Last Updated April 2024

Transparency is important to us at Cohen & Gresser. That’s why our Privacy Policy (the “Policy”) aims to be clear about the types of information we collect, what we do with that information, and our data protection and storage practices.

We take your privacy very seriously. Please read this privacy policy carefully as it contains important information on who we are and how and why we collect, store, use and share your personal data. It also explains your rights in relation to your personal data and how to contact us or supervisory authorities if you have a complaint.

The Policy describes our privacy practices regarding information collected from our website, social media and other sources, and HTML-formatted emails that link to the Policy, as well as your choices with regard to use, access, and amendments of information relating to you as an identified or identifiable natural person (“Personal Data”). We collect some Personal Data automatically, for example some limited website or social media interactions when personal data is involved. If this occurs, this information is used for statistical purposes only. Otherwise, all of your Personal Data is given directly to us by you.

Clients of this firm should read this policy alongside our Terms of Business, which provide further information on confidentiality in respect of clients and outline our approach to storage of Personal Data including sharing and deletion in due course.

We only share this information with other Cohen & Gresser entities and to third parties to the extent necessary to help us serve you under a contract for services, to market our legal services to you more effectively, or to comply with our legal obligations. By using our website, interacting with us on social media, clicking on our HTML-formatted emails, or by providing Personal Data to us in any other way, you agree to the collection and processing of your Personal Data as set out in this Policy.

Please note that we do not request, collect, or otherwise process Personal Data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a person’s sex life or sexual orientation.

1. How do we collect and process your Personal Data

1.1 Information you provide We collect the Personal Data you voluntarily provide to us from time to time via email or other means of communication, in particular when:

  • we (or a member of our firm) handle a legal matter on your behalf and need to take your Personal Data as part of providing services to you; or
  • we (or a member of our firm) otherwise enter into a business relationship with you; or
  • you give your business card to a member of our firm;
  • you apply for a position at our firm;
  • you send an email to us (or a member of our firm) for any reason.

Such Personal Data may include your first/last name, date of birth, address, company/organization name, your functions, telephone numbers, email address, country, type of assistance required and/or your message, CV, letter of motivation, letter of recommendation, qualifications, etc. Such information is used for the following purposes:

  • Engaging with you to assess whether or not we can provide legal services to you or your business, organization, etc;
  • Answering your inquiries and requests, including questions regarding our firm and policies, requests for marketing communications, and recruitment queries;
  • During the course of our business, including in relation to legal services and advice;
  • Contact you via marketing communications, such as client alerts, press releases, and event invitations;
  • Updating our contact lists to ensure accurate information and areas of interest;
  • Recruitment purposes;
  • Improving our services, including through data analytics, audits, and fraud detection.

This processing is necessary:

  • for the provision of our services and the fulfillment or performance of an agreement with you; or
  • for our other legitimate purposes under applicable laws, including but not limited to complying with our Anti-Money Laundering, Sanctions, and professional rules.

Personal Data is retained as long as necessary in order to fulfil the purpose for which it is processed, and no longer than is necessary to comply with any legal or statutory purpose. We delete Personal Data periodically and you should note we may delete Personal Data without notice to you.

Where the Money Laundering Regulations 2017 (MLR 2017) apply we must identify and verify our client’s identity. We will ask questions designed to achieve identification and in some cases to ensure the funds for your instruction are from legitimate sources of funds and your wealth has been obtained lawfully.

1.2 Direct marketing We may, from time to time, send you direct communications including news regarding our firm, invitations to events or articles written by our attorneys. You must communicate an email address in order to subscribe to any of our newsletters and client alerts. You can choose to unsubscribe at any time, either by clicking on the link provided at the bottom of our newsletters or client alerts, or by sending us a request to that effect.

1.3 Information collected automatically and cookies When you visit our website, the following information about your visit is automatically collected by us:

  • your computer’s or mobile device’s operating system;
  • the application or software that you used to access our website;
  • your Internet Protocol (“IP”) address;
  • the time you accessed our website;
  • the device type with which you accessed our website;
  • your browser type and language configuration;
  • the website you visited before accessing our website;
  • the pages visited and how long each page was accessed for.

Our website may also contain social media features, such as a LinkedIn ‘Follow’ button. These features may collect your IP address and the page of origin from our website and may set a cookie to enable the feature to function properly. The aim of the automatic collection and processing of the information described above is to obtain visit statistics in order to improve our website and your experience as a client or user of our website. In particular, we use IP addresses to analyze trends, administer the website, and gather broad demographic information for aggregate use. Such Personal Data is processed to further our legitimate purposes including to enable us to enhance our website and social media features for the benefit of our clients and the firm. Personal Data is retained as long as necessary in order to fulfill the purpose for which it is processed, and no longer than is necessary to comply with any legal or statutory purpose.

1.4 Cookies A cookie is a piece of data stored on your device containing information related to your visit on our website. You may, at any time, modify, delete, or block the cookies stored on your device when visiting our website. Please note that some functionality of the website may be impaired as a result.  Please refer to your browser’s documentation to learn how to proceed. The use of cookies facilitates the operation of the website and improves the website. By visiting the website without disabling this function, you expressly consent to the use of cookies. The storage duration of cookies differs depending on the cookie, but is never longer than ninety (90) days.

1.5 Third Party

We may also collect information from publicly accessible sources, e.g. Companies House or HM Land Registry, directly from a third party, e.g.:

  • sanctions screening providers;
  • credit reference agencies;
  • client due diligence providers;

from a third party with your consent, e.g.:

  • your bank or building society, another financial institution or advisor;
  • your company or employing entity, any professional body or pension administrators;
  • your doctors, medical and occupational health professionals;

our information technology (IT) systems, e.g.:

  • via our case management, document management and time recording systems;
  • from door entry systems and reception logs;
  • through automated monitoring of our websites and other technical systems, such as our computer networks and connections, CCTV and access control systems, communications systems, email and instant messaging systems.

1.6 Common Data Collection Examples

The table below summarizes the Personal Data we collect, or may collect, in respect of client instructions. The table below is illustrative, and thus not exhaustive,  so the general commentary above applies but these examples are designed to aid your understanding of our use of Personal Data. If you are unsure of how it applies in your case please ask us.

Personal data we will collect Personal data we may collect depending on why you have instructed us
Your name, address and telephone number Your National Insurance and tax details
Information to enable us to check and verify your identity, e.g. your date of birth or passport details for anti-money laundering and sanctions compliance Your bank and/or building society details
Electronic contact details, e.g. your email address and mobile phone number Details of your professional online presence, e.g. LinkedIn profile
Information relating to the matter in which you are seeking our advice or representation Details of your spouse/partner and dependents or other family members, e.g. if you instruct us on a matter when such details are required
Information to enable us to undertake a credit or other financial checks on you Your employment status and details including salary and benefits if relevant to the instruction of the firm to assist you in a legal matter
Your financial details so far as relevant to your instructions, e.g. the source of your funds if you are instructing on a purchase transaction Your nationality and immigration status and information from related documents, such as your passport or other identification, and immigration information, e.g. if you instruct us on a matter to which these details are relevant such as sanctions compliance or challenges
Information about your use of our IT, communication and other systems, and other monitoring information using website cookies Your employment records including, where relevant, records relating to sickness and attendance, performance, disciplinary, conduct and grievances, e.g. if you instruct us on matter related to your employment or in which your employment records are relevant
Your racial or ethnic origin, gender and sexual orientation, religious or similar beliefs, e.g. if you instruct us on discrimination or sanctions challenge piece of litigation

We collect and use this personal data to provide services to you. If you do not provide personal data we ask for, it may delay or prevent us from providing those services.

2. Links to third party sites and Google Analytics

Our website contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage you to read the privacy statements of each and every website that collects Personal Data. Please note that we use a tool called “Google Analytics” to collect information about the use of our website. Google Analytics collects website use information regarding how often users visit the website, what pages they visit when they do so, and what other sites they used prior to coming to our website. We use the information we get from Google Analytics to improve our website. Google Analytics collects only the IP address assigned to you on the date you visit our website, rather than your name. Google’s ability to use and share information collected by Google Analytics about your visits to the website is restricted by the Google Analytics Terms of Use and the Google Privacy Policy. You can prevent Google Analytics from recognizing you on return visits to the website by disabling cookies on your browser.

3. Sharing with third parties

As members of a global firm, we will share your Personal Data with other Cohen & Gresser entities throughout the world including therefore our entities in the United States, the European Union and the United Kingdom (Our Locations). We may disclose your Personal Data to another Cohen & Gresser entity (i) for purposes of outsourcing one or more of the functions described above; (ii) to confirm or update information provided by you; or (iii) for other purposes disclosed at or before the time the information is collected. We may also share your Personal Data with some selected third parties including software providers and vendors who may be based in any of Our Locations (or locations such as, but not limited to, the European Economic Area (EEA), when the data will be secured to levels consistent with the security in Our Locations and with the UK GDPR:

  • when legally required to do so; or
  • when utilizing third party vendors to host and secure – but not process – data during the regular course of doing business.

4. Transfers

We operate our services through Cohen & Gresser LLP in the United States. This means that your Personal Data is processed and stored on a server located in the United States. By accessing our website or otherwise voluntarily providing us with information, you consent to having your data transferred and processed in the United States.

In order to ensure the lawfulness of these transfers, we have executed and implemented the European Commission Standard Contractual Clauses for controller-to-controller transfers set by Decision 2004/915/EC and/or we will follow the UK GDPR and/or from 12 October 2023,UK-US Data Bridge. The Standard Contractual Clauses by the EC provide for adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights, and are fully implemented by all entities of Cohen & Gresser and the UK-US Data Bridge adopts adequate measures to protect data between non-EU countries.

5. Security measures

We attempt to protect against the loss, misuse and alteration of your Personal Data and have implemented reasonable administrative, technical, and physical measures to protect your Personal Data, both online and offline. While we have strict procedures in place to safeguard your Personal Data, we cannot guarantee the safety of Personal Data or any transfer of such data which takes place outside of C&G networks. If you have specific questions regarding our security measures, please email

As a general rule, we will keep your Personal Data in our matter file (electronic) for at least seven (7) years from the conclusion of your matter, in case you, or we, need to bring or defend any complaints or claims.

6. Rights with regard to your Personal Data

You have the following rights regarding your Personal Data processed by us.

(a) Right of access: You may request access to your Personal Data that we collect and process about you. This is called a data subject access request and you can make a request about your Personal Data by writing to us using the contact details below.  We may require further information from you in order to verify your identity before giving you access to or disclosing any Personal Data to you.  Should you request such an access, we will provide you with a copy of all your Personal Data in our possession as well as all legally required information, including:

  • the purposes of the processing;
  • the categories of Personal Data concerned;
  • the recipients to whom the Personal Data have been or will be disclosed;
  • the duration of storage of the Personal Data; and
  • further information on your rights regarding your Personal Data.

(b) Right to data portability: You have the right to data portability of your Personal Data. This right differs from your right to access, since it only relates to the Personal Data you provided us with (for example, automatically collected data is not included). This right allows you to receive this Personal Data in a structured, commonly used and machine-readable format in order for you to be able to transfer this Personal Data to another data controller or processor.

(c) Right to rectification: You may, at any time, request that we rectify inaccurate or incomplete Personal Data concerning you, and we will proceed accordingly and promptly.

(d) Right to deletion (‘right to be forgotten’): You may request the deletion of your Personal Data provided that one of the following conditions apply:

  • your Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  • there is no statutory or legal basis requiring us to maintain your Personal Data;
  • you withdraw your consent for the processing and there is no other legal ground for the processing (this only relates to the Personal Data collected via the contact form or for our newsletter purposes. Please note for client data we are obligated by legislation or by our professional indemnity insurance or regulatory obligations to retain some data even after consent is withdrawn and will do so under the legitimate interest basis);
  • you exercise your right to object to the processing of your Personal Data, as detailed in section 6.5;
  • your Personal Data was unlawfully processed; or
  • your Personal Data has to be erased to comply with a legal obligation to which we are subject.

(e) Right to object: Where your personal situation justifies it, you may object to the processing of your Personal Data by us when this processing is carried out in our legitimate interests. You may also, at any time, object to the processing of your Personal Data by us when this processing is carried out for marketing purposes.

(f) Right to restriction of processing: You may ask for the restriction of the processing of your Personal Data when one of the following applies:

  • where you dispute the accuracy of your Personal Data, you can request the restriction of the processing of your Personal Data for the period required to verify your claim;
  • where the processing is unlawful, you may choose to request the restriction of the use of your Personal Data instead of requesting its erasure;
  • if we no longer need your Personal Data for the purpose of the processing, but you require this data for the establishment, exercise or defense of legal claims; or
  • where you objected to the processing of your Personal Data carried out in our legitimate interests, you may request the restriction of this processing while we investigate your claim.

If and when you notify us of a rectification or deletion of your personal data or a restriction of processing, we will attempt to notify each recipient to whom your Personal Data has been disclosed (unless this proves impossible or involves a disproportionate effort).

(g) Right to lodge a complaint: Please note that you always have the right to lodge a complaint regarding a breach of your rights in relation to your Personal Data with the competent supervisory authority.

7. Children and minors

Children under the age of 18 are not eligible to use our website or to provide their Personal Data to us in any way. We recognize the privacy interest of children. In accordance with the relevant provisions of the Children’s Online Privacy Protection Act, a federal law in the United States, we do not knowingly collect any information, including any personally identifiable information, from anyone under 13 years of age. Our website and services are directed to persons who are at least 13 years old or older.

8. Changes to this Policy

When necessary, we will make changes to the Policy.  When we do so, we will note the date of update at the top of the Policy, and the changes are effective as of that date. If you have any questions relating to the changes we make to the Policy, please email

Contact us / Exercise your rights

If you have any questions regarding this Policy or wish to exercise one of your rights detailed above, including to make a subject access request, please email You may also contact us in writing at: Attn: Privacy Group Cohen & Gresser LLP, 800 Third Avenue New York, New York 10022 or by telephone on +1 212 957 7600.