Version last updated on 25th May 2018.
The reproduction by any means and in any form of the contents of this Privacy policy, in whole or in part, is strictly forbidden.
Copyright © 2018 Elvinger Hoss Prussen

Introduction and summary

This privacy policy is stated by Elvinger Hoss Prussen, société anonyme, registered with the Luxembourg Trade and Companies Register under number B209469 and with registered offices at 2, place Winston Churchill, L-1340 Luxembourg (“we”, “us” or “our”).
In the context of our services and for the purposes as described herein, we collect, receive and otherwise process personal information (i.e. any information related to living individuals) about existing and former clients, prospects, counterparties, adverse parties, lawyers, advisers, service providers, suppliers, regulators, public authorities, and other persons including (when any of the latter are not natural persons) their respective representatives, members, staff members and agents, whether or not we have a contractual relationship with any of them or the entity they represent or work for (“you”, “your” and more generally together the “data subjects”).
By clients and prospects we mean natural persons acting in their own right or representing, or working for or on behalf of, any undertaking (irrespective of form or jurisdiction and including any entity which forms part of the group of companies to which the client or prospect belongs) to whom we provide or are likely to provide services (irrespective of whether done on a pro-bono basis or for remuneration).
Without prejudice to more specific contractual arrangements we may have with you, this privacy policy aims to inform you of the sort of personal information we collect and receive, how we process it, why we do so and the legal basis for doing so, when we share it with others and the rights you and data subjects have in that respect as well as how to exercise them (see section 8 below "What are data subjects’ rights regarding their personal information?”).
Given the nature of our business and our related activities, it is difficult to provide an exhaustive description of all the personal information we process. The information set out herein is prepared on a "best efforts" basis and we endeavour to provide you with as much detail as possible. In certain circumstances the information may be limited given the professional secrecy rules we are subject to in our capacity as a Luxembourg law firm admitted to the Luxembourg Bar.
We need to collect and process certain personal information about you and others (including persons related to you) for the purposes of providing the services requested from us, entering into and performing a contract with you or with others, complying with our legal and regulatory obligations, maintaining our business relationships and as the case may be performing marketing activities about our services and for other purposes set out in this privacy policy.
We will inform you if, as a result of your refusal to provide certain information or the exercise of the rights afforded to you by law (as further described below) this might result in the termination of our business relationship and the contract we may have with you or if there may be other consequences for you.

1. Who is the controller of your personal information?

As required by applicable data protection legislation, we inform you that we are (in most cases) the controller of the personal information we collect, receive and otherwise process about you as described below. Such legislation includes Regulation (EU) 2016/679 of 27 April 2016 (the “GDPR”) and any other national or supranational statutory law applicable to us (together the “data protection legislation”).
We may also act as a processor in specific circumstances where we receive strict and detailed instructions to process personal information on behalf of third parties.
For any questions about our processing of personal information you may contact us at the following address: dataprotection@elvingerhoss.lu .

2. Where do we obtain personal information?

We are likely to obtain personal information in paper form or through electronic means from one or more of the following sources (and combinations thereof).

Sources of personal information about you Comments/Examples
Yourself When you contact us directly as data subject or indirectly through persons you instruct to contact us in your name and/or on your behalf or when you provide us with your contact details, we will obtain the personal information from you.
This will typically be the case when you contact us to request services from us. Personal information will comprise at least your contact details but can also comprise any information you will provide us with in relation to the subject matter.
Third parties This includes our clients, prospects, counterparties, adverse parties, lawyers, advisers, service providers, suppliers, regulators, public authorities, whether or not we have a contractual relationship with any of them or the entity they represent or work for.
Typically, anyone with whom we have a business relationship may provide us with personal information relating to you. Personal information will comprise any information such third parties provide us with in relation to the subject matter, such as documents regarding the legal matters for which our advice is requested or which have to be shared with us in the context of a transaction (including physical or virtual data rooms), advice, legal analysis or (potential or actual) litigation.
Public sources and other sources This includes public registers (such as trade and companies registers and intellectual property registers, sanctions lists), social media, subscription-based services or databases (such as World-Check™) or other publicly available sources (internet, brochures, directories etc).

Whilst obtaining certain personal information is or might be of importance in relation to certain types of services we provide (for instance litigation matters or preparation and filings of applications where personal information is of relevance) it will be less important for other types of services (for instance general legal advice where personal information does not affect the advice itself, without prejudice to our “know-your-customer” obligations).
We cannot always control the extent of personal information that is provided or made accessible to us by you and third parties. Files, documents, agreements and correspondence (without limitation as to the type of support) that are provided to us may contain personal information that we have not specifically requested or do not need for the intended purpose. In addition, and as a result of our legal and regulatory obligation to keep such information, we will nevertheless store such personal information in our electronic information system or paper form files. We may also have access to data rooms comprising personal information that is not all relevant to us.
You should, and we encourage that any third party should, only provide us with information that is relevant for the intended purpose. Consequently, you should not provide us with documents, agreements, correspondences and information which is not relevant for the intended purpose unless personal information contained therein is redacted, removed, pseudonymised, anonymised or otherwise made unavailable to us prior to providing us (including by way of remote access) with the latter.
We will assume that you and anyone who is providing us with personal information is doing so in compliance with laws and in particular with the applicable data protection legislation.
Therefore, we request you to disclose this privacy policy or its contents to any data subject whose personal information is disclosed to us (please read section 9 below “What do we expect from you?”).

3. What personal information do we process?

The categories of personal information referred to below in relation to each identified category of data subjects may not be exhaustive. We are not able to control the extent of personal information that is provided or made accessible to us by you and third parties.

(*) See the tables below for details on the groups of categories of personal information
Categories of personal information likely to be processed (*) Categories of data subjects Categories of personal information likely to be processed (*)
Groups 1 and 2
  • Clients
  • Clients' competitors, target companies, service providers, own clients and customers, affiliated companies, co-investors, investment partners, co-shareholders, co-members and regulatory authorities
  • Counterparties, adverse parties
Current and former directors, employees, officers, committee members, members of managing bodies, interns, secondees, direct and indirect shareholders, ultimate beneficial owners, members, investors, partners of or other persons having an interest (either economically or otherwise) in the legal person concerned
Group 1 Lawyers, advisers, service providers, suppliers (other than the service providers with whom we have a direct contractual relationship)
Prospects
Current and former directors, employees, officers, committee members, members of managing bodies, interns, secondees, direct and indirect shareholders, ultimate beneficial owners, members, investors, partners of or other persons having an interest (either economically or otherwise) in the legal person concerned
Group 1 Regulators, public authorities, public institutions, notaries, bailiffs, professional organisations Current and former directors, employees, officers, committee members, members of managing bodies, interns, secondees, members,

In addition to any other personal information provided or made accessible to us by you and third parties, the categories of personal information we process include:

Group 1  
Categories of personal information Examples (not exhaustive)
Private and professional contact details Telephone number and (email) address (on business card, email signature block)
Personal identification data Last and first names, national identification number, ID card, signature
Electronic identification data IP addresses, cookies, connection times to our website
Public offices held Positions at municipal, provincial, regional, community or federal level, involvement in public committees,  work reflexion groups
Memberships and position of members Involvement in professional associations, charities, clubs, unions, groups
Education, training and qualification Curriculum vitae, seniority, areas of practice
Picture and image/sound Copy of ID card or passport, pictures taken and films made during events we organise or co-organise, sound track recording, telephone recording
Professional activities and employment Curriculum vitae, hourly rates, publications, performance appraisal
Business contacts Relationships with business partners, contact details of personal assistants and team
Composition of household Marital status, name of spouse, number and names of children
Hobbies and interests Sports, arts, culture, charities
Social and family contacts Links with other persons and relatives
Travel and movement details Taxi booking, travel arrangements, accommodation details
Health data Dietary requirements, absences, sickness leave
Living and consumption habits Use of media and means of communication (subscription to our newsletter via our website, visits on our website)
Group 2  
Categories of personal information Examples (not exhaustive)
Identification data issued by public services Copy of ID card or passport, tax number, social security number
Banking and financial identification data Bank account number, allowances, aid, donations, subsidies
Income, assets, investments, savings, start and end dates of investments, investment income charges on assets Bank statement, tax data, participation in a stock option plan, shareholdings, ownership of all types of assets
Debts, expenses Debt collection matter, information about debts
Borrowings, mortgages and credits Type of borrowing, amounts borrowed and outstanding, details of guarantees
Insurance details Type of insurance, details of risks covered, insured amounts, status of contract
Pension details Date of entry into pension scheme, details of exit, payments received and made, options, beneficiaries
Financial transactions Due amounts, allocated credit, guarantees
Compensation Details of compensation (remuneration, salaries), amounts paid, other kinds of compensation
Licences held Driving licence, business licences
Immigration status Visa details, work permit, residence or movement restrictions
Living and consumption habits Lifestyle, habits, social contacts
Possessions Real estate and others
Grievances, incidents, accidents Information about any accident, incident, nature of damage, injuries, persons involved
Goods and services supplied Details of goods and services supplied or rented
Accommodation Hotel booking service, type of accommodation owned or rented, rent charges, building classifications, valuation details
Judicial data Convictions, criminal records, court decisions
Political opinions, membership of trade unions or similar groups Information about politically exposed person

We may collect, receive and process sensitive information as part of our anti-money laundering and customer identification (know-your-customer – “KYC”) obligations and/or when performing certain types of legal assignments/mandates as requested from us. We do not operate dedicated processing of sensitive information per se. Except where we process sensitive information for the purpose of complying with a legal obligation, sensitive information directly received from the data subject is considered to have been received with the consent to use it in relation to the services requested from us. Where we receive sensitive information about a data subject from a third party we assume that the third party lawfully processes such sensitive information and is allowed to disclose such information to us for defending its interest or on the basis of the consent of the data subject.

4. What are the legal bases for and purposes of our processing?

We collect, receive, use, store, share, transfer and otherwise process personal information as follows:

Legal bases Purposes
The processing is necessary for us to perform our contract with you or for requested pre-contractual steps
  • Perform the services requested from us, as agreed by way of an engagement letter, special terms or any other means and, where relevant, provision of the correlated services, from account and matter opening to invoicing through communication with administrative, regulatory, governmental or judicial bodies, other lawyers or law firms and any other third party adviser or service provider of our clients and related persons
  • Defend your interests
  • Communicate with other lawyers involved or to be involved in the matter for which you request our services
  • Communicate with the Bar Associations to which we or our lawyers are members
  • Process personal information about third parties to provide our services to our clients
The processing is necessary to comply with our legal and regulatory obligations
  • Verify your identity and those of persons related to you where necessary (KYC obligations) and comply with our anti-money laundering and counterterrorism financing obligations (including background checks such as consulting criminal record excerpts)
  • Prevent fraud
  • Comply with (i) the professional rules set out by the Bar Associations to which we or our lawyers are members, including in terms of conflict of interests and (i) any other laws and regulations, guidances and provide assistance in enforcement of laws or otherwise cooperate with relevant authorities.
The processing is necessary for our or a third party’s legitimate interests (as listed here) and where your interests do not override these interests*
  • Manage disputes, complaints and litigation in which we are involved
  • Defend our own interests in case of disputes, litigation or claims arising in relation to our services
  • Achieve maximum efficiency in our internal organisation, including from an administrative and information technology standpoint
  • Protect our tangible and intangible assets, including our premises, our information technology infrastructure and the content accessible thereon, our intellectual property rights and our reputation
  • Conduct internal or external audits
  • Ensure the maintenance of our IT systems or repairing any IT defects or failures; securing communication channels and IT systems
  • Organise marketing activities  and commercial communications, such as the distribution of newsletters, newsflashes and brochures or invitations to seminars and events, it being noted that data subjects have the right to object at any time and free of charge to such processing by unsubscribing or contacting the data officer at dataprotection@elvingerhoss.lu.
  • Organise meetings, seminars and events, for which we may process information about your dietary requirements, hobbies and family (e.g. to adapt our invitations to your interests)
  • Connect and communicate through social media
  • Improve our marketing activities and communication, including through our website by monitoring its use
  • Reorganise ourselves including through mergers, acquisitions or transfers of whole or parts of our business
  • Perform the services requested from us
The processing is necessary for our performance of a task carried out in the public interest or in our exercise of official authority
  • Exercise our role as auxiliary of justice
  • File, make declarations or report to legal authorities and similar bodies
  • Certify that copies of documents are true copies
The processing is made with your consent We may request your consent to process personal information about you for certain specific purposes or in certain specific circumstances. In cases where we process personal information on the basis of your consent, you may withdraw your consent at any time, without this affecting the processing carried out before such withdrawal and without prejudice to any retention or processing that may be required from us by law.

5. Who do we share personal information with?

Depending on the nature and scope of our assignment, mandate or the service requested from us and in relation to our marketing activities, we may share personal information with the following recipients to the extent that such disclosure or transmission is deemed reasonably necessary or desirable for satisfying the purposes mentioned in section 4 above or at the specific legitimate request of our clients, the data subjects concerned or third parties with which we deal in the context of our services and marketing activities:

  • our lawyers (including partners, counsel, associates, trainees, secondees), employees, service providers, agents, external consultants or other persons acting on our behalf (in Luxembourg and abroad, including in our offices notably in Hong Kong and any law firm with whom we work in exclusive association in the United States or when we travel abroad (including outside of the EU/EEA);
  • our information technology service providers and consultants located in Luxembourg for hosting, back-up, and maintenance IT security and IT support purposes;
  • external entities such as accountants, advisers, auditors or fiduciary firms and other service providers or other third parties related to our clients (in Luxembourg or abroad);
  • our relevant clients in the course of providing services to them;
  • client’s co-investors, co-shareholders, investment partners and directors, employees, officers, direct and indirect shareholders, ultimate beneficial owners, members of our client or any such other entity or persons (in Luxembourg or abroad) to whom our client directs or allows us to disclose personal information;
  • lawyers, authorised employees, agents or other persons acting on behalf of correspondent law firms or counterpart law firms (in Luxembourg or abroad);
  • third parties (in Luxembourg or abroad) with respect  to a transaction, advice or project, including administrative, regulatory, governmental or judicial bodies, lawyers and any other third-party adviser or service provider of our clients and related persons, notaries public, bailiffs, courts;
  • administrative, regulatory, governmental or judicial bodies in Luxembourg or abroad as may be required by the laws of any jurisdiction applicable to us;
  • administrative, regulatory, governmental or judicial bodies  in Luxembourg or abroad as may be required in the context of the provision of our services;
  • third-party service providers who assist us in organising seminars and events and who host such events;
  • third parties, on a confidential basis, for the purposes of collecting your feedback on our services (including legal directories).

6. Where do we transfer personal information?

Depending on the nature and scope of our assignment, mandate or the service requested from us and in relation to our marketing activities, we may transfer personal information abroad to the extent that such transmission is deemed reasonably necessary or desirable for satisfying the purposes mentioned in section 4 above, including outside of the European Union/European Economic Area, in countries not recognised by the European Commission as having an adequate level of protection for personal information.
Personal information may be sent to, or accessed from, any country where:

  • it is necessary or useful in the context of our services;
  • we travel (since we can access our files remotely through mobile devices or using a secure virtual private network);
  • we have offices (in particular in Hong Kong) and we have a law firm with whom we work in exclusive association (in particular in the Unites States).

Depending on the circumstances, transfers will be made:

  • in countries being granted an adequacy decision by the European Commission;
  • according to appropriate safeguards (i.e. the entry into standard data protection clauses with the data importer or, in respect of transfers to the United Sates, to Privacy Shield self-certified entities);
  • for the performance of the contract we have with the data subject or the implementation of pre-contractual measures taken at the data subject’s request;
  • if necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
  • if necessary for important reasons of public interest or for the establishment, exercise or defence of legal claims (including for example to comply with the laws applicable to us, a governmental or a court’s injunction made to us);
  • with the data subject’s explicit consent.
  • You can obtain more information regarding the relevant safeguards we rely on by contacting us at dataprotection@elvingerhoss.lu.

7. How long do we keep personal information?

We will keep personal information as long as necessary for satisfying the purposes for which it was collected, subject always to the legal periods of limitation and to the situations where the applicable laws require or allow that the personal information is retained for a certain period of time after the termination of the contractual or commercial relationship, such as:

  • the legal obligation to keep accounting documents for a period of 10 years after the end of the accounting period to which they relate;
  • the provisions of Article 2276 of the Luxembourg Civil Code providing for attorney’s discharge of liability (including the keeping of documents received from clients) 5 year after termination of the assignment, justifying that we keep documents relating to our mandates for that period;
  • the contractual limitation of liability with respect to clients' mandates after 10 years as from the termination of the relevant contractual relationship, justifying that we keep documents relating to our mandates for that period;
  • the obligation to keep identification documentation for a period of 10 years as from the termination of the relevant contractual relationship.

Without prejudice to the general nature of the foregoing, data subjects are informed that, in particular:

  • personal information processed for the purpose of performing the services requested from us will be retained as long as we need to retain such personal information in order to fully accomplish our assignment without prejudice to the possibility of keeping records of such personal information based on the permitted legal limitation periods (either in civil or criminal law);
  • personal information processed for the purpose of complying with our legal and regulatory obligations may be retained on the basis of the statutory limitation periods (either in civil or criminal law);
  • personal information processed for the purpose of dealing with customer relationship management (will be kept for as long as necessary or useful for the performance of the services requested from us;
  • personal information processed for the purpose of our marketing activities will be kept for as long as we receive no “opt-out” or “undeliverable” message;
  • personal information processed for the purpose of issuing invoices will be kept on the basis of the aforementioned legal obligation to keep accounting documents for a period of 10 years after the end of the accounting period to which they relate.

We may also keep and process personal information after the termination of our contractual and commercial relationship for specific purposes such as the compliance with legal and regulatory obligations or the establishment, exercise or defence of legal claims.

8. What are data subjects’ rights regarding their personal information?

Subject to the conditions of the Data Protection Legislation, and where relevant, data subjects may exercise the following rights:

  • obtain from us confirmation as to whether or not personal information concerning them is being processed, and, where that is the case, access the personal information and relevant information in that regard;
  • obtain from us without undue delay the rectification of inaccurate personal information concerning them and taking into account the purposes of the processing, the right to have incomplete personal information completed;
  • obtain from us that we erase personal information relating to them;
  • ask for the restriction of the processing of personal information relating to them (i.e. the marking of stored personal information with the aim of limiting their processing in the future);
  • request to receive personal information relating to them which they have provided to us on the basis of their contractual relationship with us in a structured, commonly used, machine-readable format, and to transmit it to another controller;
  • on grounds relating to the data subjects’ particular situation, object at any time to the processing of personal information relating to them which is based on satisfying the legitimate interests we pursue; should this right be exercised, we shall no longer process the personal information unless we demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

To exercise their rights, data subjects can send a written request to dataprotection@elvingerhoss.lu.
Data subjects also have the right to address any claim relating to our processing of personal information relating to them to the relevant data protection supervisory authority, in Luxembourg the Commission Nationale pour la Protection des Données.

9. What do we expect from you?

We expect you to inform us in writing and without undue delay of changes in the information you provided to us or others about you, so that we can keep it up to date.
If you provide us with personal information not relating to you (e.g. information about your respective representatives, staff members and agents, beneficial owners, shareholders, etc. or about any third party), you must first inform them about this fact and make sure they acknowledge that we can use such information as set out in this privacy policy. In particular, you must provide them with the information relating to their rights as data subjects. We assume that these third parties are informed of the processing of any personal information relating to them that we may carry out and of the disclosure of the same to third parties and countries as described herein and that, as far as necessary, you obtained these data subjects‘ prior written consent.

10. How can you obtain more information?

For any question about our processing of personal information you may contact us at dataprotection@elvingerhoss.lu.

11. How will we update this privacy policy?

Changes may occur in the way we process information. In case these changes oblige us to update this privacy policy, we will bring this to your attention and may do so by any means such as by email, letter, hyperlink to our website or otherwise. The latest version will always be available here.