Privacy Policy

EURAALEX LAW FIRM is a Luxembourg law firm registered with and regulated by the Luxembourg Bar Association (“Ordre des Avocats du Barreau de Luxembourg”) having its registered office at L-1946 Luxembourg, 20 rue Louvigny (the “Law Firm”, “we” or “us”), which is committed to compliance with all relevant EU and Member State laws in respect of personal data, and the protection of the “rights and freedoms” of individuals whose information we collect and process in accordance with the General Data Protection Regulation 2016 (GDPR).

The GDPR replaces the EU Data Protection Directive of 1995 and supersedes the laws of individual Member States that were developed in compliance with the Data Protection Directive 95/46/EC. Its purpose is to protect the “rights and freedoms” of natural persons (i.e., living individuals) and to ensure that personal data is not processed without their knowledge, and, wherever possible, that it is processed with their consent.

This privacy policy aims at informing you of the type of personal information (“personal data”) we collect and receive, how we process it, the legal basis for doing so, when we transfer it to others, as the case may be, and your rights as Data Subjects in that respect, as well as the way to exercise such rights.

Policy statement

	Compliance with the GDPR is described by this policy (the “Policy”) and other relevant policies such as the Website Policies, Privacy Notice along with internal connected processes and procedures.
	The general principles stated in this Policy apply to all of our personal data processing functions, including those performed on clients’, employees’, suppliers’ and partners’ personal data, and any other personal data the organisation processes from any source.
	The Law Firm has established objectives for data protection and privacy, which are in the GDPR register of processing.
	The Lawyer is a data controller and/or data processor under the GDPR. The Lawyer is responsible for reviewing the GDPR register of processing annually in the light of any changes to our activities (as determined by changes to the data inventory register and the management review) and to any additional requirements identified by means of data protection impact assessments. Please note that this register needs to be available on the supervisory authority’s request.
	Any breach of the GDPR or this Policy will be dealt with under our disciplinary policy and may also be a criminal offence, in which case the matter will be reported as soon as possible to the appropriate authorities.
	Any third parties and partners working with or for us, and who have or may have access to personal data controlled or processed by us, will be expected to have read, understood and to comply with this policy. No third party may access personal data held by us without having first entered into a data processing agreement which imposes on the third-party obligations no less onerous than those to which we are committed, and which gives us the right to audit compliance with the agreement.

Definitions

Clients – the natural persons acting in their own right or representing, or working for or on behalf of, any entity, company or undertaking (irrespective of form or jurisdiction and including any entity which forms part of the group of companies to which the client or prospect belongs) to whom the Lawyer provides or is likely to provide legal services (irrespective of whether done for remuneration or on pro-bono basis).

Data controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data subject – any living individual who is the subject of personal data held by an organisation.

Data subject consent - means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.

Filing system – any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.

Personal data – any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data breach – a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. There is an obligation on the controller to report personal data breaches to the supervisory authority and where the breach is likely to adversely affect the personal data or privacy of the data subject.

Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Profiling – is any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyse or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behaviour. This definition is linked to the right of the data subject to object to profiling and a right to be informed about the existence of profiling, of measures based on profiling and the envisaged effects of profiling on the individual.

Prospect – means natural persons acting in their own right or representing, or working for or on behalf of, any undertaking (irrespective of form or jurisdiction and including any entity which forms part of the group of companies to which the client or prospect belongs) to whom are likely to provide services (irrespective of whether done on a pro-bono basis or for remuneration)

Special categories of personal data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Third-party – a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Privacy policy

1.1 Who are we?

EURAALEX LAW FIRM is a Luxembourg law firm registered with and regulated by the Luxembourg Bar Association (“Ordre des Avocats du Barreau de Luxembourg”) having its registered office at L-1946 Luxembourg, 20 rue Louvigny (the “Law Firm”, “we” or “us”), whose founding partners, Jackye Elombo and Shaohui Zhang are attorney-at-law (“avocat à la Cour”) admitted to and registered with the Luxembourg Bar Association (List I).

The Law Firm is primarily engaged by corporate entities and as such these entities are not data subjects. However, as part of such instructions personal information may be provided to us (e.g., personal information relating to any of our corporate clients; or prospective clients; officers or personnel, any opponent or vendor or purchaser or personal information relating to their legal advisors or personnel, as relevant or similar). If you are an individual whose personal information is processed by us as a result of providing legal services (including individual and corporate clients) we will process a variety of different personal information depending on the legal services provided. Our data protection representatives can be contacted directly here:

• privacy@euraalex.com

• or +352 27 76 81 42

All employees/staff, contractors, partners of the Law Firm who interact with Data Subjects are responsible for ensuring that this Policy is drawn to Data Subject’s attention and their consent to the processing of their data is secured.

1.2 Which Personal Information do we collect?

We collect, receive and otherwise process personal data (i.e., any information related to living individuals) about existing and former clients, prospects, counterparties, adverse parties, lawyers, advisers, service providers, suppliers, regulators, public authorities, and other persons including (when any of the latter are not natural persons) their respective representatives, members, staff members and agents, whether or not we have a contractual relationship with any of them or the entity they represent or work for (the “data subjects”).

This may include personal data relating, without limitation, to any of our corporate clients or prospective clients; officers or personnel, any opponent or vendor or purchaser personal data including personal data relating to their legal advisors, other advisors or personnel as relevant or similar.

More specifically, the personal data we may collect from/process on you are:

Identification Data: such as name, surname, marital status, date of birth, national identiﬁcation number, ID or passport number, photo, gender, social media account, copy of ID card or passport, pictures taken during events we organise or attend, telephone recordings,
Business contacts Data: such as current and former directors, employees, ofﬁcers, committee members, advisors board members, members of managing bodies, interns, secondees, direct and indirect shareholders, ultimate beneﬁcial owners, members, investors, partners of or other persons having an interest (either economically or otherwise) in the legal person concerned, competitors, service providers, own clients and customers, afﬁliated companies, investors, investment partners, shareholders, and, as the case may be, counterparties, adverse parties and their representatives identification data,
Contact Data: such as email address, telephone number, billing address and related billing information, …
Financial Data: such as bank account number, payment card details, details about payments to and from the Data Subject, tax & VAT number, allowances, aids, subsidies, participation in a stock option plan, shareholdings, ownership of all types of assets, pension scheme, details of exit, payments received and made, options,
Technical Data: such as information collected when visiting its website, IP address, browser type and version, time zone setting and location, subscription to our newsletter via our website, cookies, connection times to our website and more generally information about use of our website, use of our WIFI,
Professional Data: such as education, job title and positions (including any board membership) and professional experience, preferred language, Curriculum Vitae, seniority, areas of practice, hourly rates, publications, performance appraisal, pension scheme, stock option plan, shareholding, relationships with business partners, contact details of secretary, personal assistants and associates, …

Given the nature of our business and our related activities, it is difﬁcult to provide an exhaustive description of all the personal data we process. This list is therefore non-exhaustive.

Disclosure and Obtention of Personal data

We may also collect, receive and obtain personal data in paper form or through electronic means from one or more sources, in particular:

upon direct contact: i.e., when you contact the Law firm as data subject or indirectly through persons you instruct to contact us in your name and/or on your behalf or when you provide us with your contact details, we will obtain the personal information from you (e.g., request for services, attendance to events. We expect you to inform us in writing and without undue delay of changes in the information you provided to us or others about you, so that we can keep it up to date.
Through third parties: e.g., clients, prospects, counterparties, adverse parties, lawyers, advisers, service providers, suppliers, regulators, public authorities, whether or not we have a contractual relationship with any of them or the entity they represent or work for. This includes anyone with whom we have a business relationship. Personal data will comprise any information such third parties provide us with in relation to the subject matter, such as documents regarding the legal matters for which our advice is requested or which have to be shared with us in the context of a transaction (including physical or virtual data rooms), advice, legal analysis or (potential or actual) litigation.
From public sources: i.e., public authorities (e.g., social security, ministries and governmental departments), public registers (such as trade registers and intellectual property registers, sanctions lists), social media, subscription-based services or databases (such as World-Check) or other publicly available sources (internet, brochures, directories etc).

Personal data must be disposed of securely in accordance with the sixth principle of the GDPR – processed in an appropriate manner to maintain security, thereby protecting the “rights and freedoms” of data subjects. We cannot always control the extent of personal data that is provided or made accessible to us by you and third parties. Files, documents, agreements and correspondence (without limitation as to the type of support) that are provided to us may contain personal data that we have not speciﬁcally requested or do not need for the intended purpose. In addition, and as a result of our legal and regulatory obligation to keep such data, we will nevertheless store such personal data in our electronic information system or paper form ﬁles. We may also have access to data rooms comprising personal data that is not all relevant to us.

Consequently, you should not provide us with documents, agreements, correspondences and information which is not relevant for the intended purpose unless personal data contained therein is redacted, removed, pseudonymised, anonymised or otherwise made unavailable to us prior to providing us (including by way of remote access) with the latter. If you provide us with personal information not relating to you (e.g., information about your respective representatives, staff members and agents, beneﬁcial owners, shareholders, etc. or about any third party), you must ﬁrst inform them about this fact and make sure they acknowledge that we can use such information as set out in this privacy policy. In particular, you must provide them with the information relating to their rights as data subjects.

We will assume that you and anyone who is providing us with personal data is doing so in compliance with laws and in particular with the applicable data protection legislation. We also assume that third parties are informed of the processing of any personal information relating to them that we may carry out and of the disclosure of the same to third parties and countries as described herein and that, as far as necessary, you obtained these data subjects’ prior written consent.

1.3 For which purpose do we collect Personal Data and our legal basis to use or process?

The personal data we collect will be used for the following purposes:

Performance of services: It is necessary for us to use your personal data to perform legal services in accordance with any contract that we may have with you or for requested precontractual steps, especially to improve, develop our services. We collect and process personal data to carry out requests made by you in relation to our legal services as agreed by way of an engagement letter, special terms or any other means and, where relevant, provision of the related services. It may as well be in our legitimate interest or a third party's legitimate interest to use your personal data in such a way to ensure that we provide the very best client service we can to you or others. Please note also that our Terms and Conditions apply when we provide legal services.
Recruitment and Staff: to fulfil contractual obligation, ensure compliance with national labour law; process salaries, including income tax withheld at source and social security contributions (relevant data is shared with our payroll services provider and the appointed auditor). Where we use your personal data in connection with recruitment it will be in connection with us taking steps at your request to enter a contract, we may have with you or it is in our legitimate interest to use personal data in such a way to ensure that we can make the best recruitment decisions for the Law Firm.
Business administration and legal compliance: To comply with our legal and regulatory obligation we use your personal data to comply with any legal obligations imposed upon us, e.g., verifying of your identity (including any Anti-Money Laundering and Know Your Customer duties or Anti-Bribery, conflicts or similar obligations), prevent fraud and comply with the professional rules set out by the Luxembourg Bar Association, noting that clients’ names, dates and places of birth, nationality, ID/passport numbers and professional/residential addresses are required by law.

We may also collect, receive and process data related to public and/or professional positions held, and or political opinions, membership of trade unions or similar groups, as part of our Anti-Money Laundering and customer identiﬁcation (AML - Know Your Customer – “KYC”) duties and/or when performing certain types of legal assignments/mandates as requested from us.

We may process personal data when it is necessary for our or a third party’s legitimate interests (as listed here) and where your interests do not override these interests, in particular in order to:

Conduct internal or external audits
Ensure the maintenance of our IT systems or repairing any IT defects or failures, securing communication channels and IT systems
Organise marketing activities and commercial communications, such as the distribution of newsletters, newsﬂashes and brochures or invitations to seminars and events. Please note that Data Subjects have the right to object at any time to such processing by unsubscribing or contacting the data ofﬁcer at privacy@euraalex.com
Organise meetings, seminars and events, for which we may process information about your dietary requirements, hobbies and family (e.g. to adapt our invitations to your interests)
Connect and communicate through social media
Improve our marketing activities and communication, including through our website by monitoring its use.

We neither collect nor process sensitive personal data such as genetic, biometric and health data, as well as personal data revealing racial and ethnic origin, political opinions, religious or ideological convictions or trade union membership, unless we process sensitive data for the purpose of complying with a legal obligation, or to perform legal services in accordance with any contract that we may have with you. Sensitive data directly received from the Data Subject is considered to have been received with the consent to use it in relation to the legal services requested from us. Where we receive sensitive information about a Data Subject from a third-party, we assume that the third-party lawfully processes such sensitive data.

1.4 Consent

Consent is required for us to process both types of personal data collection and processing, but it must be explicitly given. We may request your consent to process personal data about you for certain speciﬁc purposes or in certain speciﬁc circumstances. Where we are asking you for sensitive personal data, we will always tell you why and how the information will be used.

We understand “consent” to mean that it has been explicitly and freely given, and a specific, informed and unambiguous indication of the Data Subject’s wishes that, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

By consenting to this Privacy Policy you are giving us permission to process your personal data specifically for the purposes identified, and more specifically to process such personal data and to disclose such data for defending your interests, for communication with other lawyers involved or to be involved in the matter for which you request our services or on the basis of your consent.

Data Subjects can withdraw their consent at any time. In cases where we process personal data on the basis of your consent, you may withdraw your consent at any time, without this affecting the processing carried out before such withdrawal and without prejudice to any retention or processing that may be required from us by law.

You may withdraw consent by sending an email to our privacy officer at privacy@euraalex.com, clearly specifying that you are withdrawing your consent to process your personal data.

1.5 How long do we keep your personal data for?

We will retain relevant personal data as long as necessary for the implementation of the purposes described in this Privacy Policy and as long as we are required to do so according to our regulatory obligations, professional indemnity obligations or where required for us to assert or defend against legal claims, until the end of the relevant retention period or until the claims in question have been settled.

We shall not keep personal data in a form that permits identification of Data Subjects for a longer period than is necessary, in relation to the purpose(s) for which the data was originally collected. We may then destroy such files without further notice or liability.

We will keep personal data as long as necessary for satisfying the purposes for which it was collected, subject always to the legal periods of limitation and to the situations where the applicable laws require or allow that the personal data is retained for a certain period of time after the termination of the contractual or commercial relationship, such as:

the legal obligation to keep accounting documents for a period of 10 years after the end of the accounting period to which they relate;
the time-limit for court action providing for attorney’s discharge of liability (including the keeping of documents received from clients) 5 year after termination of the assignment, justifying that we keep documents relating to our mandates for that period;
the contractual limitation of liability with respect to clients' mandates after 10 years as from the termination of the relevant contractual relationship, justifying that we keep documents relating to our mandates for that period;
the obligation to keep identiﬁcation documentation for a period of 10 years as from the termination of the relevant contractual relationship.

We may also keep and process personal data after the termination of our contractual and commercial relationship for speciﬁc purposes such as the compliance with legal and regulatory obligations or the establishment, exercise or defence of legal claims.

We may store data for longer periods if the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the implementation of appropriate technical and organisational measures to safeguard the rights and freedoms of the data subject.

1.6 Who do we share your personal information with?

Your personal data may be shared and processed by any member of the Law Firm, located in Luxembourg.

We will not pass on your personal data to third parties without first obtaining your consent.

The following third parties will receive your personal data for the following purpose(s) as part of the processing activities:

our lawyers (including partners, counsel, associates, trainees, secondees), employees, service providers, agents, external consultants or other persons acting on our behalf (in Luxembourg and abroad, including when we travel abroad (including outside of the EU/EEA)) within the limits of their function or assignments;
our information technology service providers and consultants located in Luxembourg for hosting, back-up, and maintenance IT security and IT support purposes;
external entities such as accountants, advisers, auditors or ﬁduciary ﬁrms and other service providers or other third parties related to our clients (in Luxembourg or abroad);
our relevant clients in the course of providing services to them;
client’s partners, e.g., co-investors, co-shareholders, investment partners and directors, employees, ofﬁcers, direct and indirect shareholders, ultimate beneﬁcial owners, members of our client or any such other entity or persons (in Luxembourg or abroad) to whom our client directs or allows us to disclose personal information;
lawyers, authorised employees, agents or other persons acting on behalf of correspondent law ﬁrms or counterpart law ﬁrms (in Luxembourg or abroad);
third parties (in Luxembourg or abroad) with respect to a transaction, advice or project, including administrative, regulatory, governmental or judicial bodies, lawyers and any other third-party adviser or service provider of our clients and related persons, notaries public, bailiffs, courts;
public authorities, i.e., administrative, regulatory, governmental or judicial bodies in Luxembourg or abroad as may be required by the laws of any jurisdiction applicable to us;
third-party service providers who assist us in organising seminars and events and who host such events;
third parties, on a conﬁdential basis, for the purposes of collecting your feedback on our services (including legal directories).

Depending on the nature and scope of our assignment, mandate or the services requested from us and in relation to our marketing activities, we may transfer personal data abroad to the extent that such transmission is deemed reasonably necessary or desirable for satisfying the purposes mentioned in section 1.3 above, including outside of the European Union/European Economic Area, in countries not recognised by the European Commission as having an adequate level of protection for personal data.

Personal data may be sent to, or accessed from, any country where:

it is necessary or useful in the context of our services;
we travel (since we can access our ﬁles remotely through mobile devices or using a secure virtual private network);
we have a law ﬁrm with whom we work in exclusive association.

We may also share personal data with a variety of the following categories of third parties as necessary, such as:

Third parties engaged in the course of the services we provide to clients such as notaries, bailiffs, clerks, court, opposing party and their lawyers, experts such as tax advisors or claim valuers.
Third parties to whom we outsource certain services such as, without limitation, translation services, IT systems or software providers, IT Support service providers, document and information storage providers.
Government or regulatory authorities.
Regulators/tax authorities/corporate registries.
Our professional advisers such as lawyers and accountants.
Insurers.
Third party service providers to assist us with client insight analytics, such as Google Analytics.
Third party postal or courier providers who assist us in delivering documents related to a matter.

We will conduct an appropriate level of due diligence and put in place contractual documentation in relation to any sub-contractor we may appoint to ensure that they process personal data appropriately and according to our legal and regulatory obligations.

1.7 What Are Your rights as a data subject?

Data subjects have the following rights regarding data processing, and the data that is recorded about them:

To make subject access requests regarding the nature of information held and to whom it has been disclosed.
To prevent processing likely to cause damage or distress.
To prevent processing for purposes of direct marketing.
To be informed about the mechanics of automated decision-taking process that will significantly affect them.
To not have significant decisions that will affect them taken solely by automated process.
To sue for compensation if they suffer damage by any contravention of the GDPR.
To take action to rectify, block, erased, including the right to be forgotten, or destroy inaccurate data.
To request the supervisory authority to assess whether any provision of the GDPR has been contravened.
To have personal data provided to them in a structured, commonly used and machine-readable format, and the right to have that data transmitted to another controller.
To object to any automated profiling that is occurring without consent.

At any point while we are in possession of or processing your personal data, you, the Data Subject, have the following rights:

Right of access – you have the right to request a copy of the information that we hold about you.
Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
Right to data portability – you have the right to have the data we hold about you transferred to another organisation.
Right to object – you have the right to object to certain types of processing such as direct marketing.
Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
Right to judicial review: in the event that the Law Firm refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined below.

All of the above requests will be forwarded on should there be a third-party involved (as stated in 1.6. above) in the processing of your personal data.

In the event that you wish to make a complaint about how your personal data is being processed by the Law Firm (or third parties as described in 3.2.3 above), or how your complaint has been handled, you have the right to lodge a complaint directly with the Supervisory Authority and our data protection representative.

The details for each of these contacts are:

	Supervisory authority contact details	The controller contact details
Contact Name:	Commission Nationale pour la protection des données (CNPD)	EURAALEX LAW FIRM
Address line 1:	1, avenue du Rock’n’roll	20, rue Louvigny
Address line 2:	L-4361 Esch-sur-Alzette	L-1946 Luxembourg
Address line 3:		LUXEMBOURG
Website/email:	https://cnpd.public.lu/en.html	privacy@euraalex.com
Telephone:	(+352) 26 10 60-1	(+352)-27 76 81 42

Changes to this Privacy Notice

We may update this Privacy Policy from time to time to comply with applicable privacy laws or regulatory requirements, to ensure that you are always aware of how we use your personal information and to reflect any changes to our use of your personal information. In case of any such changes, we will post the changed Privacy Policy on our website or publish it otherwise.