Legal Notice

PRIVACY POLICY

We at bnt attorneys in CEE value your privacy and process all your personal data in compliance with GDPR and the data privacy laws. We are an international law firm with separate legal entities across multiple jurisdictions within the CEE region. The below privacy policy provides detailed information on processing of your personal data and applies to all the bnt entities. The local bnt entity (hereinafter – the “Law Firm”) that provides you the services / has legal relationship with you / you are in contact with is to be qualified as the data controller of your personal data described in this privacy policy. For more details on the bnt entities and the contact data where you can communicate with your respective data controller, please click on the list of the bnt entities here.

This privacy policy does not cover processing of personal data of (candidate) employees, (candidate) trainees, (candidate) attorneys at law and assistant attorneys (i.e. personnel of the Law Firm). Such processing falls under separate privacy policies which are presented directly to the personnel upon collection of their data.

Contents of the privacy policy:

  1. CATEGORIES OF PERSONAL DATA, PROCESSING PURPOSES AND LEGAL BASES
    1. Clients who themselves are natural persons
    2. Representatives (natural persons) of clients
    3. Service providers, who themselves are natural persons
    4. Representatives (natural persons) of service providers
    5. Persons who make inquiries (on paper, by e-mail, by phone, in person or other)
    6. Other persons whose data are obtained in the provision of legal services to customers
    7. Direct marketing
  2. SOURCES OF YOUR PERSONAL DATA
  3. SHARING OF YOUR PERSONAL DATA
  4. LOCATION OF PROCESSING
  5. HOW LONG WE KEEP YOUR DATA
  6. AUTOMATED DECISION-MAKING, PROFILING
  7. YOUR RIGHTS AS DATA SUBJECTS
  8. WHO TO CONTACT REGARDING PROCESSING OF YOUR PERSONAL DATA

1. CATEGORIES OF PERSONAL DATA, PROCESSING PURPOSES AND LEGAL BASES

1.1. Clients who themselves are natural persons

 This section covers cases where the data subject (a natural person) is him/herself a client of the Law Firm. For example – Mr. John Doe approaches the Law Firm and asks to be represented in a court dispute. Mr. John Doe himself signs a legal service contract with the Law Firm and becomes a client. In these and similar cases (i.e. where the data subject is him/herself a client) the following applies:

Personal data category Processing purpose Legal bases for processing
Identification data (e.g. name, surname, personal ID, position etc.) These personal data serve the purpose of concluding and performing the legal service agreement with the client.

 

Entering into contract with a data subject and performance of a contract (Article 6(1)(b) of the GDPR).

 

Contact details (e.g. address, e-mail address, telephone number, etc.)
Information about the legal services contract and its implementation (e.g. terms and conditions, invoices, reports etc.)

 

Financial data (bank account, transactions according to invoices etc.)
Any other data in the context of particular assignment (e.g. data present in correspondence and/or documents related to particular assignment)
Information provided in the “Know your client” questionnaire (when applicable) Under certain circumstances (e.g. depending on the type and value of assignment, geography of transactions etc.) the Law Firm could be obliged to require the client to fill out a “know your customer” questionnaire in order to comply with the statutory obligations on prevention of money laundering and terrorist financing. Compliance with a legal obligation (Article 6(1)(c) of the GDPR).
Client reference and feedback (e.g. Descriptions of legal matters dealt with, customer feedback about the services provided etc.) If the client agrees, the Law Firm uses reference to particular clients and/or particular assignments and/or client feedback to promote its business (e.g. to appear in the lists of top law firms in legal directories (e.g. Legal 500), as well as to publish project portfolios etc.) Client’s consent Article 6(1)(a)

1.2. Representatives (natural persons) of clients

 This section covers cases where the data subject (a natural person) is not him/herself a client of the Law Firm, but rather represents another subject which – in turn – is the client of the Law Firm. For example – Mr. John Doe is a managing director at a company, which wishes to acquire legal services from the Law firm. The company enters into a legal service contract with the Law Firm and thus becomes the client. Mr. John Doe puts his signature on the contract, conducts correspondence with the Law Firm on particular assignments, handles invoices, represents the client in other matters pertinent to implementing the contract. In these and similar cases (i.e. where the data subject represents another subject which – in its turn – is the client of the Law Firm) the following applies:

Personal data category Processing purpose Legal basis for processing
Identification data (e.g. name, surname, position etc.) These personal data serve the purpose of concluding and performing the legal service agreement with the client which the data subject represents.

 

Legitimate interest to enter into and perform a contract with the represented subject (Article 6(1)(f) of the GDPR)

 

Contact details (e.g. address, e-mail address, telephone number, etc.)
Any other personal data of the representative made available in the context of particular assignment (e.g. data present in correspondence and/or documents related to particular assignment)
Information provided in the “Know your client” questionnaire (when applicable) Under certain circumstances (e.g. depending on the type and value of assignment, geography of transactions etc.) the Law Firm could be obliged to require the client to fill out a “know your customer” questionnaire in order to comply with the statutory obligations on prevention of money laundering and terrorist financing. Representative might be required to disclose participation in other companies or similar personal information. Compliance with a legal obligation (Article 6(1)(c) of the GDPR).
Client reference and feedback (e.g. Descriptions of legal matters dealt with, customer feedback about the services provided etc.) If the client agrees, the Law Firm uses reference to particular clients and/or particular assignments and/or client feedback to promote its business (e.g. to appear in the lists of top law firms in legal directories (e.g. Legal 500), as well as to publish project portfolios etc.). Representative of the company may be asked to give feedback on behalf of the client. Data subjects consent Article 6(1)(a)

 1.3. Service providers, who themselves are natural persons

This section covers cases where the data subject (a natural person) is him/herself a service provider to the Law Firm. For example – Mrs. Jane Doe who works individually, provides translation services to the Law Firm under service contract between herself and the Law firm. In these and similar cases (i.e. where the data subject is him/herself a service provider) the following applies:

Personal data category Processing purpose Legal bases for processing
Identification data (e.g. name, surname, personal ID, self-employment certificate number, business certificate number, etc.) etc.) These personal data serve the purpose of concluding and performing the service agreement between the service provider and the Law Firm.

 

Entering into contract with a data subject and performance of a contract (Article 6(1)(b) of the GDPR).

 

Contact details (e.g. address, e-mail address, telephone number, etc.)
Information about the services agreement and its implementation (e.g. terms and conditions, invoices, reports etc.)
Financial data (bank account, transactions according to invoices etc.)
Any other data in the context of particular service assignment (e.g. data present in correspondence and/or documents related to particular service assignment)

1.4. Representatives (natural persons) of service providers

This section covers cases where the data subject (a natural person) is not him/herself a service provider of the Law Firm, but rather represents another subject which – in turn – is a service provider of the Law Firm. For example – Mrs. Jane Doe is a managing director at a company, which provides IT services to the Law firm. The company enters into a service contract with the Law Firm. Mrs. Jane Doe puts her signature on the contract, conducts correspondence with the Law Firm on particular service assignments, handles invoices, represents the service provider in other matters pertinent to implementing the service contract. In these and similar cases (i.e. where the data subject represents another subject which – in its turn – is a service provider to the Law Firm) the following applies:

Personal data category Processing purpose Legal basis for processing
Identification data (e.g. name, surname, position etc.) These personal data serve the purpose of concluding and performing the service agreement with the service provider which the data subject represents.

 

Legitimate interest to enter into and perform a contract with the represented subject (Article 6(1)(f) of the GDPR)

 

Contact details (e.g. address, e-mail address, telephone number, etc.)
Any other personal data of the representative made available in the context of particular service assignment (e.g. data present in correspondence and/or documents related to particular service assignment)

1.5. Persons who make inquiries (on paper, by e-mail, by phone, in person or other)

This section covers cases where the Law Firm receives any kind of inquiry, by whatever means, from a data subject, representing himself or on behalf of other entity.

Example 1: Mr. John Doe calls the Law Firm’s reception desk and asks to speak to a lawyer, because he saw an article in the Law Firm’s webpage and would like to inquire about his own situation, similar to the one, described in the article. After a brief conversation with a lawyer, having clarified the situation, Mr. John Doe decides not to pursue legal action.

Example 2: The Law Firm receives an e-mail by an auditor of one of the clients (together with authorization documents) asking to provide information about legal cases or legal claims toward the client, relevant for completing the audit.

Example 3: The law firm receives by registered mail a notice from the court about a scheduled court hearing, together with the identity and contact details the court secretary, who prepared the notice.

In these and similar cases (i.e. where the Law Firm receives any kind of inquiry, by whatever means, from a data subject, representing himself or on behalf of other entity) the following applies:

Personal data category Processing purpose Legal bases for processing
Identification data (e.g. name, surname, position, etc.) These personal data are necessary for the Law Firm in order to receive, handle and respond to inquiries.

 

Legitimate interest to receive, handle and respond to inquiries (Article 6(1)(f) of the GDPR)
Contact details (e.g. e-mail address, telephone number, etc.)
Content of the inquiry, any personal data provided in the context of particular inquiry follow-up communication Information about the services agreement and its implementation (e.g. data present in correspondence and/or documents related to particular inquiry.)

1.6. Other persons whose data are obtained in the provision of legal services to customers

 This section covers cases where the data subject has no direct contact with the Law Firm, but the Law Firm processes their personal data as a natural result of providing legal services to the clients.

Example 1: the client of the Law Firm enters into a business agreement with company “X” (company “X” is not a client of the Law Firm). Mr. John Doe is the managing Director of the company “X”. As such his personal data may appear in the business agreement with the client of the Law Firm.

Example 2: The Law Firm represents a client in a court dispute against Mrs. Jane Doe (Mrs. Jane Doe is not a client of the Law Firm). The Law Firm, representing the client in the dispute, will handle procedural documents which may contain personal data of Mrs. Jane Doe as party to the dispute.

In these and similar cases (i.e. where the data subject has no direct contact with the Law Firm, but the Law Firm processes their personal data as a natural result of providing legal services to the clients) the following applies:

Personal data category Processing purpose Legal bases for processing
Any personal data made available in the context of providing legal service to the client as per client’s assignment. (e.g. data present in correspondence, documents and any other information that is processed in the context of legal service under particular assignment.) These personal data are necessary for the Law Firm to provide legal service to the client as per client’s assignment.

 

Legitimate interest to provide legal services (Article 6(1)(f) of the GDPR)

1.7. Direct marketing

This section covers processing of personal data for the purposes of direct marketing.

Example 1: Law Firm sends newsletters to clients by e-mail.

Example 2: Law Firm calls a client and asks whether he would like to participate in a “Business Breakfast” event held by the Law Firm.

As regards processing of personal data for direct marketing, the following applies:

Personal data category Processing purpose Legal bases for processing
Identification data (e.g. name, surname, position, etc.) These personal data are used for the purposes of direct marketing when the client has given consent.

 

Data subject’s consent (Article 6(1)(a) of the GDPR)
Contact details (e-mail address, telephone number, etc.)

2. SOURCES OF YOUR PERSONAL DATA

Most of personal data the data subjects provide directly to the Law Firm.

However, there are cases where the Law Firm obtains personal data indirectly (not from the data subject him/herself), for example:

  • Sub-section 1.6. describes cases where the Law Firm comes to processes personal data in the course of providing legal services (for example personal data inherent in documents or correspondence related to particular assignment).
  • Being part of a network of law firms under the brand “bnt attorneys in CEE”, the Law Firm may receive some personal data from other law firms within the network (for example in complex cases that require cross-border collaboration).

3. SHARING OF YOUR PERSONAL DATA

3.1. Service providers

The Law Firm may share your personal data with third-party service providers, who provide services, necessary for the functioning of the Law Firm. Third-party providers may provide the following services to the Law Firm:

  • Data hosting
  • IT services
  • Accounting services
  • Communication services
  • Translation services
  • Marketing services

In order to protect the personal data, the Law Firm has entered into data processing agreements with the above-mentioned third-party service providers.

3.2. State authorities

The Law Firm may be required to transfer your personal data to local or state authorities, courts, other institutions depending on the scope of the legal services or the applicable statutory requirements.

3.3. Group companies

Personal data can be exchanged between the law firms that make up the law firm network of “bnt attorneys in CEE” if provision of requested legal services so requires (for example in complex cases that require cross-border collaboration).

4. LOCATION OF PROCESSING

 We primarily store and process Personal Data within the European Union. Nevertheless, it may at times be necessary that your Personal Data is transferred to and stored at a destination outside the European Union. This maybe the case when the legal service assignment so requires (for example –  legal service assignment may require collaboration with the “bnt attorneys in CEE” Minsk office). In other cases personal data may be processed by data processors (third-party service providers), operating outside the EU or using sub-processors that operate outside the EU.

 In cases where we transfer your personal data outside EU we base it on one of the following mechanisms:

  • an adequacy decision by the European Commission;
  • standard contractual clauses by the European Commission;
  • other safeguards (e.g. specific clauses or specific technical and organizational security measures set in data processing agreements).

5. HOW LONG WE KEEP YOUR DATA

The Law Firm will store the personal data in compliance with the applicable legislation and in conformity with the rules of the Bar Association. The Law Firm will retain your Personal Data for no longer than is necessary for the purposes for which they are collected and processed for.

The period for which the personal data is kept depends on number of criteria, including:

  • type of personal data;
  • whether there is any ongoing dispute (in order for the Law Firm (or the Law Firm’s client) to establish, exercise or defend against legal claims);
  • applicable legal obligations under laws and regulations to retain personal data for certain amount of time.

6. AUTOMATED DECISION-MAKING, PROFILING

While processing your personal data, the Law Firm does not engage  automated decision-making or profiling.

7. YOUR RIGHTS AS DATA SUBJECTS

You, as a data subject, may, at any time, exercise the following rights:

7.1. Right to access: you have the right to request access to any of your personal data which the Law Firm may processes. For example, you can ask to be informed on whether the Law Firm processes your personal data, what exact personal data of yours the Law Firm processes, for what purposes, on what legal bases, etc.

7.2. Right to rectification: you have the right to request the Law Firm to correct any of your personal data if it is inaccurate or incomplete.

7.3. Right to object: you are entitled to object to certain processing of personal data, including for example, the processing of your personal based on legitimate interest;

7.4. Right to erasure: you may request the Law Firm to erase your personal data if you consider that processing is unlawful.

7.5. Right to data portability: you may request that we provide you with your personal data in a structured, commonly used and machine-readable format. You may also request that the personal data is transmitted to another controller if it is technically feasible.

7.6. Right to withdraw your consent: in cases where the processing is based on consent, you have the right to withdraw your consent.

You also have the right to lodge a complaint with the data protection authority if you think that your personal data is being processed unlawfully or that the Law Firm has violated your rights.

8.WHO TO CONTACT REGARDING PROCESSING OF YOUR PERSONAL DATA

You can contact the Law Firm with any questions or requests regarding the processing of your personal data. Please use the contact details.