Privacy Shield Privacy Policy


Introduction

Polsinelli PC, Polsinelli LLP in California (hereinafter, “the Firm” or “Polsinelli”) respects the privacy interests of all clients and third parties. Polsinelli has chosen to voluntarily participate in the Privacy Shield, and to certify its adherence to the EU-U.S. Privacy Shield Framework (“Privacy Shield”) and its Principles, including the Supplemental Principles (collectively, the “Principles”), as set forth by the Department of Commerce. Polsinelli also participates in the U.S.-Swiss Safe Harbor Framework, as applicable. If there is any conflict between the terms of this policy (“Privacy Shield Policy”) and the Principles, the Principles shall govern. Polsinelli is eligible to participate in the Privacy Shield because it falls under the jurisdiction of the Federal Trade Commission (“FTC”). To learn more about the Privacy Shield program, please visit www.privacyshield.gov.

This Privacy Shield Policy outlines Polsinelli’s general policy and practices for implementing the Principles, including the types of Personal Data (as defined herein) Polsinelli receives from our EU clients, how Personal Data is collected, used and retained, and affected individuals’ choices regarding the accuracy, retention and use of their Personal Data. In implementing this policy, Polsinelli has agreed to subject its compliance to the full breadth of regulatory enforcement of the FTC or any other statutory body empowered to enforce compliance with the Principles. Polsinelli will only display its EU-U.S. Privacy Shield certification marks or make other references to its compliance when it is in compliance with each Principle. Evidence of Polsinelli’s participation can be found at: https://www.privacyshield.gov/list.

This Policy supplements, but does not replace, all other policies, practices, and procedures in place at the Firm, including any confidentiality agreement, privacy notice to the client, engagement letter or other similar letters or agreements with a client, as well as applicable laws, the rules of Professional Conduct, and professional standards. Polsinelli affirms that while it understands that certification to the Privacy Shield is voluntary, effective compliance is compulsory. The Principles apply to Polsinelli immediately upon certification.

Polsinelli remains responsible and liable under the Principles if third party agents that it engages to process Personal Data on its behalf do so in a manner inconsistent with the Principles, unless Polsinelli proves that it is not responsible for the event giving rise to the damage.

Definitions

“Personal Data” means information that: (a) is within the scope of the EU Data Protection Directive (95/46/EC) or General Data Protection Regulation as applicable, (b) is received in the U.S. from the EU, EEA and Switzerland, and (c) is recorded in any form.

“Sensitive Information” means Personal Data that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership or that concerns an individual’s health.

Application of the Privacy Shield

Due to the global reach of Polsinelli’s legal services, Polsinelli sometimes collects, analyzes and reviews data that originates from the EU, EEA, or Switzerland on behalf of its clients, adverse parties, or other parties to legal matters as necessary. In turn, Polsinelli may transfer this data to its clients, adverse parties, tribunals, courts, government agencies, vendors, and other third parties to provide legal services, assist in providing legal services, or subject to a client request.

Statement of Purpose

Polsinelli processes Personal Data including client data, data of parties adverse to clients, or other parties to legal matters in order to provide legal services to its clients.

Compliance with the Principles


In providing legal services, Polsinelli may collect or receive a variety of information, including Personal Data, which Polsinelli maintains in accordance with the Principles as described below.

Notice

If a client transfers Personal Data (about its personnel or other data subjects) to us, it will need to ensure that such transfer to the Firm is permissible under applicable law. If the Firm directly collects such Personal Data, it will do so in accordance with the Principles.

Polsinelli shall provide clear and conspicuous notice to inform clients, and individuals where applicable, of the types of Personal Data it collects or receives, uses and retains, and the types of third parties to which Polsinelli may disclose that Personal Data. Polsinelli will inform its clients and business partners (such as vendors) that it participates in the Privacy Shield. Polsinelli may provide notice in a variety of manners, such as contractual language and a clear notification on its website.

Choice


As permitted by law, the Rules of Professional Conduct, or as limited by a court, tribunal, or other government agency, Polsinelli shall provide individuals with a choice and means for limiting the use and disclosure of their Personal Data. Subject to the limitations in the Principles and Supplemental Principles, individuals have the right to choose (opt out) whether their Personal Data is: (a) to be disclosed to a third party, or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized. Individuals may send opt out requests to Privacy@polsinelli.com.

Onward Transfer

The Firm does not disclose Personal Data to third parties except in accordance with the Principles, including as required by law, compelled by tribunals, courts, or government agencies, as required by Rules of Professional Conduct, or as otherwise required, including to meet national security or law enforcement requirements. The following examples are a non-exhaustive list of times where disclosure without express consent may be required or appropriate:
  • when disclosure is impliedly authorized to advance the best interests of the client and is reasonable and customary.
  • to prevent reasonably certain death or substantial bodily harm.
  • to prevent the client from committing a crime.
  • to withdraw an opinion we issued where we believe the opinion is being used to further a fraud.
  • to secure legal advice about our compliance with the law.
  • to defend ourselves against an accusation of wrongful conduct or to collect a fee.
  • to respond to a subpoena served on the Firm or otherwise to comply with law.
  • if the client has offered material evidence to a tribunal that is false and disclosure is necessary as a remedial measure.
Polsinelli shall ensure that any third-party vendor or provider to which Personal Data may be disclosed subscribes to the Principles or is subject to laws providing the same level of privacy protection as is required by the Principles, and agrees in writing to provide an adequate level of privacy protection.

In cases of onward transfer of Personal Data to third parties, Polsinelli is potentially liable for the acts or omissions of its third-party processors or sub-processors.

Data Security

Polsinelli takes reasonable steps to protect the Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction. The Firm has implemented appropriate physical, electronic, and administrative measures, including education and training of our personnel, designed to safeguard and secure Personal Data. Personal Data collected or displayed through a website, or that is transmitted between our offices, is protected in transit by standard encryption processes; however, Polsinelli cannot guarantee the security of information on or transmitted via the Internet.

Purpose Limitation & Data Integrity

Polsinelli agrees to limit Personal Data to the information relevant for the purposes of processing. Polsinelli will not process personal information in a way that is incompatible with the purposes for which it is collected or authorized by the individual.

To the extent practical, Polsinelli will take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete, and current. If an individual becomes aware that information we maintain about that individual is inaccurate, or if an individual would like to update or review his or her information, the individual may contact us using the contact information below. Individuals will be required to sufficiently verify their identity.

Access

As permitted by law, the Rules of Professional Conduct, or as otherwise allowed or practical pursuant to the Principles, individuals may access their Personal Data to correct, amend or delete inaccurate information, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual or as otherwise restricted by law. Individuals may contact Polsinelli using the contact information below.

Recourse, Accountability, and Enforcement

Polsinelli provides a mechanism for assuring its compliance with the Principles. Polsinelli uses both self-assessment and third-party assessments, and at least once a year the Firm will certify that this Privacy Shield Policy is accurate, comprehensive, prominently displayed, implemented and in conformity with the Principles.

The Firm will monitor adherence to the Principles and address questions and concerns regarding their adherence. Personnel who violate the Firm’s privacy policies could be subject to a disciplinary process. 

Individuals may raise any complaints by contacting Polsinelli using the contact information below in the section regarding Dispute Enforcement and Resolution. Polsinelli will respond to an individual complaint within 45 days. If an issue cannot be resolved by our internal dispute resolution mechanism, Polsinelli has chosen the American Arbitration Association (“AAA”) to be its independent recourse mechanism provider based in the U.S. for the Privacy Shield and the Swiss Federal Act of Data Protection, and Polsinelli agrees to be bound by the decision. Individuals may contact Jason Cabrera at AAA, by phone: 011 (212) 484-3207 or by email: CarbreraJ@adr.org, to address complaints. More information about AAA is available at http://info.adr.org/safeharbor, and this dispute mechanism is offered at no cost to the individual. In the event that we or the AAA determine that we did not comply with this Policy, we will take appropriate steps to address any adverse effects and to promote future compliance. 

For any complaints that cannot be resolved with Polsinelli directly or through AAA, Polsinelli has chosen to cooperate with EU data protection authorities (DPAs) and comply with the information and advice provided to it by an informal panel of DPAs in relation to such unresolved complaints (as further described in the Privacy Shield Principles), specifically including, but not limited to, human resources data. Please contact us to be directed to the relevant DPA contacts. As further explained in the Privacy Shield Principles, a binding arbitration option will also be made available to you in order to address residual complaints not resolved by any other means. In the event Polsinelli becomes subject to a U.S. court order or other order based on non-compliance with the Principles, Polsinelli shall make public any relevant sanctions or other findings.

Limitation of the Application of the Principles


Adherence by Polsinelli to the Principles (and this Privacy Shield Policy) will be limited as explicitly permitted by the Principles: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; or (b) by statute, government regulation, or case law that create conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, Polsinelli’s non-adherence is limited to the extent necessary to meet the overriding legitimate interests. Where the option is allowable under the Principles and/or U.S. law, Polsinelli will opt for the higher protection where reasonably possible.

Adherence to the Supplemental Principles

Polsinelli will adhere to the Supplemental Principles, as applicable. 
  1. Sensitive Data. In the course of providing its legal services, Polsinelli may obtain sensitive data such as medical or health information, religious beliefs, or ethnic information. Certain portions of the Sensitive Information may not require affirmative consent because the processing is necessary: (a) to carry out employment law obligations on the Firm’s behalf or on behalf of a client, (b) because it is in the vital interest of the individual or another person, (c) for the defense of legal claims, or (d) because the Sensitive Information is manifestly made public by the individual.
  2. Journalistic Exceptions. Polsinelli does not engage in journalistic activity. 
  3. Secondary Liability. Polsinelli may, in limited circumstances, on behalf of others, transmit, route, switch or cache information such that the secondary liability exception applies.
  4. Performing Due Diligence and Conducting Audits. Polsinelli may participate in audits or conduct due diligence on behalf of the Firm’s clients. Attorneys engaged in due diligence understand that they may process information without knowledge of the individual only to the extent and for the period necessary to meet the requirements or other circumstances in which the Principles would prejudice the legitimate interests of the organization. Therefore, the exception does apply to Polsinelli.
  5. The Rule of Data Protection Authorities (DPA). Polsinelli has set forth the details on its adherence to the Principles, including its commitment to cooperate with the EU data protection authorities (“DPAs”), as more fully set forth above.
  6. Self-Certification. Polsinelli will apply for its Privacy Shield certification in accordance with the applicable Department of Commerce’s protocol.
  7. Verification. Polsinelli will verify its Privacy Shield compliance through, at least, self-assessment. Further, Polsinelli will audit its compliance with Privacy Shield. Polsinelli will provide training regarding this policy to its personnel who may have access to Personal Data, and will retain records on the Firm’s implementation of Privacy Shield and make them available as required.
  8. Access. Polsinelli understands that the right of access is fundamental to privacy protection. Polsinelli provides adequate mechanisms for access as stated above. 
  9. Human Resources Data. In the context of providing legal services, Polsinelli may receive human resources data from an organization in the EU collected in the context of an employment relationship. In such cases, Polsinelli will respect the national laws of the EU country where the information was collected or processed prior to transfer and will further respect any conditions for or restrictions pertaining to transfer. 
  10. Obligatory Contracts for Onward Transfers. Except as otherwise covered by the Limitation section above and as permitted by the Principles, Polsinelli shall ensure that a contract is in place between it and any third party entity or agent that participates in an onward transfer of Personal Data. The contract will specify that such Personal Data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as stated in the Principles. 
  11. Dispute Resolution and Enforcement. Polsinelli meets its obligations for dispute resolution and enforcement by enrolling with AAA for ADR and by cooperating with the FTC and the U.S. Department of Commerce. As set forth herein, Polsinelli will also cooperate with any DPA or DPA panel, as may be necessary. In the event Polsinelli is subject to any enforcement effort, it will cooperate quickly and fully. Individuals are encouraged to raise any complaint they may have with Polsinelli by sending it to the attention of Lisa Acevedo at lacevedo@polsinelli.com before proceeding to AAA. Polsinelli will respond to an individual within 45 days of receiving a complaint.
  12. Choice – Timing of Opt-Out. Due to the nature of the legal services the Firm provides, it may be difficult for Polsinelli to provide individuals the option to opt-out in all circumstances, such as when the disclosure or use of data is required by law, compelled by a court, or subject to mandatory government disclosure. Polsinelli does not use Personal Data for marketing or other commercial purposes beyond the delivery of legal services to its clients.
  13. Travel Information. Polsinelli may be the recipient of airline passenger reservation and other travel information, including frequent flyer, hotel reservation information, and special requests as necessary. When this travel information is transferred, Polsinelli will ensure that it will respect the law of the EU Member State in which it is operating and will comply with any special conditions for the handling of sensitive data.
  14. Pharmaceutical and Medical Products. Polsinelli may be the recipient of Personal Data used for pharmaceutical or medical research. When this information is transferred, Polsinelli understands that the Personal Data should be anonymized, when appropriate, and that Polsinelli or its clients may use the data for new scientific research activities if appropriate notice and choice have been provided. Further, Polsinelli affirms that if the use of the Personal Data is inconsistent with the general research purposes for which the Personal Data was originally collected, or to which the individual has consented subsequently, new consent will be obtained. Polsinelli and its clients may rely upon the exception allowing Personal Data from clinical trials to be transferred to the U.S. for regulatory purposes, consistent with notice and choice principles.
  15. Public Record and Publically Available Information. Polsinelli will apply the Privacy Shield Principles of Security, Data Integrity and Purpose Limitation, and Recourse, Enforcement and Liability, to Personal Data collected from publicly available sources and public records.
  16. Access Requests by Public Authorities. Polsinelli will comply with lawful requests for information from law enforcement and national security agencies.
Information Subject to Other Policies

The Firm is committed to following the Principles for all Personal Data within the scope of the Privacy Shield. Information obtained from or relating to clients or former clients is further subject to the terms of any privacy notice to the client, any engagement letter or other similar letters or agreements with the client, the Rules of Professional Conduct, and applicable laws and professional standards.

Questions or Inquiries

Any questions, inquiries, or complaints regarding this Policy or Polsinelli’s participation and compliance with the Privacy Shield may be directed to:

Lisa Acevedo
Privacy Officer
Polsinelli PC
161 N. Clark St.
Suite 4200
Chicago, IL 60601
011 (312) 463-6322
lacevedo@polsinelli.com 

Complaints about Polsinelli’s adherence to the Principles may also be directed to the FTC.

Amendment

We may amend this Policy from time to time by posting a revised policy on this website, at http://www.polsinelli.com/footer/privacy-policy, or a similar website that replaces this site. We will only amend our Policy in a manner consistent with the Principles.

This policy is immediately effective as of September 29, 2016.