EU-US Privacy Shield
& Swiss-US Privacy Shield Policy

Effective as of 9 April 2018

1. Introduction

Greenberg Traurig, P.A., Greenberg Traurig, P.C. and Greenberg Traurig, LLP (“GT”, “we”, “our”) has chosen to participate in the Privacy Shield, and to certify its adherence to the EU-U.S. Privacy Shield Framework and the Swiss-US Privacy Shield Framework, and their respective Principles, and Supplemental Principles (collectively, the “Principles”).

This Privacy Shield Policy (“Shield Policy”) outlines GT’s general policy and practices for implementing the Principles.  It describes the types of Personal Data (defined below) that GT collects or receives from clients and third parties (other than GT’s employees) located in the European Union or European Economic Area (collectively “EEA”) or Switzerland, how the Personal Data is collected, used and retained, and the rights and choices granted to the Data Subjects to whom this Personal Data pertains, regarding access to Personal Data about them and the accuracy, retention, and protection of Personal Data about them. 

2. Scope and Application

By adopting this Shield Policy and registering with the US Department of Commerce Privacy Shield, GT agrees to subject its compliance to the regulatory enforcement of the Federal Trade Commission (“FTC”) or any other statutory body empowered to enforce compliance with the Principles. To learn more about the Privacy Shield program, please visit www.privacyshield.gov

Evidence of GT’s participation can be found at: https://www.privacyshield.gov/list.  GT will only display its EU-U.S. Privacy Shield certification marks or make other references to its compliance when it is in compliance with each Principle.

This Shield Policy supplements all other GT policies, practices, and procedures, including any general privacy notice, confidentiality agreement, client privacy notice, engagement letter or other similar letters or agreements with a client, and the rules of Professional Conduct, and professional standards. 

If there is any conflict between the terms of this Shield Policy and the Principles, with respect to the collection or processing of Personal Data of Data Subjects located in the EEA or Switzerland by GT, the Principles shall govern. 

GT will be and remain responsible under the Principles for any act or omission of any third party that it engages to process Personal Data on its behalf that are inconsistent with the Principles, unless GT proves that it is not responsible for the event giving rise to the damage.

3. Definitions

Applicable Data Protection Law” means all applicable data protection laws, rules and regulations and regulatory guidance, including any national implementing legislation relating to privacy and data protection, including but not limited to applicable United States federal and state data privacy and data breach notification laws, the European Union General Data Protection Regulation (“GDPR”), and the Swiss Federal Act on Data Protection. 

Data Subject” means an identified or identifiable natural person that is in the EEA or Switzerland. 

EEA” means the European Union and the European Economic Area. 

Identifiable Natural Person” means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Data” means any information relating to a Data Subject that is recorded in any form. 

Sensitive Data” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or concerning health, sex life or sexual orientation. Or genetic or biometric data when used for the purpose of uniquely identifying a natural person. 

4. Collection of Personal Data for the Provision of Legal Services 

GT provides legal services to natural persons and entities located throughout the world.  In the regular course of providing legal services, GT collects, analyzes and reviews Personal Data of Data Subjects in the EEA or Switzerland either as a data processor, on behalf and at the request of its clients, adverse parties, or other parties to legal matters as necessary, as well as a data controller, on its own behalf. 

The data collected includes the Personal Data of clients, client’s personnel, parties adverse to clients, their respective personnel, legal or technical experts, or other parties to legal matters. 

GT collects this data in the regular course of the provision of legal services for one or more of the following reasons:

  • The collection and processing are necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request for the Data Subject before entering into a contract;
  • The collection and processing are necessary for compliance with a legal obligation to which GT or GT’s client, as a data controller, is subject; or
  • The collection and processing are necessary for the purposes of the legitimate interests pursued by GT or GT’s client or a third party, as a data controller, and such interests override the interests or fundamental rights and freedoms of the Data Subject.

If the data is “Sensitive Data”, GT collects this data, as a data controller or a data processor at the request of its client, only when the processing is necessary for the establishment, exercise or defense of legal claims. 

In all cases above, GT collects this data in the regular course of providing legal services, and as needed for such services, GT transfers or provides this Personal Data to its clients, adverse parties, tribunals, courts, government agencies, legal or technical experts, vendors, service providers, and other third parties.   

If GT directly collects Personal Data, it does so in accordance with this Shield Policy and the Principles. If a client transfers Personal Data to GT, GT ensures that such transfer is permissible under applicable law. These transfers are completed in accordance with applicable laws, and only to the extent that they are not prohibited or restricted by applicable law. 

5. Collection of Personal Data for Direct Marketing Purposes

GT may also collect the names, contact information, and interests in specific legal issues of natural persons, such as potential clients, current clients, prospective clients, business contact and other third parties for direct marketing purposes. 

GT collects this data as a data controller (directly or through third party service providers) in the regular course of its business for its legitimate interests. 

In all cases above, GT collects this data in the regular course of its business operations, and GT transfers or provides this Personal Data to service providers, and other third parties as necessary to effect the contemplated marketing activities. 

If GT uses such Personal Data for direct marketing or e-marketing purposes, GT does so in compliance with the Applicable Data Protection Laws. 

GT ensures that such uses and transfers are permissible under applicable law, that they are completed in accordance with Applicable Data Protection Laws, and only to the extent that they are not prohibited or restricted by Applicable Data Protection Laws. 

6. Compliance with the Principles

When collecting and processing Personal Data of Data Subjects as described above, GT complies with the following Principles

A. Notice
GT will provide clear and conspicuous notice to inform clients, and Data Subjects where applicable, of the types of Personal Data that it collects, receives, uses, processes, shares, disclose or retains, and the types of third parties to which GT may disclose Personal Data.
 

GT will inform clients, vendors and service providers that it participates in the Privacy Shield. Such notice may be provided in contracts, on its websites or otherwise.

B. Choice

When GT acts as a data controller, GT will offer Data Subjects the opportunity to choose (opt out) whether Personal Data about them is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the Data Subjects.  It will do so in a clear and conspicuous manner and will provide a readily available mechanism to exercise choice.

For Sensitive Data, GT will obtain affirmative express consent from Data Subjects if such information is to be used for a purpose other than those for which it was originally collected or subsequently authorized. 

GT will treat as Sensitive Data any Personal Data received from a third party where the third party identifies and treats it as sensitive.

C. Onward Transfer
GT will not disclose Personal Data to third parties except as provided below, unless GT is required by law or the Rules of Professional Conduct, or when compelled by tribunals, courts, or government agencies, or to meet national security or law enforcement requirements, and only in accordance with the Principles.
 

When transferring Personal Data to a third party acting as a controller, GT will comply with the Notice and Choice Principles.  GT will enter into a contract with the third-party controller. The contract will provide that such data may only be processed for limited and specified purposes consistent with this Shield Notice and will require the recipient to provide the same level of protection as the Principles.  The contract will require that the recipient notify GT if it determines that it can no longer meet this obligation and that it cease processing or takes other reasonable and appropriate steps to remediate. 

When transferring Personal Data to a third party acting as an agent, GT will: (i) transfer the data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data in a manner consistent with GT’s obligations under the Principles; (iv) require the agent to notify GT if it determines that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a copy of the relevant provisions of such contract to the US Department of Commerce upon request. 

D. Data Security
GT will maintain appropriate physical, electronic, and administrative measures, including education and training of its personnel, designed to help safeguard and secure Personal Data. 

Personal Data collected or displayed through a website, or that is transmitted between GT offices, will be protected in transit by standard encryption processes. 

GT will maintain reasonable steps to protect the Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction. However, GT cannot guarantee the security of information on or transmitted through the Internet.

E. Purpose Limitation
GT will collect and process only the Personal Data that is relevant for the purposes of processing. 

GT will not process Personal Data in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the Data Subject.

F. Data Integrity
GT will take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete, and current. 

G. Data Retention
GT will retain Personal Data in a form identifying or making identifiable the Data Subject only for as long as it serves a purpose of processing identified in this Shield Notice. 

GT will have the right to process Personal Data for longer periods of time for archiving in the public interest and for statistical analysis as provided in the Principles. 

H. Access 
Upon proper proof of their identity, Data Subjects will have the right to obtain access to the Personal Data about them in GT’s custody or control.  They will have the right to obtain the rectification of inaccurate data concerning them, and the right to have incomplete data completed, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the Data Subject or as otherwise restricted by law. Individuals may contact GT using the contact information provided in the “How to Contact Us” below.

I. Accountability
GT will maintain a mechanism for assuring its compliance with the Principles. GT uses both self-assessment and third-party assessments.  At least once a year, GT will certify that this Shield Policy is accurate, comprehensive, prominently displayed, implemented and in conformity with the Principles.

GT will monitor adherence to the Principles and address questions and concerns regarding their adherence. Personnel who violate GT’s privacy policies may be subject to a disciplinary process. 

J. Recourse and Enforcement
Each Data Subject will have the right to raise a complaint by contacting GT using the contact information provided in the How to Contact Us below. GT will respond to a complaint within 45 days.
 

If an issue cannot be resolved by our internal dispute resolution mechanism, GT has chosen American Arbitration Association of New York, Commercial Arbitration Section (“AAA”) to be its independent recourse mechanism provider based in the U.S. for the Privacy Shield and the Swiss Federal Act of Data Protection, and GT agrees to be bound by its decision. Individuals may contact Courtney Park at Greenberg Traurig, LLP The Shard, Level 8, 32 London Bridge Street, London, SE1 9SG, by phone: (44203) 349-8727 or by email: parkc@gtlaw.com. If GT or AAA determines that GT did not comply with this Policy, GT will take appropriate steps to address any adverse effects and to promote future compliance. 

For any complaints that cannot be resolved with GT directly or through AAA, GT has chosen to cooperate with EEA supervisory authorities (“SA”) and comply with the information and advice provided to it by an informal panel of SA in relation to such unresolved complaints as further described in the Privacy Shield Principles, specifically including, but not limited to, human resources data. Please contact us as stated in the “How to Contact Us Section” to be directed to the relevant SA contacts. 

Data subjects also have access to a binding arbitration option in order to address residual complaints not resolved by any other means, as set forth in the Principles. 

If GT becomes subject to a U.S. court order or other order based on non-compliance with the Principles, GT shall make public any relevant sanctions or other findings.

7. Limitation of the Application

GT’s adherence to the Principles and this Shield Policy will be limited as permitted by the Principles: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; or (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations.  However, in exercising such authorization, GT’s non-adherence will be limited to the extent necessary to meet the overriding legitimate interests of the Data Subjects. Where the option is allowable under the Principles and/or U.S. law, GT will opt for the higher protection where reasonably possible.

8. Adherence to the Supplemental Principles

GT adheres to the Supplemental Principles, as applicable, as follows.  

A. Sensitive Data. In the regular course of its business, from time to time, GT obtains Sensitive Data because the processing is necessary: (a) to carry out employment law obligations on behalf of a client, (b) because it is in the vital interest of the Data Subject or another person, (c) for the defense of legal claims, or (d) because the Sensitive Data is manifestly made public by the Data Subject.

B. Journalistic Exceptions. GT does not engage in journalistic activity other than though its newsletters and blogs. 

C. Secondary Liability. In limited circumstances, GT will, on behalf of others, transmit, route, switch or cache information such that the secondary liability exception applies. 

D. Performing Due Diligence and Conducting Audits. GT participates in audits or conducts due diligence on behalf of its clients. Attorneys engaged in due diligence understand that they may process data without knowledge of the Data Subject only to the extent and for the period necessary to meet the requirements or other circumstances in which the Principles would prejudice the legitimate interests of the organization. Therefore, the exception does apply to GT. 

E. Supervisory Authorities. GT commits to cooperate with the EEA Supervisory Authorities and the Swiss Data Protection Authority. 

F. Self-Certification. GT will apply for and maintain its Privacy Shield certification in accordance with the applicable U.S. Department of Commerce’s protocol. 

G. Verification. GT will verify its compliance with the Principles through self-assessment. GT will provide Privacy Shield training to its personnel who may have access to Personal Data and will retain records of its implementation of the Principles and make them available as required. 

H. Access. GT will provide adequate mechanisms for Data Subject access to the Personal Data the GT holds about them.  

I. Human Resources Data. If GT receives human resources data of Data Subjects collected in the context of an employment relationship, GT will respect the national laws of the applicable EEA member state or Switzerland where the data was collected or processed before the transfer and will further respect any conditions for or restrictions pertaining to transfer.  

J. Obligatory Contracts for Onward Transfers. Except as otherwise stated in this Shield Notice, and as permitted by the Principles, GT will enter into written contracts with any third party to which it intends to transfer Personal Data before transferring such data. The contract will specify that the Personal Data may only be processed for limited and specified purposes consistent with the Shield Notice and other notices provided to the Data Subject and that the recipient will provide the same level of protection as stated in the Principles.  

K. Dispute Resolution and Enforcement. GT will meet its obligations for dispute resolution and enforcement through enrollment with AAA for alternative dispute resolution and agreeing to cooperate with the FTC and the U.S. Department of Commerce. GT will cooperate with any EEA Supervisory Authority or the Swiss Data Protection Authority, as may be necessary. If GT is subject to any enforcement effort, it will cooperate quickly and fully. 

Individuals are encouraged to raise any complaint they may have with GT by sending it to the attention of Courtney Park, parkc@gtlaw.com before proceeding to alternative dispute resolution. GT will respond to a Data Subject promptly and in any case within 45 days from receipt of a complaint. 

L. Choice – Timing of Opt-Out. Due to the nature of the legal services GT provides, it may be difficult for GT to provide Data Subjects with the option to opt-out in all circumstances, such as when the disclosure or use of data is required by law, compelled by a court, or subject to mandatory government disclosure. GT does not use Personal Data for marketing or other commercial purposes beyond the delivery of legal services to its clients. 

M. Travel Information. In the course of providing legal services, from time to time, GT receives airline passenger reservation and other travel data, including frequent flyer, hotel reservation details, and special requests as necessary. When this travel data is transferred from the EEA or Switzerland, GT will respect the law of the EEA Member State in which it is operating or that of Switzerland, as applicable, and will comply with any special conditions for the handling of such data.

N. Pharmaceutical and Medical Products. In the course of providing legal services, from time to time, GT receives Personal Data used for pharmaceutical or medical research. GT will anonymize such Personal Data when appropriate, and will use the data only for the establishment, exercise or defense of legal claims or whenever responding to requests from courts when they are acting in their judicial capacity. If the use of the Personal Data is inconsistent with the general research purposes for which the Personal Data was originally collected, or to which the Data Subject has consented subsequently, GT will obtain new consent. GT may rely upon the exception allowing Personal Data from clinical trials to be transferred to the U.S. for regulatory purposes, consistent with notice and choice principles. 

O. Public Record and Publically Available Data. GT will apply the Privacy Shield Principles of Security, Data Integrity and Purpose Limitation, and Recourse, Enforcement and Liability, to Personal Data collected from publicly available sources and public records. 

P. Access Requests by Public Authorities. GT will comply with lawful requests for data from law enforcement and national security agencies. 

9. Information Subject to Other Policies

GT is committed to following the Principles for all Personal Data of Data Subjects within the scope of the Privacy Shield. Information obtained from or relating to clients or former clients is further subject to the terms of any privacy notice to the client, any engagement letter or other similar letters or agreements with the client, the Rules of Professional Conduct, and applicable laws and professional standards.

10. Amendment

GT may amend this Policy from time to time by posting a revised policy at http://www.gtlaw.com or on any website that replaces this site. GT will only amend this Shield Policy in a manner consistent with the Principles.

11. Questions and Comments

Any questions, inquiries, or complaints regarding this Shield Policy or GT’s participation and compliance with the Privacy Shield may be directed to: 

Courtney Park
Greenberg Traurig, LLP
The Shard, Level 8
32 London Bridge Street
London, SE1 9SG  

Tel: (44203) 349-8727
Email: parkc-gtlaw.com  

Complaints about GT’s adherence to the Principles may also be directed to the FTC.