Privacy Shield

General Statement

Gibson, Dunn & Crutcher LLP (“Gibson Dunn”) is an international law firm, with clients located throughout the world, including in the European Union (“EU”), the European Economic Area (“EEA”) and in Switzerland.  In representing such clients in transactional, litigation, or other matters, it is often necessary for the client to provide to Gibson Dunn information that is subject to data protection laws of the EU, the EEA and Switzerland.  This Privacy Shield Policy therefore applies to personal data transferred to the United States from the EU, EEA and Switzerland to protect such data.

Gibson Dunn complies with the EU-U.S. Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal data transferred from the EU to the United States.

Gibson Dunn also adheres to the U.S.-Swiss Safe Harbor for personal data transferred from Switzerland to the United States and adheres to the Safe Harbor privacy principles contained therein.

Gibson Dunn has certified to the Department of Commerce that it adheres to the Privacy Shield Principles (including without limitation its principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, Recourse, Enforcement, and Liability). If there is any conflict between the policies in this Privacy Shield Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the EU-U.S. Privacy Shield program, and to view our certification page, please visit The Federal Trade Commission (FTC) has jurisdiction over Gibson Dunn’s compliance with the Privacy Shield.

For the avoidance of doubt, the Privacy Shield Principles and this policy do not apply to data that is transferred to or within Gibson Dunn on any other legal basis (e.g. otherwise permitted under Art. 26 of Directive EC/95/46) or from any other source.

Gibson Dunn’s Handling Of Personal Data

For the purposes of this Privacy Shield Policy, Personal Data means personal data transferred to or within Gibson Dunn from the EU, EEA or Switzerland under the EU-U.S. Privacy Shield or the U.S.-Swiss Safe Harbor framework.

Gibson Dunn maintains the Personal Data it receives in secure on-line and off-line facilities.  Such information is not disclosed unless necessary or advisable to protect the rights, safety or property of Gibson Dunn or others; to conform to legal or regulatory requirements; or as required to protect the legitimate interests of its clients relating to Gibson Dunn’s representation of such clients.  Such data is not disclosed to third parties unless such disclosure is permitted under applicable law and only if the third party operates in accordance with Gibson Dunn’s strict data standards, and for the purposes of Gibson Dunn’s representation of its clients.

Gibson Dunn maintains strict security and confidentiality policies that govern all information any attorney or other personnel receives in the course of his or her employment or association with Gibson Dunn.  All attorneys and personnel are made aware of these policies and Gibson Dunn has in place procedures to train all attorneys and personnel in the implementation of these policies.  Failure to adhere to the privacy, security and confidentiality policies results in appropriate discipline.  Gibson Dunn has in place procedures for periodically conducting objective reviews of compliance with this Privacy Shield Policy.

Data Subjects

The Personal Data transferred from the EU, EEA or Switzerland may concern the following categories of persons:

  • Opponents, counterparties and prospective opponents and counterparties of clients and their affiliated entities (including their respective employees, agents, consultants, directors, officers, temporary, casual workers and direct and indirect shareholders, beneficial owners and the person(s) controlling them);
  • Clients, prospective and former clients of Gibson Dunn and their affiliated entities (including their respective employees, agents, consultants, directors, officers, temporary, casual workers and direct and indirect shareholders, beneficial owners and the person(s) controlling them);
  • Professional and personal contacts of partners, associates and other employees of Gibson Dunn;
  • Suppliers (including their employees, agents, consultants, directors, officers, temporary, casual workers and direct and indirect shareholders, beneficial owners and the person(s) controlling them);
  • Advisors, consultants, witnesses, other professionals and professional experts (including their employees, agents, consultants, directors, officers, temporary, casual workers and direct and indirect shareholders, beneficial owners and the person(s) controlling them);
  • Other persons involved in litigation, arbitration, investigations or transactional matters;
  • Dependents, associates and correspondents of the above persons affected by the data transfer.

Purposes Of Data Transfers

Personal data from the EU, EEA or Switzerland is transferred for the following purposes:

  • Legal Services (the provision of legal services including advice to, or acting on behalf of, clients and conducting litigation, arbitration, investigations and transactional matters). This includes the provision of legal services to clients in order to establish data rooms relating to transactions or projects, conducting document reviews and any disclosure or related exercise in any litigation or any Government or regulatory exercise or internal investigation conducted by or on behalf of Gibson Dunn and its clients;
  • Accounts & Records (including maintenance of accounts related to Gibson Dunn’s business activities; deciding whether to accept any person or entity as a client or supplier; keeping records of transactions; making financial or management forecasts);
  • Compliance with Gibson Dunn’s ethical, professional and legal obligations;
  • Compliance with Gibson Dunn’s anti-money laundering, risk management and other compliance protocols;
  • Marketing of Gibson Dunn’s services (including invitations to events and email alerts);
  • Storage, backup and administration of client files, HR data, and other data as described above.

Categories Of Data

The Personal Data transferred may concern the following categories of data:

  • Details of client’s personal and financial details and their intentions towards third party persons;
  • Details of client’s personnel and third parties who are business associates of Gibson Dunn’s clients, and details of those who correspond with those personnel;
  • Emails and other communications with third parties;
  • Contact details (e-mail address, fax and/or telephone numbers, mobile telephone number, business and/or residential address (in each case, in respect of both business and personal contact details)), billing information, payment history, job functions, details of associates/employees’ Personal Assistant/Secretary and internal personnel hierarchy and meeting / telephone attendance notes;
  • Evidence or materials that may potentially contain evidence relating to an actual or potential dispute (including emails);
  • Due diligence information and information relating to actual or prospective business, company or asset acquisitions.


The Personal Data transferred from the EU, EEA or Switzerland may be disclosed to the following recipients or categories of recipients:

  • Gibson Dunn’s partners, associates and employees who need to have access to such information;
  • Gibson Dunn’s data processors (including IT vendors, data center providers, document management and archiving contractors);
  • The courts, governmental authorities and third parties where Gibson Dunn is required to disclose such information by law or court, governmental or other authorized order;
  • Opponents and counterparties and their affiliated entities (and their counsel, advisers, consultants and other professional experts) where so instructed by its clients or where it is necessary or expedient to do so in order to carry out a client retainer;
  • Law enforcement agencies and other governmental authorities where it is necessary to comply with Gibson Dunn’s understanding of its ethical and professional duties or to prevent physical harm or financial losses;
  • Partners, associates and staff of Gibson Dunn for business development, client relations and marketing purposes.

In cases of onward transfer to third parties of Personal Data of EU individuals received under the EU-US Privacy Shield, Gibson Dunn may potentially be held liable, as set out in the EU-U.S. Privacy Shield Framework.

Verification Mechanism And Enforcement

Verification of Gibson Dunn’s Privacy Shield Policy will be through self-assessment and verified by the Office of the Executive Director of the Firm in a signed statement that will be updated annually and referenced on the Firm’s Internet.

Gibson Dunn’s Privacy Shield Policy concerning personal information received from the EU, EEA and/or Switzerland is accurate, comprehensive, fully implemented and prominently displayed on the Gibson Dunn’s internet website.

The Privacy Shield Policy is available at:

Choices and Means For Requesting Access, Correction, Amendment, Or Deletion Of Personal Data And/Or Limitations On The Use And Disclosure Of Personal Data

Persons to whom the Privacy Shield is applicable may request confirmation regarding whether Gibson Dunn is processing their personal data, request access to their personal data, and/or request that Gibson Dunn correct, amend, or delete their personal data if it is inaccurate or has been processed in violation of the Privacy Shield Principles.  Persons who have consented to Gibson Dunn’s collection, storage, transfer, disclosure to a third party, or other use of their personal information (hereinafter “Processing”) may withdraw that consent at any time and “opt out” from any future Processing.  To the extent, if any, that Gibson Dunn processes sensitive personal information (i.e., personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, or information specifying the sex life of the individual), Gibson Dunn will obtain your consent (i.e., request that you “opt in”) before Processing such data, except to the extent that such consent is not required under the Privacy Shield Principles.

For the foregoing purposes and for other questions, comments, requests, or inquiries regarding the Processing of your personal information by Gibson Dunn, please contact us via e-mail at:

or in writing to:

Gibson Dunn & Crutcher LLP
Attn.: Office of the General Counsel
Martin A. Hewett
1050 Connecticut Ave., NW
Washington, DC 20036
United States of America

Such questions, comments, requests, or inquiries may also be submitted by email to one of the local representatives for our offices in Europe, which are identified at:

All such requests will be handled in accordance with the Privacy Shield Principles and applicable laws, including applicable data protection and privacy laws.  Although Gibson Dunn makes good faith efforts to comply with such requests, there may be circumstances in which Gibson Dunn is unable to provide access to such information, comply with a request to amend, correct, or delete such information, and/or limit the disclosure or use of such information, including but not limited to where complying with the request would: (i) violate a privilege or protection (such as the attorney-client privilege) under applicable law; (ii) compromise confidentiality obligations or the privacy, proprietary, or other legitimate rights of Gibson Dunn, its clients, or other third parties; (iii) involve a burden or expense that would be disproportionate to the risks to the individual’s privacy; or (iv) violate applicable rules of professional responsibility or other applicable laws.  If Gibson Dunn determines that any such requests cannot be complied with for such a reason or reasons, Gibson Dunn will endeavor to provide you with an explanation of why that determination was made.  To protect your privacy, Gibson Dunn will take commercially reasonable steps to verify your identity before granting access to or making any changes to your personal information.

Dispute Resolution

Users are encouraged to contact us should there be a EU-U.S. Privacy Shield or U.S.-Swiss Safe Harbor-related (or general privacy-related) complaint.

For any complaints relating to Personal Data from the EU or Switzerland that cannot be resolved with Gibson Dunn directly, Gibson Dunn has committed to refer unresolved complaints under the Privacy Shield Principles and the U.S.-Swiss Safe Harbor Principles to an independent dispute resolution body based in the United States, JAMS. If you do not receive timely acknowledgement of your complaint from us, or if we have not resolved your complaint, please contact or visit for more information or to file a complaint. The services of JAMS are provided at no cost to you.

Finally, under certain conditions, EU individuals may invoke binding arbitration before the Privacy Shield Panel.

Changes To The Privacy Shield Policy

Gibson Dunn’s Privacy Shield Policy may be amended from time to time, consistent with applicable data protection laws, Gibson Dunn’s legal obligations and professional duties and the then applicable Privacy Shield Principles. Gibson Dunn will make available on its website any new version of its Privacy Shield Policy.