Privacy Notice for London Candidates
Thank you for your interest in Cooley. When you apply for a position at Cooley, whether as an employee or worker, we need to gather personal information from you and other sources. This notice details how we process your personal information – including the types of information we collect, the sources from which we collect your personal information, the purposes for which we collect your personal information, how long we retain your personal information and your rights with respect to the personal information we collect.
We will process your personal information in compliance with applicable data protection laws and principles. In particular, we will:
- Process your personal information only in a fair, lawful and transparent way.
- Collect your personal information only for valid purposes, which we identify in this notice.
- Limit our processing of your personal information to the purposes we describe in this notice and not use your personal information in any way that is incompatible with those purposes.
- Make sure your personal information is accurate and kept up to date.
- Keep your personal information only so long as necessary for the purposes we describe in this notice.
- Ensure your personal information is kept securely.
This notice is intended to meet our duties of transparency under the UK’s implementation of the General Data Protection Regulation (UK GDPR). It is important you read this notice so you are aware of how and why we are using your personal information, your rights and how the law protects you. This notice does not form an operative part of any future contract you may have with Cooley and is not intended to create any employment relationship between you and Cooley.
You should be aware that if you fail to provide certain personal information when requested, we may not be able to perform steps necessary to enter into a contractual relationship with you, or we may be prevented from complying with our legal obligations (such as to ensure the health and safety of our employees, workers and contractors).
We may update this notice from time to time. If we do, we will provide you with and/or make available a revised notice.
Who we are
Cooley UK is a limited liability partnership (LLP) law firm incorporated in England and Wales. The UK office is an affiliate of Cooley LLP, a global law firm headquartered in the United States with offices around the world. For more information about Cooley and details of how to contact us, please review the About and Contact us sections on cooley.com webpages.
What personal information we collect about you when you apply for a role at Cooley
All the personal information we collect – both from you and from third parties about you – is outlined in the table below.
| Category of personal information collected | What this means |
| Identity data | First name, middle name(s), surname, title, national identification and/or passport number, national insurance number, driver’s licence, photographs |
| Contact data | Your home address, work address, email address, telephone number(s) |
| Biographical data | First name, middle name(s), surname, maiden name, marital/civil partnership status, title, date of birth, gender, ethnicity, nationality, education history, professional history, professional qualifications and memberships, references, information relating to references such as referees’ names and contact details, information contained within letters of application and CVs, language proficiencies and other skills, certifications, certification expiration dates, information necessary to complete background checks |
| Immigration data | National identification and/or passport number, details of residency and/or work permit and other information that would allow us to verify your eligibility to work in the UK |
| Engagement data | Title and description of your prior roles, department, work location, dates of prior employment/engagement, employment/engagement status and type (e.g., full-time/part-time), terms of employment/engagement, contracts, work history (current, past or prospective), training and learning program participation, termination date(s) and reason, length of service, willingness to relocate, current salary, desired salary, employment/engagement preferences, information necessary to complete background checks, drug and/or alcohol tests and other screens permitted by law, information gathered through testing processes and assessments administered by Cooley or a third party |
| Facilities data | Information about your access to Cooley offices and facilities (e.g., keycard scans, computer login data when on the office network, security camera footage) |
| Other data | This might include data not listed above that you provide to us, such as feedback and survey responses where you choose to identify yourself. |
Personal information from third-party sources
In addition to the personal information we collect from you directly, in certain circumstances, we also may collect personal information from third-party sources. Please see below for a list of the types of third-party sources from which we may collect your personal information (including whether the source of that personal information is publicly available):
- Agencies or recruiters that refer you to us
- Job board websites you may use to apply for a job with us
- Previous employers, companies or persons, when they provide us with references
- Professional references that you identify and authorise us to contact
- Providers of background checks, credit checks or other screening services (where permitted by law)
- Your social media profiles or other publicly available sources (information gathered from these sources is publicly available)
How we use your personal information – and why
In respect of each of the purposes for which we use your personal information, the UK GDPR requires us to ensure that we have a “legal basis” for that use. Most commonly, we will rely on one of the following legal bases:
- Where we need to take steps at your request before entering into a contract with you (contractual necessity)
- Where we need to comply with a legal or regulatory obligation (compliance with law)
- Where it is necessary to protect your or another person’s vital interests (vital interests)
- Where it is necessary for our legitimate interests, and your interests and fundamental rights do not override those interests (legitimate interests) – more detail about the specific legitimate interests pursued in respect of each purpose we use your personal information for is set out in the table below
- Exceptionally, with your consent (consent)
The table below shows – at a very high level – how we may use your personal information and the relevant legal bases we rely upon for that use.
In the appendix to this notice, we have set out in detail the purposes for which we may use your personal information, the legal bases we rely on in respect of each such purpose (including details of any legitimate interests pursued, where applicable) and the categories of personal information typically used for the relevant purpose.
| Purpose | Legal basis |
| Precontractual performance – We may process your personal information (including sharing it with third parties, where appropriate) where necessary to take precontractual steps relating to your potential employment or engagement, including managing the recruitment process and taking any associated steps you may request before entering into any contract with you. | Contractual necessity |
| Talent management – We may process your personal information (including associated sharing with third parties, where appropriate) for talent management purposes, including for the purposes of considering your job application and determining whether, and on what terms, to make an offer to employ or engage you. | Legitimate interests |
| Business operation and improvement – We may process your personal information (including sharing it with third parties, where appropriate) to operate and improve our business. | Legitimate interests |
| Facilities management – We may process your personal information (including sharing it with third parties, where appropriate) to operate, manage and secure our premises and facilities, and to monitor your attendance at our premises and facilities. | Legitimate interests |
| Health screening – We may process your personal information by requiring health screenings to access our premises to help protect the health and safety of you, staff, representatives of Cooley and its affiliates, and others (such as other visitors). | Depending on the circumstances: compliance with law or legitimate interests |
| Protection of health and vital interests – We may process your personal information to protect your vital interests or those of a third party. | Vital interests |
| Compliance and protection – We may process your personal information (including sharing it with third parties, where appropriate) for compliance and protection purposes (including the establishment, exercise or defence of legal claims). | Depending on the circumstances: compliance with law or legitimate interests |
| Data-sharing in the context of corporate events – We may process and disclose your personal information in the context of actual or prospective corporate events. | Legitimate interests |
| Privacy protective steps – We may create aggregated, de-identified and/or anonymised data from your personal information. | Legitimate interests |
| Further uses – In some cases, we may use your personal information for further uses, in which case we will ask for your consent to use your personal information for those further purposes (if they are not compatible with the initial purpose for which the information was collected). | Consent or the original legal basis where the relevant further use is compatible with the initial purpose |
In addition to establishing a legal basis, where we use any ‘special categories’ of personal information (e.g., your health data), we also have to satisfy an additional condition to process such personal information because it is considered to be more sensitive in nature. The condition that may apply will depend on the circumstances and the purposes of the relevant processing. However, as examples of conditions that we may rely upon:
- We may need to process that data to carry out our legal obligations or to exercise rights in connection with employment and social security and social protection law (employment-related legal obligations).
- We may need to process that data because it is necessary for reasons of substantial public interest (e.g., for some equal opportunities monitoring, preventing or detecting unlawful acts, etc).
- We may need to process that data because it is necessary for the establishment, exercise or defence of legal claims (including a regulatory, administrative or any out-of-court procedure) and seeking advice.
Who we share your personal information with
As part of our business, and in relation to your application, we may share your personal information with certain third parties. Please see the list below for information about the categories of such third-party recipients:
Affiliates – Cooley LLP and its affiliates
For example, this may occur:
- To enable Cooley to operate shared infrastructure, systems and technology.
- As part of our reporting activities on our performance.
- In the context of a business reorganisation or restructuring exercise.
Service providers – Providers of services to Cooley or its affiliates
For example, this may involve sharing of personal information with such providers for the purposes of:
- Human resources
- Travel, transportation and accommodation
- IT systems and support, as well as information and physical security
- Background checks and other screenings
Professional advisers – Accountants, auditors, lawyers, insurers, bankers and other professional advisers
Parties involved in corporate events – We may disclose personal information in the context of actual or prospective business transactions. For example, we may need to share certain personal information with prospective counterparties and their advisers. We also may disclose your personal information to an acquirer, successor or assignee of Cooley as part of any merger, acquisition, sale of assets or similar transaction, and/or in the event of an insolvency, bankruptcy or receivership in which personal information is transferred to one or more third parties as one of our business assets. Please note: We would always look to take steps to minimise the amount and sensitivity of any personal information shared in these contexts, where possible and appropriate.
Compliance and protection-related sharing – We may need to, or may have a legitimate interest in, sharing your personal information with entities that regulate or have jurisdiction over us (such as regulatory authorities, public bodies and judicial bodies). We also may share your personal information in the context of protecting our, your or others’ rights, privacy, safety or property (including by establishing, making and defending legal claims).
Data transfers
We may share your personal information with third parties that are based outside the UK (including with certain of our affiliates) in connection with the processing of personal information described in this notice. In such circumstances, their processing of your personal information will involve a transfer of your personal information to countries based outside the UK. Whenever we transfer your personal information outside the UK, we try to ensure a similar degree of protection is afforded to it by making sure that at least one of the following mechanisms is implemented:
- Transfers to territories with an adequacy decision. From time to time, we may transfer your personal information to countries that have been deemed to provide an adequate level of protection for personal information by the UK government.
- Transfers to territories without an adequacy decision. We may transfer your personal information to countries that have not been deemed to provide an adequate level of protection for personal information by the UK government – provided that, in these cases:
- We may use specific appropriate safeguards, which are designed to give personal information effectively the same protection it has in the UK – e.g., the UK’s International Data Transfer Agreement or International Data Transfer Addendum to the European Commission’s ‘Standard Contractual Clauses’.
- In limited circumstances, we may rely on an exception, or ‘derogation’, which permits us to transfer your personal information to such country despite the absence of an ‘adequacy decision’ or ‘appropriate safeguards’ – e.g., reliance on your explicit consent to that transfer, or because it is necessary for the establishment, exercise or defence of legal claims (including a regulatory, administrative or any out-of-court procedure) and seeking advice.
You can contact us if you want further information on the specific mechanism used by us when transferring your personal information out of the UK. You may have the right to receive a copy of the appropriate safeguards under which your personal information is transferred. You can make a request by contacting us using the contact details on cooley.com.
How we keep your personal data secure
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
We limit access to your personal information to those employees and other staff who have a business need to have such access. All such people are subject to a contractual duty of confidentiality.
We have put in place procedures to deal with any actual or suspected personal information breach. In the event of any such breach, we have systems in place to work with applicable regulators. In addition, in certain circumstances (e.g., where we are legally required to do so) we may notify you of breaches affecting your personal information.
How long we store your personal data
Cooley’s retention periods for personal information are based on business needs and legal requirements. We retain personal information for as long as is necessary for the processing purpose(s) for which it was collected, as set out in this notice and any other permissible, related purposes. For example, we may retain certain information to comply with regulatory requirements regarding the retention of such data, or in the event a litigation hold is imposed.
When personal information is no longer needed, we either irreversibly anonymise the data (and we may further retain and use the anonymised information) or securely destroy the personal information.
No automated decisions
Cooley does not envisage that you will be subject to decisions or profiling that will have a significant impact on you based solely on automated decision-making.
Your rights relating to your personal information
Under certain circumstances, by law you have the right to:
- Request access to your personal information. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information. This right exists where we are relying on a ‘legitimate interest’ (defined above) as the legal basis for our processing, and there is something about your particular situation which makes you want to object to processing on this ground.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you – for example, if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information. We will provide to you, or a third party you have chosen, your personal information which you initially provided to us in a structured, commonly used, machine-readable format. Note that this right only applies to personal information we process by automated means which you initially provided consent for us to use, or where we used the information to perform a contract with you.
- Withdraw consent. This right only exists where we are relying on consent to process your personal information.
If you want to exercise any of the rights described above, please contact us using the contact details on cooley.com.
We may need to request specific information from you to help us confirm your identity and verify your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We also may contact you to ask you for further information to assist us in responding to your request.
Typically, you will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, except in relation to withdrawal of your consent (see above), we may charge a reasonable fee if your request is clearly unfounded or excessive, or we may refuse to comply with your request in these circumstances.
Please also note that in certain circumstances the rights above will not apply and/or in certain circumstances some categories of personal information will be exempt from the scope of those rights. We will notify you where this is the case.
We try to respond to all legitimate requests within one month. Occasionally, it may take us longer than one month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
We have appointed a data protection officer (DPO) to oversee compliance with this notice. If you have any questions about this notice or how we handle your personal information, please contact our DPO.
If you would like to make a complaint regarding this notice, you can contact us using the contact details on cooley.com. We will reply to your complaint as soon as we can.
If you feel that your complaint has not been adequately resolved, please note that the UK GDPR also gives you the right to make a complaint directly to the UK Information Commissioner’s Office:
Information Commissioner’s Office
Water Lane, Wycliffe House
Wilmslow – Cheshire SK9 5AF
Telephone: +44 303 123 1113
Website: https://ico.org.uk/make-a-complaint/
Your obligations
You should keep your personal information up to date and inform us of any significant changes to your personal information. If you provide us with the personal information of a referee or any other individual as part of your application, it is your responsibility to inform them of the use (including transfer and disclosure) of that personal information by Cooley for the purposes set out in this notice.