Effective Date: January 1, 2023
This Privacy Statement describes the practices of Alston & Bird LLP (“Alston & Bird”, “we” or “us”) with respect to personal information we collect through our Web sites and mobile applications that display or link to this Privacy Statement (the “Sites”).
Collection of Personal Information
We collect personal information that you voluntarily provide when you visit our Sites. For example, we collect information about you when you:
- Sign up to receive advisories, articles, announcements or other communications;
- Register for an event;
- Apply for a job with Alston & Bird; or
- Submit a comment or question or otherwise communicate with us through the Sites.
The personal information we collect may include your first and last name, street address, telephone number, email address, communication preferences, password, and other information you submit through the Sites. If you apply for a job through our Sites, we may gather additional information about you, such as your resume, cover letter, work history, reference information, education information, information required to complete a background check and any other information you elect to provide us (e.g., career objectives, willingness to relocate, awards or professional memberships).
How We Use Personal Information Collected through the Sites
We use personal information we collect through our Sites to contact you, to provide you with information that you have requested, to provide additional information which we believe may be of interest to you, to perform an activity you have requested (such as to register you for an event or to evaluate an application for a job opportunity), to enhance or improve the Sites, for security purposes, or otherwise to operate our business.
Sharing of Personal Information
We may share personal information with third parties in the following circumstances:
- When authorized by you.
- With third party service providers retained to perform services on our behalf. These service providers are not authorized to use or disclose the information except as necessary to provide services to us.
- If we are required to do so by law or pursuant to legal process, or in response to a request from law enforcement authorities or other government officials.
- When we believe disclosure is necessary or appropriate to prevent physical harm or financial fraud or theft, or in connection with an investigation of suspected or actual illegal activity.
- In connection with the sale or transfer of all or a portion of our business or assets to a third party.
Your Choices and Rights
We maintain administrative, technical and physical safeguards for the Sites designed to protect against loss, misuse or unauthorized access, disclosure, alteration or destruction of the personal information we collect through our Sites. The use of the Internet creates inherent information security risks, and we are not able to guarantee the security of our Sites.
Your personal information will not be stored for longer than necessary for the purposes for which they were collected or as required under applicable retention policies and/or in accordance with applicable law. Our retention policies reflect local statute of limitation periods and legal obligations of Alston & Bird.
Transfers of Personal Information
We may transfer the personal information we collect through the Sites to countries with laws that may be deemed not to provide the same level of data protection as the laws in the country in which you reside. Please note that our primary data processing facilities are located in the United States of America. By submitting personal information through the Sites, you consent to the transfer of personal information as described in this Privacy Statement.
The Sites may include links to sites operated by external third parties. The inclusion of a link to a third party site does not imply our endorsement of the site or the products and services offered at such site. Please note that this Privacy Statement does not apply to any such third-party sites. You should consult the privacy policies of each site you visit.
Additional Notice for California and Virginia Consumers
This part of our Privacy Statement applies to consumers who reside in the State of California or Virginia.
We describe the personal information we have collected from consumers in the twelve (12) months preceding the effective date of this Privacy Statement in the part of our Privacy Statement titled “Collection of Personal Information.” The information we have obtained includes the following:
- Identifiers such as a real name, postal address, telephone number, Internet Protocol address, email address, password, social security number, driver’s license number, or other similar identifiers.
- Personal information described in subdivision (e) of Section 1798.80 (California Customer Records statute). This means any information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, identifiers listed above.
- Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
- Electronic, visual or similar information.
- Professional or employment-related information.
- Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99).
- Inferences drawn from any of the information identified in this Additional Notice to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes (e.g., we may collect this information in connection with website analytics or job applications).
- Sensitive personal information such as social security number, driver’s license number, or passport number in each case as further described above in the relevant categories.
We collect this personal information when you use our Sites. For more information, please see “Collection of Personal Information” above.
Disclosures of Personal Information about California or Virginia Consumers
We have not disclosed to other businesses or third parties any personal information for monetary or other valuable consideration within the twelve (12) months preceding the effective date of this Privacy Statement.
We have disclosed personal information to our service providers for business purposes in the prior twelve (12) months. The information we have disclosed for business purposes may include some or all of the categories listed above. For more information about the categories of entities to which we have disclosed this information and the purposes for which we have disclosed the information, please see “Sharing of Personal Information” above.
Use of Personal Information about California or Virginia Consumers
We use the personal information we collect about California and Virginia consumers for the purposes disclosed within the this Privacy Statement. For more information, please see “How We Use Personal Information Collected through the Sites” above.
The business purposes for which we may use personal information about California and Virginia consumers include:
- Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with California and Virginia law and other applicable standards;
- Helping to ensure security and integrity to the extent the use of a consumer’s personal information is reasonably necessary and proportionate for these purposes;
- Debugging to identify and repair errors in our systems;
- Short-term, transient use including non-personalized advertising shown as part of a consumer’s current interaction with us;
- Performing services on our behalf on behalf of another, including maintaining or servicing accounts, providing customer service, processing or fulfilling transactions, verifying identity information, processing payments, and other services.
- Undertaking internal research for technological development and demonstration.
- Conducting activities to verify, enhance, and maintain the quality or safety of services or devices which we may own, control, or provide.
We may also use the information we collect for our own or our service providers’ other operational purposes, purposes for which we provide you additional notice, purposes disclosed elsewhere in this Privacy Statement, or for purposes compatible with the context in which the personal information was collected.
We do not collect or process sensitive personal information for the purpose of inferring characteristics about consumers.
Your Privacy Rights
If you are a California or Virginia resident, you have certain rights in the information listed in this Additional Notice, subject to applicable exclusions, limitations, and conditions of applicable law. You may exercise these rights free of charge except as otherwise permitted under applicable law. These rights are as follows:
- Right to Delete. You have the right to request that we delete personal information that we have collected about you. Please note if you have requested a service that requires the use of your personal information, we may not be able to provide that service if you choose to delete your personal information.
- Right to Access. You may request that we disclose to you:
- whether we are processing personal information about you;
- the categories of personal information we have collected about you;
- the categories of sources from which the personal information is collected;
- our business or commercial purpose for collecting, selling, or sharing personal information;
- the categories of third parties to whom we disclose personal information;
- the specific pieces of information we have collected about you;
- the categories of personal information about you, if any, that we have sold or shared and the categories of third parties to which we have sold or shared the information, by category or categories of personal information for each category of third party to whom we sold or shared the personal information; and
- the categories of personal information about you that we disclosed for a business purpose and the categories of recipients to whom we disclosed the information for a business purpose.
As used above, “sale,” “sold,” “selling,” “shared,” and “sharing” have the meanings provided in the California Consumer Privacy Act of 2018 and the Virginia Consumer Data Protection Act, each as amended.
- Right to Correct. You have the right to request that we correct inaccurate personal information that we have collected about you.
- Right to Appeal. If you are a Virginia resident and we decline to take action on a request that you make in accordance with the foregoing to exercise the foregoing privacy rights, then you may appeal our decision by directly responding to our denial decision email or as provided below under “Requests to Exercise Your Rights.”
Requests to Exercise Your Rights
You may request to exercise these rights by:
- Submitting a request through https://www.alston.com/en/resources/california-rights-request-submission-form; or
- Calling us toll-free at 866-852-0559.
As required or permitted under applicable law, please note that we may take steps to verify your identity before granting you access to information or acting on your request to exercise your rights. We may limit our response to your exercise of the above rights as permitted under applicable law. We may not discriminate against you in response to your exercise of the above rights, including by:
- Denying goods or services to you;
- Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
- Providing a different level of quality of goods or services to you; or
- Suggesting that you will receive a different price or rate for goods or services or a different level of quality goods or services.
You may designate an authorized agent to request any of the above rights on your behalf. You may make such a designation by providing the agent with written permission to act on your behalf. We will require the agent to provide proof of that written permission. We may require you to verify your own identity in response to a request, even if you choose to use an agent, to the extent permitted by law. Your agent may contact us as provided above under “Requests to Exercise Your Rights” to make a request on your behalf.
Do Not Track
Please note that our Sites are not designed to respond to “do not track” requests from Web browsers.
Changes and Questions
Alston & Bird may revise this Privacy Statement from time-to-time. Please check this page periodically for changes. If you have questions about this Privacy Statement or our practices with respect to personal information, please send your request to email@example.com.
EU and UK General Data Protection Regulation (GDPR)
This Privacy Notice (“Notice”) describes how Alston & Bird collects and uses your Personal Data pursuant to the EU General Data Protection Regulation and the United Kingdom General Data Protection Regulation (hereafter, unless otherwise stated, referred to together as “GDPR”) and other applicable data protection and privacy legislation. It tells you what Personal Data we collect, why we need it, how we use it and what safeguards are in place to keep it secure.
“Alston & Bird” “we” “us” and “our” refers to Alston & Bird (City) LLP and its affiliate in the US, Alston & Bird LLP, to the extent that its affiliate is subject to the GDPR.
“Alston & Bird Personnel” means Alston & Bird’s prospective, present and past partners, employees, consultants and agency staff, and people connected to such persons.
“Personal Data” means information about individuals (including you), and from which such individuals could be identified.
“You” means individuals whose Personal Data we process, including but not limited to, Alston & Bird’s clients, Alston & Bird’s client personnel, counter-parties, counter-party personnel, other solicitors / advisors, witnesses, suppliers, supplier personnel, job applicants and individuals to whom we send marketing communications. “You” does not include Alston & Bird Personnel.
Alston & Bird is the Data Controller in relation to your Personal Data and is committed to protecting the privacy rights of individuals, including your rights.
Data Protection Manager
Alston & Bird is not required under the GDPR to appoint a Data Protection Officer and, following a detailed analysis, does not consider it appropriate to do so on a voluntary basis.
Alston & Bird has however, appointed a Data Protection Manager (“DPM”), who is responsible for overseeing Alston & Bird’s compliance with the GDPR and any other applicable data protection legislation and regulation. The DPM can be contacted at firstname.lastname@example.org.
In addition, our Compliance Officer for Legal Practice (“COLP”) oversees compliance with our professional responsibilities and with legislative requirements.
How does Alston & Bird obtain your Personal Data?
In some circumstances, we may obtain your Personal Data from you directly including through your use of this website or a job application but, more typically, we will obtain your Personal Data from a third-party source, for example, we may collect information from our clients / our clients’ personnel, agents and advisors, other law firms / advisors which represent you, the company for whom you work, other organisations / persons with whom you have dealings, government agencies, credit reporting agencies, recruitment agencies, information or service providers and publicly available records.
What about Personal Data which you provide to Alston & Bird?
If you provide information to us about someone else (such as one of your associates, directors or employees, or someone with whom you have business dealings) you must ensure that you are entitled to disclose that information to us and that, without our taking any further steps, we may process that information in accordance with this Notice.
What Personal Data does Alston & Bird collect from and about you?
We collect and use different types of Personal Data about you, which will vary in type and detail depending on the circumstances and purpose of processing. Please consider the following illustrative and non-exhaustive examples:
- Personal Data about you: name, address, date of birth, marital status, nationality, race, gender, preferred language, job title, work life and restrictions and / or required accommodations, possibly about your family life;
- Personal Data to contact you at work or home: name, address, telephone, and e-mail addresses;
- Personal Data which may identify you: photographs and video, passport and / or driving license details, electronic signatures;
- Personal Data to process any payment we might need to make to or receive from you: bank account details, HMRC numbers and references (where applicable); and
- Personal Data to monitor your use of our website: IP address, traffic and location information, weblogs and other communication information.
Why do we need to collect and use your Personal Data?
We need to collect and use your Personal Data for a number of reasons, the primary purpose being to provide legal advice and services to our clients and which may involve the use of your Personal Data in the following (non-exhaustive) ways:
- to contact you if you are involved in a matter we are undertaking for a client, whether in your professional or personal capacity;
- to carry out investigations, risk assessments and client due diligence;
- to analyse the practices of your employer or other organisations and / or persons with whom you have dealings;
- to review, draft and disclose correspondence and other documents, including court documents;
- to instruct third-parties on behalf of our clients; and
- for comparison / analytical purposes and to formulate legal opinions and provide advice.
We may also process your Personal Data for effective business management purposes which may involve the use of your Personal Data in the following (non-exhaustive) ways:
- to engage and contact suppliers;
- to carry out internal reviews, investigations, audits;
- to conduct business reporting and analytics;
- to advertise and market the services that we provide;
- to help measure performance and improve our services;
- for recruitment purposes;
- for regulatory and legislative compliance and related reporting; and
- for the prevention and detection of crime.
What is Alston & Bird’s legal basis for processing your Personal Data?
Under the GDPR, Alston & Bird must identify a lawful basis for processing your Personal Data which may vary according to the type of Personal Data processed and the individual to whom it relates.
– Performance of a contract with you (where applicable):
Alston & Bird is entitled to process the Personal Data it requires in order to fulfil its obligations under its contract with you. This will be the relevant legal basis if you are an individual client or supplier / other individual with a direct contractual relationship with Alston & Bird.
– Legitimate interests of Alston & Bird or a third-party:
We process some of your Personal Data on the basis that it is in our legitimate interests and / or the legitimate interests of a third-party to do so. This will primarily concern the processing of Personal Data that is necessary to provide legal advice and services to our clients. Alston & Bird’s legitimate business interest in such instances is the proper performance of its function as an authorised and regulated provider of legal services. Alston & Bird’s clients also have a legitimate interest (and more general right in law) in obtaining legal advice and services.
Alston & Bird’s broad interest in the provision of legal services as a basis for processing your Personal Data, and our clients’ corollary interest in the receipt of such services, can be broken down into more discreet categories which may include, but are not limited, to:
- the interest in contacting individuals relevant to Alston & Bird’s work and our clients’ matters, which may involve the use of your Personal Data;
- the interest in reviewing documents and correspondence that have been disclosed to Alston & Bird, Alston & Bird’s clients and third-parties, which may contain your Personal Data;
- the interest in reviewing and analysing all evidence available to Alston & Bird and its clients, which may contain your Personal Data;
- the interest in adducing legal arguments, creating documents and correspondence, which may contain your Personal Data;
- the interest in disclosing documents and correspondence, which may contain your Personal Data, to various parties in the furtherance of Alston & Bird’s clients’ objectives;
- the interest in instructing third-parties on behalf of Alston & Bird’s clients;
- the interest in receiving payment from Alston & Bird’s clients and third-parties and to facilitate payments to and from Alston & Bird’s clients and third-parties; and
- in order to allow for all of the above, the secure management and storage of your Personal Data, within our IT environment and hard-copy filing systems.
Alston & Bird may also process your Personal Data on the basis that it is necessary for its legitimate business interests in the effective management and running of Alston & Bird which may include, but is not limited to: engaging suppliers and supplier personnel; ensuring that its systems and premises are secure and running efficiently; for regulatory and legislative compliance, and related auditing and reporting; for insurance purposes; for recruitment / hiring purposes; for marketing purposes; and to facilitate, make and receive payments.
– Compliance with a legal obligation to which Alston & Bird is subject:
In certain circumstances, Alston & Bird must process your Personal Data in order to comply with its legal obligations. This might include, but is not limited to, Personal Data required: for tax and accounting purposes; for conflict checking purposes as required by the common law and Alston & Bird’s regulators; and for Alston & Bird to fulfil its compliance and other obligations under relevant legislation / regulation.
Special category and criminal records Personal Data
If Alston & Bird processes your criminal records Personal Data or special category Personal Data relating to your racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, health data, biometric data or sexual orientation, we will obtain your explicit consent to those activities unless this is not required by law (because, for example, it is processed for the purpose of exercising or defending legal claims, or we are permitted to process the data as attorney-at-law) or the information is required to protect your health in an emergency. Where we are processing Personal Data based on your consent, you have the right to withdraw that consent at any time.
We may use your contact details to send you marketing materials, provided we are permitted to do so by law. You always have the right to unsubscribe from any marketing. You can do so by clicking on the relevant link in the next email we send you, or by contacting the DPM using the details provided.
Who receives your Personal Data?
We may disclose your Personal Data to third-parties if, but only when, we have a legal basis to do so. Such recipients include but are not limited to: co-counsel, other solicitors / barristers / experts / foreign law firms whom we instruct on your behalf; Alston & Bird’s insurance brokers and underwriters; Alston & Bird’s bank, auditors and accountants; Alston & Bird’s outsourced IT providers and other suppliers; HMRC or the Belgian Tax authority; the UK SRA; Belgian bar associations; the UK Law Society; the other side / other parties on any given matter (lay and solicitor).
How do we protect your Personal Data?
We have security arrangements in place that are designed to guard against unauthorised access, improper use, alteration, destruction or accidental loss of your Personal Data. We take appropriate organisational and technical security measures and have rules and procedures in place that are designed to ensure that any Personal Data we hold is not accessed by anyone unauthorised to access it. We have in place, and abide by, a specific information security policy about the security standards used to protect your Personal Data.
When we use third-party organisations to process your Personal Data on our behalf, they must also have appropriate security arrangements, and must comply with our instructions and contractual requirements concerning the processing of Personal Data and instructions and must ensure compliance with the GDPR and any other relevant data protection legislation.
Is your Personal Data transferred to “third countries” and, if so, what safeguards are in place?
We may transfer your Personal Data to organisations located in countries other than the one in which the Personal Data was collected. In particular, we may transfer your Personal Data to the UK, to the U.S., or to Belgium or another country in the EEA.
In addition to the security arrangements mentioned above in relation to our engagement of third-party organisations, we will ensure that your Personal Data is adequately protected, for example, by using a contract for the transfer which contains specific data protection provisions.
The transfer of your Personal Data from Alston & Bird (City) LLP to Alston & Bird LLP will constitute a transfer to a “third country” and, accordingly, the relevant entities have contracted on such a basis. If you wish to see a copy of this contract, please contact the DPM.
How long will your Personal Data be retained by Alston & Bird?
It is our policy to retain your Personal Data for the length of time required for the specific purposes for which it is processed by Alston & Bird and which are set out in this Notice. However, we may be obliged to keep your Personal Data for a longer period, for example, where required by our legal and regulatory obligations or in order to ensure we have effective back-up systems. In such cases, we will ensure that your Personal Data will continue to be treated in accordance with this Notice, restrict access to any archived Personal Data and ensure that all Personal Data is held securely and kept confidential.
What are your rights?
The GDPR generally affords individuals a right to access their Personal Data, to object to the processing of their Personal Data, to rectify, to erase, to restrict and to port their Personal Data.
We have specific procedures in place in relation to Subject Access Requests (“SARs”) that you may be entitled to make. Put simply, a SAR is a request made by you which requires us to provide you with details of your Personal Data which we hold and process and a description of how we process it. Any questions or requests should be put in writing to the DPM.
There are exceptions to the rights of individuals in relation to their Personal Data and, particularly when we are processing your Personal Data for the purpose of providing legal advice to our clients, your rights may be limited. We will, at all times, respect your Personal Data and seek to be as transparent as possible but please be aware that, in some instances, we may be restricted from even acknowledging that we process your Personal Data.
How to make a complaint
If you are unhappy with the information provided in this Notice or have concerns about the way in which Alston & Bird processes your Personal Data you may in the first instance contact the DPM, and if you remain dissatisfied then you may complain directly to the relevant supervisory authority in the country of your habitual residence, your place of work, or of an alleged infringement of the GDPR.