PRIVACY STATEMENT

1.1 Your privacy

Curtis, Mallet-Prevost, Colt & Mosle LLP (a limited liability partnership organized under the laws of the State of New York, USA) and its associated entities and offices practicing under the Curtis, Mallet-Prevost, Colt & Mosle name in other jurisdictions (including Curtis, Mallet-Prevost, Colt & Mosle LLP, a limited liability partnership established under English law) (collectively, “Curtis”) respect your concerns about privacy.  The list of Curtis entities and offices, which are located outside as well as within the European Economic Area (“EEA”), is set out in the Legal Notices section of our website at http://www.curtis.com/.  

  • This Privacy Statement forms part of our broader privacy policy and privacy notice and sets out what personal data we collect, hold, use or otherwise process, for what purposes and on what legal bases, with whom we may share it, where and on what basis it can be transferred outside the EEA in relation to: (i) use of our website; (ii) communications about our expertise and professional services; and (iii) conflict of interest searches and other client due diligence.  “Personal data” includes any information relating to an individual by which that individual can be identified, directly or indirectly, particularly by reference to an identifier such as the name, identification number, location data or an online identifier of that individual or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.  We act as data controller with regard to personal data Curtis processes in relation to the use of our website, communications about our expertise and professional services, and client due diligence.
     
  • This Privacy Statement also includes information regarding rights that individuals have, or may have, under the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of Such Data and Repealing Directive 95/46/EC (“GDPR”) in relation to their personal data which Curtis processes in relation to the use of our website, communications about our expertise and professional services, and client due diligence.
     
  • For our privacy policy in respect of legal updates, news alerts and other publications from Curtis relating to legal matters and invitations to events which Curtis may organize or sponsor from time to time (“Mailings”), please see our Mailings Privacy Policy at http://www.curtis.com/sitecontent.cfm?pageid=96.
     
  • For information regarding how we handle and process personal data in connection with job applications, please see the “Careers” section of our website at http://www.curtis.com/.
     
  • In addition, a privacy notice at http://www.curtis.com/sitecontent.cfm?pageid=98 sets out how we handle personal data in the course of, or in connection with, providing our legal services.


Curtis participates in the EU-US Privacy Shield and the US-Swiss Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from the European Union, EEA, and Switzerland.  We have committed to adhere to the Privacy Shield principles of notice, choice, onward transfer, security, data integrity, access, redress and enforcement (the “Privacy Shield Principles”).  To learn more about the Privacy Shield program and view Curtis’s certification, please visit http://www.privacyshield.gov.

With respect to human resources data received from European Union member countries and Switzerland, Curtis commits to cooperate with the EU Data Protection Authorities and/or the Swiss Federal Data Protection and Information Commissioner, as applicable, in conformity with the Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities/the Role of the Federal Data Protection and Information Commissioner and will comply with any advice given by such authorities.

1.2 Whose personal data Curtis processes in relation to use of our website, communications about our expertise and professional services, and client due diligence

In relation to communications about use of our website, our expertise and professional services, and client due diligence, Curtis holds, uses or otherwise processes personal data relating to our current, past and prospective clients, professional and other third parties that Curtis interacts with, or individuals connected with such parties.  Like other law firms, we carry out client due diligence, including conflicts checks, on our (prospective or potential) individual clients and on officers and beneficial owners of our (prospective or potential) corporate clients and individuals who are, or who are officers or beneficial owners at, their respective counterparties, opponents or other adversaries and/or other individuals involved in our (prospective or potential) retainers.

1.3 What personal data Curtis processes, for how long, and why, in connection with:

  • Use of our website
  • Communication about our expertise and professional services
  • Client due diligence


Use of our website

Personal data in relation to the use of our website is held, used and otherwise processed by us as described in this Privacy Statement. You are able to browse the non-password-protected sections of Curtis’s website without actively providing us with your personal data. We do not collect personal data when you browse, such as your email address.  However, when you access our website your computer’s browser may automatically provide us with certain information, including information about your computer’s browser type, operating system and IP address, as well as your access date and time and your referring and exiting URLs. You should also be aware that, while you are browsing Curtis’s website, Google Analytics compiles information about people’s browsers, devices, location, etc.  While this does not identify you personally, it is nevertheless personal data (such as IP addresses) that Google compiles, which allows us to analyze our website traffic using Google Analytics. We also provide a third-party plugin on our website called AddThis, which enables users to share content from our website directly to social media platforms, which in turn may utilize their own cookies to collect data on the use of those platforms by our website visitors.

Cookies: Like many organizations, Curtis’s web servers (computers that host websites) place a “cookie” (a small data file) on the hard drive of your computer when you first connect to our site to identify the areas of our website that you have visited.

Web Beacons: This website may use a technology known as “web beacons” (also known as Internet tags, pixel tags and clear GIFs) that allow this website to collect web log information. A web beacon is a graphic on a web page or in an e-mail message designed to track pages viewed or messages opened. Web log information is gathered when you visit our website. The web server automatically recognizes some non-personal information, such as the date and time you visited our site, the pages you visited, the website you came from, the type of browser you are using, the type of operating system you are using, and the domain name and address of your Internet service provider. We may also include web beacons in promotional e-mail messages in order to determine whether messages have been opened.

Do Not Track Signals: Curtis does not track its users over time or across third-party websites to provide targeted advertising and therefore does not respond to Do Not Track (DNT) signals.

This website is not intended for, or designed to attract, individuals under the age of 18. We do not knowingly collect personal data from any individual under the age of 18. If you are under the age of 18, do not provide personal data of any kind.

Communications about our expertise and professional services

In relation to communications about our expertise and professional services, Curtis holds, uses or otherwise processes personal data relating to individuals such as contact details relating to names, titles, telephones, addresses, email or other electronic addresses, and organizational affiliations of our current, past and prospective clients, professional and other third parties that Curtis interacts with, or individuals connected with such parties, as well as other business contacts obtained by Curtis professionals in the ordinary course of their business. Such personal data in relation to communications about our expertise and professional services is typically held, used and otherwise processed by us as described in this Privacy Statement until the individual concerned asks us to cease processing his or her personal data.

Client due diligence

In connection with our (prospective or potential) engagement to provide legal services, like other law firms, we carry out client due diligence in relation to our individual (prospective or potential) clients and to individuals who are officers, directors, shareholders or otherwise associated with our (prospective or potential) corporate clients, as well as individuals who are counterparties, competitors, adversaries (or who are officers, directors or shareholders of corporate counterparties, competitors or adversaries) or are otherwise involved in our (prospective or potential) retainers. If you are an individual providing such personal data to us, Curtis acts as a data controller in relation to personal data forming part of: (i) the client due diligence information requested by us and provided by you or on your behalf; and/or (ii) information about you which is obtained from reputable public and private compliance data sources. Our legal bases for processing such data are: (1) the processing is necessary for compliance with a legal obligation to which a Curtis entity is subject; or (2) processing is necessary for the purposes of legitimate interests of a Curtis entity or a third party; or (3) any other lawful basis for processing such data under applicable laws and/or regulations. Such data may contain “special categories of personal data” of individuals, which includes data revealing an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data (such as passport photos and other ID photos) processed for the purpose of uniquely identifying an individual, data concerning health or data concerning an individual’s sex life or sexual orientation. Our legal bases for processing special categories of personal data of an individual in connection with client due diligence are: (a) the processing relates to data which is manifestly made public by the individual to whom it relates; (b) the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or (c) any other lawful basis for processing such data under applicable laws and/or regulations. In addition, Curtis may, where appropriate, process data relating to an individual’s criminal offences or confirmation of clean criminal record, if permitted and/or required by applicable laws and/or regulations.

Curtis may share personal data of individuals with the relevant authorities or regulators or with an investigator or other agent or sub-contractor acting on Cutis’s behalf but otherwise such personal data is not shared with third parties except where required by applicable laws and/or regulations, or where we instruct other law firms or professional service firms as part of the work we have been asked to do (in which case the disclosure may involve a transfer of personal data outside the EEA which will be legitimized on an ad hoc basis as described in sub-section 1.6(ii) below). We also give you notice in respect of transfers of personal data from Curtis entities and offices in the EEA to Curtis entities and offices outside the EEA as set out in sub-section 1.6(i) below. 

We retain conflicts information relating to such personal data which may contain names, titles, contact details including addresses, email addresses, and or other electronic identifiers of individuals, as well as licensing information, registrations, property records, judicial records, criminal or regulatory records and other reports. This data is typically retained by us for up to ten years after the end of the (prospective or potential) client’s business relationship with Curtis, although we may hold it for a longer period where necessary to establish or defend legal claims or where the data needs to be held by us for applicable legal or regulatory reasons. Individuals whose personal data we process for the purposes of client due diligence, including conflicts of interests checks, have, or may have, the rights under the GDPR set out in section 1.8 (Rights that individuals have, or may have, in relation to their personal data which Curtis processes) below.

1.4 Legal bases for processing personal data with respect to use of our website, communications about our expertise and professional services, and client due diligence

Our legal bases for processing personal data with respect to use of our website and communications about our expertise and professional services are: (i) legitimate interests of a Curtis entity or a third party; or (ii) your consent.  Our legal bases for processing personal data with respect to client due diligence are: (i) legitimate interests of a Curtis entity or a third party; (ii) complying with a legal obligation to which a Curtis entity is subject; or (iii) any other lawful basis for processing such data under applicable laws and/or regulations.

1.5 How we use personal data

Information and any personal data that are provided by your computer when you browse our website are used by Curtis for internal purposes (such as evaluation of site use, assessment and improvement of site performance and improvement of the functionality and services that we are able to offer). We do not use cookies to collect and distribute personal data information to third parties for marketing purposes.

We may share your personal data obtained through Curtis’s website among Curtis-affiliated entities and subsidiaries. We may also share your personal data with our agents or contractors in connection with services that these individuals or entities perform for Curtis. These agents or contractors are not authorized by us to use or disclose this personal data except as necessary to provide services for Curtis. We may, for example, provide your personal data to agents or contractors for hosting our databases, for data processing services, for processing online registration forms for events, or so that they can mail you information you requested. Curtis has responsibility for the processing of personal data it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. Curtis shall remain responsible and liable under the Privacy Shield Principles if its agent processes such personal data on Curtis’s behalf in a manner inconsistent with the Privacy Shield Principles, unless Curtis proves that it is not responsible for the event giving rise to the damage. 

We reserve the right to transfer any personal data we have about you in the event we sell or transfer all or a portion of our business or assets. Should such a sale or transfer occur, we will use reasonable efforts to require that the transferee use personal data information you have provided through this website in a manner that is consistent with this Privacy Statement.

We may disclose personal data we have about you: (i) if we are required to do so by applicable laws or regulations, pursuant to legal process; (ii) in response to a request from regulators, supervisory bodies, courts, tribunals or law enforcement authorities or other government officials, including to meet national security requirements; or (iii) when we believe disclosure is reasonably necessary or appropriate to prevent physical harm or financial loss in connection with an investigation of suspected or illegal activity.

1.6 International transfers of personal data

(i) International transfers among Curtis entities and offices

Processing of personal data by Curtis involves international transfers of such personal data from Curtis entities and offices in the EEA or from Curtis entity’s office in Switzerland to Curtis entities and offices outside the EEA.  The legal bases for such transfers are as follows:

  1. transfers of such personal data from Curtis’s offices in the EEA, and/or from the office in Switzerland, to Curtis New York in the USA are made on the bases of Curtis New York’s participation in the EU-US Privacy Shield and the US-Swiss Privacy Shield Framework respectively;
  2. transfers of such personal data from Curtis’s offices in the EEA to Curtis’s office in Switzerland are made on the basis of the European Commission’s adequacy decision which recognizes Switzerland as one of the countries that provide adequate protection for EU data protection purposes; and
  3. transfers of such personal data from Curtis’s offices in the EEA to Curtis’s offices outside the EEA and USA are made on the basis of the Standard Contractual Clauses (as approved by the European Commission from time to time) entered into by all Curtis entities.


(ii) International transfers of personal data by Curtis to third parties

To the extent that Curtis may transfer personal data which is protected by the GDPR to a recipient outside the EEA which is not a Curtis entity or a Curtis office, Curtis shall ensure that the country to which the data is transferred is protected by:

  1. an adequacy decision by the European Commission; or
  2. adequate safeguards.

If the non-EEA country does not have either an adequacy decision or adequate safeguards, Curtis shall only transfer personal data if so permitted by the GDPR; for example, if:

  1. the transfer is necessary for the performance of a contract between the individual whose personal data is being transferred and one or more Curtis entities, or the implementation of pre-contractual measures taken at the individual’s request;
  2. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the individual whose personal data is being transferred between the Curtis entities and another individual; or
  3. the transfer is necessary for the establishment, exercise or defense of legal claims.


1.7 How we protect your personal data

We maintain administrative, technical and physical safeguards for the website designed to protect against loss, misuse or unauthorized access, disclosure, alteration or destruction of the personal data information we collect through our website. However, we cannot ensure or warrant the security of any information you transmit to the website or to us.

1.8 Rights that individuals have, or may have, in relation to their personal data which Curtis processes

If you are an individual you have, or may have, one or more of the following rights under the GDPR:

  • the right to information about, and access to, your personal data;
  • the right to have your personal data rectified or completed;
  • the right to erasure of your personal data (“right to be forgotten”);
  • the right to restrict the processing of your personal data;
  • the right to object to the processing of your personal data;
  • the right to receive your personal data in a structured, commonly used and machine readable format and to have your personal data transmitted to another organization; and
  • the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you, or similarly significantly affects you.


To exercise any of the above rights, please email privacy@curtis.com to obtain, complete and return to us a Request Form.  Individuals to whom the GDPR applies also have a right to complain to the relevant data protection authorities; please refer to section 5.2 below.

Nothing in this Privacy Statement shall give any individual any right or rights which that individual does not have under the GDPR and/or any other applicable data protection laws.

2. Registration

2.1 Registration for certain informational material

Though no registration is required to use Curtis’s website and related services, Curtis does provide access to certain informational materials through third-party platforms, such as RSS feeds. As such, users may cancel or discontinue their registration to receive updates of such informational materials by removing the subscription through the relevant third-party provider.  Any user requiring assistance with deregistration should contact privacy@curtis.com.

2.2 Additional services and links to other sites

From time to time, we may provide links to other websites for your information or convenience or offer additional services through separate websites linked to this website. These websites operate independently from our website and may be subject to alternative terms of use, including terms concerning use of your personal data. We have not reviewed these third-party sites and do not control and are not responsible for any of these sites, their content or their privacy policies. Thus, we do not endorse or make any representations about them, or any information, software, or other products or materials found there, or any results that may be obtained from using them. If you decide to access any of the third-party sites listed on our website, you do so at your own risk.

2.3 Withdrawal of services

Curtis reserves the right to withdraw the Curtis website or to remove any content without notice at any time and for any reason.

3. Updates to this Privacy Statement

We may update or change this Privacy Statement from time to time. Any change to this Privacy Statement will become effective when we post the revised Privacy Statement on our website.

If we make any important changes to this Privacy Statement (relating to the information we collect, how we use it or why) we will highlight those changes at the top of the updated Privacy Statement and provide a prominent link to it for a reasonable length of time following the change.

We encourage you to periodically review this Privacy Statement to stay informed about how we collect, use, and share personal data.

4. How to contact us

If you have any questions or complaints about our Privacy Statement or our Privacy Shield-related (or general privacy-related) practices, please contact us by:

Emailing privacy@curtis.com

or

writing to us at:

Curtis, Mallet-Prevost, Colt & Mosle LLP
101 Park Ave
New York, NY 10178
United States of America
Attn: Privacy Officer

Curtis, Mallet-Prevost, Colt & Mosle LLP
99 Gresham Street
London EC2V 7NG
United Kingdom
Attn: Privacy Officer

5. Disputes

5.1 Disputes generally

We take your privacy concerns seriously. If you believe that Curtis has not adhered to this Privacy Policy, please contact Curtis as described in Section 4 above. In your correspondence, please describe in as much detail as possible the ways in which you believe that this Privacy Policy has not been complied with. We will respond to you within one month of receipt of your correspondence and will do our best to address your concerns. If you feel that your complaint has been addressed incompletely, we invite you to let us know for further investigation.

5.2 Dispute resolution

Individuals to whom the GDPR applies may report privacy complaints directly to their local Data Protection Authorities, such as, for example, the Information Commissioner’s Office (ICO) in the United Kingdom. Swiss citizens may report privacy complaints directly to the Swiss Federal Data Protection and Information Commissioner. You may also contact us to be directed to the relevant authorities.

Curtis has further committed to refer unresolved disputes relating to the use of its website or unresolved privacy complaints, including those arising under the Privacy Shield Principles, to an independent dispute resolution body based in the United States, JAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed by Curtis, please visit the JAMS website at https://www.jamsadr.com/eu-us-privacy-shield for more information and to file a complaint. This independent recourse mechanism by which your complaints and disputes can be investigated and expeditiously resolved will be provided at no cost to you. As a Privacy Shield participant, Curtis commits to binding arbitration at the request of an individual to address any complaint relating to our privacy notice or our information practices that has not been resolved by other recourse and enforcement mechanisms.

6. Enforcement

Curtis conducts periodic self-assessments to verify that the attestations and assertions it makes about its privacy practices are true and that such privacy practices have been implemented as presented. Curtis will take steps to remedy any problems arising out of failure to comply with the Privacy Shield Principles.

The Federal Trade Commission has jurisdiction to investigate claims against Curtis regarding possible unfair or deceptive practices and violations of laws or regulations covering privacy.

www.curtis.com