Clifford Chance is committed to respecting and protecting your privacy.
This privacy statement explains how we collect, store and use your personal data in compliance with applicable data protection law including, where relevant, (as amended from time to time) the General Data Protection Regulation (EU) 2016/679 ("EU GDPR"), the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 No. 419 ("UK GDPR") and the UK Data Protection Act 2018. Additional supplemental provisions relating to specific offices are set out at the end of this statement.
Who we are
Clifford Chance is a global law firm with its headquarters in London. Clifford Chance LLP controls the collection and processing of any personal data that you provide to us in relation to this website. Where services are provided to you by other entities within the Clifford Chance group, the entity providing the service will be the data controller. This notice applies to all such entities. This notice applies to all entities listed in our office directory.
Terms used in this privacy statement have the meanings given to them in the EU GDPR unless otherwise stated. Any reference to:
- "we", "us" or "our" should be understood as a reference to Clifford Chance LLP or the other entities within the Clifford Chance group; and
- "you" or "your" should be understood as a reference to a data subject whose personal data we process for the purposes described in this privacy statement.
For the avoidance of doubt, this privacy statement.is not a contract and does not itself create any legal rights or obligations.
If you have any questions about us processing your personal data, contact us via our website form.
How we collect personal data
We may collect personal data:
- directly from you when you engage with us
- indirectly from third-party sources including your organisation, your representatives, publicly available sources, our service providers other Clifford Chance entities;
- our clients, when we handle personal data for the purpose of providing our services;
- regulatory bodies; and
- and other companies providing services to us.
When we collect personal data directly from you it is your decision whether to provide data. If you do not provide data, it may hinder your use of, or make it not possible to use, our services or products, not allow you to remain in contact with us, to enter into contracts/agreements with us, to participate in our programmes, or to exercise your rights. If you provide information to us about another person, you must ensure that you comply with any legal obligations that may apply to your provision of the information to us, and allow us, where necessary, to share that information with our service providers.
How we use your personal data
How we use your personal data depends on the nature of your relationship with us. How we use your personal data and our legal basis for doing so, including where applicable our legitimate interest is explained below.
We will only use your personal data when applicable law allows us to. Depending on the nature and purposes of processing being carried out, our basis for processing may include:
- pursuing our legitimate interest or those of a third party. Under the EU GDPR and the UK GDPR, the lawful basis of such processing is Article 6(1)(f) of the EU GDPR (or equivalent provisions in the UK GDPR) (i.e. the processing is necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests, fundamental rights and freedoms which require protection of personal data);
- complying with legal obligations. Under the EU GDPR and the UK GDPR, the lawful basis of such processing is Article 6(1)(c) of the EU GDPR (or equivalent provisions in the UK GDPR) (i.e. the processing is necessary to discharge a relevant legal or regulatory obligation to which we are subject); and
- performance of a contract. Under the EU GDPR and the UK GDPR, the lawful basis of such processing is Article 6(1)(b) of the EU GDPR (or equivalent provisions in the UK GDPR) (i.e. the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract).
Generally, we do not rely on consent as a legal basis for processing your personal data, although we will obtain your consent before sending third party direct marketing communications to you, or where your consent is otherwise required under applicable law. You have the right to withdraw your consent at any time by contacting us using the details set out under "Contacting Us" below.
We do not sell your personal information. We do not envisage your personal data will undergo any automated decision making.
To the extent that our processing of your personal data is subject to data protection legislation other than the EU or UK GDPR, the relevant legal basis are explained in the Supplementary Provisions.
Visitors to our website, microsites and users of our Client Portal
When you visit our website or microsites, we automatically collect, store and use technical information about your equipment and your interaction with our website. This information is sent from your computer to us using cookies.
Read more about our use of cookies in our cookies notice.
We process personal data including login credentials to provide access to and manage our premium tools and restricted areas. We do so either because you have consented to their use or because we have a legitimate interest in:
- providing you with access to the information, tools and services offered via our website;
- reviewing, developing and improving our premium services; and
- managing our website and online services including monitoring compliance with our terms of use.
Thought leadership, briefings, podcasts and events
We collect personal data which is provided by you when you sign up to receive news services or briefings, attend an event or interact with us as a client. This includes contact information including name, email, telephone number and address; professional information including marketing preferences and other relevant information including meal preferences, feedback and survey responses. This information is stored in our customer relationship management systems.
We process information in connection with our thought leadership, briefings, podcasts and events:
- to send you newsletters, email briefings and other information that may be of interest to you;
- to invite you to events that we and our partners organise, to operate our events and to facilitate networking opportunities; and
- to manage your communication preferences, including, if you opt out, to operate suppression lists to ensure that you do not receive marketing communications from us.
Depending on our relationship with you, our legal basis for processing may be:
- you have consented to receiving marketing communications from us
- we have a business relationship with you, or your organisation and we have a legitimate interest in communicating with you; or
- to respect your rights (which are explained below) and to comply with our legal obligations.
Former Clifford Chance people
If you have previously been employed by, or have been a partner at, Clifford Chance, we may continue to process personal data that was collected before and during your working relationship with us. This data includes contact and biographical information, financial information, compensation and benefits information, employment/personnel records (including job title, contract information, training records, renumeration, performance information), photographs, webinars and podcasts.
We may process this data because we have a legitimate interest in maintaining records, to provide you with references, to publicise our activities, and to conduct data analytics studies to review and better understand our workforce. We may also use this information to establish, exercise or defend legal claims and to comply with our regulatory and legal obligations (including in relation to applicable tax and employment law).
We may continue to process special category data, including race, ethnicity and health-related information, where necessary and permitted by applicable law, to fulfil our legal obligations or exercise rights in connection with employment, social security or social protection law; to establish, exercise or defend legal claims or where it is in the public interest to do so.
We do not share personal data with third parties following your employment, contractual relationship or partnership with us except as necessary to fulfil ongoing legal or contractual obligations.
Alumni
If you are invited to join our alumni programme, we will use your name, contact information, role information and other relevant information to keep in touch with you and help you maintain contact with other alumni, to share news and success stories, to invite you to alumni events, and to share news and insights with you. We use this information because we have a legitimate interest in maintaining ongoing relationships with our alumni.
Clients and those whose personal data we process in connection with our professional services
When our clients engage us to provide legal advice and services, business may collect personal data, including name, contact information, financial information and other information relevant to the services we provide. This information may be collected directly from you, supplied by your organisation or provided by another source. We use this information for the purposes of:
- conducting due diligence, including on-boarding, compliance checks (including anti-money laundering and conflict checks) and other on-boarding processes;
- managing our client relationships and providing legal advice and services including working with counterparties, providers of related services (such as litigation support, translation and other specialist services);
- operating and giving you access to our legal technology tools;
- managing billing, payments and financial records; and
- responding to requests from regulators.
We use information about our clients (and their representatives) to fulfil our contractual, legal and regulatory obligations or because we have a legitimate interest in processing the information to provide our services and manage our business relationships.
When we provide legal advice and services to clients, we may also process the personal data of individuals whose information is relevant to the matter(s) on which we are instructed for example, when we advise on a business transaction, a regulatory investigation or we represent a client in a legal dispute. When we process personal data collected from or on behalf of our clients to provide legal advice and services, we process this data subject to obligations of client confidentiality and legal professional privilege, as well as the terms of our engagement with our client.
We only process special category data where processing is necessary to provide our clients with advice regarding their obligations or rights in the field of employment or social security; where we are subject to a legal obligation to do so or where it is necessary to do so to establish, exercise or defend legal claims.
Applicants, work experience, open days
When you apply for a job, for work experience or an internship, to attend an open day or a vacation scheme, we will ask you for information relevant to your application. We ask all applicants to apply via our recruitment system where a specific privacy statement is available. We do not accept applications submitted by other means.
Visitors to our premises
If you visit one of our buildings, we may collect information that we need to identify you, to create a record of your visit and for visitor pass use (if issued) and to complete necessary security checks. We may also collect your image on CCTV. We use this information to maintain physical security and manage access to our offices. If you use our guest Wi-Fi, we will collect relevant information to maintain the security of the Wi-Fi service. We process information about visitors to our premises to comply with legal obligations and because we have a legitimate interest in maintaining the security of our network and buildings.
People who contact us
We collect contact and related information when you contact us via our website, by email or by telephone. We process this information because we have a legitimate interest in responding to enquiries.
Suppliers and other third parties
If you provide goods or services to us, we maintain contact information, information regarding the goods or services you provide to us and billing and financial information, including billing address, bank account and payment information. We use this information to manage our supplier relationships and to comply with our contractual and legal obligations. We may also use this information to establish, exercise or defend legal claims.
Sharing and transferring your personal data
We treat your personal data with respect and do not share it with third parties except as follows:
- We may share your personal data with our Clifford Chance offices located around the world in connection with our internal business processes and for the purposes listed in this Privacy statement. When we share personal data within the Clifford Chance group, we have in place an intra-group data transfer and security agreement that incorporates appropriate data transfer provisions, including the EU and UK Standard Contractual Clauses.
- We may share personal data with our suppliers and service providers who process personal data on our behalf to provide or support the services described in this Privacy statement and with other legal specialists, including barristers, mediators, arbitrators, consultants, experts and other law firms.
- We may share personal information, where necessary, with courts, law enforcement regulatory authorities and government officials, where it is necessary to provide legal services, as permitted by applicable law or as required under applicable law (in which case we will notify you, unless we are prohibited from doing so or it is not possible or reasonable to do so).
- We may also share your personal data where you have consented to us doing so.
Any such transfers will comply with our obligations under applicable data protection laws. Some of these parties may process your personal data in accordance with our instructions and others will themselves be responsible for their use of your personal data.
Protection and retention of your personal data
We are committed to protecting your personal data and have implemented appropriate technical, physical and organisational security measures to protect personal data.
We operate a robust information security international programme and hold ISO27001 and SOC II certificates. We are also certified to ISO 27701, reflecting our commitment to privacy information management. This certification demonstrates that our privacy policies, procedures, and practices meet the rigorous standards set forth by the International Organization for Standardization (ISO) for the establishment, implementation, maintenance, and continuous improvement of the Privacy Information Management System (PIMS).
This certification complements our existing ISO 27001:2022 certification and provides a framework for integrating data privacy into our information security management system. It demonstrates our capability to address data privacy requirements effectively.
We do not keep your personal data for any longer than is necessary to fulfil the purpose for which we collected it, to comply with any legal, regulatory or reporting obligations or to assert or defend against legal claims.
Your rights in relation to your personal data
To the extent that our processing of your personal data is subject to the GDPR or other data protection legislation with data subject rights, you may have rights which are explained below. To exercise these rights, please contact us at dataprivacy@cliffordchance.com.
- You have the right to ask us for a copy of your personal data. This right is subject to applicable law and relevant exemptions.
- You can ask us to correct or complete any inaccurate or incomplete personal data.
- You can (in certain circumstances) ask us to delete your personal data. We may be unable to delete your data if we are legally obliged to retain it.
- You can (in certain circumstances) object to our processing of your personal data or ask us to "restrict" our use of it.
- If you have consented to our processing of your personal data, you can withdraw your consent.
- You have the right to ask that personal data which you have provided to us be provided to you in machine readable format if we process that data using automated means, you have consented to its use or so that we can enter into a contract with you.
We aim to respond to all legitimate rights requests within the relevant statutory time limits; however, where permitted by law, we may take longer if the request is complex.
Complaints
We respect your rights and want you to be comfortable with our use of your personal data. If you have a complaint or concern about how we use your personal data, we would like to work with you to resolve it. You can report a concern or ask us a question by contacting the Data Privacy team. You also have the right to make a complaint to your local data protection authority using their website. If you are unsure as to who is your local data protection authority, please contact us.
How to contact us
If you have any queries regarding anything mentioned in this Privacy statement or want to exercise any of the rights mentioned, please contact us at:
Email: dataprivacy@cliffordchance.com or website.feedback@cliffordchance.com
Supplementary provisions
Clifford Chance is an international law firm with offices in multiple jurisdictions. In some jurisdictions, the rights, protections, obligations and definitions imposed by applicable law are different to those that apply under the GDPR. This Privacy statement should be read in the context of applicable law and interpreted accordingly.
In particular, the following supplementary provisions apply:
China
This section outlines specific provisions under the China Personal Information Protection Law ("PIPL") that apply to our processing of personal data in China.
Sensitive personal information: Under the PIPL, "Special Category Data" is referred to as "sensitive personal information" and refers to personal information that, once leaked or illegally used, will easily lead to infringement of human dignity or harm to the personal or property safety of a natural person. This includes biometrics, religious beliefs, specific identities, medical health, financial accounts, whereabouts and personal information relating to minors under 14.
Legal bases for processing personal information: We will only process personal information of individuals in China based on the following legal bases as prescribed under the PIPL: the consent of the data subject; where the processing is necessary for performance of a contract with a data subject, internal employment rules/policies, or a collective contract in accordance with the laws and regulations; where the processing is necessary for performance of legal duties or compliance with legal obligations; where the processing is necessary to respond to public health incidents, or to protect the life, health, and property safety of natural persons in an urgent situation; where the processing is necessary for the public interest to carry out news report and public opinion supervision within a reasonable scope; when processing personal information which is publicly disclosed by the individual himself or herself, or by other persons legally, within a reasonable scope; and other provisions required by the laws and regulations.
Separate consent: In cases of personal information sharing, sensitive personal information processing, public disclosure of personal information, and cross-border data transfers, we will obtain separate consent, in addition to general consent, from the data subject in accordance with the requirement under the PIPL.
Cross-border transfer of personal information: Where we provide personal data to Clifford Chance entities outside China, we will rely on the CAC-approved standard contract which we have entered into with the overseas Clifford Chance entities.
Sharing of information with foreign law enforcement and regulatory authorities: Where it is necessary to share personal information with foreign law enforcement or regulatory authorities, we will obtain prior approval from the Chinese government as required under the PIPL and the China Data Security Law.
** Last updated November 2023