Privacy Policy

PRIVACY POLICY of Schiltz & Schiltz S.A.
Last updated and effective as of 19 July 2018.

1. General

For Schiltz & Schiltz S.A. (a public limited company (société anonyme) incorporated under the laws of Luxembourg and registered with the Luxembourg Business Register (LBR) under number B 220251 and the Luxembourg Bar, whose registered office is at 24-26, Avenue de la Gare, L-1610 Luxembourg) as well as for its lawyers (hereinafter the “Company, we, us, our”), the protection of your privacy is a primary concern.

Through this Privacy Policy, we seek to inform any person, in particular our clients, whose personal data (i.e. any information relating to an identified or identifiable natural person; hereinafter “Personal Data”) are collected, stored or otherwise processed by us or on our behalf (hereinafter “you, your”) of the processing activities carried out.

Please note that the nature of our activities and the contexts in which Personal Data are processed by the Company make it difficult to provide you with a precise and exhaustive description of all processing activities carried out by the Company or on its behalf.

We thus prepared this Privacy Policy on a ‘best efforts’ basis with a view to provide you with relevant information in a concise, transparent, intelligible and easily accessible form and we remain at your disposal in the event that you have any further question on the processing of your Personal Data. Please note that our endeavours to provide you with relevant information on the processing of your Personal Data are in any event limited by professional secrecy rules to which we and our lawyers are subject in our capacity as a law firm and lawyers admitted to the Luxembourg Bar.

2. Data controller & data protection officer

The Company is the legal entity responsible for the collection and processing of your Personal Data.

The Company has designated a data protection officer with a view to inform and advise the Company on how to protect your privacy. Our data protection officer can be contacted either by mail (schiltz@schiltz.lu) or via telephone (+352 45 64 80).

3. Personal Data collected and processed

3.1. General

The categories of Personal Data we collect and process depend on the specific context of each situation and the list reproduced below is in all likelihood not to be considered as exhaustive.

Please note that the Company is not in a position to control the volume, extent or nature of Personal Data which are provided to us by others. Taking this into account, we shall however endeavour to process your Personal Data only in compliance with applicable data protection principles (such as purpose limitation).

We furthermore wish to draw your attention to the fact that you as well as any other person shall only provide us with information that is necessary for the intended purpose (data minimisation) in compliance with applicable data protection legislation.

3.2. Categories of Personal Data processed

Depending on the context, the Personal Data we process may include:

  • private or professional contact information (e.g. address, email address, telephone or mobile phone number);
  • identification information (e.g. first and last names, date and place of birth, identification number or gender) as well as technological identification data (e.g. IP addresses, cookies (see below), time and location data of communications or website visits);
  • business information (e.g. job function, job title, department or location) or contextual professional information (participation in memberships or organisations);
  • financial information, including income, assets, charges and investments (e.g. bank account information, bank guarantees, deposits, debts, financial transactions, expenses, mortgage, pension details, remunerations, salaries (or other compensation paid), possessions (also real estate));
  • educational information (e.g. curriculum vitae) and professional records and activities;
  • health data (e.g. medical records, medical reports, sick leave, information on sexual orientation, illnesses, diseases, images, videos and sounds of surgical interventions);
  • insurance data (e.g. insurances subscribed, risks covered);
  • images, videos, sounds, texts and phone call conversations;
  • data on incidents and accidents (especially in the field of medical liability and insurance matters);
  • data concerning other aspects of your life, such as your political opinions, sex life, trade union memberships, immigration status, labour law status, pension status, goods and services used or made available, accommodation, private life habits (social and family life, such as the composition of households, your hobbies, habits and interests), licences held;
  • judicial data (criminal records, court decisions, convictions);
  • contractual information (i.e. any information provided by you for the performance of the Company’s contractual obligations).

3.3. The sources from which your Personal Data stem

The Company may collect your Personal Data directly from you, namely when you contact us or request us to carry out services on your behalf, as well as from other sources such as:

  • the Company’s service providers or business partners;
  • the Company’s clients or adverse parties;
  • other auxiliaries of justice (e.g. lawyers, bailiffs, etc.);
  • regulators or public authorities;
  • other third-party or publicly available sources (e.g. trade registers, directories, social media platforms).

3.4. Cookies and similar technology

The Company may use cookies. Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

Cookies are typically stored on your computer’s hard drive. Information collected from cookies may be used by the Company to analyse trends, to administer its services and to evaluate their effectiveness. The Company may also use cookies or a technology known as web bugs or clear gifs, which are typically stored in emails to help us confirm your receipt of, and response to, its emails.

The service providers of the Company may also place cookies on the hard drive of your device. The Company’s service providers may analyse these data with a view to allow us to better understand your interests in the Company Services and to better serve those interests. Please note that data collected by use of cookies or similar technologies may be linked to and combined with any other data, including Personal Data, relating to you that the Company processes.

You can choose to deactivate cookies, however in such circumstances you will not be able to use parts of the Company Services which require cookies to be active.

3.5. Possible consequences of a refusal to provide your Personal Data

Please also note that a refusal to provide us with necessary Personal Data or the exercise of your data subject rights (as detailed below) may prevent you from using the Company Services, in whole or in part, and may lead to the termination of our business relationship.

4. Legal bases allowing to collect and process your Personal Data

Depending on the context of each specific situation, the collection and processing of your Personal Data by the Company is lawful as at least one of the following applies:

  • the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract;
  • the processing is necessary for compliance with a legal obligation to which the Company is subject (e.g. when storing Personal Data for compliance purposes or when complying with our AML and KYC obligations);
  • the processing is necessary for the performance of a task carried out in the public interest (namely when we exercise our role as auxiliary of justice);
  • the processing is necessary for the purposes of the legitimate interests pursued by the Company or a third party and those legitimate interests are not overridden by the interests or fundamental rights and freedoms of the data subject; such legitimate interests namely consisting in:
    • administering claims, preparing the legal defence of clients and third parties, resolving and managing disputes or litigation proceedings, protecting any interests, of whatsoever nature, whether tangible or not, of ourselves or others;
    • providing our clients with advice regarding their rights and obligations;
    • providing clients with information requested by them and with solutions to their questions;
    • performing the services we are requested to perform;
    • managing and administering the relationship with our clients and prospects;
    • ensuring the efficient functioning of the Company, including by managing, assessing and improving our internal organisation and functioning;
    • promoting the Company’s activities (e.g. marketing activities, commercial communications) and ensuring the effective provision of the Company’s services (e.g. organise meetings or events), as those will allow the Company to generate profits and to attract new customers;
  • the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
  • you have given your consent to the processing of your Personal Data;
  • the processing relates to personal data which are manifestly made public by the data subject;
  • the processing is necessary for the establishment, exercise or defence of legal claims;
  • the processing is necessary for statistical purposes;
  • the Personal Data is processed by a person subject to an obligation of secrecy.

5. Conditions applicable to your consent (if applicable)

Please note that if the processing of your Personal Data has been rendered lawful on the basis of your consent you have, at any time, the right to withdraw your consent to the processing of your Personal Data. The withdrawal of your consent shall however not affect the lawfulness of processing based on your consent before its withdrawal.

In case you are below the age of 16 years, the Company will, in accordance with applicable data protection legislation, only be allowed to process your Personal Data on the basis of your consent if and to the extent that such consent to the processing is also given or authorised by a holder of parental responsibility over you and the Company will make reasonable efforts to verify that a holder of parental responsibility over you is also consenting or giving his or her authorisation to the processing of your Personal Data as set out in the present Privacy Policy.

6. The purposes of the processing

The Company processes your Personal Data for various purposes, in particular:

  • to meet or comply with any applicable rules, laws, regulations, codes of practice or guidelines issued by any legal or regulatory bodies (including the Bar Associations to which the Company or its lawyers are members) which are applicable to the Company Services (e.g. respond to regulatory complaints, disclose facts to regulatory bodies, conduct audits and checks, perform due diligence, investigations and identity checks), in particular for compliance purposes (such as AML and KYC obligations);
  • to respond to requests from public and government authorities and in particular to respond to a verified request relating to a criminal investigation (e.g. subpoena, court order or substantially similar legal procedure) or alleged illegal activity or any other activity that may expose the Company or any of the Company’s service providers, or you to any legal proceeding or legal liability;
  • to prevent any harm, financial loss or any other risk for the Company or any of the Company’s service providers or any other individual or entity related to the Company and to prevent, detect and investigate, to analyse and manage commercial risks and to deal with actual or potential illicit or illegal acts (e.g. to pursue available remedies or limit the damages that the Company or its service providers may sustain);
  • to protect the Company, its operations and its contractual and legal rights and obligations or those of others as well as the rights, privacy, safety and property of the Company or others;
  • to perform the contract to which you are party or to take steps at your request prior to entering into a contract and to perform the services we are requested by you, our clients or third parties for the protection of their interests;
  • to exercise our role as auxiliary of justice and to communicate with other auxiliaries of justice (e.g. lawyers, bailiffs, etc.) involved or to be involved in a subject matter dealt with by the Company;
  • to administer claims, prepare the legal defence of clients and third parties, resolve and manage disputes or litigation proceedings, protect any interests, of whatsoever nature, whether tangible or not, of ourselves or others;
  • to provide our clients with advice regarding their rights and obligations, information requested by them and solutions to their questions, and perform the services we are requested to perform;
  • to ensure the efficient functioning of the Company, including by managing, assessing and improving our internal organisation and functioning;
  • to promote the Company’s activities (e.g. marketing activities, commercial communications) and ensure the effective provision of the Company’s services (e.g. organise meetings or events), as those will allow the Company to generate profits and to attract new customers;
  • to provide you with any other information regarding the Company and its services, to contact you and to send you administrative information, such as information concerning changes to the Privacy Policy or any other legally binding document;
  • to respect our labour law obligations and to perform the job or traineeship contract (e.g. payment of salaries and calculation of leave), as well as to serve our recruitment purposes;
  • to respond to inquiries and support needs and to fulfil other requests;
  • to prevent any data breach or circumvention of the Company’s security measures or to mitigate their possible adverse effects;
  • for troubleshooting and statistical and archiving purposes.

7. Keeping your Personal Data up-to-date

You shall ensure that all your Personal Data processed by the Company are accurate, complete, true, correct and up to date. The Company shall not be liable for keeping and processing inaccurate information in case that you did not respect your obligation to keep your Personal Data up-to-date.

8. Your data protection rights

8.1. General

To exercise your data protection rights outlined in this section, you can contact the Company by sending an email to schiltz@schiltz.lu or by contacting us via phone under the following number: +325 45 64 80.

Please make clear in your request which Personal Data you would like to access or to rectify or of which Personal Data you request the restriction of processing or their erasure.

Please be aware that your data protection rights are not absolute and it remains that, in accordance with applicable data protection laws, your rights may be withheld. In such event, the Company will provide you with the reasons for not complying with your request.

The Company is inclined to process your request as soon as reasonably practicable and the Company will provide you with information on actions taken without undue delay and in any event within one month of receipt of your request. This period may be extended by a further two months where necessary, taking into account the complexity and number of your requests. In this event the Company will inform you of any such extension within one month of the receipt of your request, together with the reasons for the delay.

In the event the Company would decide to not comply with your request or has not processed your request within the aforesaid timeframe, you can lodge a complaint with the national supervisory authority (see point 16.) and you can seek a judicial remedy against the Company’s decision.

8.2. Your right to access, rectification, restriction of processing and erasure of your Personal Data & your right to data portability

You have, if applicable and within the limits of applicable data protection laws, the ability to request access to your Personal Data processed by the Company and to seek the rectification or erasure of your Personal Data or to request the restriction of their processing.

You have, within the limits of applicable data protection laws, the right to receive the Personal Data you have submitted to the Company in a structured, commonly used and machine-readable format and to transmit such Personal Data to another controller without hindrance. The Company will, where applicable and technically feasible, transmit your Personal Data directly to the data controller of your choice.

8.3. Your right to object

IN ACCORDANCE WITH APPLICABLE DATA PROTECTION LEGISLATION, YOU HAVE THE RIGHT TO OBJECT, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, AT ANY TIME, TO THE PROCESSING OF YOUR PERSONAL DATA BY THE COMPANY, UNLESS:

  • THERE EXIST COMPELLING LEGITIMATE GROUNDS FOR SUCH PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS; OR
  • THE PROCESSING IS NECESSARY FOR THE ESTABLISHMENT, EXERCISE OR DEFENCE OF LEGAL CLAIMS.

NOTWITHSTANDING THE FOREGOING, PLEASE BE AWARE THAT YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA FOR DIRECT MARKETING PURPOSES. IN THIS EVENT, YOU MAY OPT-OUT OF SUCH PROCESSING BY SENDING AN EMAIL TO schiltz@schiltz.lu.

9. International transfers of Personal Data

As a matter of principle, the Company plans to process your Personal Data within the European Union. This shall, however, apply without prejudice to our right to transfer and process your Personal Data outside of the European Economic Area (i.e. in “third countries”) in accordance with the applicable legislation, namely if (depending on the context):

  • an adequate level of protection is ensured (i.e. that the European Commission has granted an adequacy decision to the third country or the international organisation concerned);
  • if appropriate safeguards are put into place (e.g. standard contractual clauses have been adopted);
  • (without prejudice to other possible derogations), the transfer or the set of transfers of your Personal Data to a third country or an international organisation concerned is lawful as at least one of the following conditions is met:
    • you have explicitly consented to the proposed transfer;
    • the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
    • the transfer is necessary for the conclusion or performance of a contract concluded in the interest of you between the Company and another natural or legal person;
    • the transfer is necessary for important reasons of public interest;
    • the transfer is necessary for the establishment, exercise or defence of legal claims.

Please be aware that in these hypotheses, the absence of an adequate level of protection for your Personal Data and of other appropriate safeguards entails the risk that your Personal Data may be subject to laws and regulations which do not guarantee an equivalent level of protection for your rights and freedoms as it would normally be the case within the European Union and that – as a consequence – such transfer may entail negative consequences on the protection of your privacy.

10. Disclosure of Personal Data

10.1. General principles of disclosure

The Company may disclose your Personal Data to others in accordance with applicable laws and regulations, and in particular with a view to accomplish the purposes set forth in point 6. of the present Privacy Policy.

10.2. Categories of recipients

The Company currently discloses your Personal Data to the following categories of recipients:

  • our clients or any party related to our clients;
  • the Luxembourg Bar;
  • public and government authorities (e.g. judicial authorities such as courts and tribunals or the public prosecutor, the CCSS, CSSF, CNPD, tax authorities, etc.);
  • the Company’s service providers (e.g. IT support service providers, advisors, consultants, accountants, payroll providers, etc.);
  • auxiliaries of justice (e.g. lawyers, bailiffs, etc.);
  • any other third party, if such disclosure is necessary for the fulfilment of the purposes set forth in this Privacy Policy.

11. Security of Personal Data

The Company protects your Personal Data by using appropriate administrative, technical and organisational security measures to reduce the risks of loss, theft, misuse, unauthorised access, disclosure, destruction and alteration of your Personal Data. Please be, however, aware that today no processing, transmission or storage of data, including Personal Data – even in high security environments and notwithstanding any appropriate security measure – ensures an absolute protection and can for example be subject to hacks or attacks.

If you have reason to believe that your Personal Data is no longer secure, you shall immediately notify such risk to the Company by contacting us at schiltz@schiltz.lu.

12. External Websites

Occasionally, the Company’s website(s) (hereinafter “Company Website”) may provide references or links to, or facilitate access to other websites or other online services, including applications (hereinafter “External Websites”).

The Company does not control such External Websites or any of their content.

The Company shall in no way be responsible or liable for such External Websites to which the Company makes reference or provides a link thereto, whether directly or indirectly. The Company shall in particular be in no way responsible or liable for External Websites’ content, any information displayed thereon, policies, privacy standards, failures, promotions, products, any practice, services or actions and/or any damages, losses, failures or problems caused by, related to, or arising from those sites.

Please be aware that the inclusion of a link or any other reference within the Company Website does not imply endorsement of an External Website by the Company and it remains that such External Websites have separate and independent privacy policies. The Company consequently encourages you to review the policies, rules, terms, privacy practices and regulations of each site that you visit.

The Company seeks to protect the integrity of the Company Website and thus welcomes any feedback about External Websites referred to within the Company Website.

13. Storage of your Personal Data

Without prejudice to the Company’s right to further process your Personal Data for purposes that are not incompatible with the initial purpose, and subject to the Company’s own legal and regulatory obligations, the Company retains your Personal Data only for as long as necessary to fulfil the purposes described in the present Privacy Policy and as long as required by the laws of Luxembourg.

In this vein, the Company keeps client documents for at least 10 years as from the termination of the relevant contractual relationship.

14. Updates to this Privacy Policy

The present Privacy Policy has been made available to you prior to your use of the Company Services.

The Company reserves the right to revise, change, modify, update, supplement, add or remove parts of the Privacy Policy, at any time, in an exercise of its sole discretion. When the Company makes such changes to the Privacy Policy, the Company will notify such changes to you by making the amended Privacy Policy available on the Company’s website (hereinafter “amended Privacy Policy”). It is your responsibility to review the amended Privacy Policy.

15. Merger/Corporate Acquisition

If the Company merges with another company or entity, of whatsoever form, or is partially or entirely acquired by such company or entity, the acquiring company or entity shall have access to all your Personal Data in the Company’s possession. Without prejudice to the right to update the present Privacy Policy, the acquiring company or entity shall be bound by this Privacy Policy.

16. Questions or complaints

If you have questions or concerns about this Privacy Policy or seek additional information about the processing activities carried out by the Company when providing the Company Services, you can contact us via phone under the following number: +325 45 64 80 or write us by sending an email to schiltz@schiltz.lu.

If you do not feel satisfied with the response given or actions taken, you have the right to lodge a complaint with the Commission Nationale pour la Protection des Données (the data protection authority in Luxembourg) having its seat at 1, avenue du Rock’n’Roll, L-4361 Esch-sur-Alzette (Luxembourg).

17. Applicable law & jurisdiction

The provision of the Company Services to persons in the European Union shall be governed by and construed in accordance with the laws of the Grand-Duchy of Luxembourg, excluding to the largest extent legally permitted by law any provisions of Luxembourg private international law as well as any provision of law that would result in the application of the law of a different jurisdiction. This shall be without prejudice to the protection of the mandatory provisions of the law of another Member State of the European Union that would be applicable in the absence of the present paragraph and that would under public order rules and principles have to prevail in Luxembourg.

Any disputes arising from the provision of the Company Services to persons in the European Union shall be submitted to the jurisdiction of the Courts of the district of Luxembourg-City (Grand-Duchy of Luxembourg).