Baker Botts L.L.P. (“Baker Botts”, “we”, or “us”) is an international law firm. We are committed to safeguarding the personal data that you provide directly to us, that we collect in the course of our business, or that we receive from you when you visit our website.
Please note, if you reply to one of our marketing emails or otherwise send a communication to us, that communication does not create an attorney-client relationship with us. Please do not send any information that you consider confidential unless and until we have agreed in writing to represent you with respect to a matter. Any information provided to us prior to an agreement may not be protected from disclosure and may not be subject to applicable privileges.
Personal data is any information that enables us to identify you and that is related to an identified or identifiable natural person, such as your name, identification number(s), business or residential address, certain commercial information, online identifiers, and educational and employment history. It does not include data that is anonymized or de-identified.
For personal data that we collect and process about you, the data controller—as that term is defined in the EU General Data Protection Regulation (GDPR)—is Baker Botts L.L.P., Baker Botts (UK) LLP, or Baker Botts (Belgium) LLP, depending on the entity with which you have principally interacted or with which you have a client or contractual relationship.
Baker Botts is not a data processor—as that term is defined in the GDPR—in the context of a client relationship.
From time to time, we collect and process the following types of personal data from you:
- Contact Data: this includes, for example, your name, your home or business address, your email address, your phone number, and your social media handles.
- Client Data: this includes, for example, personal data provided to us by or on behalf of our clients and personal data that we collect in the course of providing our services to our clients, such as personal data provided by third-parties.
- Technical Data: this includes, for example, personal data that we collect from you when you interact with our website, applications, and email communications, such as your IP address and device ID.
- Financial Data: this includes, for example, your bank account, payment card, and other related financial data.
- Recruitment Data: this includes, for example, your CV, professional history, educational background, and related qualifications.
- Marketing Data: this includes, for example, your preferences in receiving marketing or promotional information from us.
- Other Data: any other personal data that you provide to us and which can be reasonably used to identify you.
We collect personal data from you through a variety of sources. We strive to collect only personal data that is adequate, relevant, and limited to achieve the purpose(s) for which it was collected. We may from time-to-time provide you with supplemental information at the time we collect your personal data to address unique or situational collection needs.
Examples of a ways in which we collect your personal data include:
- Direct Interaction: you may provide us with your personal data when you interact with us, for example, by enquiring about our services, giving us your contact details, registering for one of our events, subscribing to our updates or promotional material, or engaging in any way with our partners, lawyers, and staff.
- Automated Technologies: we may collect personal data automatically when you visit our website through logging and analytics tools, cookies, or click on links in our emails.
- Private Third-Party Sources: we may collect personal data from private third-party sources, such as, for example, other law firms, banks, clients, recruitment agencies, regulators, certain governmental agencies, on or from social media platforms, other organizations that you may have dealings with, and electronic data sources.
- Publicly-Available Sources: we may collect personal data from publicly-available sources, including, for example, personal data available on the internet, from governmental agencies, or company registries.
We process and use your personal data to the extent permitted by applicable law. This means:
- We process your personal data if you have given us consent to process for one or more specific purposes;
- We process your personal data if it is necessary for the performance of a contract with you;
- We process your personal data if it is necessary for compliance with a legal obligation to which we are subject; and/or
- We process your personal data if it is necessary for the purposes of our or a third-party’s legitimate interests where those interests are not overridden by your interests or fundamental rights and freedoms that require protection of your personal data.
We principally rely on the legitimate interest basis for the provision of our legal services, including client inception and identification, the performance of our services, and for the administration and operation of Baker Botts. In addition, we principally rely on the legitimate interest basis for marketing and promoting relevant services to you, inviting you to relevant events, and providing you with our newsletters, updates, and legal and other information.
We share your personal data within Baker Botts and with our contracted third-party processors and/or service providers who assist us in the administration and operation of Baker Botts, and in providing our legal services to our clients. In addition, we share your personal data when required by law.
Third-party processors and service providers with whom we may share your personal data include:
- Our information technology and telecommunications service providers, including data centers and cloud storage providers.
- Our marketing service providers.
- Our corporate and litigation support service providers.
- Professional services organizations (e.g., law, accountancy, auditing, insurance, forensic, and company formation service providers).
- Expert witnesses and jury consultants.
- Cybersecurity service providers.
- Other service providers to whom we outsource aspects of the provision of our legal services and the administration and operation of Baker Botts.
- To another law firm, in the event of a sale or merger of Baker Botts.
- Business partners, such as those that co-host events with us.
- Third parties when we believe it is required by, or necessary to comply with, applicable law, such as opposing parties in litigation or in response to law enforcement requests.
If you are an EU or UK resident, you may have certain rights under applicable data protection laws in relation to your personal data, including the General Data Protection Regulation (GDPR) and the UK Data Protection Act of 2018 (DPA). Subject to certain exceptions and limitations, these rights include:
- The Right to Access: You have the right to request copies of your personal data we process about you.
- The Right to Rectification: You have the right to request that we correct personal data about you that is inaccurate, and to complete information that is incomplete.
- The Right to Erasure: You have the right to request that we erase your personal data if there is no further legal ground for processing such personal data.
- The Right to Data Portability: Under certain conditions, you have the right to request that the data controller transfer your personal data to another organization or directly to you.
In addition, the GDPR requires data controllers to separately and explicitly highlight that you have the right to object to any processing based on a data controller’s legitimate interests (upon which we routinely rely upon as our legal basis) on grounds relating to your particular situation. However, the data controller may demonstrate either compelling legitimate grounds for the processing that override your interests or demonstrate that the processing is based on the establishment, exercise, or defence of a legal claim, in which case the processing may continue.
Finally, you have the right to lodge a complaint with a supervisory authority, as explained more fully in the section, How to Contact Us.
Where our processing of your personal data is based on your consent for a specific purpose, you have the right to withdraw that consent. If you withdraw your consent, Baker Botts will no longer process your personal data for that specific purpose unless we have another legitimate basis for processing under applicable laws.
If you exercise your applicable rights, Baker Botts will not discriminate against you. Requests submitted pursuant to the GDPR or the DPA will be addressed within 30 calendar days. If more time is needed to respond, we will notify you.
If you are a resident of California, you may have certain rights under applicable data protection laws in relation to your personal data, including the California Consumer Privacy Act of 2018 (CCPA). Subject to certain exceptions and limitations, these rights include:
- The Right to Know. You have the right to request certain information about parties to whom we have disclosed or sold your personal data in the prior calendar year and a description of the categories of personal data shared.
- The Right to Data Portability. A subset of the Right to Know, this requires us to provide you the specific personal data about you that we collect and process in a portable and, to the extent technically feasible, readily-useable format that allows you to transmit the information to another entity without hindrance.
- The Right to Delete. Subject to exceptions, the right to delete requires us to delete or de-identify your personal data.
- The Right to Request a Record of Third-Party Direct Marketing Disclosures: Also known as the “Shine the Light” law, this permits California residents to request and obtain from us a list of what personal data we disclosed to third parties for direct marketing purposes in the preceding calendar year and the names and addresses of those third parties.
If you exercise your applicable California rights, Baker Botts will not discriminate against you. Requests to know, port, or delete your personal data will be honored within 45 days. Requests to opt-out of the sale of personal data will be honored, to the extent applicable, within 15 calendar days. Requests for a record of direct marketing disclosures will be honored within 30 calendar days. If more time is needed to respond, we will notify you.
Do Not Track. We use analytics systems and providers that may collect information about your online activities, and these services may provide some of this information, which may include personal data, to us. We do not currently process or comply with any web browser’s “do not track” signal or similar mechanisms. Note, however, that you may find information about how to opt-out of these analytics and/or block or reject certain tracking and cooking technologies in our Cookies Policy.
We may transfer personal data of EU residents to a third country outside the European Economic Area (EEA). The UK remains within the EEA until December 31, 2020. When we initiate a transfer, for example to one of our offices located in the United States, Moscow, Dubai, Riyadh, Hong Kong, or Beijing, or to one of our contracted processors or service providers located outside the EEA, we ensure that an equivalent level of protection is provided to your personal data through one or more of the following: (i) an adequacy decision from the European Commission; (ii) the EU-US Privacy Shield; (iii) use of the model contractual clauses approved by the European Commission; (iv) by use of applicable derogations outlined in Article 49 of the GDPR; and/or (v) with your consent.
By submitting your personal data to us, you consent to our transfer of that personal data outside the EEA should we need to do so.
For personal data transferred pursuant to standard contractual clauses, you may obtain copies of such clauses by contacting our EU Data Protection Officer as outlined in the section, How to Contact Us.
We have put in place physical, administrative, and organizational security measures to protect your personal data from being accidentally lost, used, altered, accessed, or disclosed in an unauthorized manner. We have put in place procedures to address suspected security breaches; however, no method of safeguarding information is completely secure. While we use measures designed to protect your personal data, we, unfortunately, cannot guarantee that our safeguards will be effective or sufficient. In addition, you should be aware that Internet data transmission is not always secure, and we cannot warrant that information you transmit to us is or will be secure.
We retain your personal data for as long as necessary to fulfil the purpose for which we collected it, including any legal, regulatory, tax, accounting, or reporting requirements, and to the extent we reasonably deem necessary to protect our rights, property, or safety, and the rights, property, and safety of our users and other third parties. For details on the retention periods applicable to specific elements of your personal data, please contact us.
Our website and other services may contain links to other websites or otherwise direct you to a third party over which we have no control and whose privacy policies may differ from ours. You should consult the privacy policies or statements for those third parties and we do not accept any responsibility for their use of your personal data that you may provide.
Your personal data will not be used for automated decision-making by Baker Botts.
In addition to the applicable rights outlined, above, you have choices about how we communicate with you and how we process certain personal data about you.
- Communications Opt-Out. You may opt-out of receiving marketing, promotional, or other communications from us at any time by following the link in a marketing communication email or email us at [email protected].
- Cookies and Web Tracking. Consult our Cookies Policy for more information about how to control and/or opt out of certain cookies and web tracking technologies.
We do not promote, market, or direct our services to minors. As a result, we do not knowingly collect or solicit personal data from anyone under the age of 18. By using our site or by providing us your personal information, you represent that you are not under 18 years of age.
California or EU residents may contact us at [email protected].
In most cases, you will not have to pay a fee to access your personal data or to exercise your other rights. However, to the extent permitted by applicable law, we may either charge a reasonable fee or refuse to comply if your request is unfounded, repetitive, or excessive.
In most instances, we are legally required to request specific information from you, including personal data, to verify your request and identity. We may also contact you to ask for further information and clarification of a request to enable us to comply with it as quickly as possible. This is a security measure to ensure that your personal data is not disclosed to anyone not authorized to receive it. In addition, if you request that we provide you with specific pieces of personal data, we require you to sign a declaration under penalty of perjury that you are the data subject whose personal data is the subject of the request.
Finally, you may use an authorized agent to make a request under the CCPA on your behalf. If you designate an authorized agent to make an access or deletion request on your behalf (a) we may require you to provide the authorized agent written permission to do so, and (b) for access and deletion requests, we may require you to verify your own identity directly with us.
Baker Botts (UK) LLP
41 Lothbury, London EC2R 7HF
Attn: Privacy Officer
If you are resident in the EU, you also have the right to make a complaint about our processing of your personal data to your national supervisory authority for data protection. Alternatively, you may contact the United Kingdom Information Commissioner’s Office at www.ico.org.uk or by telephone on +44 (0)303 123 1113. If you do have a complaint, we would welcome the opportunity to discuss it with you before you contact your national supervisory authority or the United Kingdom Information Commissioner’s Office.