Last updated and effective as of 19 July 2018.
For Schiltz & Schiltz S.A. (a public limited company (société anonyme) incorporated under the laws of Luxembourg and registered with the Luxembourg Business Register (LBR) under number B 220251 and the Luxembourg Bar, whose registered office is at 24-26, Avenue de la Gare, L-1610 Luxembourg) as well as for its lawyers (hereinafter the “Company, we, us, our”), the protection of your privacy is a primary concern.
Please note that the nature of our activities and the contexts in which Personal Data are processed by the Company make it difficult to provide you with a precise and exhaustive description of all processing activities carried out by the Company or on its behalf.
2. Data controller & data protection officer
The Company is the legal entity responsible for the collection and processing of your Personal Data.
The Company has designated a data protection officer with a view to inform and advise the Company on how to protect your privacy. Our data protection officer can be contacted either by mail (firstname.lastname@example.org) or via telephone (+352 45 64 80).
3. Personal Data collected and processed
The categories of Personal Data we collect and process depend on the specific context of each situation and the list reproduced below is in all likelihood not to be considered as exhaustive.
Please note that the Company is not in a position to control the volume, extent or nature of Personal Data which are provided to us by others. Taking this into account, we shall however endeavour to process your Personal Data only in compliance with applicable data protection principles (such as purpose limitation).
We furthermore wish to draw your attention to the fact that you as well as any other person shall only provide us with information that is necessary for the intended purpose (data minimisation) in compliance with applicable data protection legislation.
3.1. Categories of Personal Data processed
Depending on the context, the Personal Data we process may include:
- private or professional contact information (e.g. address, email address, telephone or mobile phone number);
- identification information (e.g. first and last names, date and place of birth, identification number or gender) as well as technological identification data (e.g. IP addresses, cookies (see below), time and location data of communications or website visits);
- business information (e.g. job function, job title, department or location) or contextual professional information (participation in memberships or organisations);
- financial information, including income, assets, charges and investments (e.g. bank account information, bank guarantees, deposits, debts, financial transactions, expenses, mortgage, pension details, remunerations, salaries (or other compensation paid), possessions (also real estate));
- educational information (e.g. curriculum vitae) and professional records and activities;
- health data (e.g. medical records, medical reports, sick leave, information on sexual orientation, illnesses, diseases, images, videos and sounds of surgical interventions);
- insurance data (e.g. insurances subscribed, risks covered);
- images, videos, sounds, texts and phone call conversations;
- data on incidents and accidents (especially in the field of medical liability and insurance matters);
- data concerning other aspects of your life, such as your political opinions, sex life, trade union memberships, immigration status, labour law status, pension status, goods and services used or made available, accommodation, private life habits (social and family life, such as the composition of households, your hobbies, habits and interests), licences held);
- judicial data (criminal records, court decisions, convictions);
- contractual information (i.e. any information provided by you for the performance of the Company’s contractual obligations).
3.3. The sources from which your Personal Data stem
The Company may collect your Personal Data directly from you, namely when you contact us or request us to carry out services on your behalf, as well as from other sources such as:
- the Company’s service providers or business partners;
- the Company’s clients or adverse parties;
- other auxiliaries of justice (e.g. lawyers, bailiffs, etc.);
- regulators or public authorities;
- other third-party or publicly available sources (e.g. trade registers, directories, social media platforms).
3.4. Cookies and similar technology
You can choose to deactivate cookies, however in such circumstances you will not be able to use parts of the Company Services which require cookies to be active.
3.5. Possible consequences of a refusal to provide your Personal Data
Please also note that a refusal to provide us with necessary Personal Data or the exercise of your data subject rights (as detailed below) may prevent you from using the Company Services, in whole or in part, and may lead to the termination of our business relationship.
4. Legal bases allowing to collect and process your Personal Data
Depending on the context of each specific situation, the collection and processing of your Personal Data by the Company is lawful as at least one of the following applies:
- the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract;
- the processing is necessary for compliance with a legal obligation to which the Company is subject (e.g. when storing Personal Data for compliance purposes or when complying with our AML and KYC obligations);
- the processing is necessary for the performance of a task carried out in the public interest (namely when we exercise our role as auxiliary of justice);
- the processing is necessary for the purposes of the legitimate interests pursued by the Company or a third party and those legitimate interests are not overridden by the interests or fundamental rights and freedoms of the data subject; such legitimate interests namely consisting in:
- administering claims, preparing the legal defence of clients and third parties, resolving and managing disputes or litigation proceedings, protecting any interests, of whatsoever nature, whether tangible or not, of ourselves or others;
- providing our clients with advice regarding their rights and obligations;
- providing clients with information requested by them and with solutions to their questions;
- performing the services we are requested to perform;
- managing and administering the relationship with our clients and prospects;
- ensuring the efficient functioning of the Company, including by managing, assessing and improving our internal organisation and functioning;
- promoting the Company’s activities (e.g. marketing activities, commercial communications) and ensure the effective provision of the Company’s services (e.g. organise meetings or events), as those will allow the Company to generate profits and to attract new customers.
- the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
- you have given your consent to the processing of your Personal Data;
- the processing relates to personal data which are manifestly made public by the data subject;
- the processing is necessary for the establishment, exercise or defence of legal claims;
- the processing is necessary for statistical purposes;
- the Personal Data is processed by a person subject to an obligation of secrecy.
5. Conditions applicable to your consent (if applicable)
Please note that if the processing of your Personal Data has been rendered lawful on the basis of your consent you have, at any time, the right to withdraw your consent to the processing of your Personal Data. The withdrawal of your consent shall however not affect the lawfulness of processing based on your consent before its withdrawal.
6. The purposes of the processing
The Company processes your Personal Data for various purposes, in particular:
- to meet or comply with any applicable rules, laws, regulations, codes of practice or guidelines issued by any legal or regulatory bodies (including the Bar Associations to which the Company or its lawyers are members) which are applicable to the Company Services (e.g. respond to regulatory complaints, disclose facts to regulatory bodies, conduct audits and checks, perform due diligence, investigations and identity checks), in particular for compliance purposes (such as AML and KYC obligations);
- to respond to requests from public and government authorities and in particular to respond to a verified request relating to a criminal investigation (e.g. subpoena, court order or substantially similar legal procedure) or alleged illegal activity or any other activity that may expose the Company or any of the Company’s service providers, or you to any legal proceeding or legal liability;
- to prevent any harm, financial loss or any other risk for the Company or any of the Company’s service providers or any other individual or entity related to the Company and to prevent, detect and investigate, to analyse and manage commercial risks and to deal with actual or potential illicit or illegal acts (e.g. to pursue available remedies or limit the damages that the Company or its service providers may sustain);
- to protect the Company, its operations and its contractual and legal rights and obligations or those of others as well as the rights, privacy, safety and property of the Company or others;
- to perform the contract to which you are party or to take steps at your request prior to entering into a contract and to perform the services we are requested by you, our clients or third parties for the protection of their interests;
- to exercise our role as auxiliary of justice and to communicate with other auxiliaries of justice (e.g. lawyers, bailiffs, etc.) involved or to be involved in a subject matter dealt with by the Company;
- to administer claims, prepare the legal defence of clients and third parties, resolve and manage disputes or litigation proceedings, protect any interests, of whatsoever nature, whether tangible or not, of ourselves or others;
- to provide our clients with advice regarding their rights and obligations, information requested by them and solutions to their questions, and perform the services we are requested to perform;
- to ensure the efficient functioning of the Company, including by managing, assessing and improving our internal organisation and functioning;
- to promote the Company’s activities (e.g. marketing activities, commercial communications) and ensure the effective provision of the Company’s services (e.g. organise meetings or events), as those will allow the Company to generate profits and to attract new customers;
- to respect our labour law obligations and to perform the job or traineeship contract (e.g. payment of salaries and calculation of leave), as well as to serve our recruitment purposes;
- to respond to inquiries and support needs and to fulfil other requests;
- to prevent any data breach or circumvention of the Company’s security measures or to mitigate their possible adverse effects.
- for troubleshooting and statistical and archiving purposes.
7. Keeping your Personal Data up-to-date
You shall ensure that all your Personal Data processed by the Company are accurate, complete, true, correct and up to date. The Company shall not be liable for keeping and processing inaccurate information in case that you did not respect your obligation to keep your Personal Data up-to-date.
8. Your data protection rights
To exercise your data protection rights outlined in this section, you can contact the Company by sending an email to email@example.com or by contacting us via phone under the following number: +325 45 64 80.
Please make clear in your request which Personal Data you would like to access or to rectify or of which Personal Data you request the restriction of processing or their erasure.
Please be aware that your data protection rights are not absolute and it remains that, in accordance with applicable data protection laws, your rights may be withheld. In such event, the Company will provide you with the reasons for not complying with your request.
The Company is inclined to process your request as soon as reasonably practicable and the Company will provide you with information on actions taken without undue delay and in any event within one month of receipt of your request. This period may be extended by a further two months where necessary, taking into account the complexity and number of your request. In this event the Company will inform you of any such extension within one month of the receipt of your request, together with the reasons for the delay.
In the event the Company would decide to not comply with your request or has not processed your request within the aforesaid timeframe, you can lodge a complaint with the national supervisory authority (see point 16.) and you can seek a judicial remedy against the Company’s decision.
8.2. Your right to access, rectification, restriction of processing and erasure of your Personal Data & your right to data portability
You have, if applicable and within the limits of applicable data protection laws, the ability to request access to your Personal Data processed by the Company and to seek the rectification or erasure of your Personal Data or to request the restriction of their processing.
You have, within the limits of applicable data protection laws, the right to receive the Personal Data you have submitted to the Company in a structured, commonly used and machine-readable format and to transmit such Personal Data to another controller without hindrance. The Company will, where applicable and technically feasible, transmit your Personal Data directly to the data controller of your choice.
8.3. Your right to object
IN ACCORDANCE WITH APPLICABLE DATA PROTECTION LEGISLATION, YOU HAVE THE RIGHT TO OBJECT, ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION, AT ANY TIME, TO THE PROCESSING OF YOUR PERSONAL DATA BY THE COMPANY, UNLESS:
- THERE EXIST COMPELLING LEGITIMATE GROUNDS FOR SUCH PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS; OR
- THE PROCESSING IS NECESSARY FOR THE ESTABLISHMENT, EXERCISE OR DEFENCE OF LEGAL CLAIMS.
NOTWITHSTANDING THE FOREGOING, PLEASE BE AWARE THAT YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA FOR DIRECT MARKETING PURPOSES. IN THIS EVENT, YOU MAY OPT-OUT OF SUCH PROCESSING BY SENDING AN EMAIL TO firstname.lastname@example.org.
9. International transfers of Personal Data
As a matter of principle, the Company plans to process your Personal Data within the European Union. This shall, however, apply without prejudice to our right to transfer and process your Personal Data outside of the European Economic Area (i.e. in “third countries”) in accordance with the applicable legislation, namely if (depending on the context):
- an adequate level of protection is ensured (i.e. that the European Commission has granted an adequacy decision to the third country or the international organisation concerned);
- if appropriate safeguards are put into place (e.g. standard contractual clauses have been adopted);
- (without prejudice to other possible derogations), the transfer or the set of transfers of your Personal Data to a third country or an international organisation concerned is lawful as at least one of the following conditions is met:
- you have explicitly consented to the proposed transfer;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of you between the Company and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims.
Please be aware that in these hypotheses, the absence of an adequate level of protection for your Personal Data and of other appropriate safeguards entails the risk your Personal Data may be subject to laws and regulations which do not guarantee an equivalent level of protection for your rights and freedoms as it would normally be the case within the European Union and that – as a consequence – such transfer may entail negative consequences on the protection of your privacy.
10. Disclosure of Personal Data
10.1. General principles of disclosure
10.2. Categories of recipients
The Company currently discloses your Personal Data to the following categories of recipients:
- our clients or any party related to our clients;
- the Luxembourg Bar;
- public and government authorities (e.g. judicial authorities such as courts and tribunals or the public prosecutor, the CCSS, CSSF, CNPD, tax authorities, etc.);
- the Company’s service providers (e.g. IT support service providers, advisors, consultants, accountants, payroll providers, etc.);
- auxiliaries of justice (e.g. lawyers, bailiffs, etc.);
11. Security of Personal Data
The Company protects your Personal Data by using appropriate administrative, technical and organisational security measures to reduce the risks of loss, theft, misuse, unauthorised access, disclosure, destruction and alteration of your Personal Data. Please be, however, aware that today no processing, transmission or storage of data, including Personal Data – even in high security environments and notwithstanding any appropriate security measure – ensures an absolute protection and can for example be subject to hacks or attacks.
If you have reason to believe that your Personal Data is no longer secure, you shall immediately notify such risk to the Company by contacting us at email@example.com.
12. External Websites
Occasionally, the Company’s website(s) (hereinafter “Company Website”) may provide references or links to, or facilitate access to other websites or other online services, including applications (hereinafter “External Websites“).
The Company does not control such External Websites or any of their content.
The Company shall in no way be responsible or liable for such External Websites to which the Company makes reference or provides a link thereto, whether directly or indirectly. The Company shall in particular be in no way responsible or liable for External Websites’ content, any information displayed thereon, policies, privacy standards, failures, promotions, products, any practice, services or actions and/or any damages, losses, failures or problems caused by, related to, or arising from those sites.
Please be aware that the inclusion of a link or any other reference within the Company Website does not imply endorsement of an External Website by the Company and it remains that such External Websites have separate and independent privacy policies. The Company consequently encourages you to review the policies, rules, terms, privacy practices and regulations of each site that you visit.
The Company seeks to protect the integrity of the Company Website and thus welcomes any feedback about External Websites referred to within the Company Website.
13. Storage of your Personal Data
In this vein, the Company keeps client documents for at least 10 years as from the termination of the relevant contractual relationship.
15. Merger/Corporate Acquisition
16. Questions or complaints
If you do not feel satisfied with the response given or actions taken, you have the right to lodge a complaint with the Commission Nationale pour la Protection des Données (the data protection authority in Luxembourg) having its seat at 1, avenue du Rock’n’Roll, L-4361 Esch-sur-Alzette (Luxembourg).
17. Applicable law & jurisdiction
The provision of the Company Services to persons in the European Union shall be governed by and construed in accordance with the laws of the Grand-Duchy of Luxembourg, excluding to the largest extent legally permitted by law any provisions of Luxembourg private international law as well as any provision of law that would result in the application of the law of a different jurisdiction. This shall be without prejudice to the protection of the mandatory provisions of the law of another Member State of the European Union that would be applicable in the absence of the present paragraph and that would under public order rules and principles have to prevail in Luxembourg.
Any disputes arising from the provision of the Company Services to persons in the European Union shall be submitted to the jurisdiction of the Courts of the district of Luxembourg-City (Grand-Duchy of Luxembourg).