1.1 Your privacy
Curtis, Mallet-Prevost, Colt & Mosle LLP (a limited liability partnership organized under the laws of the State of New York, USA) and its associated entities and offices practicing under the Curtis, Mallet-Prevost, Colt & Mosle name in other jurisdictions (including Curtis, Mallet-Prevost, Colt & Mosle LLP, a limited liability partnership established under English law) (collectively, “Curtis”) respect your concerns about privacy. The list of Curtis entities and offices, which are located outside as well as within the European Economic Area (“EEA”), is set out in the Legal Notices section of our website at http://www.curtis.com/.
With respect to human resources data received from European Union member countries and Switzerland, Curtis commits to cooperate with the EU Data Protection Authorities and/or the Swiss Federal Data Protection and Information Commissioner, as applicable, in conformity with the Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities/the Role of the Federal Data Protection and Information Commissioner and will comply with any advice given by such authorities.
1.2 Whose personal data Curtis processes in relation to use of our website, communications about our expertise and professional services, and client due diligence
In relation to communications about use of our website, our expertise and professional services, and client due diligence, Curtis holds, uses or otherwise processes personal data relating to our current, past and prospective clients, professional and other third parties that Curtis interacts with, or individuals connected with such parties. Like other law firms, we carry out client due diligence, including conflicts checks, on our (prospective or potential) individual clients and on officers and beneficial owners of our (prospective or potential) corporate clients and individuals who are, or who are officers or beneficial owners at, their respective counterparties, opponents or other adversaries and/or other individuals involved in our (prospective or potential) retainers.
1.3 What personal data Curtis processes, for how long, and why, in connection with:
Personal data in relation to the use of our website is held, used and otherwise processed by us as described in this Privacy Statement. You are able to browse the non-password-protected sections of Curtis’s website without actively providing us with your personal data. We do not collect personal data, such as your email address, when you browse. However, when you access our website your computer’s browser may automatically provide us with certain information, including information about your computer’s browser type, operating system and IP address, as well as your access date and time and your referring and exiting URLs. You should also be aware that, while you are browsing Curtis’s website, Google Analytics compiles information about people’s browsers, devices, location, etc. While this does not identify you personally, it is nevertheless personal data (such as IP addresses) that Google compiles, which allows us to analyze our website traffic using Google Analytics. We also provide a third-party plugin on our website called AddThis, which enables users to share content from our website directly to social media platforms, which in turn may utilize their own cookies to collect data on the use of those platforms by our website visitors.
Cookies: Like many organizations, Curtis’s web servers (computers that host websites) place a “cookie” (a small data file) on the hard drive of your computer when you first connect to our site to identify the areas of our website that you have visited.
Web Beacons: This website may use a technology known as “web beacons” (also known as Internet tags, pixel tags and clear GIFs) that allow this website to collect web log information. A web beacon is a graphic on a web page or in an e-mail message designed to track pages viewed or messages opened. Web log information is gathered when you visit our website. The web server automatically recognizes some non-personal information, such as the date and time you visited our site, the pages you visited, the website you came from, the type of browser you are using, the type of operating system you are using, and the domain name and address of your Internet service provider. We may also include web beacons in promotional e-mail messages in order to determine whether messages have been opened.
Do Not Track Signals: Curtis does not track its users over time or across third-party websites to provide targeted advertising and therefore does not respond to Do Not Track (DNT) signals.
This website is not intended for, or designed to attract, individuals under the age of 18. We do not knowingly collect personal data from any individual under the age of 18. If you are under the age of 18, do not provide personal data of any kind.
Communications about our expertise and professional services
In relation to communications about our expertise and professional services, Curtis holds, uses or otherwise processes personal data relating to individuals such as contact details relating to names, titles, telephones, addresses, email or other electronic addresses, and organizational affiliations of our current, past and prospective clients, professional and other third parties that Curtis interacts with, or individuals connected with such parties, as well as other business contacts obtained by Curtis professionals in the ordinary course of their business. Such personal data in relation to communications about our expertise and professional services is typically held, used and otherwise processed by us as described in this Privacy Statement until the individual concerned asks us to cease processing his or her personal data.
Client due diligence
In connection with our (prospective or potential) engagement to provide legal services, like other law firms, we carry out client due diligence in relation to our individual (prospective or potential) clients and to individuals who are officers, directors, shareholders or otherwise associated with our (prospective or potential) corporate clients, as well as individuals who are counterparties, competitors, adversaries (or who are officers, directors or shareholders of corporate counterparties, competitors or adversaries) or are otherwise involved in our (prospective or potential) retainers. If you are an individual providing such personal data to us, Curtis acts as a data controller in relation to personal data forming part of: (i) the client due diligence information requested by us and provided by you or on your behalf; and/or (ii) information about you which is obtained from reputable public and private compliance data sources. Our legal bases for processing such data are: (1) the processing is necessary for compliance with a legal obligation to which a Curtis entity is subject; or (2) processing is necessary for the purposes of legitimate interests of a Curtis entity or a third party; or (3) any other lawful basis for processing such data under applicable laws and/or regulations. Such data may contain “special categories of personal data” of individuals, which includes data revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data (such as passport photos and other ID photos) processed for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation. 
Our legal bases for processing special categories of personal data of an individual in connection with client due diligence are: (a) the processing relates to data which is manifestly made public by the individual to whom it relates; (b) the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or (c) any other lawful basis for processing such data under applicable laws and/or regulations. In addition, Curtis may, where appropriate, process data relating to an individual’s criminal offences or confirmation of clean criminal record, if permitted and/or required by applicable laws and/or regulations.
Curtis may share personal data of individuals with the relevant authorities or regulators or with an investigator or other agent or sub-contractor acting on Curtis’s behalf but otherwise such personal data is not shared with third parties except where required by applicable laws and/or regulations, or where we instruct other law firms or professional service firms as part of the work we have been asked to do (in which case the disclosure may involve a transfer of personal data outside the EEA which will be legitimized on an ad hoc basis as described in sub-section 1.6(ii) below). We also give you notice in respect of transfers of personal data from Curtis entities and offices in the EEA to Curtis entities and offices outside the EEA as set out in sub-section 1.6(i) below.
We retain conflicts information relating to such personal data which may contain names, titles, contact details including addresses, email addresses, and/or other electronic identifiers of individuals, as well as licensing information, registrations, property records, judicial records, criminal or regulatory records and other reports. This data is typically retained by us for up to ten years after the end of the (prospective or potential) client’s business relationship with Curtis, although we may hold it for a longer period where necessary to establish or defend legal claims or where the data needs to be held by us for applicable legal or regulatory reasons. Individuals whose personal data we process for the purposes of client due diligence, including conflicts of interests checks, have, or may have, the rights under the GDPR set out in section 1.8 (Rights that individuals have, or may have, in relation to their personal data which Curtis processes) below.
1.4 Legal bases for processing personal data with respect to use of our website, communications about our expertise and professional services, and client due diligence
Our legal bases for processing personal data with respect to use of our website and communications about our expertise and professional services are: (i) legitimate interests of a Curtis entity or a third party; or (ii) your consent. Our legal bases for processing personal data with respect to client due diligence are: (i) legitimate interests of a Curtis entity or a third party; (ii) complying with a legal obligation to which a Curtis entity is subject; or (iii) any other lawful basis for processing such data under applicable laws and/or regulations.
1.5 How we use personal data
We may share your personal data obtained through Curtis’s website among Curtis-affiliated entities and subsidiaries. We may also share your personal data with our agents or contractors in connection with services that these individuals or entities perform for Curtis. These agents or contractors are not authorized by us to use or disclose this personal data except as necessary to provide services for Curtis. We may, for example, provide your personal data to agents or contractors for hosting our databases, for data processing services, for processing online registration forms for events, or so that they can mail you information you requested. Curtis has responsibility for the processing of personal data it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. Curtis shall remain responsible and liable under the Privacy Shield Principles if its agent processes such personal data on Curtis’s behalf in a manner inconsistent with the Privacy Shield Principles, unless Curtis proves that it is not responsible for the event giving rise to the damage.
We reserve the right to transfer any personal data we have about you in the event we sell or transfer all or a portion of our business or assets. Should such a sale or transfer occur, we will use reasonable efforts to require that the transferee use personal data information you have provided through this website in a manner that is consistent with this Privacy Statement.
We may disclose personal data we have about you: (i) if we are required to do so by applicable laws or regulations, pursuant to legal process; (ii) in response to a request from regulators, supervisory bodies, courts, tribunals or law enforcement authorities or other government officials, including to meet national security requirements; or (iii) when we believe disclosure is reasonably necessary or appropriate to prevent physical harm or financial loss in connection with an investigation of suspected or illegal activity.
1.6 International transfers of personal data
(i) International transfers among Curtis entities and offices
Processing of personal data by Curtis involves international transfers of such personal data from Curtis entities and offices in the EEA or from the Curtis entity’s office in Switzerland to Curtis entities and offices outside the EEA. The legal bases for such transfers are as follows:
To the extent that Curtis may transfer personal data which is protected by the GDPR to a recipient outside the EEA which is not a Curtis entity or a Curtis office, Curtis shall ensure that the country to which the data is transferred is protected by:
If the non-EEA country does not have either an adequacy decision or adequate safeguards, Curtis shall only transfer personal data if so permitted by the GDPR; for example, if:
We maintain administrative, technical and physical safeguards for the website designed to protect against loss, misuse or unauthorized access, disclosure, alteration or destruction of the personal data information we collect through our website. However, we cannot ensure or warrant the security of any information you transmit to the website or to us.
If you are an individual you have, or may have, one or more of the following rights under the GDPR:
Nothing in this Privacy Statement shall give any individual any right or rights which that individual does not have under the GDPR and/or any other applicable data protection laws.
2.1 Registration for certain informational material
Though no registration is required to use Curtis’s website and related services, Curtis does provide access to certain informational materials through third-party platforms, such as RSS feeds. As such, users may cancel or discontinue their registration to receive updates of such informational materials by removing the subscription through the relevant third-party provider. Any user requiring assistance with deregistration should contact email@example.com.
2.2 Additional services and links to other sites
2.3 Withdrawal of services
Curtis reserves the right to withdraw the Curtis website or to remove any content without notice at any time and for any reason.
3. Updates to this Privacy Statement
We may update or change this Privacy Statement from time to time. Any change to this Privacy Statement will become effective when we post the revised Privacy Statement on our website.
If we make any important changes to this Privacy Statement (relating to the information we collect, how we use it or why) we will highlight those changes at the top of the updated Privacy Statement and provide a prominent link to it for a reasonable length of time following the change.
We encourage you to periodically review this Privacy Statement to stay informed about how we collect, use, and share personal data.
4. How to contact us
If you have any questions or complaints about our Privacy Statement or our Privacy Shield-related (or general privacy-related) practices, please contact us by:
writing to us at:
Curtis, Mallet-Prevost, Colt & Mosle LLP
Curtis, Mallet-Prevost, Colt & Mosle LLP
5.1 Disputes generally
5.2 Dispute resolution
Individuals to whom the GDPR applies may report privacy complaints directly to their local Data Protection Authorities, such as, for example, the Information Commissioner’s Office (ICO) in the United Kingdom. Swiss citizens may report privacy complaints directly to the Swiss Federal Data Protection and Information Commissioner. You may also contact us to be directed to the relevant authorities.
Curtis has further committed to refer unresolved disputes relating to the use of its website or unresolved privacy complaints, including those arising under the Privacy Shield Principles, to an independent dispute resolution body based in the United States, JAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by Curtis, please visit the JAMS website at https://www.jamsadr.com/eu-us-privacy-shield for more information and to file a complaint. This independent recourse mechanism by which your complaints and disputes can be investigated and expeditiously resolved will be provided at no cost to you. As a Privacy Shield participant, Curtis commits to binding arbitration at the request of an individual to address any complaint relating to our privacy notice or our information practices that has not been resolved by other recourse and enforcement mechanisms.
Curtis conducts periodic self-assessments to verify that the attestations and assertions it makes about its privacy practices are true and that such privacy practices have been implemented as presented. Curtis will take steps to remedy any problems arising out of failure to comply with the Privacy Shield Principles.
The Federal Trade Commission has jurisdiction to investigate claims against Curtis regarding possible unfair or deceptive practices and violations of laws or regulations covering privacy.