skip to main content

This Data Processing Agreement ("DPA") applies to the processing of information by you on behalf of Paul, Weiss, Rifkind, Wharton & Garrison LLP (“Paul, Weiss,” “us,” “our,” or “we”) and pursuant to the document(s) setting out the details and specifications for an engagement or project between you and Paul, Weiss ("Agreement") under which you provide us certain services ("Services"). This DPA is subject to the terms of the Agreement.


  • A. "Claims" means third party claims and lawsuits.
  • B. "Client" means any Person (as defined below) who employs or retains Paul, Weiss to render legal services, including legal advice or legal representation.
  • C. "Confidential Information" means any and all information or materials disclosed to you by or at the request of Paul, Weiss, its Clients, or its Representatives (as defined below) that are not generally available to the public and that are reasonably treated as confidential by Paul, Weiss, its Clients, or its Representatives whether disclosed before or after the effective date of the Agreement or whether disclosed orally, electronically, or in writing, including, but not limited to, names and information related to Clients of Paul, Weiss; provided, however, that "Confidential Information" does not include information that can be shown by you (1) to have been obtained by you from a source (other than Paul, Weiss, its Clients, or its Representatives) that is not bound by any confidentiality agreement, privilege, or fiduciary duty to maintain the confidentiality of such information; (2) to be generally known and readily available to the public in substantially the same form through no fault of or unauthorized disclosure (whether directly or indirectly) by you; or (3) to have been developed independently by you or your Representatives without use of or access to the Confidential Information disclosed under this DPA.
  • D. "Data Privacy Laws" means (1) the EU General Data Protection Regulation 2016/679 (“GDPR”); (2) the California Consumer Privacy Act of 2018 (“CCPA”); and (3) all other laws concerning the protection of Personal Data (as defined below). Other terms in this DPA that have meanings ascribed to them in Data Privacy Laws, including, but not limited to, "Data Controller," "Data Processor," and “Data Subject” shall carry the meanings set forth under the GDPR, unless otherwise defined.
  • E. “Information” means all information Processed (as defined below) by you on behalf of us, and includes Confidential Information and Personal Data.
  • F. “Information Security Incident” or “ISI” means an act or circumstance in which there is any unauthorized activity that threatens the confidentiality, integrity, or availability of Information. It includes any actual or suspected breach of security leading to the accidental or unlawful destruction, encryption, loss, alteration, unauthorized disclosure of, or access to Information transmitted, stored, or otherwise Processed.
  • G. "Losses" means all of a party's incurred damages, liabilities, judgments, settlements, and costs and expenses (including, but not limited to, the costs and expenses of any and all actions and demands, claims, assessments, judgments, settlements, and compromises relating thereto and the costs and expenses of attorneys and other professionals' fees and expenses incurred in the investigation or defense thereof or the enforcement of rights).
  • H. "Person" means an individual, a corporation, a partnership, a limited liability company, an association, a trust, or any other entity or organization of any kind, including, but not limited to, a governmental authority or agency.
  • I. "Personal Data" means any information that could reasonably be associated or linked, whether directly or indirectly, to an identified or identifiable living individual or household.
  • J. "Process," "Processes," "Processing," or "Processed" means either any activity that involves the use of Personal Data or as Data Privacy Laws may otherwise define process, processes, processing, or processed. It includes any operation or set of operations which is performed upon Personal Data or on sets of Personal Data, whether or not by automated means, such as adapting, aligning, altering, collecting, combining, consulting, destroying, disclosing, disseminating, erasing, organizing, recording, restricting, retaining, retrieving, selling, sharing, storing, structuring, transmitting, using, or otherwise engaging with Personal Data.
  • K. "Representatives" means, as to any party, the affiliates or subsidiaries of such party and the directors, officers, employees, attorneys, accountants, consultants, financial advisors, other advisors, and other service providers, agents, and representatives of such party, its affiliates, or its subsidiaries; provided, however, that in no event shall either party be deemed to be a Representative of the other party.
  • L. “Third Party Processor” means any party that you authorize to Process Personal Data, including other Data Processors, sub-processors, and service providers.


  • A. To the extent that you Process Personal Data in the course of providing the Services, each party acknowledges: (1) for the purpose of the GDPR, Paul, Weiss is the Data Controller of the Personal Data and you are the Data Processor; (2) for the purpose of the CCPA, Paul, Weiss is the Business and you are the Service Provider (as those terms are defined under the CCPA); and (3) for the purpose of all other Data Privacy Laws, Paul, Weiss is the party who determines the means and purpose of the Processing of the Personal Data and you are the party Processing the Personal Data.


  • A. The subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data, and the categories of Data Subjects are set forth here and additionally in the Agreement.
    • 1. Subject-Matter of Processing: The subject-matter of the Processing is to render the Services under the DPA or the Agreement.
    • 2. Duration of Processing: The duration of the Processing is the duration of the provision of the Services under the DPA or the Agreement.
    • 3. Nature & Purpose of Processing: The nature and purpose of the Processing is in connection with the provision of the Services under the DPA or the Agreement, including, but not limited to, facilitating the provisioning of legal advice, representation, or services by Paul, Weiss to its Clients.
    • 4. Data Subjects: The categories of Data Subjects may include: Paul, Weiss's Clients and their personnel, officers, directors, board members, consultants, advisors, agents, clients, and business associates; Paul, Weiss personnel; or other Data Subjects whose Personal Data may be submitted to the Services.
    • 5. Personal Data Categories: The types of Personal Data Processed may include: individuals' names, titles, contact information (including address, telephone number, and email address), identification numbers, and other types of Personal Data submitted to the Services.
    • 6. Sensitive Personal Data Categories: In some cases, when applicable to a specific engagement or project with you, you may Process Sensitive Personal Data on behalf of Paul, Weiss. We consider Sensitive Personal Data to include (a) any data pertaining to or collected from children, (b) confidential identifying information, such as social security number, driver’s license number, or passport number, and (c) any data pertaining to an individual’s or household’s: biometrics; criminal record; disciplinary history; familial status; finances; genetics; immigration or residency status; mental or physical health status; political, religious, or philosophical beliefs; racial or ethnic origin; sex life; sexual orientation; social history; or trade union membership.


  • A. You acknowledge and agree to:
    • 1. Abide by applicable Data Privacy Laws;
    • 2. Treat all Personal Data as Confidential Information;
    • 3. Only Process that Personal Data in accordance with the documented instructions of Paul, Weiss to the extent required for the provision of the Services and to comply with your obligations under this DPA or the Agreement. You shall never Process the Personal Data in a manner inconsistent with Paul, Weiss's documented instructions;
    • 4. Immediately notify Paul, Weiss if, in your opinion, you can no longer meet your obligation to Process the Personal Data for the limited and specified purposes set forth under this DPA or the Agreement. At such time, you shall cease Processing or shall take other reasonable and appropriate steps to remediate any unauthorized Processing;
    • 5. Immediately notify Paul, Weiss if, in your opinion, any of Paul, Weiss's instructions infringe or would breach Data Privacy Laws; and
    • 6. Assist Paul, Weiss with undertaking an assessment of the impact of Processing that Personal Data, and with any consultations with a supervisory authority, if and to the extent an assessment or consultation is required to be carried out under Data Privacy Laws.


  • A. Taking into account the nature of the Processing, you shall assist Paul, Weiss by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Paul, Weiss's obligation to respond to requests by Data Subjects to exercise their rights laid down in applicable Data Privacy Laws.
  • B. If a Data Subject makes a written request to you to exercise any such rights, you shall forward the request to Paul, Weiss promptly and shall, upon Paul, Weiss's reasonable written request, provide Paul, Weiss with all cooperation and assistance reasonably requested by Paul, Weiss in relation to that request to enable Paul, Weiss to respond to that request in compliance with applicable deadlines and information requirements.


  • A. You agree that you will strictly protect and maintain the security of all Information and shall have in place a comprehensive security program for safeguarding all Information that complies with all applicable laws and regulations relating to information security, privacy, confidentiality, and nondisclosure.
  • B. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purpose of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, you shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the risk of unauthorized or unlawful Processing of Information, and of accidental or unlawful loss, alteration, unauthorized disclosure or destruction of, or damage to, Information.
  • C. You shall maintain written security policies that are fully implemented and applicable to the Processing of Information. At a minimum, such policies should include assignment of internal responsibility for information security management, devoting adequate personnel resources to information security, carrying out verification checks on permanent staff who will have access to the Information, conducting appropriate background checks, requiring employees, vendors, and others with access to Information to enter into written confidentiality agreements, and conducting training to make employees, vendors, and others with access to the Information aware of information security risks presented by the Processing.
  • D. You shall compile and maintain a disaster recovery and business continuity plan so that you may continue to provide the Services to us in the event of a disaster. In addition, the plan will adequately address planning for pandemic and other circumstances that may result in material loss of availability of personnel.
  • E. You shall permit us or our representatives to assess your operations and comply with all reasonable requests by us to enable us to verify your compliance with your security obligations under this DPA or the Agreement.
  • F. You warrant that for the duration of the Agreement, and where applicable given the nature of the Services, you will maintain high availability in line with industry best practices for systems that contain Information or that support our business.
  • G. You shall maintain written procedures that are fully implemented and applicable to the handling of an Information Security Incident (“ISI”).
    • 1. You shall promptly notify Paul, Weiss, including by email to and, within thirty-six (36) hours of becoming aware of an ISI. Any such notification made to Paul, Weiss must include, per ISI, the following information:
      • a. A description of the nature of the ISI, including, where possible, a description of the impacted Information, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
      • b. Time, date, and location of the ISI;
      • c. The name and contact details of your information security officer, data protection officer, or another contact point where more information can be obtained;
      • d. Any other pertinent information regarding the ISI and its aftermath, including a description of the likely consequences and risks to Data Subjects; and
      • e. A description of the measures taken or proposed to be taken by you to address the ISI, including, where appropriate, measures to mitigate its possible adverse effects.
    • 2. In the event of an ISI, you shall (a) coordinate with us to take all necessary steps to minimize the impact of the ISI; (b) cooperate with us in managing the response to the ISI, including, but not limited to, providing us, our Representatives, or our impacted Clients with all necessary information, documents, and access; (c) provide us with all cooperation and assistance reasonably requested to enable us to perform a thorough investigation into the ISI, to formulate a correct response, to take suitable further steps in respect of the ISI, and to notify the relevant supervisory authority and relevant Data Subject(s) (as applicable); and (d) promptly use your best efforts to prevent a recurrence of any such ISI.
    • 3. You agree that you shall not inform any third party of any ISI without first obtaining our written consent other than to inform a complainant that the matter has been forwarded to us. You agree that we shall have the sole right to determine (a) whether notice of the ISI is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies, or others as required by law or regulation; (b) the contents of such notice; and (c) whether any remediation may be offered to affected individuals and the nature and extent of any such remediation.
    • 4. You agree to maintain and preserve all documents, records, and other data related to the ISI subject to the terms of this DPA or the Agreement.


  • A. Before disclosing or providing access to Personal Data to any of your personnel, employees, or other Representatives, you shall ensure that those persons:
    • 1. Have undergone appropriate training in data protection and the care and handling of Personal Data; and
    • 2. Are bound to hold the information in confidence to at least the same standard as required under this DPA (whether under a written agreement or otherwise).
  • B. With respect to use of Third Party Processors, you shall:
    • 1. Not engage a Third Party Processor without prior specific or general written authorization of Paul, Weiss and, in the case of general written authorization, inform Paul, Weiss of any intended changes concerning the addition or replacement of a Third Party Processor, thereby giving Paul, Weiss the opportunity to object to such changes. You shall remain fully liable for the performance of any such Third Party Processors;
    • 2. Before disclosing Personal Data to any Third Party Processor, enter into a written contract with that Third Party Processor under which the Third Party Processor agrees to comply with obligations equivalent to those set out in this DPA; and
    • 3. Ensure that any Third Party Processor is bound by data privacy obligations that are equivalent to those set out in this DPA (including, but not limited to, the obligation to implement appropriate technical and organizational measures) and supervise compliance thereof. Paul, Weiss may request that you audit the Third Party Processor or provide confirmation that such an audit has occurred to ensure compliance with Paul, Weiss's obligations imposed by you in conformity with this DPA.
  • C. You shall never sell, share, provide, transfer, disclose, retain, or use Personal Data for any purpose other than for the specific purpose of performing the Services.


  • A. You shall not transfer Personal Data to, or Process Personal Data in, any third country or territory without the prior written consent of Paul, Weiss (which consent may be conditional upon you or the relevant third parties entering into an agreement containing similar terms to this DPA with Paul, Weiss) unless (and for so long as):
    • 1. There has been a European Community finding of adequacy pursuant to Article 25(6) of Directive 95/46/EC or, after 24 May 2018, Article 45 of the GDPR in respect of that country or territory; or
    • 2. Paul, Weiss or you and the relevant importing entity are party to a contract in relation to the export of Personal Data incorporating standard contractual clauses in the form adopted by the European Commission under Decision 2021/914/EU, mechanisms issued by the UK Information Commissioner’s office including an international data transfer agreement or an international data transfer addendum to the European Commission’s standard contractual clauses, or an equivalent data transfer agreement meeting the requirements of Data Privacy Laws.
  • B. Where any relied-upon mechanism for cross-border transfers of Personal Data is subsequently modified, revoked, or found by a supervisory authority, court of competent jurisdiction, or other governmental authority to be an invalid means of complying with the restrictions on transferring Personal Data to a third country or territory as set out in Data Privacy Laws, the parties shall act in good faith to agree the implementation of an alternative solution to enable Paul, Weiss to comply with the provisions of Data Privacy Laws in respect of any such transfer.


  • A. You shall notify Paul, Weiss within thirty-six (36) hours if you receive any complaint, notice, or communication that relates directly or indirectly to the Processing of Personal Data, or to either party's compliance with Data Privacy Laws, and shall fully cooperate and assist Paul, Weiss in relation to any such complaint, notice, communication, or non-compliance.
  • B. Upon Paul, Weiss's reasonable written request, you shall provide all information necessary to demonstrate compliance with this DPA, and allow Paul, Weiss or an auditor appointed by Paul, Weiss to carry out audits, including inspections, whether physical or via remote access, of facilities, equipment, documents, and electronic data, relating to the Processing of Personal Data by you or any Third Party Processor, to verify compliance with this DPA.


  • A. Unless expressly stated otherwise in this DPA or the Agreement, upon termination of this DPA or the Agreement, you shall, and shall procure that each Third Party Processor shall, immediately cease to use the Personal Data and shall, at Paul, Weiss's option, return the Personal Data to Paul, Weiss or to a Data Processor nominated by Paul, Weiss or delete the Personal Data and all copies and extracts of the Personal Data unless required to retain a copy in accordance with any laws.
  • B. On expiration or termination of this DPA (however arising), this DPA shall survive and continue in full force and effect.


  • A. You acknowledge and agree to indemnify, defend, and hold harmless Paul, Weiss and its respective Representatives from and against any and all Losses incurred in connection with third party Claims to the extent arising out of or resulting from any breach of this DPA or of Data Privacy Laws by or through you or your Representatives, including costs of enforcing any right to indemnification hereunder and costs of pursuing any insurance providers arising out of or resulting from such Claims. It is understood and agreed that no party's failure or delay in exercising any right, power, or privilege hereunder shall operate as a waiver thereof, nor shall any single or partial exercise thereof preclude any other or further exercise thereof or the exercise of any other right, power, or privilege hereunder.


  • A. We may occasionally update this DPA. If we make significant changes, we will post the changes and update the revision date. To the extent permitted under applicable law, by providing us the Services thereafter, you consent to our updates to this DPA. We encourage you to periodically review this DPA for the latest information on our privacy practices.


Contacting Us

If you ever have any questions or comments about this agreement or any of its contents, please contact us at and we will be pleased to assist you.


© 2024 Paul, Weiss, Rifkind, Wharton & Garrison LLP

Privacy Policy