Personal Data Protection Policy
The purpose of this Personal Data Protection Policy (‘Policy’) is intended to inform you, in a clear and complete way, as to how the law firm duvieusart ebel, avocats associés (‘duvieusart ebel’), collects, stores and uses data of a personal nature about you (‘Personal Data’) and the ways in which you can control this use and exercise your rights.
This Policy is subject to change to keep up to date with the law, regulations and decisions taken by supervisory authorities on the protection of data.
1. Scope of this Policy
This Policy applies to all Personal Data processing carried out by duvieusart ebel as part of its relations with its current clients, past or potential clients, its suppliers, users of its website and jobseekers.
This Policy also applies to all processing of Personal Data by individuals directly or indirectly involved in a file or court proceedings managed by duvieusart ebel.
2. Who is the data controller?
The data controller is:
duvieusart ebel, avocats associés located at L-1134 Luxembourg, 55 rue Charles Arendt.
For any information about this Policy and the protection of your Personal Data, please contact duvieusart ebel:
by e-mail: firstname.lastname@example.org
by post: duvieusart ebel, avocats associés – L-1134 Luxembourg, 55 rue Charles Arendt
by telephone: +352 27 44 95 41
by fax: +352 27 44 95 42
3. Personal Data collected by duvieusart ebel
‘Personal Data’ covers all information relating to an individual. This may be a person who could be identified directly or indirectly, notably due to his or her civil, physical, physiological, financial, cultural or social identity.
Particular categories of Personal Data may include details about racial or ethnic origin, political opinions, philosophical or philosophical religious beliefs, trade union membership, genetic or biometric data, health data, data concerning sexual life or sexual orientation and information about convictions and criminal offences (hereinafter ‘Sensitive Data’).
The Personal Data that duvieusart ebel keeps about you may include (among others) the following categories:
- login data;
- postal, e-mail addresses, telephone, fax and mobile phone numbers;
- marital status, identity, identification data, pictures…;
- economic and financial information (income, financial situation, tax situation, etc.);
- information on professional life;
- information on personal life;
- connection and location data (IP address, logs, …);
- financial data;
- Sensitive Data.
In certain circumstances and only when necessary, duvieusart ebel may collect Sensitive Data about you. This is particularly the case when duvieusart ebel is required to do so for lawful and regulatory purposes (e.g, to gather information about your convictions and criminal offences when so required by anti-money laundering laws) or to provide you with a specific service (e.g, to know your union affiliation to assist you in an employment law case).
4. Collection of your Personal Data by duvieusart ebel
duvieusart ebel may collect your Personal Data in different ways:
- Personal Data directly provided to duvieusart ebel:
duvieusart ebel collects personal data directly from its clients, prospective clients, business partners, beneficial owners, service providers, contracting parties, potential candidates and intermediaries, in particular in the context of job applications, professional meetings, your access to its website and general business.
- Personal Data obtained from third parties:
duvieusart ebel collects and processes Personal Data from publicly available sources such as the Internet, social networks or business registers.
In addition, duvieusart ebel may receive Personal Data from third parties as part of the services it provides or in connection with the legal requirements applicable to it.
duvieusart ebel only collects Personal Data that is relevant and strictly necessary with regards to the reason for it being processed.
5. Purpose of Personal Data processing
Your Personal Data is collected for specific and legitimate purposes.
Depending on the matter, your Personal Data may be used by duvieusart ebel:
- to provide legal services to its clients;
- to identify its clients, prospective clients, business partners, service providers, contacts and, for legal entities, check the identity of those authorized to represent them;
- to contact its clients, prospective clients, business partners, service providers, contacts, etc.;
- to check if there is a conflict of interests in relation to the representation of a client;
- to comply with its legal obligations in the combat against money laundering and the financing of terrorism, and in particular to check the source of any financing or funds in one of its files;
- to ensure the administrative management of its business (e.g, invoicing, accounting and recovery of sums due);
- to develop, operate, improve and manage its website;
- to send to its clients and prospective clients topical information, newsletters and invitations to its events;
- to process applications for a position at duvieusart ebel;
- to interact with the courts, regulatory and supervisory authorities;
- to ensure the recognition, exercise and defense of its rights in court;
- for any other purpose required by law.
No processing of your Personal Data can be undertaken without a specific purpose. If your Personal Data is necessary for purposes other than those initially determined, it may only be used if this new purpose is compatible with the original purpose and the law.
6. Legal basis for the processing of your Personal Data.
duvieusart ebel only processes your Personal Data if permitted by the law to do so.
duvieusart ebel will use your Personal Data in the following circumstances:
- when necessary to execute a contract or for pre-contractual steps taken at your request (e.g: for a job application, to handle a file and to share information relating to a file);
- to ensure the recognition, exercise and defence of duvieusart ebel’s clients in court (e.g: the processing of Sensitive Data under health law);
- to comply with the legal and regulatory requirements that apply to duvieusart ebel (e.g: to combat money laundering regulations);
- when the legitimate interests of duvieusart ebel (or those of a third party) may justify processing, provided that your human/basic rights do not prevail. duvieusart ebel takes into consideration and balances any potential impact on you (positive and negative) and your rights before treating your Personal Data for its legitimate interests. If duvieusart ebel’s processing of your Personal Data is based on its legitimate interests (e.g: dissemination of general legal information), you have the right to oppose this processing (see Section 13.6 of this Policy); and
- when you have given your express consent to the processing of your Personal Data (e.g, to distribute newsletters or general information), you have the right to withdraw your consent at any time (see Section 13.7 of this Policy).
7. Failure to provide with requested Personal Data
When duvieusart ebel needs to collect Personal Data to conclude or execute a contract that is binding on you, to provide you with the required services, or to ensure your defense, and you do not provide the Personal Data required, duvieusart ebel may refuse to provide or receive the services concerned.
In this event, duvieusart ebel will inform you of this at the time the Personal Data is requested.
8. Recipients of your Personal Data?
As your Personal Data is confidential, duvieusart ebel may only communicate it to the following recipients:
- duly authorized members of duvieusart ebel;
- duvieusart ebel’s service providers, for the purpose of the proper performance of the legal services provided by duvieusart ebel to his clients (e.g, bailiffs and notaries);
- duvieusart ebel’s service providers, so that duvieusart ebel’s activities operate successfully (e.g, third party administrative, IT, payment, insurance, data processing and debt recovery service providers);
- any person to whom or entity to which duvieusart ebel is required to communicate your Personal Data on the basis of a legal or regulatory requirements;
- any person to whom, or entity to which, duvieusart ebel is required to communicate your Personal Data in order to protect and defend your rights, or its own rights or those of its clients;
- any person that you have authorized to receive your Personal Data.
Other than as stated above, your Personal Data will not be shared with third parties.
duvieusart ebel requires any person to whom or entity to which your Personal Data is communicated, to respect the confidentiality and security of your Personal Data and to treat it in accordance with the law. duvieusart ebel only allows the recipients of your Personal Data to process it for specific purposes, in accordance with its instructions, and in no case for their own purposes.
9. Cross-border transfers of Personal Data
The recipients referred to in the Section 8 may be in countries other than the Grand Duchy of Luxembourg. However, your Personal Data will normally only be transferred within the European Economic Area or other countries recognized by the European Commission as providing an adequate level of personal data protection.
In the event of recourse to service providers located outside the European Economic Area, duvieusart ebel undertakes to check that appropriate safeguards have been put in place to ensure that your Personal Data is adequately protected, in particular under Internal Business Rules or standard contractual clauses adopted by the European Commission.
10. Personal Data storage
Your Personal Data is stored by duvieusart ebel in its premises and in Luxembourg by our external service provider.
Personal Data contained in the e-mails that we exchange are stored in Luxembourg by our external service provider.
11. What safeguards for the protection of your Personal Data have been put in place?
duvieusart ebel strives to protect and secure your Personal Data to ensure that it remains confidential and to prevent it from being deformed, damaged, destroyed or disclosed to unauthorised third parties.
duvieusart ebel has put technical and organisational measures in place to ensure that Personal Data is stored securely for the length of time necessary for the intended purposes in accordance with the law.
When the disclosure of your Personal Data to third parties is necessary and authorised, duvieusart ebel ensures that these third parties provide the same level of protection of your Data as that provided by duvieusart ebel. It also requires contractual guarantees from third parties so that, in particular, your Data is exclusively processed to the standard of security and confidentiality required and for purposes for which you have previously consented.
In the event of a proven breach of your Personal Data that may expose your rights and freedoms to a high level of risk, duvieusart ebel undertakes to communicate this breach to the competent supervisory authority and, where provided for by the law, to inform you, by a general circular or individual communication, depending on the circumstances.
12. Duration of Personal Data storage?
duvieusart ebel stores your Personal Data for so long as is necessary for the intended purposes, subject to the legal options of archiving, preserving or anonymizing certain data.
In particular, duvieusart ebel abides by the following retention periods for these few major Data Protection categories:
- Prospective client and business partner: as long as the person is active for no longer than ten years from the last contact with that person;
- Personal Data connection: one year from the last connection;
- Personal Data of job applicants: for as long as is necessary to process the job application and, in the event of a negative outcome, three years from the last contact.
13. Rights with regards to Personal Data
Subject to the limits provided by the law, you have the following rights with respect to your Personal Data:
- Right to access your Personal Data:
The right of access allows you to obtain from duvieusart ebel the confirmation that your Personal Data is or is not being processed, and, if it is, information on the terms and conditions of this processing.
You also have the right to receive a copy of your Data in a commonly used electronic format.
- Right to correct your Personal Data:
You have the right to ask duvieusart ebel to correct or update your Personal Data that is inaccurate, erroneous, incomplete or obsolete.
- Right to delete your Personal Data (‘right to be forgotten’)
Subject to the exceptions provided by the law (e.g. storage necessary to fulfil a legal obligation and duvieusart ebel’s legitimate interest in storing the Personal Data), you have the right to ask duvieusart ebel to delete your Personal Data, when one of the following reasons apply:
- your Personal Data is no longer necessary for the purposes for which it was collected and processed;
- you would like to withdraw your consent on which the processing of your Personal Data was based and no other justification for this processing exists;
- you have exercised your right to oppose the processing;
- you consider and can prove that your Personal Data have been the subject of unlawful processing;
- your Personal Data must be deleted pursuant to a legal obligation.
- Right to limit the processing of your Personal Data
You have the right to ask duvieusart ebel to limit the processing of your Personal Data, in the following cases:
- When you dispute the accuracy of your Personal Data, the processing is limited for the length of time necessary to check the accuracy of this Data and to correct it, if necessary;
- when you can prove that the processing of your Personal Data is illegal but that you oppose the deletion of your Personal Data and instead require that its use be limited;
- when duvieusart ebel no longer needs your Personal Data but it is still necessary for your rights to be recognised, exercised or defended in court;
- when you object to the processing of your Personal Data based on duvieusart ebel’s legitimate interest, the processing is limited for so long as necessary to check whether the legitimate grounds pursued by duvieusart ebel prevail over your legitimate interests.
If processing is limited, your Personal Data may, with the exception of being stored, only be processed with your consent:
- -or the recognition, exercise or defense of rights in court; or
- for the protection of rights of another individual or a legal entity; or
- in the public interest.
- Right to portability of your Personal Data
- You have the right to receive your Personal Data in a format that is commonly used, structured and machine-readable, and
- you have the right to transmit this data to another data controller or to ask duvieusart ebel to transmit it to another data controller, provided that:
- the processing of your Personal Data is based on your consent or on the execution of a contract;
- the processing is carried out through an automated process.
- Right to oppose the processing of your Personal Data
You have the right to oppose at any time, for reasons relating to your particular circumstances, that duvieusart ebel processes your Personal Data for its legitimate interests or for statistical purposes.
duvieusart ebel will be required to stop any processing of your Personal Data, except to demonstrate that:
- there are legitimate and compelling reasons for the processing that prevail over your rights and freedoms; or
- the processing is required for rights to be acknowledged, exercised or defended in court.
You also have the right to object at any time to the processing of your Personal Data for purposes of commercial prospecting. duvieusart ebel will immediately stop processing of your Personal Data for such purposes.
- Right to withdraw your consent to the processing of your Personal Data
When duvieusart ebel processes your Personal Data on the basis of your consent, this may be withdrawn at any time by sending a request using the contact details indicated in Section 2 of this Policy.
The withdrawal of your consent is valid only for the future and cannot therefore call into question the lawfulness of the processing carried out before this withdrawal.
- Right to file a complaint to a supervisory authority
If, despite the efforts of duvieusart ebel to preserve the confidentiality of your Personal Data, you consider that your rights have not been respected, you have the option to file a claim with a supervisory authority, notably in the State of your habitual residence, place of work or where the breach has been committed.
In the Grand Duchy of Luxembourg, the competent authority is the national commission for the protection of data (CNPD) (Service des plaintes, 1, avenue du Rock’n’Roll, L-4361 Esch-sur-Alzette).
14. Exercise of your rights
For any further information about this Policy or on how to exercise your rights, you can send duvieusart ebel a letter, accompanied by evidence of your identity, to the contact details mentioned in Section 2.
duvieusart ebel undertakes to reply to you as soon as possible, and in any event within one month of receipt of your request.
If necessary, this period may be extended by two months, taking into account the complexity and number of requests addressed to duvieusart ebel. In this event, you will be informed of this within one month of receipt of your request and will be given the reasons for the delay.
If duvieusart ebel does not agree to your request, it will inform you of the reasons for this and you will have the opportunity of sending a complaint to a supervisory authority and lodging an appeal with a court with jurisdiction.