GDPR Information Page

Last Updated: March 9, 2022

At Willkie Farr & Gallagher LLP (“Willkie,” “we,” “our” or “us”), we take our ethical, professional and legal duties to protect the information that you provide us very seriously. We take all reasonable steps to ensure the data you provide us is secure, and will only process any personal data you provide us to provide you the legal services you have requested.

This page is designed to provide clients and prospective clients with information about the way Willkie complies with the European Union’s (“EU”) General Data Protection Regulation (“GDPR”) as part of our provision of legal services that involve the processing of Personal Data that is subject to the requirements and obligations of GDPR.

Please familiarize yourself with this information, and if you have further questions please contact us at:

Willkie’s GDPR Principles

  • As our client or prospective client, you are the “data controller” for any Personal Data of EU resident individuals (the “Data Subjects”) you provide to us as part of our attorney-client relationship (“Client Personal Data”). We generally expect that any processing you ask us to do will be consistent with the principles for personal data processing set forth in Art. 5 of GDPR, though we recognize that in some instances we may need to work with you to ensure compliance with applicable laws and requirements.
  • With respect to Willkie’s processing of Client Personal Data, Willkie will only process such data on your instructions (including instructions you have provided us in writing, over email or over other forms of communication), and will not process it for any purpose other than the provision of legal services to you. Unless we are prohibited from doing so by applicable law, we will promptly notify you if: (i) we receive a request for disclosure of Client Personal Data from a law enforcement, regulatory or other governmental authority; or (ii) we have concerns that an instruction you provide may violate applicable law or our professional responsibility standards.
  • Willkie personnel who have access to Client Personal Data are bound by a duty of confidentiality. Willkie will ensure that all our personnel: (i) do not process Client Personal Data except on instructions from Client, unless they are required to do so by law; and (ii) receive training regarding the proper handling of Client Personal Data.
  • Willkie will not disclose Client Personal Data to anybody – including any of its personnel or any third party – except as necessary to provide you with legal services, to comply with a subpoena, court order, law enforcement or government or regulatory request or other legal process, or with your prior written consent.
  • Willkie will implement and maintain reasonable technical and organizational measures to protect Client Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access or processing in accordance with Article 32 of the GDPR.
  • Willkie will notify you in writing of any Personal Data Breach (as such term is defined in the GDPR) without undue delay, and will provide all reasonable assistance to clients regarding any Personal Data Breach. Willkie will also provide reasonable assistance in relation to any obligations to notify Regulator(s) and affected individuals.
  • Willkie has adopted measures to assist you in complying with your obligations to respond to requests for exercising Data Subjects’ rights under GDPR. Willkie will also notify you of any request made by a Data Subject to exercise any Data Subject right under the Regulation ("Data Subject Request") and will cooperate with you to execute your obligations.
  • Willkie will provide you with such cooperation as reasonably necessary to enable you to verify Willkie's compliance with GDPR in relation to Client Personal Data.
  • In the course of providing legal representation, Willkie endeavors to ensure that Client Personal Data remains in the EU. However, we may need to transfer Client Personal Data to the United States from time to time. In such instances, the Client Personal Data is transferred from the client to Willkie pursuant to standard contractual clauses for controller to processor transfers, as approved by the European Commission, which can be accessed here, or the International Data Transfer Agreement (“IDTA”), when finalized by the U.K.’s Information Commissioner’s Office. For Client Personal Data transferred from a Willkie office in the EU to a Willkie office in the US, the transfer takes place pursuant to the standard contractual clauses for controller to controller transfers or the appropriate IDTA.
  • Willkie may use subcontractors to process Client Personal Data. We will do so only pursuant to a written contract with the relevant subcontractor, and that contract will meet GDPR’s requirements and impose on the subcontractor the same obligations in respect of processing of Client Personal Data as are imposed on Willkie. Using a subcontractor for certain processing activities does not change our legal or ethical obligations to our Clients.
  • Finally, consistent with our existing data retention policies and applicable legal requirements, if you are no longer a client of Willkie, we will delete or return Client Personal Data on your request, save for those instances where we are required to retain such data for compliance with applicable law and our professional responsibility standards.
+ Continue Reading