Effective: May 25, 2018
These disclosures (the “Disclosures”) supplement the Ropes & Gray Privacy Notice
The Disclosures apply only to our processing of personal data within the scope of the General Data Protection Regulation (“GDPR”) from one or more of the European Union Member States plus Iceland, Lichtenstein and Norway (together known as the “European Economic Area” or “EEA”).
We retain personal data pursuant to our records retention program, for as long as is necessary for the purposes set out in the Ropes & Gray Privacy Notice, unless a longer period is required under applicable law or is needed to resolve disputes or protect our legal rights, in accordance with the principles set forth in Article 5(1) of the GDPR.
The criteria used to determine the period for which personal data about you will be stored varies depending on the legal basis under which we process such personal data:
For a reasonable period of time based on the particular interest, taking into account the fundamental interests and the rights and freedoms of the data subjects.
For the duration of the contract plus some additional limited period of time that is necessary to comply with law or that represents the limitation period for legal claims that could arise from the contractual relationship.
For the duration of time we are legally obligated to keep the information.
For the period of time necessary to fulfill the underlying agreement with you, subject to your right, under certain circumstances, to have certain personal data about you erased (see Data Subject Rights below).
We may face any threat of legal claim and in that case, we may need to apply a “legal hold” that retains information beyond our typical retention period. In that case, we will retain the information until the hold is removed, which typically means the claim or threat of claim has been resolved.
Transfers of information across borders
Any information that you provide to us is stored and processed in, and transferred between, any of the countries in which Ropes & Gray and its agents, contractors and affiliated organizations have offices, in order to enable Ropes & Gray to use that information as set out in this Privacy Notice. This includes countries such as China, Hong Kong, Japan, South Korea, the United Kingdom and the United States.
Not all of these countries have data protection laws equivalent to those in force in the EEA. Except the United Kingdom, which is currently in the EU, the European Commission (in the EU) has yet to make a decision of adequacy in relation to the protection given to personal data in any of the other listed countries. In order to ensure the protection of your personal data we have put in place European Commission approved Standard Contractual Clauses between each of the Ropes & Gray entities.
We seek to use reasonable organizational, technical and administrative measures to protect personal data within our firm. Unfortunately, no data transmission or storage system can be guaranteed to be secure at all times. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us in accordance with the “Contact Us” section below.
Data Subject Rights
Individuals from the EEA whose personal data we process subject to the GDPR have certain rights as required by law, including the right of access, erasure and data portability, as well as the right to rectification, to restrict processing, to withdraw consent, and to object to processing as follows.
Individuals have the right to know if we are processing personal data about them and, if so, to access and obtain a copy of personal data about them, as well as information relating to the processing of that data.
Individuals have the right to have us correct or update any personal data about them that is inaccurate or incomplete without undue delay.
Individuals have the right to restrict or limit the ways in which we process personal data about them where the accuracy of the personal data is contested by them, where data has been obtained by us unlawfully, where the individual has objected to our processing of the data (see right of objection below) and we are considering whether to cease processing, or where we no longer need to process the personal data.
Individuals have the right to object to our processing of their personal data where we are relying on legitimate interests as our legal basis and their rights override our legitimate interests in processing their personal data. Individuals also have the right to object to our processing of their personal data for direct marketing purposes.
Withdrawal of Consent
Where we rely on consent as the basis for processing personal data, individuals have the right to withdraw their consent.
Individuals have the right to request deletion or erasure of their personal data in a number of circumstances where required by law. These include where we no longer require the personal data for the purposes for which it was collected, the individual has withdrawn consent or, where we are relying on legitimate interests as a legal basis, and the individual’s rights override our legitimate interests.
Individuals have the right to obtain a copy of the personal data we hold about you in a structured machine-readable format and to have it transmitted to another controller. This right only occurs where we are relying on your consent or performance of a contract as our legal basis and the processing is carried out automatically.
Make a Complaint
Individuals also have the right to make a complaint about our personal data handling practices to their local Supervisory Authority.
To assert one of your legal rights described in these Disclosures, or if you have questions about these Disclosures or our data handling practices, please email firstname.lastname@example.org or write to:Ropes & Gray International LLP
60 Ludgate Hill
London EC4M 7AW