Skip To The Main Content

Privacy Notice

Simpson Thacher & Bartlett LLP and its affiliated offices practicing under the Simpson Thacher & Bartlett name in other jurisdictions ("Simpson Thacher" or "we" or "our") are committed to respecting the privacy of all individuals, including job applicants, employees and visitors to our website (www.stblaw.com), as well as of our current and prospective clients.

Your visit to our website or our premises is subject to the following Privacy Notice (“Notice”). By visiting our website or entering our premises, you agree to this Notice, which may be updated by us at any time. If we update this Notice, we will post the updated document here and, where required by law or regulation, notify you by e-mail. Any such changes will be effective upon posting. We urge you to review the Notice each time you visit our website or one of our offices. If you do not agree with any provision of the Notice, you should not use our website or visit our offices.

This Notice sets out:

  • The types of personal data that Simpson Thacher collects, including from clients, individuals visiting our website, applying for employment with us, visiting our offices, and interacting with us in the normal course of our business;
  • The purposes and legal basis for our processing and use of individuals’ personal data;
  • Information regarding our marketing and individuals’ ability to withdraw their consent or otherwise object to marketing;
  • How we may process, disclose or use individuals’ personal data;
  • How we transfer personal data outside of the European Union (“EU”), Switzerland and United Kingdom (“UK”); and
  • Individuals’ rights with respect to our processing, use or disclosure of their personal data.

Queries regarding how (1) our policies may apply to your personal data; (2) to exercise your right to question or object to our use of your personal data, in accordance with applicable laws; or (3) to access, correct, or delete your personal data, should be sent to [email protected].

For the purposes of applicable data protection law, Simpson Thacher may be deemed to be a data controller of your personal data, including your personal data processed in the course of client transactions.

This Notice describes Simpson Thacher’s policies and procedures with respect to personal data. Any personal data collected, held, used or processed by Simpson Thacher is also subject to the relevant provisions of applicable local laws and/or Simpson Thacher policies in each jurisdiction where we have an office. We store personal data in the United States and in other countries that may not have data protection laws as protective as those in your location.

Personal Data We Collect

We collect and process the following personal data from you:

  • Identification information: such as name, identification number, date of birth, job title and function.
  • Contact information: including phone number(s), email address, mailing address.
  • Billing, Financial and Payment Data: including records of services obtained or considered, bank and other financial account information and other information necessary for processing payments, billing and invoicing, as well as fraud prevention.
  • Event registration or mailing list data: such as marketing and communications preferences and interests, subscriptions, downloads, dietary requirements and preferences (which may reveal information about your health and/or religious background).
  • Legal and regulatory compliance data: as required for purposes such as know your client, anti-money laundering, and market abuse regulations requirements, or as part of our client onboarding process, which may include passport or other identification and due diligence data.
  • Technical Information: including information collected during your visits to our website(s), the Internet Protocol (IP) address, browser type and version, device type, time zone setting, browser plug-in types and versions, operating system and platform. To learn more about our use of cookies please refer to our cookies policy.
  • Audio, electronic, visual, or similar information: including photographs and CCTV footage.
  • Physical Access Data: relating to details of your visits to our offices.
  • Job applicant data: including identification data, contact information, résumé and other data provided by you or third parties (e.g. recruiters, law school career offices) on our website, online recruitment portal (where applicable) or offline in connection with job openings, which may be subject to additional local requirements based on the country or state for which the position is advertised.
  • Sensitive or regulated personal data: In the course of your relationship with us, we may collect and process certain sensitive or regulated personal data or information that is protected under applicable law relating to you when relevant to providing our legal services (this could include information about racial and ethnic backgrounds, gender, marital status, political opinions, religious beliefs, union membership, physical or mental health, information regarding sexual orientation and background or details of criminal offenses, or biometric data).
  • Any other personal data that you provide to us relevant to the provision or receipt of services, including in relation to any of your employees, customers or vendors.

We may supplement the information that you provide to us with information that we receive or obtain from other sources, such as from our personnel, clients, advisers, partners, and agents, third parties with whom we interact and publicly available sources.

We collect personal data about:

  • our current and prospective clients and their staff and employees;
  • our service providers and business partners and their staff and employees;
  • individuals who attend, or express interest in attending, our events or subscribe to newsletters and other email updates we provide;
  • third parties in connection with client transactions (for example, information about the staff of a company that will be acquired by a client); and
  • visitors to our website and offices.

Sources of Personal Data

We obtain personal data from a number of sources, including through our website (including website analytics, see Cookies and Similar Technology below), online questionnaires and forms, and other information provided directly to us, including by email or in conversation with our lawyers, legal or other advisers, consultants and other professional experts, complainants, correspondents and enquirers, and suppliers and service providers of any of the above, as well as directly from you. In addition, we obtain personal information from third-party sources, such as our clients, other law firms, service providers, and governmental entities.

Information About Other People: If you provide information to us about any person other than yourself, such as your employees, suppliers, shareholders or directors, you must ensure that they understand how their information will be used and disclosed, and that they have given their permission for you to disclose it to us and for you to allow us, and our outsourced service providers, to use and disclose it as set forth above.

Processing of Personal Data

The laws in certain jurisdictions require companies to disclose the legal ground they rely on to use, process or disclose personal data. To the extent those laws apply, our legal grounds are as follows We process the personal data referred to above for the following purposes and on the below legal bases:

  • We use identification information, contact information, job applicant data, billing, financial and payment data, and legal and regulatory compliance data to fulfil a contract, or take steps linked to a contract, including:
    • providing legal services to our clients;
    • verifying your identity;
    • processing payments from you; and
    • communicating with you regarding the legal services provided.
  • We use identification information, contact information, billing, financial and payment data, job applicant data, event registration or mailing list data, legal and regulatory compliance data, technical information, physical access data and sensitive or regulated personal data as required to conduct our business and pursue our legitimate interests, in particular:
    • providing legal services to our clients, and responding to any comments, feedback or complaints they may send us;
    • promoting our services to clients and potential clients, advising them of news and industry updates, and hosting or administering events;
    • monitoring use of our website, to help us improve and protect our services and website, both online and offline;
    • protecting the security of and managing access to our physical premises;
    • investigating any complaints about our website or our services; and
    • in connection with legal claims, and for compliance, regulatory and investigative purposes.
  • We use identification information, contact information, job applicant data, event registration or mailing list data and technical information where you give us consent:
    • we may send you direct marketing in relation to our services;
    • we may use cookies and similar technologies in accordance with the information below and the information provided to you as to when those technologies are used; and
    • we will use personal data that you give us solely for the purpose we explain at the time you give us such consent.
  • We use identification information, contact information, billing, financial and payment data, legal and regulatory compliance data, technical information, physical access data and sensitive or regulated personal data for other purposes to comply with applicable laws in the local jurisdictions where we operate, regulations, subpoenas, legal process, governmental investigations or inquiries, including:
    • undertaking compliance checks on current and potential clients and other third parties as part of our legal, regulatory and professional obligations (including anti-money laundering obligations);
    • as necessary or appropriate to protect the rights, property, security, and safety of us, our employees, our consumers, our information systems, and the public; and
    • to cooperate with government or law enforcement authorities conducting an investigation.
  • We use job applicant data in order to take the necessary steps at the request of the job applicant in the context of recruitment prior to entering into a contract or other employment relationship (and, as necessary to comply with legal, regulatory and corporate governance requirements related to our hiring and personnel):
    • to screen identify and evaluate candidates for positions;
    • record-keeping related to the hiring process;
    • analyzing the hiring process and outcomes; and
    • conducting background checks.
    • Please note that if you are hired by Simpson Thacher, this data will be transferred to our employee records for the purposes of your employment and subject to our policies with respect to the processing of employee data, which will be provided to you upon the commencement of your employment.

In certain circumstances, we will not be able to provide legal services to clients if we are not provided with all relevant personal data.

Marketing Communications and Withdrawing Consent

We may contact you with information about services or events that might be of interest to you. Where necessary in compliance with applicable law, at the time that you provide your personal data to us, you will be given the opportunity to indicate whether or not you agree for us to use your personal data to tell you about such services and events.

You will always be able to withdraw your consent to allow us to process your personal data, although we may still have other legal grounds for processing your data, such as those set out above. In some cases, we are able to send you marketing materials without your prior consent, where we rely on our legitimate interests, but you have an absolute right to opt-out of receiving future marketing materials at any time. You can do this by following the instructions in the email communication you receive, or by contacting us at [email protected].

Disclosure of Your Personal Data

We have the right to disclose your personal data with trusted third parties including:

  • Legal or other advisers, consultants and other professional experts, complainants, correspondents and enquirers, and suppliers and service providers of any of the above, and each of their associated businesses;
  • Business partners, suppliers and sub-contractors in connection with the performance of any contract we enter into with them or you. We take reasonable steps to ensure that our personnel protect your personal data and are aware of their information security obligations; and
  • Analytics and search engine providers that assist us in the improvement and optimization of our website.

We may also share your personal data with (or transfer your personal data to) third parties:

  • If we sell or buy any businesses or assets or merge any business into or with that of another person, in which case we may disclose your personal data to the prospective counterparty in such transaction and such data may be one of the assets transferred in such transaction;
  • To comply with applicable laws, regulations, subpoenas, legal process, governmental investigations or inquiries, to cooperate with law enforcement, to assert or defend legal claims, and to protect our and others rights, property, or safety we may share data with the appropriate law enforcement, regulatory or government agency; and
  • For the purposes of crime and fraud prevention and remediation we may share data with law enforcement, regulatory or government agencies and/or independent regulatory bodies.

We will not sell or share any personal data to any other person.

Transfers of Personal Data Outside the EU, Switzerland and UK

Simpson Thacher is an international law firm with multiple offices and affiliated entities across a number of global jurisdictions. As such, personal data may be transferred to a country which may not provide the same protections to personal data as the country in which you reside. In particular, personal data from the EU, Switzerland or UK will be transferred to, and processed in or shared across computer networks or otherwise with our offices in the United States and, in certain instances, where necessary to provide our services or conduct operations in a given instance, it may be shared with individuals in our others offices as necessary.

To provide adequate protection for these transfers in accordance with EU, Swiss and UK data protection law, Simpson Thacher has executed the appropriate contractual clauses based on and conforming to the European Commission approved standard contractual clauses and the UK Information Commissioner’s International Data Transfer Addendum. To obtain further information on the mechanisms that we have put in place to safeguard the transfer of your personal data to countries outside of the EU, Switzerland and the UK, please contact us at [email protected].

Your Rights

Depending on where you live, you have various rights with respect to our use, processing and sharing of your personal data. Please note that there are exceptions to some of these rights, so that requests may be denied if, for example, making the information available to you would reveal personal data about another person, or if we are legally prevented from disclosing such information.

  • Access: You may have the right to request a copy of the personal data that we hold about you. You may be entitled to see the personal data held about you. If you wish to do this, please contact us at [email protected].
  • Accuracy: We aim to keep your personal data accurate, current, and complete. We encourage you to contact us at [email protected] to let us know if any of your personal data is not accurate or changes.
  • Objecting/Deletion: You may also have the right to object to processing of your personal data and to ask us to block, delete or restrict your personal data subject to certain exceptions. If this right applies, once we receive your request and verify your identity, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies under applicable law.
  • Portability: You may have the right to request that your personal data is provided to you, or to another data controller, in a commonly used, machine-readable format.
  • Complaints: If you believe that your data protection rights may have been breached, you may have the right to lodge a complaint with the applicable supervisory or regulatory authority. If you are in the EU, if you believe that we have not complied with applicable data protection laws, including the GDPR, you also have the right to lodge a complaint with the local data protection authority, such as the Data Protection Commission (“DPC”) in Ireland. Please click here for a list of the data protection authorities in the EU member states. If you are in Switzerland, please click here for information on how to contact the Federal Data Protection and Information Commissioner. If you are in the UK, please click here for information on how to contact the Information Commissioner's Office if you would like to lodge a complaint.

To exercise the access, accuracy, data portability, objection and deletion rights described above, please submit a request to us by emailing us at [email protected].

Please note that there may be exceptions to these rights under applicable law.

Only you, or a person that you authorize to act on your behalf, may make a request related to your personal information. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative of such person.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We may be unable to comply with your request or provide you with personal information if you do not take the foregoing actions. Making a request does not require you to create an account with us. We will use personal information provided in a request only to verify your identity or authority to make the request.

How Long We Keep Your Personal Data

We retain personal data for as long as necessary to provide legal services, conduct operations and in accordance with our data retention policies, unless we have deleted personal data in response to a request to delete. We may retain personal data for longer if it is necessary to comply with legal or reporting obligations, resolve disputes, collect fees, or as permitted or required by applicable law. We may also retain personal data in a deidentified or aggregated form so that it can no longer be associated with an individual person. To determine the appropriate retention period for personal data, we consider various factors such as the amount, nature, and sensitivity of the data, the potential risk of unauthorized access, use or disclosure, the purposes for which we process personal data and applicable legal requirements.

When we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data so that we can respect your request in future.

In general, where we process personal data in connection with the provision of legal services, we keep the data for 10 years from the date the matter is closed.

Where we process personal data to comply with our legal obligations (for example, "know-your-client" information processed for anti-money laundering purposes), we will retain the data for as long as the client has open matters, and for 10 years from the date the last matter is closed.

Cookies and Similar Technologies

What are they?

Cookies are small pieces of information sent by a web server to a web browser which allows the server to uniquely identify the browser on each page. Other tracking technologies are also used which are similar to cookies. This can include pixel tags and tracking URLs.

All these technologies are together referred to in this Policy as “Cookies”. Please note that if you delete or disable Cookies from us, you may not be able to access certain areas or features of our website.

How do we use Cookies?

The types of Cookies that we use on our website, and the purposes for which they are used, are set out below:

  • Strictly necessary Cookies: These Cookies are essential to enable you to move around our website and use its features, such as accessing secure areas. Without these Cookies, any services on our website you wish to access cannot be provided.
  • Analytical/performance Cookies: These Cookies collect information about how you and other visitors use our website, for instance, which pages you go to most often, and if you get error messages from web pages. We use data from these Cookies to help test designs and to ensure that a consistent look and feel is maintained on your visit to the website. All information these Cookies collect is aggregated and is used only to improve how a website works.
    • We use Google Analytics, a web analytics service provided by Google, Inc. (“Google”), to track our website usage and activity anonymously. Google Analytics uses Cookies, and the information generated by such Cookies about your use of our website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information on our behalf for the purpose of evaluating your use of our website, compiling reports on website activity and providing to us other services relating to website activity and internet usage. Google will not associate your IP address with any other data held by Google. You may refuse the use of Cookies by selecting the appropriate settings on your browser. However, please note that if you do this, you may not be able to use the full functionality of this website. Furthermore you can prevent Google’s collection and use of data (Cookies and IP address) by downloading and installing the browser plug-in available under: https://tools.google.com/dlpage/gaoptout?hl=en-GBM
    • Further information concerning the terms and conditions of use and data privacy can be found at:
      http://www.google.com/analytics/terms/gb.html
      https://www.google.de/intl/en_uk/policies/
  • Functionality Cookies: These Cookies allow our website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features. These Cookies can also be used to remember changes you have made to text size, fonts and other parts of web pages that you can customize. They may also be used to provide services you have asked for, such as watching a video. Additionally, these Cookies can be used to allow an optional service to function. The information these Cookies collect may be anonymized and these Cookies cannot track your browsing activity on other websites.
  • Pixel tags: These are also known as a clear GIF or web beacon. These are invisible tags placed on certain pages of our website but not on your computer. When you access these pages, pixel tags generate a generic notice of that visit. They usually work in conjunction with Cookies, registering when a particular device visits a particular page. If you turn off Cookies, the pixel tag will simply detect an anonymous website visit.
  • Tracking URLs: These are used to determine from which referring website our website is accessed.

How long do we keep Cookie information for?

Category

Cookie Name

Retention period

Analytical

__utma

2 years

Analytical

__utmb

30 minutes

Analytical

__utmc

Session

Analytical

__utmt

10 minutes

Analytical

__utmz

6 months

Analytical

nmstat

2 years 9 months

Analytical

vuid

2 years

Functional

__cf_bm

30 minutes

Functional

lastTeamFilter

Session

Functional

ShoppingCartCode

6 months

Strictly necessary

ai_session

30 minutes

Strictly necessary

ai_user

1 year

Strictly necessary

ARRAffinity

Session

Strictly necessary

ARRAffinitySameSite

Session

Strictly necessary

ASP.NET_SessionId

Session

Strictly necessary

AWSALBCORS

7 days

If you do not want to accept any non-essential Cookies, or only want to allow the use of certain Cookies, you can update your cookie settings at any time by refreshing your browser history and rejecting the placement of Cookies on our website. You can also use your browser settings to withdraw your consent to our use of Cookies at any time and delete Cookies that have already been set.

To find out more about Cookies please visit: www.allaboutcookies.org or see www.youronlinechoices.eu, which contains further information about behavioral advertising and online privacy.

Do Not Track

We do not track visitors of the website over time and/or across third party websites to provide targeted advertising and therefore do not respond to Do Not Track (“DNT”) signals. However, some third party sites do keep track of your browsing activities when they serve you content, which enables them to tailor what they present to you. If you are visiting such sites, your browser allows you to set the DNT signal so that third parties (particularly advertisers) know you do not want to be tracked. You should consult the help pages of your browser to learn how to set your preferences so that websites do not track you.

ADDITIONAL INFORMATION FOR CALIFORNIA CONSUMERS

The California Consumer Privacy Act or “CCPA,” as amended (Cal. Civ. Code § 1798.100 et seq.) provides consumers who reside in California with certain rights with respect to their personal information (referred to elsewhere in this policy as “personal data”). This subsection concerning the CCPA applies solely to individuals who are residents of the State of California. Any terms defined within the CCPA have the same meaning when utilized within this subsection.

  • Categories of Personal Information Collected: In the past 12 months, we have collected the following categories of personal information: identifiers, characteristics of protected classifications under California or U.S. federal law, professional and employment-related information, education information, commercial information, internet and electronic network activity, inferences, sensitive personal information, and other categories of personal information that relate to or are reasonably capable of being associated with you. For additional details about the personal information we collect, please see “Personal Data We Collect” above.
  • Business or Commercial Purpose for Collecting and Using Personal Information: We collect and use personal information for the purposes described in the “Processing of Personal Data” section above.
  • Categories of Sources of Personal Information: We collect personal information directly from you and from the sources described in the “Sources of Personal Data” section above.
  • Categories of Personal Information Disclosed and Categories of Third-Party Recipients: In the past 12 months, we have disclosed identifiers, employment data, commercial information, and internet and electronic network activity to the following categories of recipients: clients, cloud service providers, consultants, data analytics providers, bar associations, internet service providers, data storage providers, and operating systems and platforms. We also disclosed professional and employment-related information, education information and certain sensitive personal information to clients, cloud service providers and consultants. For additional information on how we disclose personal information, see “Disclosure of Your Personal Data” section above.
  • Sharing and Sales of Personal Information: We do not sell or share your personal information (as “sell” and “share” are defined in the CCPA), though we do disclose personal information to our affiliates, service providers and other vendors as described above. We also do not have actual knowledge that we have sold or shared personal information of minors under age 16.
  • Uses and Disclosures of Sensitive Personal Information. We do not use or disclose your sensitive personal information for purposes that, with limited exceptions, are not necessary in order to provide our products and services as are reasonably expected by an average consumer requesting those goods and services.
  • Retention of Personal Information: Please see “How Long We Keep Your Personal Data” above.

Your Consumer Rights as a California Consumer

Subject to certain limitations, California consumers have the right to (1) request to know more about the categories and pieces of personal information we collect, use, and disclose, (2) request deletion of your personal information, (3) request correction of your personal information, and (4) not to be discriminated against for exercising these rights, including an applicant’s right not to be retaliated against for the exercise of their CCPA rights. California consumers or their authorized agents may make such a request by calling +1 (833) 490-0071 or by emailing us at [email protected]. We will verify your request by asking you to provide information sufficient to confirm your identity, such as your name, email address, and information about your interactions with us. If you would like to use an authorized agent to exercise your rights, we may request evidence that you have provided such agent with power of attorney, or that the agent otherwise has valid signed authority to submit requests on your behalf, and ask that you verify your identity directly with us.

We may not be able to respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. 

Additionally, you will need to describe your request with sufficient detail to allow us to review, understand, assess, and respond. We will not use the personal information we collect from an individual to determine a verifiable request for any other purpose, except as required or permitted by law.

We will endeavor to respond to a verifiable consumer request within forty-five (45) calendar days of receipt, but we may require an extension of up to forty-five (45) additional calendar days to respond and we will notify you of the need for the extension. 

California’s Shine the Light Law

California Civil Code Section 1798.83, known as the “Shine The Light” law, permits our customers who are California residents to request and obtain from us a list of what personal information (if any) we disclosed to third parties for direct marketing purposes in the preceding calendar year and the names and addresses of those third parties. Under Section 1798.83, we currently do not, and have not in the preceding calendar year, disclosed any personal information with third parties for their direct marketing purposes.

Changes to our Privacy Notice

Any changes we may make to our Notice in the future will be posted on this page and/or, where required by law or regulation, notified to you by e-mail.

Governing Law and Forum

To the extent required by applicable data protection laws, this Notice shall be governed by the laws of the applicable jurisdiction and any dispute relating to this Notice shall be resolved in the applicable courts. In all other cases, the laws of the State of New York govern this Notice and any dispute relating to this Notice shall be resolved in the state or federal court with competent jurisdiction in New York County, New York. If any provision of this Notice is held to be unenforceable, such provision will be reformed only to the extent necessary to make it enforceable.

If you have any questions or comments about this Notice, you can email us at [email protected] or write to us at Chief Information Officer, Simpson Thacher & Bartlett LLP, 425 Lexington Avenue, New York, New York 10017.

Last updated: December 2022