Privacy Statement
Last Updated: March 29, 2021
McGuireWoods respects your privacy and is committed to protecting your personal data. This Privacy Statement describes how we look after your personal data collected by us when you visit our website, or which we otherwise receive or collect from you in the course of our operations and client services as an international legal practice. It also describes certain privacy rights and data protection laws that may apply to you.
It is important that you read this Privacy Statement together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This Privacy Statement supplements other, more targeted notices and is not intended to override them.
Contents
Who we are
What personal data do we collect from you?
Why do we collect personal data from you?
How long do we keep your data?
Sharing your personal data
What rights do I have in relation to my personal data?
What are my rights as a California resident under CCPA?
How do you protect my personal data?
What if I do not want to provide my personal data?
Amendments to this Privacy Statement
Who We Are
McGuireWoods is an international law firm providing legal services to our clients. This Privacy Statement refers to McGuireWoods LLP and McGuireWoods London LLP, referred collectively as “McGuireWoods,” “we” or “us.” For further details concerning the structure and offices of McGuireWoods, please view our Legal Notices on our website.
We are committed to protecting your privacy. If you have questions about this Privacy Statement or other data protection matters concerning McGuireWoods, you can contact us at [email protected]. Additional contact information for McGuireWoods LLP and McGuireWoods London LLP is provided below.
Data controllers
For the purposes of data protection under the General Data Protection Regulation and any applicable national implementing laws, regulations, secondary or other legislation (collectively, the GDPR), the legal entities overseeing the processing of your personal data are McGuireWoods LLP and McGuireWoods London LLP. To clarify the essence of the arrangement by which McGuireWoods collects and processes personal data, both legal entities are considered data controllers in their own right. On occasion, for certain processing activities, one of the entities may act as a data processor for the other. There may also be processing activities for which we would be considered joint data controllers in that we may jointly determine the purposes and means by which your personal data is processed by us.
Data protection officers
McGuireWoods LLP’s privacy officer in the United States is Stephen Allred, who can be contacted at [email protected], or by mail at McGuireWoods LLP, Gateway Plaza, 800 East Canal Street, Richmond, Virginia 23219-3916. For purposes of the GDPR, McGuireWoods LLP, in its capacity as a controller of processing activities that are subject to the GDPR, has appointed McGuireWoods London LLP to be its representative within the European Union. Their contact details are email: [email protected], phone: +44 20 7632 1600.
McGuireWoods London LLP appoints the following individual as its data protection officer:
Mehboob Dossa
McGuireWoods London LLP
5 New Street Square
London EC4A 3BF
United Kingdom
[email protected]
Clients, prospects, candidates, providers and other individuals in the EU (or whose personal data is otherwise subject to the GDPR) should contact the data protection officer for the controller with whom they have actively engaged. If you have privacy or data protection questions in connection with the website, please contact us.
What Personal Data Do We Collect From You?
McGuireWoods only collects personal data required to serve the purpose for which it was collected. The type of personal data we collect will depend upon the nature of your relationship with us (e.g., whether you are a client, prospect, candidate, provider, or visitor to our website or office), the purpose for which the data is required, and our legal and regulatory obligations.
The categories of personal data we may collect from clients, prospects, job candidates, providers, and visitors to our website, offices and firm events are described under “More Information,” below. We collect this information in connection with services we provide to clients, from our firm website and blogs, software that we use to register you for events, software we maintain for marketing our services. We may also collect this information from you when you visit our offices or attend our events.
Types of data collected
Clients
As a client of ours, the information we collect from you may include the following:
- contact details (including names, postal addresses, email addresses and telephone numbers);
- a copy of your driver’s license or other suitable documentation to identify you;
- information pertaining to your legal matters with which we are assisting you;
- your bank account details should we need to transfer funds to you;
- professional information such as job titles, previous roles, and professional experience and qualifications;
- details regarding your attendance at firm events and activities;
- health-related information (such as dietary requirements, disability access, medical conditions, etc.) in connection with your participation at our events and activities; and
- information as required by regulatory “know your client,” anti-money laundering, or “proceeds of crime” legislation. Some of this information we may request or obtain from third-party sources.
Prospects
As a prospective client or other business prospect for McGuireWoods, the information we collect from you may include the following:
- contact details (including names, postal addresses, email addresses and telephone numbers);
- professional information such as job titles, previous roles, and professional experience and qualifications;
- details regarding your attendance at firm events and activities;
- health-related information (such as dietary requirements, disability access, medical conditions, etc.) in connection with your participation at our events and activities; and
- information as required by regulatory “know your client,” anti-money laundering, or “proceeds of crime” legislation. Some of this information we may request and/or obtain from third-party sources.
Third parties
In connection with the provision of our services, we collect and process different personal data depending on the services being provided, the individuals involved in each of our client matters, and the third parties with whom we communicate, obtain data from, or otherwise deal with in connection with the services we provide to our clients.
Job Candidates
As a job candidate looking to join McGuireWoods, the information we collect from you may include the following:
- contact details (including names, postal addresses, email addresses and telephone numbers);
- your racial or ethnic origin, gender identity, sexual orientation, religious or similar beliefs in order to undertake equal opportunity monitoring and reporting in the public interest;
- information regarding your criminal and disciplinary records (if any), including from background checking authorities, agencies and any regulators, to carry out our legal and regulatory obligations;
- information from credit reports and the like to the extent permitted by law;
- details of your references, including names, mailing addresses, email addresses, and phone numbers;
- information about your previous academic and/or employment history, including job titles, previous roles, and professional experience and qualifications, as well as details of any conduct, grievance or performance issues, appraisals, time and attendance, from references obtained about you from previous employers and/or education providers;
- information regarding your academic and professional qualifications;
- your nationality and immigration status and information from related documents, such as your passport or other identification and immigration information;
- a copy of your driver’s license or other suitable documentation to identify you and verify your identity;
- information we may request and/or obtain from third-party sources, such as from disciplinary records, recruiters, social media, or your references.
Providers
From providers of goods and services to McGuireWoods, we collect limited information that could be considered personal data. The information we collect from you may include the following:
- your name and contact details (i.e., address, home and mobile phone numbers, email address);
- your bank account details should we need to transfer funds to you.
Visitors to the website
As a visitor to our main internet site, www.mcguirewoods.com, or any other website or web address operated by or on behalf of McGuireWoods that links to this Privacy Statement (the website), we collect information that you submit to us when you interact with features of the site such as subscribing to news alerts or signing up to attend firm-sponsored events. When you do this we collect:
- your name and contact details (i.e., address, home and mobile phone numbers, email address).
In addition to collecting information you provide, our website automatically collects the following information for purposes of analytics:
- your internet protocol (IP) address; your login data, browser type and version; time zone setting and location; browser plug-in types and versions; operating system and platform; and other technology on the devices you use to access the website.
More information can be found within our Cookies Policy.
This website is not intended for children and we do not knowingly collect data relating to children via the website.
Visitors to our offices
As a visitor to a McGuireWoods office, we may capture the following information about you:
- contact details (including names, postal addresses, email addresses and telephone numbers);
- images captured by our offices’ CCTV cameras.
Why Do We Collect Personal Data From You?
McGuireWoods collects and processes your personal data in connection with its business as a provider of legal and ancillary services and to pursue our related legitimate interests and rights, including the promotion and marketing of our services. We collect this data in order to keep track of clients and prospective clients, share relevant content including market the firm’s capabilities, provide invitations to relevant events and registration for those events, and distribute relevant content.
We collect personal data from the following sources:
- clients, including personal data of employees and other agents of our clients;
- prospects, including prospective clients and individuals to whom we promote or market our services;
- third parties, including opposing parties, co-parties, witnesses and other individuals involved in matters for which we provide legal services to our clients, and providers of services and other individuals as a result of providing our services to our clients;
- job candidates, including prospective employees or other workers in connection with job applications and prospective partners in connection with consideration for partnership;
- providers, including vendors, suppliers, consultants, advisers and business partners;
- visitors to our website; and
- visitors to our offices.
The personal data we collect is processed in compliance with relevant data protection laws and regulations. For California-specific guidance, please click here.
Purpose and legal basis for processing
When processing your personal data, the purpose and legal basis include the following, to the extent that they apply to you:
- to perform client services (including litigation, transactions, regulatory advice, assistance and representation, corporate formation, structure, governance and compliance services), to fulfill our contractual obligations toward you, on the basis of our legitimate interests or our clients’ legitimate interests, and to provide the best client service we can;
- to support our business processes (including our information technology, electronic communications and electronic documents storage, management and transmissions), to fulfill our contractual obligations toward you, or, if not applicable, on the basis of our legitimate interests to provide the best client service we can, to support our business operations, administration, IT services, and network security, and to prevent fraud;
- to safeguard your personal data and our IT system with appropriate security, on the basis of your and our legitimate interest for such security;
- to exchange information, conduct due diligence, answer your questions, take steps required to enter into a contract with you, or for the purposes of our legitimate interests to protect our legal rights and a third party’s rights, or, on the basis of your consent;
- for our recruitment purposes, including in the context of a selection and recruitment procedure, to take steps prior to entering into an employment relationship or contract with you or on the basis that it is our legitimate interest to use your personal data in such a way to ensure that we can make the best recruitment decisions — we will not process any special categories of personal data except where we are able to do so under applicable legislation or with your explicit consent;
- to keep you up to date with McGuireWoods events, activities and news that may be of interest to you, on the basis of your consent, or for our legitimate interests to use your personal data for marketing purposes;
- to present the website and its content in the best possible way for you and on your computer, on the basis of our legitimate interests to keep our website updated and relevant, to develop our outreach and business operations, and to develop marketing strategy;
- for business transactions such as a merger, acquisition by another company, or sale of all or a portion of our assets on the basis of our legitimate interests to sell or expand our business operations; and/or
- to comply with legal and regulatory requirements applicable to us (including the need to prevent and combat money laundering).
Where the processing of your personal data is based on your consent only, you have the right to withdraw this consent at any time. We will then erase your personal data and stop processing it so long as we are not prohibited from doing so by applicable law.
Marketing
You may receive marketing communications from us if you are an existing client, if you provided us with your consent, or where we are pursuing a legitimate interest and have a lawful right to do so and, in each case, you have not opted out of receiving that marketing communication. You can ask us to stop sending you marketing messages at any time by following the unsubscribe links on any marketing message sent to you or by contacting [email protected] at any time.
How Long Do We Keep Your Data?
Your personal data is kept for the time required to pursue the purposes for which it was collected and processed, including for the purpose of satisfying any applicable legal, professional, contractual, regulatory, accounting or reporting requirements unless you have requested deletion and we have honored that request.
If you request that we stop sending you marketing materials, we will continue to keep a record of your contact details and appropriate information to enable us to comply with your request not to be contacted by us.
California residents have special rights with respect to our retention of personal information. These are described here.
We will retain your personal data only for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, legitimate administrative or operational purposes, and any reporting requirements. In determining data retention periods, we take into consideration local laws, contractual obligations, our professional duties to our clients, our reasonable business requirements, and your expectations and requirements.
When it is no longer necessary to retain your personal data, we will securely delete or, in some circumstances, anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further statement to you. Any such anonymization would be performed in accordance with, and where allowed by, applicable law.
Sharing Your Personal Data
This website is hosted in the United States. Personal data that is voluntarily provided on or via this website or online, via electronic communication, or otherwise to McGuireWoods, may be maintained or accessed in servers or files located in the United States.
To provide legal services and effectively run our business, we may need to share your personal data as permitted by law. Transfer of personal data may occur internally between McGuireWoods offices, to our providers as necessary to provide our services, or to public and regulatory bodies in the event we are required to do so. These transfers may involve international transfer of your personal data to our McGuireWoods offices (including our offices located outside the European Economic Area ( EEA)) and data centers or those of our providers or public and regulatory bodies.
We do not sell the personal information we collect about you to third parties. We may, however, share your personal information with service providers or third parties in accordance with the business purposes set out in this Privacy Statement. At this time, the firm’s website does not have the ability to respond to “Do Not Track” signals sent by individual users’ web browsers.
Categories of recipients
Your personal data may be transferred to the following categories of recipients:
- service providers we have retained to perform services on our behalf or on behalf of a client in connection with specific legal services we are providing for the client;
- public authorities if we are required to do so by law or legal process, in response to a request from government authorities, or if we believe disclosure is necessary to prevent personal harm or financial loss.
We reserve the right to transfer your personal information in the event we sell or transfer all or a portion of our business or assets. Should such a sale or transfer occur, we will require that the transferee use the personal data you have provided in a manner consistent with our privacy policy and the applicable legal framework.
International transfer of your personal data
Subject to the terms of any engagement agreement or other agreement that we have with you, we allow McGuireWoods’ offices, branches and associated firms, to access your personal data, and may allow access to your personal data, or parts of it, to our service providers required to obtain the services we need to operate our business or to provide legal services to our clients.
McGuireWoods LLP (based in the United States) and McGuireWoods London LLP share infrastructure, personnel and providers of services in connection with the services we provide and marketing activities that we undertake. McGuireWoods LLP also provides client and support services to McGuireWoods London LLP and other offices located outside the EEA. As a result, McGuireWoods LLP and its offices in the United States will receive and have access to your personal data.
Many of our third-party service providers are based outside the EEA so their processing of your personal data will involve a transfer of your personal data outside the EEA.
Whenever we transfer your personal data out of the EEA, where required by law, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- Where we use certain providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
Please contact us if you want further information on the specific mechanisms we use when transferring your relevant personal data out of the EEA.
What Rights Do I Have in Relation to My Personal Data?
Depending on the facts and circumstances related to the personal data we collect or obtain about you – including, for example, the nature of the information we process, where you are located or reside, or whether we obtain the information in connection with legal services we provide to our clients – you may have rights regarding the personal data we hold about you afforded under relevant data protection laws. These may include the right to request information about, or access to, the personal data we hold, and rights to complain about how we handle your personal data. McGuireWoods is committed to honoring rights you have been afforded under data protection laws while ensuring that such rights are exercised in accordance with our other legal and ethical obligations.
California residents have special rights with respect to personal information. These are described here.
Right to request under the GDPR
Under certain European data protection laws and certain conditions, you may have the right to request from McGuireWoods, among other things:
- access to certain information concerning your personal data and the way we are processing it;
- rectification of inaccurate or incorrect personal data;
- erasure or restriction of inaccurate, incorrect personal data or personal data unlawfully processed;
- to stop certain processing, at any time, on grounds relating to your particular situation, including profiling, and to stop any processing, at any time, where it relates to direct marketing;
- to receive your personal data in a structured, commonly used and machine-readable format, enabling you to transmit the personal data to another data controller.
For more information on the full extent of your rights or to exercise your rights, please contact your local data protection officer by mail or e-mail at the addresses indicated above with a brief explanation of your request. When exercising any of those rights, please let us:
- have enough information to identify you;
- have proof of your identity and address (a copy of your driver’s license or passport and a recent utility or credit card bill); and
- know the information to which your request relates.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask for further information in relation to your request to speed up our response.
If you would like to unsubscribe from any email publication you can also click on the ‘unsubscribe’ button at the bottom of the relevant email publication. It may take up to 10 days for you to be removed from the applicable distribution list.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
Right to complain under the GDPR
We hope that we can resolve any query or concern you raise about our use of your personal data. However, if you believe your personal data is unlawfully processed by McGuireWoods under applicable European data protection laws, you may lodge a complaint with the relevant supervisory authority where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns or telephone: 0303 123 1113.
What are my rights as a california resident under the California Consumer Privacy Act (“ccpa”)?
California Privacy Rights
Beginning January 1, 2020, California residents may exercise certain privacy rights pursuant to the California Consumer Privacy Act of 2018 (“CCPA”). Your right to submit certain requests as a California resident are described below. Please note that when submitting a request, you will be asked to provide information to verify your identity before action is taken. You may designate an authorized agent to make the requests below on your behalf. An authorized agent must submit proof to us that he or she has been authorized by you to act on your behalf, and you will need to verify your identity directly with us.
Right To Request More Information
As a California resident, you have the right to request more information regarding the following, to the extent applicable:
- The categories of personal information we have collected about you.
- The categories of sources from which we have collected your personal information.
- The business or commercial purpose why we collected or, if applicable, sold your personal information.
- The categories of third parties with whom we shared your personal information in the past 12 months.
- The specific pieces of personal information we have collected about you.
- The categories of personal information that we have shared with third parties about you for a business purpose.
You may submit a request for the information above by calling us at 1-800-775-2202, or emailing us at [email protected]. McGuireWoods LLP will evaluate all requests for information under all applicable laws and confidentiality protections or restrictions that apply to the firm, its clients, its employees, or to other third parties whose data the firm collects. McGuireWoods LLP will not provide any information if it would otherwise violate governing law or legal protections that apply to such data, including without limitation any applicable privileges. In connection with submission of your request, we will take steps to verify your identity, and you will need to verify your identity before action is taken.
Right to Request Deletion of Your Personal Information
You also have the right to request that we delete your personal information collected or maintained by us. Once we receive your request, we will let you know what, if any, personal information we can delete from our records, and we will direct any service providers with whom we shared your personal information also to delete your personal information from their records. There may be circumstances where we cannot delete your personal information or direct service providers to delete your personal information from their records. For example, if we need to: (1) retain your personal information to complete a transaction or provide goods or services; (2) detect security incidents; (3) protect against unlawful activities; (4) identify, debug or repair errors; or (5) comply with a legal obligation. You may submit a request to delete your personal information by calling us at +1 800 775 2202, emailing us at [email protected]. McGuireWoods LLP will not delete any information if it would otherwise violate law or legal protections that apply to such data, including any applicable privileges. In connection with submission of your request, we will take steps to verify your identity and you will need to verify your identity as required under California law before action is taken.
Verification of Requests
Upon submission of a request for information or a request to delete information, we will take reasonable steps to confirm that the person submitting the request to know or request to delete is the person to whom the information relates, and to prevent unauthorized access or deletion of information. The specific steps taken to verify the identity of the requesting person may vary based on the nature of the request, including the type, sensitivity and value of the information requested, the risk of harm posed by unauthorized access or deletion, the likelihood that fraudulent or malicious actors may seek the information, the robustness of personal information provided to verify your identity, the nature of our business relationship with you, and available technology for verification.
We will generally try to avoid requesting additional information from you for the purpose of verification. However, we may need to do so if we cannot verify your identity based on the information already maintained by us. If we request additional information to verify your identity, it will be for that purpose only, and will be deleted as soon as practical after processing the request, except as otherwise provided by law.
The following generally describes the verification processes we use:
- For requests to know categories of personal information, we will verify your identity to a reasonable degree of certainty by matching at least two data points provided by you with reliable data points maintained by us.
- For requests to know specific pieces of personal information, we will verify your identity to a reasonably high degree of certainty by matching at least three data points provided by you with reliable data points maintained by us. We will also require a declaration, signed under penalty of perjury, that the person requesting the information is the person whose information is the subject of the request. We will maintain all signed declarations as part of our records.
- For requests to delete personal information, we will verify your identity to a reasonable degree or a reasonably high degree of certainty depending on the sensitivity of the personal information and the risk of harm posed by unauthorized deletion. We will act in good faith when determining the appropriate standard to apply.
If there is no reasonable method by which we can verify your identity, we will state so in response to a request to know or delete personal information, including an explanation of why we have no reasonable method to verify your identity. As indicated above, McGuireWoods LLP will not delete any information if it would otherwise violate law or legal protections that apply to such data, including any applicable privileges.
Right to Non-Discrimination for the Exercise of California Resident’s Privacy Rights
By exercising any of the above listed privacy rights conferred by the California Consumer Privacy Act of 2018, you have the right not to receive discriminatory treatment by us. This means that, consistent with California law, we will not deny providing goods or services to you, charge you different prices or provide a different level or quality of goods and services to you unless those differences are related to the value of your information.
How Do You Protect My Personal Data?
McGuireWoods employs industry-standard best-practice protection to safeguard the personal data it collects.
Security measures
McGuireWoods has implemented security-by-design infrastructure utilizing technologies such as firewalls, intrusion detection systems, anti-malware detection, data loss prevention, zero day threat protection, and endpoint encryption. Our security measures include:
- Offering encrypted email using Transport Layer Security (TLS) within Microsoft Exchange. Other types of encryption are also available.
- Delivering systems that guarantee confidentiality screening for specific lawyers and matters pertaining to certain clients. This screening capability is also available for any matter for which higher levels of confidentiality are required by clients. This provides only individuals who have a “need to know” access to information about client matters.
- Providing a secure, encrypted file transfer solution, known as MWFiles, that allows very large files to be transferred back and forth between McGuireWoods and clients.
- Requiring multifactor authentication for remote access into McGuireWoods’ systems for all employees.
- Utilizing external security experts to conduct annual security audits of our environment, including penetration testing and social engineering testing.
- Performing regular security audits of McGuireWoods’ service providers to ensure client information is handled with appropriate safeguards.
- Employing advanced threat intelligence to stay abreast of emerging threats in the ever-changing security landscape.
Conducting weekly vulnerability assessments of all McGuireWoods systems to ensure that new threats are addressed quickly and completely.
What if I do not Want to Provide My Personal Data?
For clients of McGuireWoods, prospects, job candidates, and providers, it is in your discretion to provide personal data to us. However, for us to enter into a contract with you, or other professional, employment or business relationship with you, we will need to obtain certain information, including personal data that may be necessary or legally required. If you do not provide us with all or some of the personal data we request, we may be prevented from entering into a contract with you, providing you with legal services, hiring you for employment, or sending you marketing information or other communications that you have requested.
For users of the website, providing your personal data is purely voluntarily. Not providing such data may only prevent you from receiving information from McGuireWoods. Analytical information captured during your visit to our website is described in our Cookies Policy, which you can review here.
Amendments to this Privacy Statement
McGuireWoods may update this Privacy Statement from time to time, and we reserve the right to do so to comply with applicable data protection laws. The effective date of this Privacy Statement is noted at the top of this page. We encourage you to review this page periodically. If we make material changes to the way that we collect, use or share personal data that you have provided, we will post the revised Privacy Statement on our website.