It is the policy of Sullivan & Cromwell to deal with your personal information responsibly and in accordance with the requirements of applicable data protection laws, including the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). This notice explains how we do that. In this notice, “Sullivan & Cromwell” refers to Sullivan & Cromwell LLP and its affiliated partnerships from time to time. Sullivan & Cromwell LLP is a limited liability partnership registered under the laws of the State of New York.
Nothing stated in this notice is intended to, nor will it, establish a client-attorney relationship with persons reading it. Information provided to us in the course of any attorney-client relationship enjoys a special status and may be protected by confidentiality, the attorney-client privilege, the attorney work product doctrine and other similar protections (whether in the United States or elsewhere). Nothing in this notice detracts from any of the protections that attach to such information.
We operate an Alumni Network which can be accessed only by registered alumni and current Sullivan & Cromwell lawyers. A privacy notice specific to members of the Alumni Network using that service is available at https://alumni.sullcrom.com/etc/tend4.php. In addition, a privacy notice specific for individuals applying for employment with Sullivan & Cromwell is available here.
We may collect personal information from you in the course of our business, including through your use of our website, when you visit any of our office buildings, when you contact or request information from us, when you engage us to provide legal services or as a result of your relationship with any member of our personnel or our clients.
The personal information that we process includes:
The personal information we collect may include special categories of data.
We use the information that we collect in a number of ways, including:
We process personal information on one or more of the following grounds:
Sullivan & Cromwell has offices around the world.
Personal information that is given to a Sullivan & Cromwell office may be transferred to one or more other offices in our network (including any office we may open in the future).
We may also share your personal information with third parties in accordance with contractual arrangements in place with them, including:
In some circumstances, we may also pass information to regulatory authorities, courts, tribunals, government agencies and law enforcement agencies. We may be required to disclose your information to comply with legal or regulatory requirements. Where possible, we will use reasonable efforts to notify you before disclosing your information, but we may be legally restricted from doing so.
The information sharing described above may involve a transfer of your information from a location within the European Economic Area (the “EEA”) to outside the EEA, or from outside the EEA to a location within the EEA. The level of information protection in countries outside the EEA may be less than that offered within the EEA. We will implement appropriate measures to ensure that your personal information nevertheless remains protected and secure in accordance with applicable data protection laws. EU standard contractual clauses are in place between all Sullivan & Cromwell entities that share and process personal data.
Sullivan & Cromwell LLP uses a private cloud hosted service for its document management system. The system utilizes state-of-the-art security, encryption, event monitoring and disaster recovery.
We use a variety of technical and organizational measures to help protect your personal information from unauthorized access, use, disclosure, alteration or destruction consistent with applicable data protection laws. These measures are reviewed periodically by external assessors who confirm and certify our operations. Accordingly, we hold certificate #IS 585222 and operate an Information Security Management System which complies with the requirements of ISO/IEC 27001:2013.
The GDPR and other applicable data protection laws provide certain rights for data subjects. Broadly speaking you have, or may have, the right (as more fully provided in applicable data protection laws):
It is important to be aware that these rights may not be absolute. For example, if you withdraw your consent to our processing of your personal information, we may be able to continue to process your personal information to the extent required or otherwise permitted by law, in particular in connection with exercising and defending our legal rights or meeting our legal and regulatory obligations.
Pursuant to the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), California residents receive certain rights with respect to their personal information, as described below. These rights are not absolute and are subject to certain exceptions more fully set forth in the CCPA. California residents have the right not to receive discriminatory treatment from us for the exercise of the privacy rights conferred by the CCPA.
Each California resident has the right to request, subject to certain exceptions described in the CCPA, that we disclose to that resident:
To make such a Request to Know, you can either call us at our toll free number (1-888-558-1505), or fill out our request form here.
In the past twelve months we have collected, and in the future we will continue to collect, the categories of personal information cited in the section entitled “The personal information we collect” above. This includes the following categories of personal information set out in the CCPA: identifiers, personal information described in Section 1798.80 of the California Civil Code, characteristics of protected classifications under California or federal law, biometric information, Internet or other electronic network activity information, geolocation data, audio, electronic, visual, thermal, olfactory, or similar information, professional or employment-related information and sensitive personal information. We collect this information from the sources described in the section entitled “How we collect personal information” above, use this information as described in the section entitled “How we use personal information” above, and share this information with third parties as described in the section entitled “Sharing personal information” above.
We do not sell your personal information as defined under the CCPA or share your personal information for cross-contextual behavioral advertising purposes and we do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age. We do not use or disclose sensitive personal information for purposes other than those permitted purposes specifically identified in the CCPA and its implementing regulations.
Each California resident has the right to request the deletion of their personal information that we collect or maintain (a “Request to Delete”), subject to certain exceptions set forth in the CCPA. To make such a Request to Delete, you can either call us at our toll free number (1-888-558-1505), or fill out our request form here.
Each California resident has the right to request the correction of any inaccurate personal information that we maintain (a “Request to Correct”), subject to certain exceptions set forth in the CCPA. To make such a Request to Correct, you can either call us at our toll free number (1-888-558-1505), or fill out our request form here.
In order to protect your privacy and security, prior to completing any Request to Know, Request to Delete or Request to Correct that you may submit, we must verify your identity. We will verify your identity by asking you to provide certain data that we have already collected from you to confirm that they match our records. In certain instances, additional verification steps may be required.
California residents have the right to designate an authorized agent to make a request under the CCPA on their behalf. Prior to completing a request made by such an authorized agent, we require that you provide your authorized agent with written permission to submit such a request and require that you or your authorized agent provide us with a copy of such written permission. Additionally, we require that you verify your identity pursuant to the procedure described above.
We retain personal information of different types, or relating to different categories of people, for different periods, taking into account its business purpose. For example, information about individuals who have applied for employment with us will be retained for a shorter period than information about individuals who have actually worked for us. The periods for which we retain information are based on the requirements of applicable data protection laws and the purpose for which the information is collected and used. We take into account legal and regulatory provisions which require information to be retained for a minimum period. We also consider the limitation periods for taking legal action and good practice in the legal industry.
If you have any questions on the matters covered in this policy, please contact our Data Protection Officer, Craig Jones, at DPO@sullcrom.com.
This policy was last updated on June 7, 2023.
We will use the personal data that we have collected for use in Japan for the following purposes:
In the ordinary course of our business, we may transfer information, including certain personal data (such as name, home address, business address, email address, phone number, job title, other contact details) that we have collected for use in Japan, between and among our offices around the world in order to achieve the purposes described above.
Also, in the ordinary course of our business, we may transfer such information to third parties in order to fulfill our obligations to our clients, personnel and other individuals.
Upon request by an individual whose personal data we have collected for use in Japan for disclosure, correction, addition, deletion, temporary suspension or termination of our use or transfer to third parties of the information, we will address such request in accordance with the applicable requirements under the Law Concerning Protection of Personal Information. We may charge a handling fee in respect of a request for disclosure of personal data.
Any request or inquiry about personal information we have collected for use in Japan should be directed to the office manager of our Tokyo office at email@example.com.
The Transparency in Coverage Rule, issued in 2020 by the U.S. Department of Health & Human Services, U.S. Department of Labor and U.S. Department of the Treasury
This link leads to the machine readable files that are made available in response to the federal Transparency in Coverage Rule and includes negotiated service rates and out-of-network allowed amounts between health plans and healthcare providers. The machine-readable files are formatted to allow researchers, regulators, and application developers to more easily access and analyze data.
Link: https://www.cigna.com/legal/compliance/machine-readable-files [app.connecting.cigna.com]
Sending an e-mail through this web site does not
create an attorney-client relationship. You should not
send us any information through this web site that you
would want treated confidentially.