GDPR Client Privacy Addendum

1. Introduction

This GDPR Privacy Addendum supplements the information in the Foley & Lardner LLP Client Privacy Notice and applies to Clients and Related Entities who are located in the European Economic Area.  

This GDPR Client Privacy Addendum (the “GDPR Client Privacy Addendum”) supplements the information contained in the Foley & Lardner LLP Client Privacy Notice and applies solely to all Clients and Related Entities who are located in the European Economic Area, the United Kingdom, or Switzerland. We adopt this GDPR Client Privacy Addendum to comply with the General Data Protection Regulation (2016/679) and any implementing acts of the foregoing by any of the member states of the European Economic Area, the United Kingdom, or Switzerland (collectively, “GDPR”) and any terms defined in the GDPR or our Client Privacy Notice have the same meaning when used in this GDPR Client Privacy Addendum. This GDPR Client Privacy Addendum takes precedence over anything contradictory in our Client Privacy Notice. 

2. Data Controller, Data Protection Officer, and Representative

Foley and our Clients are independent data controllers of the Personal Data provided to Foley in connection with a matter. Foley has appointed a Data Protection Officer and a representative in the European Union. 

Foley and its Clients are independent data controllers of the Personal Data we process. Foley has appointed a Data Protection Officer and a representative in the European Union in compliance with the General Data Protection Regulation. Foley, its Data Protection Officer, or its representative may be contacted in any manner set forth below in the “Contact Information” Section of this GDPR Client Privacy Addendum. 

3.  Information We Collect About Client’s and Related Entities and How We Collect It

The Personal Data that Foley collects about Clients and Related Entities is described in our Privacy Notice

The Personal Data Foley collects and the ways that we collect it about our Clients and Related Entities is described in our Privacy Notice. The Personal Data we collect from our Clients may be required to enter into a contract for our services. Failure to provide any Personal Data about a Client or a Related Entity may impact Foley’s ability to provide our Client with representation in the Matter.

4. Lawful Basis for Processing Our Clients’ and Related Entities’ Personal Data

We have a lawful basis for our processing of Personal Data, including processing for our legitimate interests (when balanced against an individual’s rights and freedoms), to fulfill our obligations pursuant to our contract with our Clients, as required by law, and with our Clients or Related Entities consent. 

The processing of our Clients’ and Related Entities’ Personal Data is lawful only if it is permitted under the GDPR. We have a lawful basis for each of our processing activities (except when an exception applies as described below):

• Consent. Our Clients or Related Entities our Clients or Related Entities consent to our collection, use, and sharing of such Personal Data as described in our Client Privacy Notice and this GDPR Client Privacy Addendum when they provide us with Personal Data. 
  
• Legitimate Interests. We will process Personal Data as necessary for our legitimate interests or the legitimate interests of our Clients, Related Entities, or other third parties. These legitimate interests are balanced against our Clients’ and Related Entities’ interests and rights and freedoms and we do not process Personal Data if the affected individuals’ interests or rights and freedoms outweigh these legitimate interests. Our legitimate interests are to: facilitate communication between Foley and our Client and other Related Entities; to bill and collect our legal fees, to comply with the applicable Rules, including Rules relating to client confidentiality; and to provide our legal services to our Clients; 
  
• To Fulfill Our Obligations to our Client’s under our Contract. We process our Clients’ Personal Data in order to fulfill our obligations to our Clients pursuant to our contract with our Clients to provide our legal services;
  
• As Required by Law. We may also process Personal Data when we are required or permitted to by law; to comply with government inspections, audits, and other valid requests from government or other public authorities; to respond to legal process such as subpoenas and other similar discovery requests; or as necessary for us to protect our interests or otherwise pursue our legal rights and remedies (for instance, when necessary to prevent or detect fraud or other criminal and tortious activities, defend litigation, and manage complaints or claims). We may also process Personal Data as required to comply with the applicable Rules, including Rules related to client confidentiality. 

5.  Special Categories of Information

We may process some Personal Data considered sensitive when necessary for the establishment, exercise, or defense of the legal claims of our Clients or to otherwise provide our Client with our legal services.

Some Personal Data processed by Foley may be considered sensitive, including personal data that reveals an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade unions membership, or personal data concerning such an individual’s health or data concerning such an individual’s sex life or sexual orientation or history of criminal convictions. Foley processes this information only to the extent necessary for the establishment, exercise, or defense of the legal claims of our client and to perform our legal services related to the Matter or as otherwise provided under applicable law.  

6. Automated Decisions Making

We generally do not use Personal Data with any automated decision making processes.

Foley does not use Personal Data with any automated decision making process, including profiling, which may produce a legal effect concerning the individual or similarly significantly affect the individual.

7.  Clients’ and Related Entities’ Rights Regarding Their Information and Accessing and Correcting Their Information

Clients and Related Entities may have certain rights under the GDPR, including the right to access and update their Personal Data, restrict how it is used, transfer certain Personal Data to another controller, withdraw the Client’s or Related Entities consent at any time, and the right to have us erase certain Personal Data about our Client or Related Entity. However, Clients’ and Related Entities’ rights may be limited as a result of our role as attorneys, including when we have a claim of legal privilege. Clients and Related Entities also have the right to complain to a supervisory authority about our processing of their Personal Data. 

The GDPR may provide our Clients and Related Entities with certain rights with regards to our processing of their Personal Data. However, in our role as attorneys, these rights may be limited in whole or in part when a claim of legal privilege applies, or when we are unable to comply for the prevention, investigation, detection, or prosecution of criminal offenses, or the execution of criminal penalties. These rights may also be limited in some jurisdictions as a result of our professional obligations of confidentiality. Subject to these limitations, some or all of the following rights may be available under applicable law:

• Access and Update. Clients and Related Entities may review and change their respective Personal Data by contacting us at the Contact Information below or by contacting the Client’s relationship partner of any changes or errors in any Personal Data we have about the Client or a Related Entity to ensure that it is complete, accurate, and as current as possible. We may also not be able to accommodate a Client’s or a Related Entities request if we believe it would violate any law or legal requirement or cause the information to be incorrect. 
  
• Restrictions. Clients and Related Entities may have the right to restrict our processing of their Personal Data under certain circumstances. In particular, Clients and Related Entities can request that we restrict our use of it if the Client or the Related Entity contests its accuracy, if the processing of the Client’s or a Related Entity’s Personal Data is determined to be unlawful, or if we no longer need the applicable Client’s or Related Entity’s Personal Data for processing but we have retained it as permitted by law. 
  
• Portability. To the extent the Personal Data provided to Foley is processed based on the Client’s or a Related Entity’s consent and that we process it through automated means, Clients and Related Entities may have the right to request that we provide them a copy of, or access to, all or part of such Personal Data in structured, commonly used and machine-readable format. Clients and Related Entities also have the right to request that we transmit this Personal Data to another controller, when technically feasible. 
  
• Withdrawal of Consent. To the extent that our processing of a Clients or Related Entities Personal Data is based on their consent, such Client may have the right to withdraw their consent by terminating the Client’s engagement with Foley. Withdrawing consent will not, however, affect the lawfulness of the processing based on the Client’s or a Related Entity’s consent before its withdrawal, and will not affect the lawfulness of our continued processing that is based on any other lawful basis for processing the Client’s or a Related Entity’s Personal Data. 
  
• Right to be Forgotten. Clients may, under circumstances defined by applicable law, have the right to request that we delete all of the Client’s and applicable Related Entities’ Personal Data. We cannot delete the Client’s and Related Entities’ Personal Data except by also terminating our representation of our Client in the Matter, and we will only terminate such representation when we are permitted to do so under applicable law. We may not accommodate a request to erase information if we believe the deletion would cause the information to be incorrect, or would violate any law or legal requirement, including any obligations for law firms to retain Client and Related Entity Information, which may include such retention for conflicts of interests purposes and financial records requirements. We may also retain your Personal Data when necessary for the Firm’s establishment, exercise, or defense of legal claims. In all other cases, we will retain our Client’s and the appliable Related Entities’ Personal Data as set forth in this policy. In addition, we cannot completely delete our Client’s and the applicable Related Entities’ Personal Data as some data may rest in previous backups. These will be retained for the periods set forth in our document retention and information governance policies. 
  
• Complaints. Clients and Related Entities may have the right to lodge a complaint with the applicable supervisory authority in the country that they live in, the country they work in, or the country where they believe their rights under applicable data protection laws have been violated. However, before doing so, we request that Clients and Related Entities contact us directly in order to give us an opportunity to work directly with them to resolve any concerns about their privacy. 
  
• How Clients and Related Entities May Exercise Their Rights. Subject to the limitations described above, Clients and Related Entities may exercise any of the above rights by contacting us through any of the methods listed under Contact Information. If a Client or Related Entity contacts us to exercise any of the foregoing rights, we may ask them for additional information to verify their identity. We reserve the right to limit or deny our Client’s or Related Entity’s request if they have failed to provide sufficient information to verify their identity or to satisfy our legal and business requirements, including any claim of legal privilege or pursuant to our obligation of professional secrecy or other equivalent obligations, where we are permitted to do so under applicable law. Please note that if a Client or a Related Entity makes unfounded, repetitive, or excessive requests (as determined in our reasonable discretion) to access their Personal Data, they may be charged a fee subject to a maximum set by applicable law.

8.  Consent to Processing of Personal Data in the United States

We may process our Clients’ and Related Entities’ Personal Data outside of their home country, including to the United States. We only do this when we are legally permitted to do so and when we have appropriate safeguards in place to protect our Clients’ and Related Entities Personal Data. 

If a Client or a Related Entity is located in the European Economic Area (“EEA”), in order to provide our legal services to our Clients, we may send and store Clients’ and Related Entities’ Personal Data outside of the EEA, including to the United States. Accordingly, their Personal Data may be transferred outside the country where they reside or are located, including to countries that may not or do not provide an equivalent level of protection for Clients’ and Related Entities’ Personal Data. Clients’ and Related Entities information may be processed and stored in the United States and United States federal, state, and local governments, courts, or law enforcement or regulatory agencies may be able to obtain disclosure of their information through the laws of the United States. By using our legal services, our Clients represent that they have read and understood the above and hereby consent to the storage and processing of Personal Data outside the country where the Client or Related Entity resides or are located, including in the United States and that they have obtained all necessary consents and have all necessary rights to provide Foley with such Personal Data. 

Clients’ and Related Entities’ Personal Data is transferred by Foley to another country only if it is required or permitted under applicable data protection law and provided that there are appropriate safeguards in place to protect their Personal Data. To ensure that Clients’ and Related Entities’ Personal Data is treated in accordance with our Client Privacy Notice and this GDPR Client Privacy Addendum when we transfer it to a third party, Foley uses Data Protection Agreements between Foley and all other recipients of their data when appropriate and necessary and that include, where applicable, the Standard Contractual Clauses adopted by the European Commission (the “Standard Contractual Clauses”). The European Commission has determined that the transfer of Personal Data pursuant to the Standard Contractual Clauses may provide for an adequate level of protection of our Clients’ and Related Entities’ Personal Data, but may need to be supplemented with additional measures on a case-by-case basis. The Standard Contractual Clauses have been supplemented in this way when we believe it to be appropriate and necessary. Under these Standard Contractual Clauses, our Clients’ and Related Entities’ have the same rights as if their data was not transferred to such third country, however these rights may be limited on occasion due to our role as attorneys as may be permitted by applicable law or rules of professional responsibility. Clients and Related Entities may request a copy of the Data Protection Agreement by contacting us through the Contact Information below. 

9. Data Retention Periods

We retain our Clients’ and Related Entities’ Personal Data in accordance with our internal document retention policies. Unless instructed otherwise, we may keep all information related to a Matter for at least ten (10) years following the conclusion of the Matter. We may also keep our Clients’ and Related Entities’ information for a longer period:

• on our backup and disaster recovery systems;
• for as long as necessary to protect our or our Clients’ legal interests; and
• to comply with other legal requirements or obligations under the Rules of Professional Conduct.

Foley retains our Clients’ and Related Entities’ Personal Data in accordance with our internal document retention policies, including for the period we represent our Client in the Matter. We may also retain Personal Data for a minimum of ten (10) years following the conclusion of the Matter. After this time, we may retain our Clients’ and Related Entities’ Personal Data and other information:

• for as long as necessary to comply with any legal requirement; 
  
• on our backup and disaster recovery systems in accordance with our backup and disaster recovery policies and procedures;
  
• for as long as necessary to protect our or our Clients’ legal interests or otherwise pursue our legal rights and remedies; 
  
• to comply with our obligations under the Rules of Professional Conduct; and
  
• for data that has been aggregated or otherwise rendered anonymous in such a manner that Clients and Related Entities are no longer identifiable, indefinitely.

10.  Changes to this GDPR Client Privacy Addendum

Foley & Lardner LLP reserves the right to amend this GDPR Client Privacy Addendum at our discretion and at any time and as described in our Client Privacy Notice. When we make changes to this GDPR Client Privacy Addendum, we will post the updated notice on this webpage and update the notice’s effective date. Our Client’s continued use of our legal services following the posting of changes constitutes their acceptance of such changes.

11. Contact Information

Clients and Related Entities may contact our Data Protection Officer through the contact information below. If a Client or Related Entity wishes to contact us, they must contact both us and our representative through the contact information below. 

If Clients or Related Entities have any questions about our processing of their Personal Data, or have any requests related to their Personal Data pursuant to applicable laws, please contact or Data Protection Officer at the contact information below. If Clients or Related Entities have any questions, concerns, complaints or suggestions regarding our Client Privacy Notice, this GDPR Client Privacy Addendum, or otherwise need to contact us, please contact both us (or our Data Protection Office) and our representative in the European Union at the contact information below. 

To Contact Foley (Controller)
Foley & Lardner LLP
Attn: Office of the General Counsel/Privacy Officer
321 N. Clark Street, Suite 2800
Chicago, IL 60654
United States
+1 (833) 701-1071
[email protected]

To Contact Our Data Protection Officer 
Joseph Edmondson
Foley & Lardner LLP
777 E. Wisconsin Avenue
Milwaukee, WI 53202-5306
United States
+1 (414) 271-2400
[email protected]