Data Protection Policy

1.Purpose

In connection with its business, the VIGO Law Office processes the personal data of its clients and contacts and uses the results of such data processing.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, also known as the General Data Protection Regulation (hereinafter the “GDPR”) establishes the legal framework applicable to personal data processing. It enhances the rights and reinforces the duties of controllers, processors, data subjects and data recipients.

Article 12 of the GDPR provides that data subjects must be informed of their rights in a concise, transparent, intelligible and easily accessible form.

The purpose of this policy is to comply with the Law Office’s duty to inform and to formally set out the rights of its clients and contacts concerning the processing of their personal data.

2.Definitions

To ensure complete understanding of this policy, the terms below are defined:

– “client(s)”: means any natural or legal person who is a client of the Law Office;

– “contact(s)”: means any natural or legal person who is in contact with the Law Office but who is not a client (prospects, associates, partners, etc.);

– “controller”: means the natural or legal person who determines the purposes and means of the processing of personal data. For the purposes of this policy, the controllers are the partners of the VIGO Law Office.

– “Processor”: means any natural or legal person who processes personal data on behalf of the controller. In practice, these are service providers with whom the VIGO Law Office works and who carry out operations on the personal data it processes;

– “data subjects”: means natural persons who can be identified directly or indirectly. They are referred to herein as “clients” or “contacts”;

– “recipients”: means the natural or legal persons to whom personal data is disclosed. Data recipients may therefore be both internal recipients and external organisations (providers of support services, the courts and legal personnel, professional associations, etc.).

3.Scope

This personal data protection policy applies to the processing of personal data of the clients and contacts of the VIGO Law Office.

It concerns only the processing of “structured” data processing for which the Law Office is responsible. Furthermore, the policy does not concern processing operations by the Law Office’s employees in the course of managing their personal clients.

The processing of personal data may be managed directly by the VIGO Law Office or by a processor it specifically appoints.

This policy is independent of any other document that may apply to the contractual relationship between the Law Office and its clients and contacts, in particular our cookie policy.

4.General principles and commitment

The personal data of our clients and contacts is collected and processed in accordance with the general principles of the GDPR.

Clients and contacts will be informed of any new processing, or of changes to or the cancellation of existing processing, by means of an amendment to this policy.

5.Types of data collected

NON-TECHNICAL DATA (as applicable):

– Identification: last name, first name, title, position
– Contact details: Telephone number, e-mail address, postal address, fax number, etc.
– Bank data if necessary

TECHNICAL DATA (as applicable)

– Identification data (IP)
– Connection data (in particular, logs)
– Consent data (click), mainly for online subscriptions

The VIGO Law Office does not process sensitive data within the meaning of Article 9 of the GDPR, except data within the scope of Article 9.2 f, i.e. data necessary “for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity”.

6.Origins of data

The VIGO Law Office collects client and contact data from:

– data provided by clients in connection with matters entrusted to the Law Office (client file); – business cards;
– registrations or subscriptions on our website;
– exchanges via social networks.

7.Purposes of processing operations

As applicable, the VIGO Law Office will process your data for the following purposes:

– handling matters entrusted to the Law Office;
– managing the client relationship;
– sending our newsletters or all other information materials;
– responding to public or private calls for tender;
– managing applications for associate positions or internships;
– sending of greetings from the Law Office;
– improving our services;
– complying with our administrative obligations;
– compiling statistics.

8.Legal grounds

The purposes of the processing operations described above are derived from the following legal grounds:

Clients: Pre-contractual or contractual performance

Contacts: Legitimate interest and consent when required

9.Data recipients

The Law Office ensures that the data can be accessed only by authorised internal or external data recipients, in compliance with professional confidentiality rules.

Internal recipients:

– Lawyers
– Non-lawyer staff
– Interns
– Communications Department
– IT Department

External recipients:

– Service providers or providers of support services (e.g. translation services, IT service provider, photocopying, etc.);
– Courts, legal personnel, colleagues, experts, trustees, bailiffs, investigators, etc.
– Professional associations
– Government agencies

10.Retention period

The Law Office determines the data retention period on the basis of its legal and contractual obligations. This duration is set in accordance with its retention period policy.

When the time periods set in said policy expire, the data will be either deleted or stored after having been anonymised.

Clients and contacts should note that deletion and anonymisation are irreversible processes and that thereafter the Law Office will be unable to restore the data.

11.Right of access (right to a copy of data)

Clients and contacts are traditionally entitled to request that the Law Office confirm whether their data is processed or not.

Clients and contacts also have a right of access, provided the following requirements are met:

– the request is made by the person himself/herself and is accompanied by a copy of an up-to-date identity document;
– the request is submitted in writing to the following address: VIGO Law Office, 9 rue Boissy d’Anglas, 75008 Paris, or to the following e-mail address: RGPD@vigo-avocats.com

Clients and contacts are entitled to request a copy of their personal data that is processed by the Law Office. However, if an additional copy is requested, the Law Office may require clients and contacts to pay the cost thereof.

If clients and contacts submit their request for a copy of their data electronically, the information requested will be provided to them  in a commonly used electronic form, unless otherwise requested.

Clients and contacts are informed that this right of access does not apply to information or data that is confidential or whose disclosure is prohibited by law. This right shall under no circumstances grant access to documents and records entrusted to the Law Office and that are subject to professional confidentiality.

The right of access must not be abused.

12.Updates – Revision and rectification

This right can be exercised through your usual contact or, alternatively, through the team in charge, which may be reached at RGPD@vigo-avocats.com.

To regularly update the personal data it collects, the Law Office may contact its clients and contacts, who will thus have an opportunity to comply with its requests.

The Law Office cannot be held responsible for not revising the data if the client or contact does not update their data.

13.Right to erasure

Clients and contacts may request the erasure of their data in the following cases:

– if the personal data is no longer necessary for the purposes for which it was collected or otherwise processed; – if the data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing;

– if the data subject objects to processing that is necessary for the purposes of the legitimate interests pursued by the Law Office and there are no overriding legitimate grounds for the processing;

– if the data subject objects to the processing of their personal data for direct marketing purposes, including profiling;

– if the personal data has been processed unlawfully.

The right to erasure held by clients and contacts does not apply in cases where the processing is carried out to comply with a legal obligation.

14.Right to restriction of processing

Clients and contacts are informed that this right is inapplicable because the processing carried out by the Law Office is lawful and all personal data collected is necessary to perform the commercial contract.

15.Right to data portability

The Law Office will comply with the right to data portability in the specific case of data communicated by clients or contacts themselves on the online services the Law Office offers and for purposes based solely on the consent of individuals. In this case, the data will be provided in a structured, commonly used and machine-readable format.

16.Automated individual decision-making

The Law Office does not make automated individual decisions.

17.Post-mortem rights

Clients and contacts are informed that they have the right to provide instructions concerning the retention, erasure and disclosure of their data after their death. Specific post-mortem instructions may be provided and this right may be exercised by e-mail: RGPD@vigo-avocats.com or by post at the following address: VIGO Law Office, 9 rue Boissy d’Anglas, 75008 Paris, together with a signed copy of an identity document.

18.Proof of identity

You are hereby informed that, in accordance with the personal data protection laws, all of the above rights of clients or contacts are individual rights which can only be exercised by data subjects in relation to their own information. To comply with this obligation, we will verify the identity of data subjects.

19.Right of use

Clients and contacts grant the Law Office the right to use and process their personal data for the purposes described above.

However, enhanced data that is the result of the Law Office’s processing and analysis work (“enhanced data”) is its sole property (use analysis, statistics, etc.).

20.Processors

The Law Office informs its clients and contacts that it may appoint any processor of its choice for the purpose of processing their personal data.

In such case, the Law Office will ensure the processor complies with its obligations under the GDPR.

The Law Office undertakes to sign a written contract with all its processors and will impose on the processors the same data protection obligations that apply to it. Moreover, the Law Office reserves the right to audit its processors to ensure they comply with the provisions of the GDPR.

21Security

The Law Office is responsible for defining and implementing the technical, physical and logical security measures it deems appropriate to prevent the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of data.

These measures include primarily:

– the use of security measures to access premises (locking offices, badges, etc.);– securing access to our computer workstations and smartphones (access codes changed regularly);– login and password for all our business applications;– managing authorisations to access data (in particular for our financial, accounting and communication departments).

For these purposes, the Law Office may be assisted by any third party of its choice to carry out vulnerability audits or intrusion tests as frequently as it deems necessary.

In any event, if the means intended to ensure the security and confidentiality of personal data changes, the Law Office undertakes to replace them with means providing superior performance. No change shall lead to a regression in the level of security.

If some or all of the processing of personal data is outsourced, the Law Office undertakes to contractually require its processors to provide security guarantees by implementing technical measures to protect such data, as well as the appropriate human resources.

22.Data breaches

In the event of a personal data breach, the Law Office will notify the CNIL (the French Data Protection Agency) in accordance with the requirements of the GDPR.

If the breach places clients and contacts at high risk and the data has not been protected, the Law Office will:

– notify the relevant clients and contacts;
– provide the relevant clients and contacts with the necessary information and recommendations.

23.Register of processing operations

The Law Office is not required to keep a register of processing operations.

24.Right to lodge a complaint with the CNIL

Clients and contacts concerned by the processing of their personal data are informed that they have a right to lodge a complaint with a supervisory authority, i.e. the CNIL in France, if they believe that the processing of their personal data is not in compliance with the European data protection regulation, at the following address:

CNIL – Service des plaintes (Complaints Department)
3 place de Fontenoy – TSA 80715 – 75334 Paris Cedex 07
Tel.: 01 53 73 22 22

25.Amendments

This policy may be amended or revised at any time in the event of changes in the law, case law, the decisions and recommendations of the CNIL or industry practice.

Clients and contacts will be informed of any new version of this policy by any means at the Law Office’s discretion, including electronic means (e.g. distribution by e-mail or online).

26.For additional information:

For additional information, please write to our contact person at the following e-mail address: RGPD@vigo-avocats.com

For more general information on personal data protection data, you can visit the CNIL website: www.cnil.fr.