This policy is intended to be consistent with (and supplement) our obligations under applicable laws, including the Gramm-Leach-Bliley Act, a 1999 US federal financial law (hereinafter referred to as “the GLB Act”), and the EU General Data Protection Regulation (“GDPR”).
Information We Collect and How We Use It
Steptoe may collect various types of personal information directly from you and third parties such as clients, prospective clients, former clients, accountants, financial advisors, insurance agents, banking institutions, and other advisors. Steptoe collects personal information when you, your organization, or a third party that holds your personal information retains Steptoe to provide legal advice or other services; when you, your company, or a third party that holds your personal information makes inquiries regarding our services; when you use the Steptoe website or provide personal information during Steptoe events and webinars; when you provide us with your personal information at professional events or other events; when you or a person who holds your personal information provide information to us for the purpose of recruitment; and when you or your organization provides or offers services to us.
Examples of personal information that we collect are contact information, such as name, physical and email address; financial data, such as bank account or credit card information, accounts receivable or payable balance information, personal balance sheet, and income information; services information, including business information necessary for us to perform services requested by our clients; user data and usage information collected by the Steptoe website or provided by you when using our electronic services; marketing data, including information provided by you about your preferences for marketing material and updates on legal developments; professional information, including job title, previous positions, employment history, academic record, awards, and membership in professional organizations; and other screening and due diligence information, such as information we are legally or professionally required to collect from third parties when evaluating whether we can provide you or your organization services. Steptoe sometimes collects nonpublic personal information that you, your organization, or a third party with your personal information provides to our Firm for the purpose of providing services. Nonpublic information can include the fact that an individual is or has been a client.
We use your personal data for a number of purposes and activities, such as to provide legal advice and other services for our clients; to evaluate prospective clients in accordance with our professional and legal obligations; to manage our business relationships with our clients and service providers; to analyze and improve the Steptoe website and our marketing services and communications; to evaluate and interview job applicants, service providers, or other third parties; to comply with our legal obligations, including conducting due diligence, know-your-client, and other compliance obligations, and responding to legal requests for information or court orders; and to protect and manage our business, including analyzing and improving data security, acquiring insurance and managing liability, assessing compliance with our policies, and defending our legal rights. We will not use your personal data to take any automated decision affecting you, or create profiles other than those described above.
We use your personal data only when necessary to enter or perform a contract with you; when necessary to comply with our legal or regulatory obligations; where necessary to pursue our or a third party’s legitimate interests, provided that your fundamental rights and freedoms do not outweigh that interest; or where you have provided your consent. Our legitimate interest in processing your data is to provide legal services to our clients in accordance with applicable law and our professional responsibilities; to secure prompt repayment of fees, costs, and debts; and to promote and market our legal and other client services.
We may also use your personal information to provide you information about legal developments and to conduct other marketing activities. These activities may involve emails, other online content, and invitations to physical meetings. You may opt out of receiving such communications at any time.
Sharing Your Information
Steptoe does not sell or otherwise share personal information with third-party marketers offering their products and services. Accordingly, you do not need to take any action to prevent disclosure.
We do not disclose any nonpublic personal information about clients, prospective clients, or former clients except as required or permitted by law; as required to provide services to our clients; or in limited situations in which we must defend our legal rights. Under US federal law and GDPR, we are generally permitted to disclose nonpublic personal information under certain circumstances such as: (a) when you consent; (b) when disclosure is necessary to carry out a transaction that you have requested; (c) pursuant to our or a third party’s legitimate interests, provided that your fundamental rights and freedoms do not outweigh that interest; or (d) to comply with a properly authorized subpoena or similar legal process. Even if applicable law permits us to disclose your nonpublic personal information, we will not disclose such information unless we are permitted to do so under the Rules of Professional Conduct of the District of Columbia or other applicable jurisdiction.
Attorneys, unlike many others who handle your personal information, are subject to Rules of Professional Conduct, often referred to as “ethical rules.” These ethical rules limit an attorney’s disclosures of information obtained in the course of representing clients in ways that are more restrictive than applicable laws. The GLB Act and GDPR may permit disclosures in circumstances in which disclosure would be prohibited, absent your consent, by such ethical rules. As attorneys, we are bound by such ethical rules, without regard to the GLB Act or GDPR. This means that, even if applicable law would permit us to disclose nonpublic information about you, we will not do so if such disclosure would violate these ethical rules.
Protecting the Confidentiality of Nonpublic Personal Information
We value your trust and handle information about you with care. It is our policy to restrict access to personal information about you. To protect your personal information, Steptoe maintains physical, electronic, and procedural safeguards to avoid unauthorized disclosure.
Rights Regarding Your Information
You may request access to, correction or deletion of your personal information held by Steptoe. We will consider any such request seriously, although we may choose not to delete information where it is necessary for compliance with our professional obligations or provision of services to others, or we otherwise have a substantial need to retain the data. You may also have rights (including under GDPR, where applicable, and subject to conditions) to restrict or to object to processing of your data and to portability of your data to other service providers. You may exercise any of these rights by contacting us as described below.
Retention of Information
We keep personal information obtained during the course of client representations for a period of time that is consistent with our professional responsibilities and that is reasonably necessary for the purpose for which the data was collected and to protect and defend Steptoe against legal claims.
For other types of personal information, we will retain the data until no longer reasonably necessary for the purposes for which it was collected or until consent to hold the data is revoked, provided that there is no other basis for us to hold the information and the deletion of the personal information is legal and consistent with our professional responsibilities.
In our activities outside the United States and/or involving persons located outside the United States, we comply with the privacy laws applicable to those activities, which may impose obligations in addition to those of US law.
For activities in the European Union or involving EU residents, we comply with GDPR, including by obtaining consent for processing of personal information. Steptoe has a number of offices and may transfer your personal information to a foreign jurisdiction that does not provide a similar level of protection for that data. In such circumstances, Steptoe will ensure that safeguards are applied to your data, such as the use of specific contracts approved by the European Commission.
If you have any questions about our privacy practices or if you feel that we have not handled information about you properly, please contact us at +1 202 429 3000, or firstname.lastname@example.org so that we may address your inquiry or issue.