Privacy and Cookies

This Privacy Notice explains how Milbank LLP collects, uses and discloses personal information through our website, through marketing emails and social media platforms, in providing legal services to our clients and in dealing with our service providers.

Milbank LLP is committed to protecting your privacy and would like you to understand how we collect, use and disclose your personal information.

Personal Information We Collect

When we refer to “personal information” in this Privacy Notice, we mean any information that relates to an identified or identifiable individual.

We collect the following kinds of personal information:

  •  Information that you provide by completing forms on this website (such as requests for publications or registering for events appearing on this website) or when you contact us for information. This includes your contact details such as name, job title, employer (company, firm or organization), e-mail address, phone numbers and postal address, as well as business interest information such as types of information you are interested in receiving and practice areas of interest.
  • Details of your visits to this website, including requested web pages, forms, search requests and terms, publications and other resources that you access. We automatically record your page requests when you visit our website and the full Uniform Resource Locator (URL) clickstream to, through and from our website, as well as your IP address. Our website also uses cookies – please see the Cookies section below for further details.
  • Information that you provide in applying for a position with us, such as through the careers section of our website. This includes your contact details such as name, e-mail address, phone numbers and postal address, information about the position for which you are applying, information included in your CV and other information collected through our recruitment process.
  • Information that we receive from you or from others in relation to our provision of services to our clients.
  • Information that we receive when you interact with us via social media platforms such as LinkedIn or Twitter.
  • If you provide services to us (or if you work for a company that provides services to us), we collect your contact details such as name, e-mail address, phone numbers and postal address, as well as other information related to your role in providing those services.

How We Use Personal Information

This section of our Privacy Notice explains how we use the personal information that we collect about you. If we use your personal information for a new purpose, we’ll update this Privacy Notice and bring these changes to your attention.

We use personal information that we collect about you in the following ways:

  • To provide services to our clients.
  • To meet our legal and regulatory obligations, such as our obligations under ‘know your customer’ or anti-money laundering rules.
  • To respond to an application you make for a position with us. Some of the information that we collect for this purpose may include special categories of personal data under EU data protection law; our additional legal basis under EU data protection law for collecting and using this information is carrying out obligations and exercising rights in the field of employment.
  • To customize the way information on this website is presented to you.
  • To evaluate your user experience and improve the quality of our services.
  • To provide website content that is relevant and engages our audience.
  • To protect our information technology systems and data against fraud, unauthorized use and security threats.
  • If you join one or more of our mailing lists or request information from us, we will use the personal information you provide to send you the information you have requested.
  • If you register for an event, we will use your information for purposes of fulfilling your request.
  • To send you information (such as publications, legal updates, news and events) in which we believe you may be interested.
  • To receive services from our service providers and administer our relationship with them.
  • To enforce our contractual and other rights.

How We Disclose Your Personal Information

We disclose your personal information:

  • To third parties (such as other parties to transactions and their advisers) as necessary in providing services to our clients.
  • To companies who provide services to us, such as hosting and other information technology services.
  • In order to comply with applicable law and regulation, a legally binding request from a governmental or regulatory body or law enforcement agency, or any other legal obligation to which we are subject.
  • In order to detect or prevent fraud.
  • To enforce our contractual and other rights.

Cookies

Cookies are small text files that are stored on your computer or other device when you visit certain web pages. We use cookies to remember your settings for certain tools provided on this website and to provide us with information about how visitors use this website.

You can choose whether to accept or refuse most cookies on our website. Some cookies are necessary for our website to function, which means that we will need to set them if you want to use our website.

You can also disable cookies by activating the setting on your browser. However, if you select this setting some features of our website may not function properly. Details of the cookies that are used by this website are set out below:

Where we Store and Transfer your Personal Information

This website is hosted in the United States. If you are located in another country, any personal information that we collect about you through this website will be transferred to, and stored in, the United States.

Some of the service providers we use to store personal information are located in the United States or other countries that are not recognized under European Union data protection law as providing an adequate level of protection for personal data. In order to comply with European Union data protection law, we put in place agreements with these service providers based on standard contractual clauses approved by the European Commission. You can obtain a copy of these clauses from us – please see the Contact us section, below, for further details about how to contact us.

We may also transfer your personal information internationally in order to meet our legal or regulatory obligations, where this is necessary for the exercise, establishment or defense of legal claims, or in other circumstances permitted by applicable data protection law.

How We Protect Your Personal Information

In order to protect personal information, we maintain an Information Security Policy which includes various policies and standards related to passwords, remote access, access control, encryption, change management, electronic communications, business continuity, incident management, third party access, vendor management, physical security and acceptable use. We are ISO27001:2013 certified.

We employ multiple technology and security solutions to safeguard our networks and data. These include dual layer firewalls, web and email content inspection, scanning and filtering, antivirus software, malware protection, host intrusion detection and prevention, zero-day threat prevention and application control software. We support transport layer security (TLS) encryption for secure email communications. We also encrypt all firm-managed laptop, desktops and USB device hard drives. In some cases, data leak prevention is used to prevent data exfiltration.

We limit access to your personal information to only those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

We maintain a security patching process where patches are periodically applied based on regular maintenance schedules or immediately, as needed, based on threat and vulnerability exploitation levels to ensure that personal data is protected adequately.

We have a cyber security incident response plan that addresses how to handle actual or potential cyber security breaches throughout their lifecycle. This includes internal and client communications plans and third-party breach notifications based on regulatory requirements and the nature and scope of each incident.

How Long We Keep Your Personal Information

We retain personal information in accordance with applicable law and regulation and our records retention policy based on these laws and regulations. The period for which we keep your personal information is determined by a number of criteria, including our legal and regulatory obligations, the purposes for which we are using the information, the amount and sensitivity of the information, and the potential risk from any unauthorized use or disclosure of the information.

Other Websites

This website contains links to websites operated by other companies. This Privacy Notice applies only to this website, so if you follow a link to any of these websites please make sure you read their privacy policies and notices.

Processing Subject to European Union Data Protection Law

If our collection, use or disclosure of your personal information is subject to the European Union General Data Protection Regulation (“GDPR”) (for example, if the personal information is collected or used by one of our European offices), you have a number of additional rights in relation to your personal information:

  • You can ask us to confirm what personal information we hold about you and to provide you with a copy of that information.
  • You can ask us to correct any personal information about you that is inaccurate.
  • You can ask us to delete your personal information where there is no legal basis for us to continue to hold that information.
  • You can ask us to stop using your personal information temporarily if you are objecting to our right to use it.
  • You can object to our using your personal information unless we can demonstrate a valid reason why we need to continue to hold that data.
  • You can object to our using your personal information for marketing purposes.
  • In circumstances where we process your personal information on the basis of your consent, you have the right to withdraw your consent at any time.
  • If we are processing your personal information on the basis of your consent or necessity for a contract, you can ask us to provide you with the personal information that you have provided to us, in a structured and commonly-used electronic format, or to transmit that information directly to another company if that is technically feasible.
  • You have the right to complain to a supervisory authority if you’re not happy with how we have handled your personal information – you can find a list of supervisory authorities here: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm.

Please note that some of these rights may be subject to exceptions under European data protection law and national data protection law (such as exceptions to protect information that is subject to legal professional privilege).

Legal Basis for Processing Subject to the GDPR

If our use of your personal information is subject to the GDPR, we are required to explain our legal basis for our use of your personal information. We may use or otherwise process your personal information as follows:

  • To provide services to our clients: 

    (our legal basis under EU data protection law is our legitimate interest in providing legal services and/or our clients’ legitimate interests in receiving those legal services or, where our client is an individual, necessity for performance of a contract with the client or taking steps at the client’s request prior to entering into a contract)

  • To meet our legal and regulatory obligations, such as our obligations under ‘know your customer’ or anti-money laundering rules:
    (our legal basis under EU data protection law is that it is necessary to comply with our legal obligations)

  • To respond to an application you make for a position with us:

    (our legal basis under EU data protection law is that it is necessary for taking steps at your request prior to entering into a contract with you).
    Some of the information that we collect for this purpose may include special categories of personal data under EU data protection law; our additional legal basis under EU data protection law for collecting and using this information is carrying out obligations and exercising rights in the field of employment.

  • To customize the way information on this website is presented to you:

    (our legal basis under EU data protection law is our legitimate interest in improving the experience of visitors to our website)

  • To evaluate your user experience and improve the quality of our services:

    (our legal basis under EU data protection law is our legitimate interest in improving the experience of visitors to our website)

  • To provide website content that is relevant and engages our audience:

    (our legal basis under EU data protection law is our legitimate interest in improving the experience of visitors to our website)

  • To protect our information technology systems and data against fraud, unauthorized use and security threats:

    (our legal basis under EU data protection law is our legitimate interest in protecting our website and information technology systems and data)

  • If you join one or more of our mailing lists or request information from us, we will use the personal information you provide to send you the information you have requested:

    (our legal basis under EU data protection law is your consent, or our legitimate interest in sending you the information that you have requested)

  • If you register for an event, we will use your information for purposes of fulfilling your request:

    (our legal basis under EU data protection law is your consent, or our legitimate interest in fulfilling your request)

  • To send you information (such as publications, legal updates, news and events) in which we believe you may be interested:

    (our legal basis under EU data protection law is our legitimate interest in sending you information that may be useful to you)

  • To receive services from our service providers and administer our relationship with them:

    (our legal basis under EU data protection is our legitimate interest in receiving those services)

  • To enforce our contractual and other rights:

    (our legal basis under EU data protection is our legitimate interest in enforcing those rights)

California Consumers

If you are a California resident, the California Consumer Privacy Act (“CCPA”) may extend to you certain rights involving the collection, use, or disclosure of Personal Information, as defined elsewhere in this Privacy Notice, as well as information that is reasonably capable of being associated with you or your household.

Subject to exceptions outlined in the CCPA, these rights may include the following:

Access Rights

  • You can ask us to confirm what personal information we hold about you including:

    • The categories of personal information we collected about you;
    • The categories of sources from which the personal information is collected;
    • The categories of third parties with whom we share (if applicable) your personal information;
    • The specific pieces of personal information we collect about you.
    • You can ask us for a copy of this information in a readily useable format.
    • You can ask us to delete the personal information collected from you where there is no basis for us to continue to hold that information.
    • In circumstances where we use your personal information on the basis of your consent, you may withdraw your consent.
    • You have the right to not be discriminated against based on your decision to exercise any rights available to you under the CCPA.
    • Please note: Milbank does not sell Personal Information.

Categories of Personal Information Collected and/or Disclosed for Business Purposes in the past 12 months

The following categories of California Consumer Personal Information have been collected and/or disclosed for business purposes by Milbank in the past 12 months:

  • Identifiers (such as name, postal address, email address, etc.);
  • Information protected against security breaches (such as your name and financial account, driver’s license, social security number, user name and password, health/medical information); 
  • Protected classification information (like race, gender, ethnicity, etc.);
  • Commercial information; 
  • Internet or electronic network activity; 
  • Geolocation data; 
  • Audio or visual data;
  • Professional or employment related information; and
  • Education information.

Requests for access to your Personal Information can be submitted via the following methods:

Depending on the nature of your request, we may need to verify your identity before fulfilling your request.

Contact us

If you have any questions about this Privacy Notice or about any of the personal information that we hold about you, please contact:

55 Hudson Yards
New York, NY 10001-2163
privacy@milbank.com

We have also appointed a Data Protection Officer (DPO) for our European offices. You can contact our DPO by clicking here.

Changes to Our Privacy Notice

We regularly review this Privacy Notice. Any changes will be reflected within an updated version available on our website. Where appropriate, we may directly notify you of changes by email.