Version last updated on 25th May 2018.
Copyright © 2018 Elvinger Hoss Prussen
Introduction and summary
In the context of our services and for the purposes as described herein, we collect, receive and otherwise process personal information (i.e. any information related to living individuals) about existing and former clients, prospects, counterparties, adverse parties, lawyers, advisers, service providers, suppliers, regulators, public authorities, and other persons including (when any of the latter are not natural persons) their respective representatives, members, staff members and agents, whether or not we have a contractual relationship with any of them or the entity they represent or work for (“you”, “your” and more generally together the “data subjects”).
By clients and prospects we mean natural persons acting in their own right or representing, or working for or on behalf of, any undertaking (irrespective of form or jurisdiction and including any entity which forms part of the group of companies to which the client or prospect belongs) to whom we provide or are likely to provide services (irrespective of whether done on a pro-bono basis or for remuneration).
Given the nature of our business and our related activities, it is difficult to provide an exhaustive description of all the personal information we process. The information set out herein is prepared on a "best efforts" basis and we endeavour to provide you with as much detail as possible. In certain circumstances the information may be limited given the professional secrecy rules we are subject to in our capacity as a Luxembourg law firm admitted to the Luxembourg Bar.
We will inform you if, as a result of your refusal to provide certain information or the exercise of the rights afforded to you by law (as further described below) this might result in the termination of our business relationship and the contract we may have with you or if there may be other consequences for you.
1. Who is the controller of your personal information?
As required by applicable data protection legislation, we inform you that we are (in most cases) the controller of the personal information we collect, receive and otherwise process about you as described below. Such legislation includes Regulation (EU) 2016/679 of 27 April 2016 (the “GDPR”) and any other national or supranational statutory law applicable to us (together the “data protection legislation”).
We may also act as a processor in specific circumstances where we receive strict and detailed instructions to process personal information on behalf of third parties.
For any questions about our processing of personal information you may contact us at the following address: email@example.com .
2. Where do we obtain personal information?
We are likely to obtain personal information in paper form or through electronic means from one or more of the following sources (and combinations thereof).
|Sources of personal information about you||Comments/Examples|
|Yourself||When you contact us directly as data subject or indirectly through persons you instruct to contact us in your name and/or on your behalf or when you provide us with your contact details, we will obtain the personal information from you.
This will typically be the case when you contact us to request services from us. Personal information will comprise at least your contact details but can also comprise any information you will provide us with in relation to the subject matter.
|Third parties||This includes our clients, prospects, counterparties, adverse parties, lawyers, advisers, service providers, suppliers, regulators, public authorities, whether or not we have a contractual relationship with any of them or the entity they represent or work for.
Typically, anyone with whom we have a business relationship may provide us with personal information relating to you. Personal information will comprise any information such third parties provide us with in relation to the subject matter, such as documents regarding the legal matters for which our advice is requested or which have to be shared with us in the context of a transaction (including physical or virtual data rooms), advice, legal analysis or (potential or actual) litigation.
|Public sources and other sources||This includes public registers (such as trade and companies registers and intellectual property registers, sanctions lists), social media, subscription-based services or databases (such as World-Check™) or other publicly available sources (internet, brochures, directories etc).|
Whilst obtaining certain personal information is or might be of importance in relation to certain types of services we provide (for instance litigation matters or preparation and filings of applications where personal information is of relevance) it will be less important for other types of services (for instance general legal advice where personal information does not affect the advice itself, without prejudice to our “know-your-customer” obligations).
We cannot always control the extent of personal information that is provided or made accessible to us by you and third parties. Files, documents, agreements and correspondence (without limitation as to the type of support) that are provided to us may contain personal information that we have not specifically requested or do not need for the intended purpose. In addition, and as a result of our legal and regulatory obligation to keep such information, we will nevertheless store such personal information in our electronic information system or paper form files. We may also have access to data rooms comprising personal information that is not all relevant to us.
You should, and we encourage that any third party should, only provide us with information that is relevant for the intended purpose. Consequently, you should not provide us with documents, agreements, correspondences and information which is not relevant for the intended purpose unless personal information contained therein is redacted, removed, pseudonymised, anonymised or otherwise made unavailable to us prior to providing us (including by way of remote access) with the latter.
We will assume that you and anyone who is providing us with personal information is doing so in compliance with laws and in particular with the applicable data protection legislation.
3. What personal information do we process?
The categories of personal information referred to below in relation to each identified category of data subjects may not be exhaustive. We are not able to control the extent of personal information that is provided or made accessible to us by you and third parties.
|Categories of personal information likely to be processed (*)||Categories of data subjects||Categories of personal information likely to be processed (*)|
|Groups 1 and 2||
||Current and former directors, employees, officers, committee members, members of managing bodies, interns, secondees, direct and indirect shareholders, ultimate beneficial owners, members, investors, partners of or other persons having an interest (either economically or otherwise) in the legal person concerned|
|Group 1||Lawyers, advisers, service providers, suppliers (other than the service providers with whom we have a direct contractual relationship)
|Current and former directors, employees, officers, committee members, members of managing bodies, interns, secondees, direct and indirect shareholders, ultimate beneficial owners, members, investors, partners of or other persons having an interest (either economically or otherwise) in the legal person concerned|
|Group 1||Regulators, public authorities, public institutions, notaries, bailiffs, professional organisations||Current and former directors, employees, officers, committee members, members of managing bodies, interns, secondees, members,|
In addition to any other personal information provided or made accessible to us by you and third parties, the categories of personal information we process include:
|Categories of personal information||Examples (not exhaustive)|
|Private and professional contact details||Telephone number and (email) address (on business card, email signature block)|
|Personal identification data||Last and first names, national identification number, ID card, signature|
|Electronic identification data||IP addresses, cookies, connection times to our website|
|Public offices held||Positions at municipal, provincial, regional, community or federal level, involvement in public committees, work reflexion groups|
|Memberships and position of members||Involvement in professional associations, charities, clubs, unions, groups|
|Education, training and qualification||Curriculum vitae, seniority, areas of practice|
|Picture and image/sound||Copy of ID card or passport, pictures taken and films made during events we organise or co-organise, sound track recording, telephone recording|
|Professional activities and employment||Curriculum vitae, hourly rates, publications, performance appraisal|
|Business contacts||Relationships with business partners, contact details of personal assistants and team|
|Composition of household||Marital status, name of spouse, number and names of children|
|Hobbies and interests||Sports, arts, culture, charities|
|Social and family contacts||Links with other persons and relatives|
|Travel and movement details||Taxi booking, travel arrangements, accommodation details|
|Health data||Dietary requirements, absences, sickness leave|
|Living and consumption habits||Use of media and means of communication (subscription to our newsletter via our website, visits on our website)|
|Categories of personal information||Examples (not exhaustive)|
|Identification data issued by public services||Copy of ID card or passport, tax number, social security number|
|Banking and financial identification data||Bank account number, allowances, aid, donations, subsidies|
|Income, assets, investments, savings, start and end dates of investments, investment income charges on assets||Bank statement, tax data, participation in a stock option plan, shareholdings, ownership of all types of assets|
|Debts, expenses||Debt collection matter, information about debts|
|Borrowings, mortgages and credits||Type of borrowing, amounts borrowed and outstanding, details of guarantees|
|Insurance details||Type of insurance, details of risks covered, insured amounts, status of contract|
|Pension details||Date of entry into pension scheme, details of exit, payments received and made, options, beneficiaries|
|Financial transactions||Due amounts, allocated credit, guarantees|
|Compensation||Details of compensation (remuneration, salaries), amounts paid, other kinds of compensation|
|Licences held||Driving licence, business licences|
|Immigration status||Visa details, work permit, residence or movement restrictions|
|Living and consumption habits||Lifestyle, habits, social contacts|
|Possessions||Real estate and others|
|Grievances, incidents, accidents||Information about any accident, incident, nature of damage, injuries, persons involved|
|Goods and services supplied||Details of goods and services supplied or rented|
|Accommodation||Hotel booking service, type of accommodation owned or rented, rent charges, building classifications, valuation details|
|Judicial data||Convictions, criminal records, court decisions|
|Political opinions, membership of trade unions or similar groups||Information about politically exposed person|
We may collect, receive and process sensitive information as part of our anti-money laundering and customer identification (know-your-customer – “KYC”) obligations and/or when performing certain types of legal assignments/mandates as requested from us. We do not operate dedicated processing of sensitive information per se. Except where we process sensitive information for the purpose of complying with a legal obligation, sensitive information directly received from the data subject is considered to have been received with the consent to use it in relation to the services requested from us. Where we receive sensitive information about a data subject from a third party we assume that the third party lawfully processes such sensitive information and is allowed to disclose such information to us for defending its interest or on the basis of the consent of the data subject.
4. What are the legal bases for and purposes of our processing?
We collect, receive, use, store, share, transfer and otherwise process personal information as follows:
|The processing is necessary for us to perform our contract with you or for requested pre-contractual steps||
|The processing is necessary to comply with our legal and regulatory obligations||
|The processing is necessary for our or a third party’s legitimate interests (as listed here) and where your interests do not override these interests*||
|The processing is necessary for our performance of a task carried out in the public interest or in our exercise of official authority||
|The processing is made with your consent||We may request your consent to process personal information about you for certain specific purposes or in certain specific circumstances. In cases where we process personal information on the basis of your consent, you may withdraw your consent at any time, without this affecting the processing carried out before such withdrawal and without prejudice to any retention or processing that may be required from us by law.|
5. Who do we share personal information with?
Depending on the nature and scope of our assignment, mandate or the service requested from us and in relation to our marketing activities, we may share personal information with the following recipients to the extent that such disclosure or transmission is deemed reasonably necessary or desirable for satisfying the purposes mentioned in section 4 above or at the specific legitimate request of our clients, the data subjects concerned or third parties with which we deal in the context of our services and marketing activities:
- our lawyers (including partners, counsel, associates, trainees, secondees), employees, service providers, agents, external consultants or other persons acting on our behalf (in Luxembourg and abroad, including in our offices notably in Hong Kong and any law firm with whom we work in exclusive association in the United States or when we travel abroad (including outside of the EU/EEA);
- our information technology service providers and consultants located in Luxembourg for hosting, back-up, and maintenance IT security and IT support purposes;
- external entities such as accountants, advisers, auditors or fiduciary firms and other service providers or other third parties related to our clients (in Luxembourg or abroad);
- our relevant clients in the course of providing services to them;
- client’s co-investors, co-shareholders, investment partners and directors, employees, officers, direct and indirect shareholders, ultimate beneficial owners, members of our client or any such other entity or persons (in Luxembourg or abroad) to whom our client directs or allows us to disclose personal information;
- lawyers, authorised employees, agents or other persons acting on behalf of correspondent law firms or counterpart law firms (in Luxembourg or abroad);
- third parties (in Luxembourg or abroad) with respect to a transaction, advice or project, including administrative, regulatory, governmental or judicial bodies, lawyers and any other third-party adviser or service provider of our clients and related persons, notaries public, bailiffs, courts;
- administrative, regulatory, governmental or judicial bodies in Luxembourg or abroad as may be required by the laws of any jurisdiction applicable to us;
- administrative, regulatory, governmental or judicial bodies in Luxembourg or abroad as may be required in the context of the provision of our services;
- third-party service providers who assist us in organising seminars and events and who host such events;
- third parties, on a confidential basis, for the purposes of collecting your feedback on our services (including legal directories).
6. Where do we transfer personal information?
Depending on the nature and scope of our assignment, mandate or the service requested from us and in relation to our marketing activities, we may transfer personal information abroad to the extent that such transmission is deemed reasonably necessary or desirable for satisfying the purposes mentioned in section 4 above, including outside of the European Union/European Economic Area, in countries not recognised by the European Commission as having an adequate level of protection for personal information.
Personal information may be sent to, or accessed from, any country where:
- it is necessary or useful in the context of our services;
- we travel (since we can access our files remotely through mobile devices or using a secure virtual private network);
- we have offices (in particular in Hong Kong) and we have a law firm with whom we work in exclusive association (in particular in the Unites States).
Depending on the circumstances, transfers will be made:
- in countries being granted an adequacy decision by the European Commission;
- according to appropriate safeguards (i.e. the entry into standard data protection clauses with the data importer or, in respect of transfers to the United Sates, to Privacy Shield self-certified entities);
- for the performance of the contract we have with the data subject or the implementation of pre-contractual measures taken at the data subject’s request;
- if necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- if necessary for important reasons of public interest or for the establishment, exercise or defence of legal claims (including for example to comply with the laws applicable to us, a governmental or a court’s injunction made to us);
- with the data subject’s explicit consent.
- You can obtain more information regarding the relevant safeguards we rely on by contacting us at firstname.lastname@example.org.
7. How long do we keep personal information?
We will keep personal information as long as necessary for satisfying the purposes for which it was collected, subject always to the legal periods of limitation and to the situations where the applicable laws require or allow that the personal information is retained for a certain period of time after the termination of the contractual or commercial relationship, such as:
- the legal obligation to keep accounting documents for a period of 10 years after the end of the accounting period to which they relate;
- the provisions of Article 2276 of the Luxembourg Civil Code providing for attorney’s discharge of liability (including the keeping of documents received from clients) 5 year after termination of the assignment, justifying that we keep documents relating to our mandates for that period;
- the contractual limitation of liability with respect to clients' mandates after 10 years as from the termination of the relevant contractual relationship, justifying that we keep documents relating to our mandates for that period;
- the obligation to keep identification documentation for a period of 10 years as from the termination of the relevant contractual relationship.
Without prejudice to the general nature of the foregoing, data subjects are informed that, in particular:
- personal information processed for the purpose of performing the services requested from us will be retained as long as we need to retain such personal information in order to fully accomplish our assignment without prejudice to the possibility of keeping records of such personal information based on the permitted legal limitation periods (either in civil or criminal law);
- personal information processed for the purpose of complying with our legal and regulatory obligations may be retained on the basis of the statutory limitation periods (either in civil or criminal law);
- personal information processed for the purpose of dealing with customer relationship management (will be kept for as long as necessary or useful for the performance of the services requested from us;
- personal information processed for the purpose of our marketing activities will be kept for as long as we receive no “opt-out” or “undeliverable” message;
- personal information processed for the purpose of issuing invoices will be kept on the basis of the aforementioned legal obligation to keep accounting documents for a period of 10 years after the end of the accounting period to which they relate.
We may also keep and process personal information after the termination of our contractual and commercial relationship for specific purposes such as the compliance with legal and regulatory obligations or the establishment, exercise or defence of legal claims.
Subject to the conditions of the Data Protection Legislation, and where relevant, data subjects may exercise the following rights:
- obtain from us confirmation as to whether or not personal information concerning them is being processed, and, where that is the case, access the personal information and relevant information in that regard;
- obtain from us without undue delay the rectification of inaccurate personal information concerning them and taking into account the purposes of the processing, the right to have incomplete personal information completed;
- obtain from us that we erase personal information relating to them;
- ask for the restriction of the processing of personal information relating to them (i.e. the marking of stored personal information with the aim of limiting their processing in the future);
- request to receive personal information relating to them which they have provided to us on the basis of their contractual relationship with us in a structured, commonly used, machine-readable format, and to transmit it to another controller;
- on grounds relating to the data subjects’ particular situation, object at any time to the processing of personal information relating to them which is based on satisfying the legitimate interests we pursue; should this right be exercised, we shall no longer process the personal information unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
To exercise their rights, data subjects can send a written request to email@example.com.
Data subjects also have the right to address any claim relating to our processing of personal information relating to them to the relevant data protection supervisory authority, in Luxembourg the Commission Nationale pour la Protection des Données.
We expect you to inform us in writing and without undue delay of changes in the information you provided to us or others about you, so that we can keep it up to date.
10. How can you obtain more information?
For any question about our processing of personal information you may contact us at firstname.lastname@example.org.