Last Updated: July 1, 2020
Berry Appleman & Leiden LLP is a limited liability partnership organized under the laws of the State of California and has offices in Austin, TX, Boston, MA, Dallas, TX, Houston, TX, McLean, VA, San Francisco, CA, New York, NY, Chicago, IL and Washington DC (together referred to as “BAL” or “we”, “our”, or “us”).
Global Privacy Team
Berry Appleman & Leiden LLP
2400 N. Glenville Dr., Bldg A
Richardson, TX 75082
To contact the Data Protection Officer, click here.
Summary of Key Points
|What information we collect||We collect information about you in connection with your registration, use, purchase or inquiries about our services.|
|How we use your information||We use your information to provide our services, operate our sites and applications, create business insights and comply with law.|
|How we share your information||We have a contract with your employer or immigration sponsor, who is our corporate client, and we share your information with them. Depending on the nature of the services we are providing, we also may engage third party providers and vendors to facilitate the provision of services with respect to foreign governments and may share your data to those providers as well (e.g. through our Alliance program).We do not sell or share information with third parties so that they can independently market their own products or services directly to you.|
|Marketing and your choices||We may use your information to market to you, and will respect your choices about how we communicate marketing to you.|
|International transfers||We transfer your information outside of your home country as permitted by law. Regardless of where your personal data is transferred, it is protected in accordance with the Privacy Shield Principles. While BAL continues to comply with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework, data transfers of personal information to the United States from the EU and Switzerland will be based primarily on the European-Commission-approved standard contractual data protection clauses.|
|Your rights||You have the right to be informed of how we are processing your information and to access, correct, delete or object, upon request and free of charge, to our use of your information, to the extent required by law.|
If you have any questions or complaints about BAL and privacy, or to exercise your rights, please contact the data protection office at email@example.com, or at:
Global Privacy Team
What information we collect
Account information for Cobalt® online tool
If you contact us, register with our Cobalt® online tool or receive services from us, we collect information about you. In order to use such online tool, you may give us information, or your employer or immigration sponsor may send it to us. This may include your name, email address, phone numbers, employer and employment details, education history, and physical addresses. In the event that you are an existing client, we may collect a combination of such information as needed. Depending on the destination country, we may also require passport and visa number and details, government identifiers, gender, date of birth, nationality, ethnicity, race, former addresses, marital history, criminal background, disability, financial details, other information relating to health, religion, spouse and parental details. If we provide services for your family or companions, we may collect similar information about them.
Categories of personal information collected in the prior twelve months
We may collect the following categories of information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household:
- Identifiers, such as: a real name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.
- Records, such as the following types of information: bank account number, credit card number, debit card number, signature, physical characteristics or description, telephone number, state identification number, insurance policy number, and any other financial information.
- Internet or other electronic network activity information, such as, browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.
- Employment information, such as professional or employment-related information.
- Inferences drawn from any of the information identified in this subdivision to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Categories of sources
We may collect all categories of personal information listed above from the following categories of sources:
Source One: we collect personal information directly from you and/or your household that you provide us. Personal information is required to use certain features available on our sites, for example, to create a Cobalt® online account, contact us via email, phone, or our contact us form (where we may retain your message’s content and our response), submit job application materials, receive or request data from us (e.g., via whitepapers, catalogs, and newsletters).
Source Two: we collect personal information automaticallywhen you access our sites. For example, we may collect information such as the websites you visit before or after you visit our sites, pages you click on our sites, IP address, search requests, browser type, operating system, data and time you visit our sites, the amount of time spend on our sites, and the device you use to access our sites.
- Account activity:we may collect data about how you use (i) your Cobalt®online account; (ii) our sites when you are logged into your account. We may combine data automatically collected from you with other personal information about you.
Source Three: we collect personal information we get from third parties and public sources.If BAL is handling your visa or immigration matter, we may obtain personal information about you from your employer, our client, and from public sources. Such public sources may include, but are not limited to, social media sites such as LinkedIn, Facebook, Instagram, Google Scholar and other internet searches. The personal information we may collect and process will depend on the specific nature of an engagement and the services we are providing, such as:
- Addresses, telephone numbers, email addresses, and other contact details
- Age/Date of birth
- Country of residence
- Familial/relationship situation
- Information relating to education and qualifications
- Information relating to employment
- Other information connected to health
- Criminal records or similar details
Purpose for collecting personal information
We may use all categories of personal information listed above for the following business purposes:
- As stated or agreed to at the point of collection. We may use personal information for the purposes stated or agreedto (or as is obvious) at the point of collection. For example, we use personal information to respond to your questions, comments, or complaints. We may also use personal information as requested or consented by you.
- Administration. We use personal information for administrative purposes, such as managing your accounts, facilitating transactions, to inform our business strategies, to understand our sites’ demographics and user preferences, for evaluating applications, and managing profiles.
- Website management. We use personal information for management of our sites, such as troubleshooting problems, improving the content and functionality of our sites, statistical and other analyses of our sites, and to customize our sites to you and our users.
- Advertising. We may use personal information to send you promotions or to perform targeted advertising, to notify you of new services, products or programs, to notify you of new features of our sites, to notify you of changes to our terms or this policy, and for other similar communications.
California’s Do Not Track Signals Requirement
WE DO NOT ALTER OUR DATA COLLECTION AND USE PRACTICES IN RESPONSE TO DO NOT TRACK SIGNALS. WE CURRENTLY DO NOT HONOR “DO NOT TRACK” REQUESTS.
How we use your information
When we process personal information about you, we do so as necessary to provide the products and services you and your employer or immigration sponsor use, to operate our business, to meet our contractual and legal obligations, to protect the security of our services, systems and customers, or to fulfil other legitimate interests to provide the Cobalt site and the services that we have been engaged to provideas described in this policy.
- Provide our products and services to you or to our corporate clients
We use your information to provide our immigration, consulting, business insights, and other related services to you or at the direction of your employer or immigration sponsor, to comply with our agreements with them, to communicate about our products and services, and to help them ensure compliance with their policies.
- Operate websites and mobile applications
We use device data to monitor and improve the performance and content of our services, provide updates, analyse trends and usage in connection with our services, and measure whether our site content is effective.
- Operate and improve our business
We use your information for compliance with our company policies and procedures, for accounting and financial purposes, to detect or prevent fraud or criminal activity, and to perform, analyse and improve our business and services.
- Complying with law
Some of the activities we undertake are necessary to comply with our legal or other obligations as a business service provider of legal advice. Under certain circumstances, we may be required by law to provide personal data to law enforcement agencies, courts or others in connection with claims and other litigation; to comply with state public records law, or an anti-terrorism request.
How and with whom we share your personal information
Your employer or immigration sponsor
Our services to you are typically provided under the terms of our service agreements with your employer or immigration sponsor. We share your information with them to allow them to manage their immigration needs and assure compliance with their policies. At the request of your employer or immigration sponsor, we may also share information with their vendors. In the event that our client wishes to engage alternative legal advisers, we may transfer your personal information to those advisors to ensure continuity of business.
With our business partners and partner network
If your immigration request takes you to countries serviced by one of our local network partners, they may have access to your account information, immigration plans and other information necessary to provide you with the services you or your employer or immigration sponsor may request.Sharing with these local partners is in accordance with the Privacy Shield Principles which mandate privacy and security measures for the transfer of information wherever they may be located.
Immigration authorities in destination countries
We share information with immigration authorities (for example consulates and other government or law enforcement agencies), and their vendors as necessary to provide immigration and related services to you and your employer.
Vendors and third party providers
We share information with vendors that perform functions on our behalf, such as vendors offering notarization, translation, authentication, and legalization services, visa and passport providers, third party providers to facilitate the provision of services with respect to foreign governments (e.g., through our Alliance program), mobile application and software developers, and vendors who provide IT support, data hosting and marketing and communication services. These vendors process your information only as necessary to perform their functions as instructed in our contracts with them. Information regarding the ways in which our Alliance program (Deloitte LLP) collects, uses and shares personal information when providing immigration services to you outside of the United States can be found on Deloitte’s GlobalAdvantage Privacy Statement.
We combine data from many people to create aggregated statistics that do not identify you personally. We use this data to understand business trends and insights, and we may share them with third parties.
Business transfersfor change in ownership
- In the event that we sell or buy any business or assets, we may transfer your personal information to the seller or buyer of such business or assets.
- If BAL assets are acquired by a third partypersonal information may be one of the transferred assets.
As permitted or required by law
We share personal information when we think it’s reasonably necessary to protect ourselves and the people who use our services, enforce agreements, respond to emergencies and comply with law.
In exceptional circumstances, we may share personal information with government agencies other than immigration authorities and other third parties if we believe it is reasonable and necessary to comply with law, regulation, legal process or governmental request; to enforce our agreements, policies and terms; to protect the security of our services; to protect BAL or the public from harm or illegal activities; or to respond to an emergency.
We may also share personalinformation with other parties as directed by you or subject to your consent.
We do not sell personal information.
We do not sell information to third parties so that they can independently market their own products or services directly to you.
Before transferring your personal information to third parties, we will require the third party to maintain at least the same level of privacy and security for your personal information that we do. We remain liable for the protection of your personal information within the scope of our Privacy Shield certification that we transfer to third parties, except to the extent that we are not responsible for the event that leads to any unauthorized or improper processing.
Marketing and your choices
- BAL may use your personal Information to communicate with you via email or direct mail to inform you about newsworthy topics and upcoming events that may be of interest to you. For example, BAL would like to use your email address to send you the firm's Legal Update newsletter or to send you an announcement concerning an upcoming seminar. When collecting your personalinformation for this use BAL will seek your consent to being contacted in this way. If you would like us to stop sending you these marketing messages, you may update your email preferences by using the “Unsubscribe” link found in emails we send to you or by contacting us.
- We also send you messages that are essential for our services; for example, we may communicate with you about questions we have in drafts relating to your immigration case, to service your account, to fulfil your requests or otherwise as required by law. Some of these services contain information presented to you as part of our service relationship with your employer or immigration sponsor (for example, messages that help you comply with their business policies). If you opt out of marketing messages, you will continue to receive these service messages.
How we protect and store your information
We maintain reasonable administrative, technical, and physical security measures to protect your information from unauthorized access and use. We retain your information only as long as needed to provide our services and for legitimate business purposes, unless we are required by law or regulation or for litigation and regulatory investigations to keep it for longer periods of time.
Use and disclosure of de-identified or aggregated information
We may collect, use, share, transfer and otherwise process de-identified and aggregated information that we receive or create for any purposes in our sole discretion, in compliance with applicable laws. We are the sole and exclusive owner of such de-identified and aggregated information, including if we de-identified personal information so that it no longer is capable of identifying an individual.
For the purposes described here, it may be necessary to transfer your information to jurisdictions outside of your home country including to countries that may not provide the same level of data protection as your home country. Recipients are likely to be located in any jurisdiction where you may be traveling. To protect your information, transfers will be made as permitted by applicable law, including, where necessary, being subject to appropriate contractual clauses. Regardless of where we process your information, we protect it in the manner described in this privacy statement and in accordance with applicable law.
BAL LLP continues to participate in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. BAL is committed to subjecting all personal information received from EU member countries and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List.
BAL is responsible for the processing of personal information it received, under each Privacy Shield Framework, and subsequently transfered to a third party acting as an agent on its behalf. BAL complies with the Privacy Shield Principles for all onward transfers of personal information from the EU and Switzerland, including the onward transfer liability provisions.
With respect to personal information received or transferred pursuant to the Privacy Shield Frameworks, BAL is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, BAL may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Please note that while BAL continues to comply with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework, data transfers of personal information to the United States from the EU and Switzerland will be based on the European-Commission-approved standard contractual data protection clauses.
Within the scope of this privacy notice, if a privacy complaint or dispute cannot be resolved through BAL’s internal processes, BAL has agreed to participate in the VeraSafe Privacy Shield Dispute Resolution Procedure. Subject to the terms of the VeraSafe Privacy Shield Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe under the Privacy Shield Dispute Resolution Procedure, please submit the required information to VeraSafe here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/
Under certain conditions, more fully described on the Privacy Shield website at https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
BAL keeps personal information for as long as necessary to provide our products and services, fulfil requested transactions, or for other essential purposes such as complying with our legal obligations, preventing fraud, resolving disputes and enforcing our agreements. Because these needs can vary for different data types in the context of different services, actual retention periods may vary. Here are some of the factors we have considered to set retention times:
- How long do we need the personal information to develop, maintain and improve our services, keep our systems secure, prevent fraud, and store appropriate business and financial records.
- Have you asked us to stop using your data? Where we can delete the data, we will process it for only a short period after this to meet your request.
- Are we subject to a legal, regulatory or contractual obligation to keep the data? For example, we’re required to keep transaction data and other information that helps us carry out law firm record requirements. We may also need to comply with government orders to preserve data relevant to an investigation or retain data for the purposes of litigation.
Social Media Links
Our sites are general audience sites not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we obtain actual knowledge that any personal information we collect has been provided by a child under the age of 13, we will promptly delete that information. If a parent or legal guardian learns that their child provided us with personal information without his or her consent, please contact us and we will make commercially reasonable attempts to delete such personal information.
If you have created an online account with us and would like to update the information you have provided to us, you can access your account to view and make changes or corrections to your information. You may also have the right to be informed of whether we are processing your personal information and to access, transfer, correct, delete or object, upon request and free of charge, to our use of your information. Please note that we may need to retain certain information for recordkeeping, to complete any transactions you began before your request, or for other purposes permitted by law.
Subject to certain limitations such as (a) exceptions permitted by applicable law and (b) verification of your identity, you may exercise the following rights with regard to your personal information:
- Right to access. You have a right to access any of the following which occurred in the prior 12-month period: (a) the categories of personal information we collected from you, (b) the categories of sources from which the personal information was collected, (c) the business or commercial purpose for collecting or selling your personal information, (d) the categories of third parties with whom we shared your personal information, and (e) the specific pieces of personal information we collected from you (i.e. "data portability"). You also have a right to access a list of categories of personal information we sold or disclosed for a business purpose in the last 12 months.
- Right to deletion. You have a right to request that we delete personal information we collected from you. We will comply with such request, and direct our service providers to do the same, subject to certain exceptions permitted by applicable law.
Lawfulness of processing
In many of the countries where we operate, data protection law requires us to process personal data only where we have an approved basis under the law. You have the right to understand what our legal bases are, so we explain them here. We use the following bases, depending on the activity we undertake:
Performing a contract
In most cases, the data we collect and the things we use it for are necessary for us to provide immigration services as requested by you or your employer or immigration sponsor.
- Provide you with our products and services
To provide immigration services to you and your family, to communicate with you about our products and services, provide customer services and manage your account. We may also use your personal information to complete background checks and confirm references as needed for immigration requirements.
- Provide our products and services to corporate clients
To provide our immigration, consulting, business insights, and other related services to your employer or immigration sponsor, to comply with our agreements with them, to communicate about our products and services, and to help them ensure compliance with their policies.
When we receive and process a request for our services, we are complying with GDPR Article 6(1)(b).
- Provide you with our products and services
Meeting our legitimate interests
We use personal data as necessary to meet our legitimate business interests. When we do, we make sure we understand and work to minimise its privacy impact. For example, we limit the data to what is necessary, control access to the data, and where we can, aggregate or de-identify the data.
Some examples of the data processing activities we undertake in our legitimate interests are:
- Preventing fraud and unauthorised use
- Communicating news and industry events to our current and prospective clients
- Developing and improving our products and services
- Accounting and financial purposes
- To perform, analyse and improve our business and services
- Operate websites and mobile applications
- Monitor and improve performance and content
- Compliance with our company policies and procedures
What is legitimate interest? Under GDPR Article 6(1)(f), companies have the ability to engage in activities without consent under a balancing test. Do we have legitimate interest in engaging gin the activity that is not outweighed by the interest or fundamental rights and freedoms of the data subject?
With your consent
In some cases, we process personal data with your specific and informed consent. We tell you in the service where you can make a choice or grant consent. If you have granted consent, you may withdraw it at any time to stop any further processing. In order to request this, please send us an email.
How to exercise your rights
To exercise your rights described in this policy, please submit your request to us by contacting us by the following methods:
More on submitting a request to delete your information.Subject to our verification of your identity as described below, you may submit your request to delete your information here: Privacy Request Form.
Who may exercise their rights.You may only make a request to exercise your rights on behalf of yourself. A parent or legal guardian may make a request on behalf of their child. If you are a California resident, only you or a person registered with the California Secretary of State that you authorize to act on your behalf may make a request related to your personal information. See the section titled "Authorized Agents" below for more information.
Verifiable consumer request.In order to verify your request, you must provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information and you must describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
When we will respond. We will try to respond to your request within 45 days. If we require additional time, we will inform you of the reason and extension period. Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. For data portability requests, we will select a format to provide your personal information to you. We may charge a fee to process or respond to your request if it is excessive, repetitive, or manifestly unfounded.
You have a right to not receive discriminatory treatment for exercising any of your rights as mentioned in this section.
Youmay designate an authorized agent to make a request on your behalf to exercise your rights by doing the following: (1) provide the authorized agent written permission to do so; and (2) verify your own identity (per the process stated above), as well as the identity of the authorized agent directly.
If you are in the EU
You have a number of rights under European lawconsisting of the right to:
- Request access to or correction of your personal information
- Object to the processing of your personal information
- Where you have granted consent for us to process your personal information, you can withdraw that consent at any time for future processing
- Under certain circumstances, you may be able to transfer the personal information you submitted to us to another company
- You can lodge a complaint with a data protection authority
To learn more or exercise these rights, contact us here.
If you have any questions or complaints about BAL and privacy, or to exercise your rights, please contact the data protection office at firstname.lastname@example.org, or at any of the following:
Global Privacy Team
Berry Appleman & Leiden LLP
2400 N. Glenville Dr., Bldg A
Richardson, TX 75082
In most cases, we will ask that you put a complaint in writing. We will investigate your complaint and will generally respond to you in writing within 30 days of receipt. If any complaint remains unresolved or if you are otherwise dissatisfied with the response that you receive from us, you may have the right to lodge a complaint with your regulator or the U.S. Department of Commerce.