affiliated partnerships from time to time. Sullivan & Cromwell LLP is a limited liability partnership registered under the laws of the State of New York.
Nothing stated in this notice is intended to, nor will it, establish a client-attorney relationship with persons reading it. Information provided to us in the course of any attorney-client relationship enjoys a special status and may be protected by confidentiality, the attorney-client privilege, the attorney work product doctrine and other similar protections (whether in the United States or elsewhere). Nothing in this notice detracts from any of the protections that attach to such information.
We operate an Alumni Network which can be accessed only by registered alumni and current Sullivan & Cromwell lawyers. A privacy notice specific to members of the Alumni Network using that service is available at https://alumni.sullcrom.com/privacy.
In addition, a privacy notice specific for individuals applying for employment with Sullivan & Cromwell is available at https://www.sullcrom.com/pre-hire-recruitment-privacy-notice.
The personal information we collect
We may collect personal information from you in the course of our business, including through your use of our website, when you contact or request information from us, when you engage us to provide legal services or as a result of your relationship with any member of our personnel or our clients.
The personal information that we process includes:
- Basic identifying information, such as your name, your preferred form of address, the company you work for, your job title or position, your gender, and geolocation data
- Contact information, such as your postal and email addresses, and phone and fax number(s)
- Financial information, such as bank account information needed to process payments
- Technical information, such as information from your visits to our website or in relation to electronic communications we send to you, your unique personal identifier, your
- Information you provide to us in connection with meetings and events we organize, including access and dietary requirements
- Identification and background information we collect as part of our client acceptance procedures (which may be provided by third parties)
- Personal information provided to us by or on behalf of our clients or generated by us in the course or providing legal services to them
How we collect personal information
- We collect information as part of our business acceptance procedures. Those procedures include anti-money laundering, conflict, sanctions and general reputational and financial checks. This information may be provided by you or by third parties
- We collect information as necessary in the course of providing legal services
- We collect information from monitoring use of our website
- We collect information from monitoring email communications we send and receive
- We receive personal information provided to us directly, for example when you speak on the telephone with any of our personnel or you register to receive communications from us
- We may collect or receive information about you from other sources. For example we may use publicly available sources or third-party vendors to allow us to maintain the accuracy of contact details we hold for you or provide missing information
- We collect information as part of our due diligence procedures when entering into contracts with suppliers or vendors
We use the information that we collect in a number of ways, including:
- To provide legal services to our clients
- To manage our business and our commercial relationships with our clients, suppliers and vendors
- To market our services. We do this in a variety of ways, including sending S&C announcements, legal memoranda, publications and details of seminars and other events. You may choose at any time not to receive marketing materials from us by emailing us at [email protected]
- To fulfill our legal and regulatory obligations, including reporting obligations and in connection with potential or actual legal or regulatory proceedings or investigations
- For the purposes of recruitment
- To provide and improve this website, including auditing and monitoring its use, to provide users with a customized experience, and
- To provide information requested by you
- In connection with the administration of events
- To analyze whether event invitations and other emails sent by S&C have been successfully sent or have been opened
The grounds on which we process personal information
We process personal information on one or more of the following grounds:
- For the legitimate business purposes described above
- On the basis of consent from the relevant individual
- To perform a contract, including a contract to provide legal services
- For the establishment, exercise or defense of legal claims or proceedings
- To comply with legal and regulatory obligations
Sullivan & Cromwell has offices around the world.
Personal information that is given to a Sullivan & Cromwell office may be transferred to one or more other offices in our network (including any office we may open in the future).
We may also share your personal information with third parties in accordance with contractual arrangements in place with them, including:
- other organizations involved in matters for our clients, including local counsel, accountants or auditors, and technology service providers such as data room and case management services
- suppliers or vendors who provide support services to us, such as translation, photocopying or document review
- IT service providers
- organizations who assist us or work alongside us in hosting or organizing events or seminars
- our own professional advisers and auditors
The information sharing described above may involve a transfer of your information from a location within the European Economic Area (the “EEA”) to outside the EEA, or from outside the EEA to a location within the EEA. The level of information protection in countries outside the EEA may be less than that offered within the EEA. We will implement appropriate measures to ensure that your personal information nevertheless remains protected and secure in accordance with applicable data protection laws. EU standard contractual clauses are in place between all Sullivan & Cromwell entities that share and process personal data.
Protecting personal information
We use a variety of technical and organizational measures to help protect your personal information from unauthorized access, use, disclosure, alteration or destruction consistent with applicable data protection laws. These measures are reviewed periodically by external assessors who confirm and certify our operations. Accordingly, we hold certificate #IS 585222 and operate an Information Security Management System which complies with the requirements of ISO/IEC 27001:2013.
Individuals’ rights regarding their personal information
The GDPR and other applicable data protection laws provide certain rights for data subjects. Broadly speaking you have, or may have, the right (as more fully provided in applicable data protection laws):
- to request details of the information we hold about you and how we process it
- to have your personal information rectified if it is inaccurate or deleted
- to restrict our processing of your personal information
- to withdraw a previously provided consent to processing of your personal information
- to stop unauthorized transfers of your personal information to a third party
- to have your personal information transferred to another person
- to complain about our processing of your personal information to a local supervisory authority
Rights regarding personal information for California residents
Pursuant to the California Consumer Privacy Act (CCPA), California residents receive certain rights with respect to their personal information, as described below. These rights are not absolute and are subject to certain exceptions more fully set forth in the CCPA. California residents have the right not to receive discriminatory treatment from us for the exercise of the privacy rights conferred by the CCPA.
Right to know about personal information collected, disclosed, or sold
Each California resident has the right to request, subject to certain exceptions described in the CCPA, that we disclose to that resident:
- the categories of personal information we have collected about them,
- the categories of sources from which the personal information is collected,
- the business or commercial purpose for collecting or selling the personal information,
- the categories of third parties with whom we have shared the personal information, and
- the specific pieces of personal information we have collected about them (collectively, a “Request to Know”).
In the past twelve months we have collected, and in the future we will continue to collect, the categories of personal information cited in the section entitled “The personal information we collect” above. We collect this information from the sources described in the section entitled “How we collect personal information” above, use this information as described in the section entitled “How we use personal information” above, and share this information with third parties as described in the section entitled “Sharing personal information” above.
We do not sell your personal information.
Right to request deletion of personal information
Each California resident has the right to request the deletion of their personal information that we collect or maintain (a “Request to Delete”), subject to certain exceptions set forth in the CCPA. To make such a Request to Delete, you can either call us at our toll free number (1-888-558-1505), or fill out our request form here.
Process for verifying requests of California residents
In order to protect your privacy and security, prior to completing any Request to Know or Request to Delete that you may submit, we must verify your identity. We will verify your identity by asking you to provide certain data that we have already collected from you to confirm that they match our records. In certain instances, additional verification steps may be required.
California residents have the right to designate an authorized agent to make a request under the CCPA on their behalf. Prior to completing a request made by such an authorized agent, we require that you provide your authorized agent with written permission to submit such a request and require that you or your authorized agent provide us with a copy of such written permission. Additionally, we require that you verify your identity pursuant to the procedure described above.
Keeping personal information
We retain personal information of different types, or relating to different categories of people, for different periods, taking into account its business purpose. For example, information about individuals who have applied for employment with us will be retained for a shorter period than information about individuals who have actually worked for us.
The periods for which we retain information are based on the requirements of applicable data protection laws and the purpose for which the information is collected and used. We take into account legal and regulatory provisions which require information to be retained for a minimum period. We also consider the limitation periods for taking legal action and good practice in the legal industry.
If you have any questions on the matters covered in this policy, please contact our Data Protection Officer, Craig Jones at [email protected].
This policy was last updated on December 30, 2019.