As at 31 May 2018
Version 2261 - 2018.05.31
The purpose of this Personal Data Protection Policy (‘Policy’) is to inform you, in a clear and complete way, as to how the law firm ChristmannSchmitt S.A.S. (‘ChristmannSchmitt’), in its capacity as data controller, collects, stores and uses data of a personal nature about you (‘Personal Data’) and the ways in which you can control this use and exercise your rights.
This Policy is subject to change to keep up to date with the law, regulations and decisions taken by supervisory authorities on the protection of data.
1. What is the scope of this Policy?
This Policy applies to all Personal Data processing carried out by ChristmannSchmitt as part of its relations with its current clients, past or potential clients, its suppliers, users of its website and jobseekers.
This Policy also applies to all processing of Personal Data by individuals directly or indirectly involved in a file or court proceedings managed by ChristmannSchmitt.
2. Who is the data controller?
The data controller is:
The law firm, ChristmannSchmitt S.A.S., a Luxembourg limited liability company, founded and with its registered office at L-2143 Luxembourg, 45 rue Laurent Ménager, registered at the Trade and Companies Register [‘RCS’] of Luxembourg under No. B 212 183, regulated by the Luxembourg Bar (List V).
For any information about this Policy and the protection of your Personal Data, please contact ChristmannSchmitt:
by e-mail: firstname.lastname@example.org
by post: Avocats associés ChristmannSchmitt S.A.S., Service des Données personnelles, 45 rue Laurent Ménager, L-2143 Luxembourg
by telephone: +352 24 61 00 00
by fax: +352 24 61 00 01
3. What Personal Data does ChristmannSchmitt collect?
‘Personal Data’ covers all information relating to an individual. This may be a person who could be identified directly or indirectly, notably due to his or her physical, physiological, financial, cultural or social identity.
Particular categories of Personal Data include details about racial or ethnic origin, political opinions, philosophical or religious beliefs, trade union membership, genetic or biometric data, health data, data concerning sexual life or sexual orientation and information about convictions and criminal offences (hereinafter 'Sensitive Data').
The Personal Data that ChristmannSchmitt keeps about you may include the following categories:
- login data;
- information on professional life;
- information on personal life;
- connection and location data;
- financial data;
- Sensitive Data.
In certain circumstances and only when necessary, ChristmannSchmitt collects Sensitive Data about you. This is particularly the case when ChristmannSchmitt is required to do so for lawful and regulatory purposes (for example, to gather information about your convictions and criminal offences when so required by anti-money laundering laws) or to provide you with a specific service (for example, to know your union affiliation to assist you in an employment law case).
4. How does ChristmannSchmitt collect your Personal Data?
ChristmannSchmitt may collect your Personal Data in different ways:
- Personal Data directly provided to ChristmannSchmitt;
- ChristmannSchmitt collects personal data directly from its clients, prospective clients, business partners, beneficial owners, service providers, contracting parties, potential candidates and intermediaries, in particular in the context of job applications, professional meetings, your access to its website and general business;
- Personal Data obtained from third parties;
- ChristmannSchmitt collects and processes Personal Data from publicly available sources such as the Internet, social networks or business registers;
- In addition, ChristmannSchmitt may receive Personal Data from third parties as part of the services it provides or in connection with the legal requirements applicable to it.
ChristmannSchmitt only collects Personal Data that is relevant and strictly necessary with regard to the reason for it being processed.
5. Why is your Personal Data processed?
Your Personal Data is collected for specific and legitimate purposes.
Depending on the matter, your Personal Data may be used by ChristmannSchmitt:
- to provide legal services to its clients;
- to identify its clients, prospective clients, business partners, service providers, contacts and, for legal entities, check the identity of those authorised to represent them;
- to contact its clients, prospective clients, business partners, service providers, contacts, etc.;
- to check if there is a conflict of interests in relation to the representation of a client;
- to comply with its legal obligations in the combat against money laundering and the financing of terrorism, and in particular to check the source of any financing or funds in one of its files;
- to ensure the administrative management of its business (for example, invoicing, accounting and recovery of sums due);
- to develop, operate, improve and manage its website;
- to send to its clients and prospective clients topical information, newsletters and invitations to its events;
- to process applications for a post offered by ChristmannSchmitt;
- to interact with the courts, regulatory and supervisory authorities;
- to ensure the recognition, exercise and defence of its rights in court;
- for any other purpose required by law.
No processing of your Personal Data can be undertaken without a specific purpose. If your Personal Data is necessary for purposes other than those initially determined, it may only be used if this new purpose is compatible with the original purpose.
6. What is the legal basis for the processing of your Personal Data?
ChristmannSchmitt only processes your Personal Data if permitted by the law to do so.
ChristmannSchmitt will use your Personal Data in the following circumstances:
- when that is necessary to execute a contract or for pre-contractual steps taken at your request (for example: for a job application, to handle a file and to share information relating to a file);
- to ensure the recognition, exercise and defence of ChristmannSchmitt’s clients in court (for example: the processing of Sensitive Data under health law);
- to comply with the legal and regulatory requirements that apply to ChristmannSchmitt (for example: regulations to combat money laundering);
- when the legitimate interests of ChristmannSchmitt (or those of a third party) may justify processing, provided that your human/basic rights do not prevail. ChristmannSchmitt takes into consideration and balances any potential impact on you (positive and negative) and your rights before treating your Personal Data for its legitimate interests. If ChristmannSchmitt's processing of your Personal Data is based on its legitimate interests (for example: dissemination of general legal information), you have the right to oppose this processing (see section 13.6 of this Policy); and
- when you have given your express consent to the processing of your Personal Data (for example, to distribute newsletters or general information); you have the right to withdraw your consent at any time (cf. Section 13.7 of this Policy).
7. What are the consequences if you do not provide the Personal Data requested?
When ChristmannSchmitt needs to collect Personal Data to conclude or execute a contract that is binding on you and you do not provide the Personal Data required, ChristmannSchmitt may refuse to provide or receive the services concerned.
In this event, ChristmannSchmitt will inform you of this at the time the Personal Data is requested.
8. Who are the recipients of your Personal Data?
As your Personal Data is confidential, ChristmannSchmitt may only communicate it to the following recipients:
- duly authorised members of ChristmannSchmitt;
- ChristmannSchmitt’s service providers, for the purpose of the proper performance of the legal services provided by ChristmannSchmitt to its clients (for example: bailiffs and notaries);
- ChristmannSchmitt’s service providers, so that ChristmannSchmitt’s activities operate successfully (for example, third party administrative, IT, payment, insurance, data processing and debt recovery service providers);
- any person to whom or entity to which ChristmannSchmitt is required to communicate your Personal Data on the basis of a legal or regulatory requirement;
- any person to whom or entity to which ChristmannSchmitt is required to communicate your Personal Data in order to protect and defend its rights or those of its clients;
- any person that you have authorised to receive your Personal Data.
Other than as stated above, your Personal Data will not be shared with third parties.
ChristmannSchmitt requires any person to whom or entity to which your Personal Data is communicated, to respect the confidentiality and security of your Personal Data and to treat it in accordance with the law. ChristmannSchmitt only allows the recipients of your Personal Data to process it for specific purposes, in accordance with its instructions, and in no case for their own purposes.
9. Can your Personal Data be the subject of cross-border transfers?
The recipients referred to in Section 8 may be in countries other than the Grand Duchy of Luxembourg. However, your Personal Data will normally only be transferred within the European Economic Area or other countries recognised by the European Commission as providing an adequate level of personal data protection.
In the event of recourse to service providers located outside the European Economic Area, ChristmannSchmitt undertakes to check that appropriate safeguards have been put in place to ensure that your Personal Data is adequately protected, in particular under Internal Business Rules or standard contractual clauses adopted by the European Commission.
10. Where is your Personal Data stored?
Your Personal Data is stored by ChristmannSchmitt at its registered office.
Personal Data contained in the e-mails that we exchange are stored in France by our service provider, OVH S.A.S.
11. What safeguards for the protection of your Personal Data have been put in place?
ChristmannSchmitt strives to protect and secure your Personal Data to ensure that it remains confidential and to prevent it from being deformed, damaged, destroyed or disclosed to unauthorised third parties.
ChristmannSchmitt has put in place technical and organisational measures to ensure that Personal Data is stored securely for the length of time necessary for the intended purposes in accordance with the law.
When the disclosure of your Personal Data to third parties is necessary and authorised, ChristmannSchmitt ensures that these third parties provide the same level of protection of your Data as that provided by ChristmannSchmitt. It also requires contractual guarantees from third parties so that, in particular, your Data is exclusively processed to the standard of security and confidentiality required and for purposes for which you have previously consented.
In the event of a proven breach of your Personal Data that may expose your rights and freedoms to a high level of risk, ChristmannSchmitt undertakes to communicate this breach to the competent supervisory authority and, where provided for by the law, to inform you, by a general circular or individual communication, depending on the circumstances.
12. For how long is your Personal Data stored?
ChristmannSchmitt stores your Personal Data for so long as is necessary for the intended purposes, subject to the legal options of archiving, preserving or anonymising certain data.
In particular, ChristmannSchmitt abides by the following retention periods for these few major Data Protection categories:
- Personal Data of a client, prospective client and business partner: as long as the person is active for no longer than fifteen years from the last contact with that person;
- Personal Data connection: one year from the last connection;
- Personal Data of job applicants: for so long as is necessary to process the job application and, in the event of a negative outcome, three years from the last contact.
13. What are your rights?
Subject to the limits provided by the law, you have the following rights with respect to your Personal Data:
The right to access your Personal Data
The right of access allows you to obtain from ChristmannSchmitt the confirmation that your Personal Data is or is not being processed, and, if it is, information on the terms and conditions of this processing;
You also have the right to receive a copy of your Data in a commonly used electronic format;
The right to correct your Personal Data
You have the right to ask ChristmannSchmitt to correct or update your Personal Data that is inaccurate, erroneous, incomplete or obsolete.
Right to delete your Personal Data (‘right to be forgotten’)
Subject to the exceptions provided by the law (for example: storage necessary to fulfil a legal obligation and ChristmannSchmitt's legitimate interest in storing the Data), you have the right to ask ChristmannSchmitt to delete your Personal Data, when one of the following reasons applies:
- your Personal Data is no longer necessary for the purposes for which it was collected and processed;
- you would like to withdraw your consent on which the processing of your Personal Data was based and no other justification for this processing exists;
- you have exercised your right to oppose the processing;
- you consider and can prove that your Personal Data have been the subject of unlawful processing;
- your Personal Data must be deleted pursuant to a legal obligation.
Right to limit the processing of your Personal Data
You have the right to ask ChristmannSchmitt to limit the processing of your Personal Data, in the following cases:
- when you dispute the accuracy of your Personal Data, the processing is limited for the length of time necessary to check the accuracy of this Data and to correct it, if necessary;
- when you can prove that the processing of your Personal Data is illegal but that you oppose the deletion of your Personal Data and instead require that its use be limited;
- when ChristmannSchmitt no longer needs your Personal Data but it is still necessary for your rights to be recognised, exercised or defended in court;
- when you object to the processing of your Personal Data based on ChristmannSchmitt's legitimate interest, the processing is limited for so long as necessary to check whether the legitimate grounds pursued by ChristmannSchmitt prevail over your legitimate interests.
If processing is limited, your Personal Data may, with the exception of being stored, only be processed with your consent:
- for the recognition, exercise or defence of rights in court; or
- for the protection of rights of another individual or a legal entity; or
- in the public interest.
Right to portability of your Personal Data
You have the right to receive your Personal Data in a format that is commonly used, structured and machine-readable, and you have the right to transmit this data to another data controller or to ask ChristmannSchmitt to transmit it to another data controller, provided that:
- the processing of your Personal Data is based on your consent or on the execution of a contract;
- the processing is carried out through an automated process.
Right to oppose the processing of your Personal Data
You have the right to oppose at any time, for reasons relating to your particular circumstances, that ChristmannSchmitt processes your Personal Data for its legitimate interests or for statistical purposes.
ChristmannSchmitt will be required to stop any processing of your Personal Data, unless it demonstrates that:
- there are legitimate and compelling reasons for the processing that prevail over your rights and freedoms; or
- the processing is required for rights to be acknowledged, exercised or defended in court.
You also have the right to object at any time to the processing of your Personal Data for purposes of commercial prospecting. ChristmannSchmitt will immediately stop processing of your Personal Data for such purposes.
Right to withdraw your consent to the processing of your Personal Data
When ChristmannSchmitt processes your Personal Data on the basis of your consent, this may be withdrawn at any time by sending a request using the contact details indicated in Section 2 of this Policy.
The withdrawal of your consent is valid only for the future and cannot therefore call into question the lawfulness of the processing carried out before this withdrawal.
Right to file a complaint to a supervisory authority
If, despite the efforts of ChristmannSchmitt to preserve the confidentiality of your Personal Data, you consider that your rights have not been respected, you have the option to file a claim with a supervisory authority, notably in the State of your habitual residence, place of work or where the breach has been committed.
In the Grand Duchy of Luxembourg, the competent authority is the national commission for the protection of data (CNPD) (Service des plaintes, 1, avenue du Rock'n'Roll, L-4361 Esch-sur-Alzette).
14. How can you exercise your rights?
For any further information about this Policy or on how to exercise your rights, you can send ChristmannSchmitt a letter, accompanied by evidence of your identity, to the contact details mentioned in Section 2.
ChristmannSchmitt undertakes to reply to you as soon as possible, and in any event within one month of receipt of your request.
If necessary, this period may be extended by two months, taking into account the complexity and number of requests addressed to ChristmannSchmitt. In this event, you will be informed of this within one month of receipt of your request and will be given the reasons for the delay.
If ChristmannSchmitt does not agree to your request, it will inform you of the reasons for this and you will have the opportunity of sending a complaint to a supervisory authority and lodging an appeal with a court with jurisdiction.