Kirkland & Ellis LLP ("Kirkland" or the "Firm") adheres to the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework (the "Safe Harbor Frameworks") concerning the transfer of personal data from the (i) European Economic Area (EEA) (which includes the member states of the European Union (EU) plus Iceland, Liechtenstein, and Norway), and (ii) Switzerland, respectively, to the United States, including the respective Safe Harbor Privacy Principles, as set forth by the U.S. Department of Commerce (the "Principles").
Safe Harbor Principles
Scope: This Policy applies to all "personal data," defined as information that:
- is received by the Firm's U.S. offices from (i) the Firm's EU offices (directly or through affiliated entities, and references herein to the Firm's EU offices shall be deemed to include their affiliated entities), and (ii) the Firm’s clients;
- is about, or pertains to, a specific individual in the EEA or Switzerland;
- can be linked to that individual (also referred to as the "data subject"); and
- is recorded in any form, including on-line, off-line, and manually processed data.
Kirkland complies with the Principles, subject to the limitations and exceptions, in each case, as set forth below.
Notice: Where Kirkland collects personal data directly from individuals in the EEA or Switzerland (i.e., excluding clients that are not individuals), Kirkland will inform such individuals about (i) the purposes for which it collects and uses personal data about them, (ii) the types of non–agent third parties to which Kirkland discloses that information, (iii) the choices and means, if any, Kirkland offers individuals for limiting the use and disclosure of personal data about them, and (iv) the means to contact Kirkland. Notice will be provided in clear and conspicuous language when individuals are first asked to provide personal data to Kirkland, or as soon as practicable thereafter, and in any event before Kirkland uses or discloses the information for a purpose other than that for which it was originally collected. Consent for personal data to be collected, used, and/or disclosed in certain ways may be required in order for an individual to obtain or use the Firm's services. Such consent is provided through employment consent forms, engagement letters, and similar documents. Although in most cases it is anticipated that personal data to which this Policy applies will be collected or processed by Kirkland & Ellis International LLP, if Kirkland's U.S. offices directly collect such personal data they will do so in accordance with the Principles and this Policy.
Choice: Where acting as a data controller (i.e., the person or entity that determines the purposes for which, and the manner in which, any personal data is processed), Kirkland will offer individuals the opportunity to choose (opt-out) whether their personal data is (i) to be disclosed to a non-agent third party, or (ii) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive personal data, Kirkland will give individuals the opportunity to affirmatively and explicitly (opt-in) consent to the disclosure of such personal data to a non-agent third party or the use of such personal data for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. Because Kirkland processes personal data at the direction of the Firm’s clients, we typically have no direct relationship to the individuals whose personal data the Firm receives in connection with client engagements. Kirkland may disclose personal data to (i) agents as provided herein, and (ii) non-agent third parties for the purposes of, and as directed by, the client in connection with which that personal data was collected.
Onward Transfer: Kirkland will use reasonable efforts to obtain assurances from its agents that they will safeguard personal data consistent with this Policy. Where Kirkland has knowledge that an agent is using or disclosing personal data in a manner contrary to this Policy, Kirkland will take reasonable steps to prevent or stop the use or disclosure.
Security: Kirkland will take reasonable precautions to protect personal data in its possession from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.
Data Integrity: Kirkland will use personal data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. To the extent necessary, Kirkland will take reasonable steps to ensure that personal data is relevant to its intended use, accurate, complete, and current.
Access: Upon request, Kirkland will grant individuals reasonable access to personal data that it holds about them in the Firm’s role as data controller. In addition, Kirkland will take reasonable steps, subject to the limitations and exceptions set forth below, to permit individuals to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete. For information that the Firm holds as a data processor, the Firm will direct the individual to the data controller. If an individual becomes aware that information the Firm maintains about that individual is inaccurate, or if an individual would like to update or review his or her information, the individual may contact the Firm using the contact information set forth below. The individual will need to provide sufficient identifying information, such as name, address, and birth date. The Firm may request additional identifying information as a security precaution. In addition, the Firm may limit or deny access to personal data where providing such access would be unreasonably burdensome or expensive in the circumstances, or as otherwise permitted by the Principles. In some circumstances, the Firm may charge a reasonable fee, where warranted, for access to personal data.
Enforcement: Kirkland will conduct compliance audits of its relevant privacy practices to verify adherence to this Policy. Any partner or employee who Kirkland determines is in violation of this policy may be subject to disciplinary action up to and including termination of employment.
Dispute Resolution - Human Resource Data: Any questions or concerns regarding the use or disclosure of Kirkland's human resource data should be directed to the Firm's HR Director or the Director of Administration. Kirkland will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal data by reference to the Principles and this Policy. For unresolved complaints related to Kirkland's human resources data for partners and employees in the EU offices, Kirkland will cooperate with the European Data Protection Authorities (DPAs).
Dispute Resolution - Client Data: Any questions or concerns regarding the use or disclosure of client-related personal data should be directed to the Firm at firstname.lastname@example.org. Kirkland will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal data by reference to the Principles and this Policy. Unresolved complaints made pursuant to the Safe Harbor Frameworks will be submitted to the alternative dispute resolution provider JAMS for arbitration.
Limitations of the Principles and this Policy: Adherence by Kirkland to the Principles and this Policy will be limited as permitted by the Principles: (i) to the extent necessary to meet national security, public interest, or law enforcement requirements, (ii) by statute, government regulation, or case law that creates conflicting obligations or authorizations, provided that, in exercising any such authorization, the Firm’s non-adherence is limited to the extent necessary to meet the overriding legitimate interests the Firm furthers, or (iii) if the effect of the EU Directive on Data Protection (the "Directive"), EU Member State law, or the Swiss Federal Act on Data Protection (FADP) is to allow exceptions or derogations, provided the Firm applies such exceptions or derogations in comparable contexts. Further, because Kirkland is a law firm providing legal advice, adherence to certain of the Principles (including Notice, Choice and Access), is limited with respect to personal data that the Firm processes and uses in certain respects, including, but not limited to, the establishment of a legal claim or defense or the representation of a client's interests and rights in an acquisition, merger, joint venture or other transaction. Personal data may also be subject to ethical duties of confidentiality.
The Firm's U.S. offices do not disclose personal data to third parties except in accordance with the Principles and this Policy. The following are examples, but not an exhaustive list, of situations where disclosure or transfer would be permitted in accordance with this section:
- The disclosure involves personal data of a client and is permitted by applicable law (including U.S. court rules governing lawyers' duty of confidentiality to their clients) such as:
- when information generally known in the local community or in the trade, field or profession to which the information relates;
- when information is disclosed with such client's informed consent;
- when disclosure is impliedly authorized to advance the best interests of the client and is reasonable and customary;
- when it is necessary or advisable to prevent reasonably certain death or substantial bodily harm;
- when it is necessary or advisable to prevent the client from committing a crime;
- when it is necessary or advisable to withdraw an opinion the Firm issued where the Firm believes the opinion is being used to further a fraud;
- when it is necessary or advisable to secure legal advice about the Firm’s compliance with the law;
- when it is necessary or advisable to defend the Firm against an accusation of wrongful conduct or to collect a fee;
- when it is necessary or advisable to respond to a subpoena served on the Firm or otherwise to comply with law; and
- when the client has offered material evidence to a tribunal that is false and disclosure is necessary as a remedial measure.
- The disclosure involves personal data of a data subject that is not a client and one of the following applies:
- the data subject intentionally made the information public;
- the data subject has given the Firm consent to make the disclosure; or
- the Firm’s duty of confidentiality to a client combined with the Firm’s professional obligation to provide competent representation and not prejudice the client during a representation preclude the Firm from seeking consent from the data subject, for example:
- the Firm represents a company in a transactional matter that requires transfer of employee or other individuals' personal data in the company's possession to prospective buyers or investors for the purposes of their due diligence, provided the client has given its consent to do so;
- the Firm represents a company in a litigation or government investigation and assists the company in responding to a subpoena where responsive company documents include employee or other individuals' personal data that the client has transferred to the Firm.
- Whether the data subject is a client or not:
- a law or regulation such as the Patriot Act or law enforcement requirement states that the Firm is obligated to disclose the information;
- disclosure is necessary or advisable to protect the rights, safety, or property of the Firm or others;
- the disclosure is to another Kirkland office or to persons or entities providing data processing or other services on the Firm’s or the individual's behalf (each a "transferee"), consistent with the purpose for which the information was obtained, if the transferee, with respect to the information in question:
- subscribes to the Principles;
- is subject to the Directive or another adequacy finding; or
- agrees in writing that is will provide at least the same level of privacy protection as is required by the relevant Principles; or
- the disclosure is otherwise permissible under the Directive.
- Permitted transfers of personal data, either to third parties or within Kirkland, include the transfer of data from one jurisdiction to another, including transfers to and from the United States.
Contacts for Questions and Concerns
Questions and concerns regarding this Policy should be directed to the Firm at email@example.com.
This Policy may be amended from time to time, consistent with the requirements of the Principles.
Last Updated: May 30, 2014