Privacy Policy
Baker Botts L.L.P.[1] (“Baker Botts”, “we”, or “us”) is an international law firm. We are committed to safeguarding the personal data that you provide directly to us, that we collect in the course of our business, or that we receive from you when you visit our website or submit a job application to us.
This privacy policy explains to you how we collect and process your personal data and your rights in relation to your personal data that we process. It is a global policy that applies to all Baker Botts’ offices.
Please note, if you reply to one of our marketing emails or otherwise send a communication to us, that communication does not create an attorney-client relationship with us. Please do not send any information that you consider confidential unless and until we have agreed in writing to represent you with respect to that matter. Any information provided to us prior to our agreement to represent you may not be protected from disclosure and may not be subject to applicable privileges.
Quick Links
Personal Data We Collect From or About You.
How We Collect Your Personal Data.
How We Use Your Personal Data.
How and to Whom We Share Your Personal Data.
Your United Kingdom, European and Singaporean Legal Rights.
Notice to California Residents.
International Transfer of Your Personal Data.
How We Protect Your Personal Data.
How Long We Retain Your Personal Data.
Third-Party Websites and Links.
Automated Decisions Using Your Personal Data.
Revisions to this Privacy Policy.
How to Exercise Your Privacy Rights.
Personal Data, Defined
Personal data is any information that enables us to identify you and that is related to an identified or identifiable natural person, such as your name, identification number(s), location data, certain commercial information, online identifiers, and educational and employment history. It does not include data that is anonymized or de-identified.
Data Controller
For personal data that we collect and process about you, the data controller—as that term is defined in both the UK and EU General Data Protection Regulations (collectively “GDPR”)—is Baker Botts L.L.P., Baker Botts (UK) LLP, Baker Botts (Belgium) LLP, or Baker Botts (Singapore) LLP, depending on the entity with which you have principally interacted or with which you have a client or contractual relationship.
Baker Botts is not a data processor—as that term is defined in the GDPR—in the context of a client relationship.
Personal Data We Collect From or About You
From time to time, we collect and process the following types of personal data from you:
- Contact Data: this includes, for example, your name, your home or business address, your email address, your phone number, and your social media handles.
- Client Data: this includes, for example, personal data provided to us by or on behalf of our clients and personal data that we collect in the course of providing our services to our clients, such as personal data provided by third parties.
- Technical Data: this includes, for example, personal data that we collect from you when you interact with our website, applications, and email communications, such as your IP address and device ID.
- Financial Data: this includes, for example, your bank account, payment card, and other related financial data.
- Recruitment Data: this includes, for example, your CV, professional history, educational background, and related qualifications.
- Marketing Data: this includes, for example, your preferences in receiving marketing or promotional information from us.
- Other Data: any other personal data that you provide to us and which can be reasonably used to identify you.
We may collect data that is not identifiable to you or otherwise associated with you, such as aggregated data, anonymized, or de-identified data. This is not personal data. However, to the extent this data is stored or associated with your personal data, we will treat it as personal data; otherwise, it is not subject to this Privacy Policy.
How We Collect Your Personal Data
We collect personal data from you through a variety of sources. We strive to only collect personal data that is adequate, relevant, and limited to achieve the purpose(s) for which it was collected. We may from time to time provide you with supplemental information at the time we collect your personal data to address unique or situational collection needs, for example through our terms of engagement when we agree to represent you.
Examples of ways in which we collect your personal data include:
- Direct Interaction: you may provide us with your personal data when you interact with us, for example by enquiring about our services, giving us your contact details, registering for one of our events, subscribing to our updates or promotional material, or engaging in any way with our partners, lawyers, staff, or contractors.
- Automated Technologies: we may collect personal data automatically when you visit our website, including through the use of logging and analytics tools, such as cookies, click on links in our emails, or visit our offices, including through the use of security footage, such as through the use of CCTV.
- Private Third-Party Sources: we may collect personal data from private third-party sources, such as, for example, other law firms, banks, clients, recruitment agencies, regulators, certain governmental agencies, other organizations that you may have dealings with, and electronic data sources such as business information databases and providers.
- Publicly-Available Sources: we may collect personal data from publicly available sources, including, for example, personal data available on the internet, on or from social media platforms, from governmental agencies, or company registries.
How We Use Your Personal Data
We process and use your personal data to the extent permitted by applicable law. This means:
- We process your personal data if you have given us consent to process for one or more specific purposes;
- We process your personal data if it is necessary for the performance of a contract with you;
- We process your personal data if it is necessary for compliance with a legal obligation to which we are subject; and/or
- We process your personal data if it is necessary for the purposes of our legitimate interests where those interests are not overridden by your interests or fundamental rights and freedoms that require protection of your personal data.
We principally rely on the legitimate interest basis for the provision of our legal services, including client inception, onboarding and identification, the performance of our services, and for the administration and operation of Baker Botts. In addition, we principally rely on the legitimate interest basis for marketing and promoting relevant services to you, inviting you to relevant events, and providing you with our newsletters, updates, and legal and other information.
How and to Whom We Share Your Personal Data
We share your personal data within Baker Botts and with our contracted third-party processors and/or service providers who assist us in the administration and operation of Baker Botts, and in providing our legal services to and for our clients. In addition, we share your personal data when required by law.
Third-party processors and service providers with whom we may share your personal data include:
- Our information technology and telecommunications service providers, including data centers and cloud storage providers.
- Our marketing service providers.
- Our corporate and litigation support service providers.
- Professional services organizations (e.g., law, accountancy, auditing, insurance, forensic, information security, and company formation service providers).
- Expert witnesses and jury consultants.
- Cybersecurity service providers.
- Other service providers to whom we outsource aspects of the provision of our legal services and the administration and operation of Baker Botts.
- To another law firm, in the event of a sale or merger of Baker Botts.
- Business partners, such as those that co-host events with us.
We share personal data with third parties when we believe it is required by, or necessary to comply with, applicable law, such as opposing parties in litigation or transactions or in response to law enforcement, governmental, or judicial requests.
We do not sell or share your personal data to third parties for monetary or other valuable consideration and have not done so in the 12 months prior to the effective date of this privacy policy.
Your United Kingdom, European and Singaporean Legal Rights
If you are a UK, EU or Singapore resident, you may have certain rights under applicable data protection laws in relation to your personal data, including the UK and EU General Data Protection Regulation (collectively “GDPR”) or the UK Data Protection Act of 2018 (“DPA”). Subject to certain exceptions and limitations, these rights include:
- The Right to Access: You have the right to request copies of your personal data we process about you.
- The Right to Rectification: You have the right to request that we correct personal data about you that is inaccurate, and to complete information that is incomplete.
- The Right to Erasure: You have the right to request that we erase your personal data if there is no further legal ground for processing such personal data.
- The Right to Data Portability: Under certain conditions, you have the right to request that the data controller transfer your personal data to another organization or directly to you.
Please note that not all these rights may be capable of exercise, depending on where you reside. If you have any questions about your rights, please contact our Data Protection Officer, as explained in the section, How to Contact Us.
In addition, the GDPR requires data controllers to separately and explicitly highlight that you have the right to object to any processing based on the data controller’s legitimate interests (upon which we routinely rely as our legal basis) on grounds relating to your particular situation. However, the data controller may demonstrate either compelling legitimate grounds for the processing that override your interests or that the processing is based on the establishment, exercise, or defence of a legal claim, in which case the processing may continue.
Finally, you have the right to lodge a complaint with a supervisory authority, as explained more fully in the section, How to Contact Us.
Where our processing of your personal data is based on your consent for a specific purpose, you can withdraw that consent. If you withdraw your consent, Baker Botts will no longer process your personal data for that specific purpose unless we have another legitimate basis for processing under applicable laws.
If you exercise your applicable rights, Baker Botts will not discriminate against you. Requests submitted pursuant to the GDPR will be honored within 30 calendar days. If more time is needed to respond, we will notify you.
California Disclosures
These disclosures are provided by Baker Botts and apply solely to residents of the State of California (“consumers” or “you”) with respect to personal data, referred to herein as personal information, Baker Botts collects and processes as a business.
Any terms defined in the California Consumer Privacy Act of 2018, as amended from time to time, including by the California Privacy Rights Act of 2020 and its implementing regulations (“CCPA”) have the same meaning when used in these disclosures. These disclosures do not reflect our collection, use, or disclosure of California residents’ personal information, or data subject rights, where an exception or exemption under the CCPA applies.
We have set out below categories of personal information about California resident website visitors, clients, prospective clients, corporate representatives of our vendors and other partners, and job applicants and other potential employees. We do not sell, or share, for cross context behavioral advertising any personal information of California residents.
| Personal Information Categories | Personal Information | Collection and Disclosure Purpose | Collection Source |
|---|---|---|---|
| Identifiers | First and last name; telephone number; email address; physical address; unique personal identifier; online identifier; photos or images of you; certain government identifiers for job applicants (e.g., social security number, state identification number) | To provide our services and other information. For marketing and advertising purposes. For business operations, management, performance, or contact purposes. To process and review your job application. For internal auditing, fraud prevention, and security purposes. In response to law enforcement or legal requests or requirements. In connection with a transfer in the event of a corporate sale or change of control. | You; Your device(s) |
| Personal information categories listed in California Customer Records statute (Cal. Civ. Code § 1798.80(e)) | Identifiers (as described above); account credentials; bank account number; credit card number; financial information; education; and employment history; or other sensitive personal information only if it is actively provided to us | To provide our services and other information. For business operations, management, performance, or contact purposes. For internal auditing, fraud prevention, and security purposes. In response to law enforcement or legal requests or requirements. In connection with a transfer in the event of a corporate sale or change of control. | You; Service provider(s); Third parties |
| Protected Classifications under California or federal law | Only in connection with specific services or for job applicants: age, race; color; religion or creed, medical condition; physical or mental disability; gender identity; sexual orientation, veteran or military status; and health data | To provide our services and other information. For business operations, management, performance, or contact purposes. To process and review your job application. For internal auditing, fraud prevention, and security purposes. | You |
| Commercial information | Marketing requests or subscriptions; event / seminar registrations; content download | To provide our services and other information. For marketing and advertising purposes. For business operations, management, performance, or contact purposes. | You; Baker Botts; Service provider(s); Third parties |
| Sensory Information | Audio; surveillance information, such as call monitoring or recording and video surveillance; dietary preferences | To provide our services and other information. For marketing and advertising purposes. For business operations, management, performance, or contact purposes. For internal auditing, fraud prevention, and security purposes. In response to law enforcement or legal requests or requirements. | You; Baker Botts; Service provider(s) |
| Professional or employment information | Only for job applicants: current or past job history; performance evaluations; professional address, telephone number, or email address; wage and benefit information; health and safety information (if relevant to your employment); job restrictions; workplace illness and injury information; disciplinary records; professional memberships; trade union memberships | For business operations, management, performance, or contact purposes. To process and review your job application. | You; Baker Botts; Service provider(s); Third parties |
| Non-public education information per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99) | Only for job applicants: education records such as grades; transcripts; class lists; student schedules; student identification codes; student financial information; student disciplinary records | For business operations, management, performance, or contact purposes. To process and review your job application. | You; Service provider(s); Third parties |
| Internet or Other Similar Network Activity | Browsing history; search history; information on your interaction with our Site via analytical and logging tools, application, or advertisement; IP address | For business operations, management, performance, or contact purposes. To provide our products, services, and other information. For marketing and advertising purposes. For internal auditing, fraud prevention, and security purposes. | You; Your device(s); Service provider(s); Third parties |
| Geolocation data | Device location via IP address | | Your device(s) |
| Inferences | Preferences (e.g., marketing or communication preferences); certain inferences about a job applicant (e.g., preferences, characteristics, attitudes, intelligence, abilities, and aptitudes) | | You; Baker Botts |
If you are a resident of California, you may have certain rights under applicable data protection laws in relation to your personal data, including the CCPA. Subject to certain exceptions and limitations, these rights include:
- The Right to Know. You have the right to request certain information about parties to whom we have disclosed or sold your personal data in the prior calendar year and a description of the categories of personal data shared.
- The Right to Data Portability. A subset of the Right to Know, this requires us to provide you the specific personal data about you that we collect and process in a portable and, to the extent technically feasible, readily-useable format that allows you to transmit the information to another entity without hindrance.
- The Right to Delete. Subject to exceptions, the right to delete requires us to delete or de-identify your personal data.
- The Right to Opt-Out. This right allows you to opt-out of the disclosure of your personal data when that disclosure (also known as a “sale” as defined in the CCPA) is made by us in exchange for valuable consideration (whether for money or otherwise). Though you may submit such a request, we do not sell or rent your personal data to third parties for monetary or other valuable consideration and have not done so in the 12 months prior to the effective date of this privacy policy.
- The Right to Request a Record of Third-Party Direct Marketing Disclosures: Also known as the “Shine the Light” law, this permits California residents to request and obtain from us a list of what personal data we disclosed to third parties for direct marketing purposes in the preceding calendar year and the names and addresses of those third parties.
If you exercise your applicable California rights, Baker Botts will not discriminate against you. Requests to know, port, or delete your personal data will be honored within 45 days. Requests to opt-out of the sale of personal data will be honored, to the extent applicable, within 15 calendar days. Requests for a record of direct marketing disclosures will be honored within 30 calendar days. If more time is needed to respond, we will notify you.
Notice to California Residents
Do Not Track. We use analytics systems and providers that may collect information about your online activities, and these services may provide some of this information, which may include personal data, to us. We do not currently process or comply with any web browser’s “do not track” signal or similar mechanisms. Note, however, that you may find information about how to opt-out of these analytics and/or block or reject certain tracking and cookie technologies in our Cookies Policy.
International Transfer of Your Personal Data
If you are a resident of the UK or the EU, we may transfer your personal data to a third country outside of the UK or the European Economic Area (EEA). When we initiate such a transfer, for example to one of our offices located in the United States, Dubai, Riyadh, or Singapore, or to one of our contracted service providers located outside the UK or the EEA, we ensure that an equivalent level of protection is provided to your personal data through one or more of the following: (i) an adequacy decision from the European Commission; (ii) use of the standard contractual clauses approved by the European Commission; (iii) use of the international data transfer agreement issued under s.119A of the UK’s DPA; (iv) by use of applicable derogations outlined in Article 49 of the GDPR; and/or (v) with your consent.
By submitting your personal data to us, you consent to our transfer of that personal data outside the UK or the European Economic Area should we need to do so.
For personal data transferred pursuant to standard contractual clauses or the international data transfer agreement, you may obtain copies of those clauses by contacting our Data Protection Officer as outlined in the section, How to Contact Us.
If you are a resident of Singapore, we may transfer your personal data to a third country outside Singapore. When we initiate such a transfer, for example to one of our offices located in the United States, London, Brussels, Dubai or Riyadh, or to one of our contracted service providers located outside Singapore, we ensure that we will comply with our obligations under the PDPA and that the recipient outside Singapore is bound by legally enforceable obligations to provide a standard of protection equivalent to that under the PDPA.
How We Protect Your Personal Data
We have put in place physical, administrative, and organizational security measures to protect your personal data from being accidentally lost, used, altered, accessed, or disclosed in an unauthorized manner. We have put in place procedures to address suspected security breaches and will notify you and any applicable regulator in the event of a compromise or breach of your personal data where we are legally required to do so.
However, no method of safeguarding information is completely secure. While we use measures designed to protect your personal data, we, unfortunately, cannot guarantee that our safeguards will be effective or sufficient. In addition, you should be aware that Internet data transmission is not always secure, and we cannot warrant that information you transmit to us is or will be secure.
How Long We Retain Your Personal Data
We retain your personal data for as long as necessary to fulfil the purpose for which we collected it, including any legal, regulatory, tax, accounting, or reporting requirements, and to the extent we reasonably deem necessary to protect our rights, property, or safety, and the rights, property, and safety of our users and other third parties. For details on the retention periods applicable to specific elements of your personal data, please contact our Data Protection Officer as outlined in the section, How to Contact Us.
Third-Party Websites and Links
Our website and other services may contain links to other websites or otherwise direct you to a third party over which we have no control and whose privacy policies may differ from ours. You should consult the privacy policies or statements for those third parties and we do not accept any responsibility for their use of your personal data that you may provide.
Automated Decisions Using Your Personal Data
Your personal data will not be used for automated decision-making by Baker Botts.
Your Choices
In addition to the applicable rights outlined above, you have choices about how we communicate with you and how we process certain personal data about you.
- Communications Opt-Out. You may opt-out of receiving marketing, promotional, or other communications from us at any time by following the link in a marketing communication email or by emailing us at [email protected].
- Cookies and Web Tracking. Consult our Cookies Policy for more information about how to control and/or opt out of certain cookies and web tracking technologies.
Minors
We do not promote, market, or direct our services to minors. As a result, we do not knowingly collect or solicit personal data from anyone under the age of 18. By using our site, you represent that you are not under 18 years of age.
Revisions to this Privacy Policy
Baker Botts reserves the right to revise or modify any part of this Privacy Policy from time to time. Please review the policy periodically to check for changes. For substantive revisions, we will ensure that the notice of revision, along with a summary of such revisions, is conspicuous and accessible.
How to Exercise Your Privacy Rights
You may contact us at [email protected].
In most cases, you will not have to pay a fee to access your personal data or to exercise your other rights. However, to the extent permitted by applicable law, we may either charge a reasonable fee or refuse to comply if your request is unfounded, repetitive, or excessive.
In most instances we are legally required to request specific information from you, including personal data, to verify your request and identity. We may also contact you to ask for further information and clarification of a request to enable us to comply with it as quickly as possible. This is a security measure to ensure that your personal data is not disclosed to any data subject(s) not authorized to receive it. In addition, if you request that we provide you with specific pieces of personal data, we require you to sign a declaration under penalty of perjury that you are the data subject whose personal data is the subject of the request.
Finally, you may use an authorized agent to make a request under the CCPA on your behalf. If you designate an authorized agent to make an access or deletion request on your behalf (a) we may require you to provide the authorized agent written permission to do so, and (b) for access and deletion requests, we may require you to verify your own identity directly with us.
How to Contact Us
If you have questions relating to this privacy policy or our processing of your personal data in the United States, please contact our U.S. privacy officer at:
Email:
Postal:
Baker Botts L.L.P.
101 California Street
Suite 3200
San Francisco, CA 94111
Attn: Privacy Officer
If you have any questions relating to this privacy policy or our processing of your personal data outside of the United States, please contact our United Kingdom-based privacy officer at:
Email:
Postal:
Baker Botts (UK) LLP
Level 30
20 Fenchurch Street
London EC3M 3BY
United Kingdom
Attn: Data Protection Officer
If you are resident in the UK or the EU, you also have the right to make a complaint about our processing of your personal data to your national supervisory authority for data protection. Alternatively, you may contact the United Kingdom Information Commissioner’s Office at www.ico.org.uk or by telephone on +44 (0)303 123 1113. If you do have a complaint, we would welcome the opportunity to discuss it with you before you contact your national supervisory authority or the United Kingdom Information Commissioner’s Office.
Policy Date: December 7, 2023
[1] Baker Botts is used in this privacy policy to refer to Baker Botts L.L.P., Baker Botts (UK) LLP and Baker Botts (Belgium) LLP, and Baker Botts (Singapore) LLP, each of which is a separate entity.