Privacy Statement

1. For what processing activities do we use personal data?

In the context of our legal services, we process personal data in various ways. We’ve categorized our processing activities as follows:

• Interacting via our website and social media;
• Providing services to our clients;
• Obtaining services from our suppliers;
• Searching and assessing new talent.

2. About whom do we process personal data?

In the context of our legal services, we process personal about the following categories of individuals:

• Website visitors and social media contacts: visitors of our website www.thedatalawyers.com and contacts of our social media profiles;
• Clients: (contact persons of) our (potential) clients that engage our services;
• Suppliers: (contact persons of) our suppliers that we engage for our services;
• Job applicants: job applicants or persons we think might be suitable to work at The Data Lawyers.

We may also process personal data about other persons about whom we obtain personal data in the context of our services, such as business contacts of our clients and other attorneys. We only process personal data about these persons on an incidental basis.

We – The Data Lawyers B.V. – are responsible for the processing of personal data about the persons set out under Nos. 1-5 above. Although other parties may also process personal data about these categories of persons, we are independently responsible for our processing of their personal data in the context of our services.

3. How do we use your personal data?

Below, we have specified per processing activity, for which purposes we generally use personal data and what data is concerned.

Interacting via our website and social media

Providing services to our clients

Obtaining services from our suppliers

Searching and assessing new talent

4. What is our legal ground for processing your personal data?

Below, we have specified per processing activity, on which legal ground we base our processing.

Interacting via our website and social media

• Legitimate interests. When you visit our website, we will process some personal data about you based on our legitimate interests involved with this, or the legitimate interests of a third party. The same applies if we are in contact via social media or if we can view your social media profile because it is set to ‘public’ or because we are indirectly connected. Our legitimate interests are to achieve the purposes mentioned in the previous section (‘How do we use your personal data?’). For example, we may place certain cookies for which we do not require your consent for the proper functioning of our website and process your IP-address.
  We only process personal data based on our legitimate interests for as far as such processing is necessary to achieve our purposes. We do not use more data than necessary. Furthermore, we make a balance of interests on a case-by-case basis. Only if the legitimate interests prevail over your privacy interests or other interests or fundamental rights, will we base our processing on this legal ground. You can contact us for more information on the legitimate interests in relation to a specific processing operation.
• Legal obligation. Under circumstances, we will process personal data not for purposes as established by ourselves, but to comply with applicable legal or regulatory requirements. In the context of our website and social media usage, this legal ground will not likely be applicable. However, under exceptional circumstances it could for example apply if a competent supervisory authority has started an investigation and we are required by law to provide information about you which we obtained via our website our social media usage.
• Consent. In principle, in the context of our website and social media usage, we do not process personal data about you based on your consent. However, it may be that in a specific instance we do require your consent. In that case, you will be informed about this separately.

For more information on how we use your information when you visit our website, please be referred to our Cookie Policy.

Providing services to our clients

• Performance of a contract. In the context of the legal services we provide to our clients, we process some personal data about (contact persons of) our (prospective) clients, based on the performance of a contract with such client. For example, we will process the contract details for execution of the contract.
• Legitimate interests. In the context of the legal services we provide to our clients, we will process some personal data about (contact persons of) our clients based on our legitimate interests involved with this, or the legitimate interests of a third party. Our legitimate interests are to achieve the purposes mentioned in the previous section (‘How do we use your personal data?’). For example, we may process your contact details before we concluded an agreement, to be able to contact you. We only process personal data based on our legitimate interests for as far as such processing is necessary to achieve our purposes. We do not use more data than necessary. Furthermore, we make a balance of interests on a case-by-case basis. Only if the legitimate interests prevail over your privacy interests or other interests or fundamental rights, will we base our processing on this legal ground. You can contact us for more information on the legitimate interests in relation to a specific processing operation.
• Legal obligation. Under circumstances, we will process personal data not for purposes as established by ourselves or the party on whose behalf we process the data, but to comply with applicable legal or regulatory requirements. A common example is when we need to retain certain data longer than necessary for our processing purpose, to apply with a minimum retention obligation.
• Consent. In principle, in the context of the legal services we provide to our clients, we do not process personal data about you based on your consent. However, it may be that in a specific instance we do require your consent. In that case, you will be informed about this separately.

Obtaining services from our suppliers

• Performance of a contract. In the context of obtaining services from our suppliers, we may process some personal data about (contact persons of) our suppliers, based on the performance of a contract with such party. For example, we will process the contract details themselves for execution of the contract (i.e. payment).
• Legitimate interests. In the context of obtaining services from our suppliers, we will process some personal data about (contact persons of) our suppliers based on our legitimate interests involved with this, or the legitimate interests of a third party. Our legitimate interests are to achieve the purposes mentioned in the previous section (‘How do we use your personal data?’).
  For example, we may process your contact details before we concluded an agreement, to be able to contact you. We only process personal data based on our legitimate interests for as far as such processing is necessary to achieve our purposes. We do not use more data than necessary. Furthermore, we make a balance of interests on a case-by-case basis. Only if the legitimate interests prevail over your privacy interests or other interests or fundamental rights, will we base our processing on this legal ground. You can contact us for more information on the legitimate interests in relation to a specific processing operation.
• Legal obligation. Under circumstances, we will process personal data not for purposes as established by ourselves or the party on whose behalf we process the data, but to comply with applicable legal or regulatory requirements. A common example is when we need to retain certain data longer than necessary for our processing purpose, to apply with a minimum retention obligation.
• Consent. In principle, in the context of obtaining services from our clients, we do not process personal data about you based on your consent. However, it may be that in a specific instance we do require your consent. In that case, you will be informed about this separately.

Searching and assessing new talent

• Legitimate interests. When we search for new talent or if you’ve applied for a position with us, we will process some personal data about you based on our legitimate interests involved with this. Our legitimate interests are to achieve the purposes mentioned in the previous section (‘How do we use your personal data?’). For example, we may view your profile on LinkedIn. We only process personal data based on our legitimate interests for as far as such processing is necessary to achieve our purposes. We do not use more data than necessary. Furthermore, we make a balance of interests on a case-by-case basis. Only if the legitimate interests prevail over your privacy interests or other interests or fundamental rights, will we base our processing on this legal ground. You can contact us for more information on the legitimate interests in relation to a specific processing operation.
• Consent. In the context of searching and assessing new talent, we may also process some personal data about new talent based on their consent. This means that we will not process such information for the related purposes if you do not provide your consent for this. For example, we will only verify your references with your consent.
• Legal obligation. Under circumstances, we will process personal data not for purposes as established by ourselves, but to comply with applicable legal or regulatory requirements. In the context of searching and assessing new talent, this legal ground will not likely be applicable. However, under exceptional circumstances it could for example apply if a competent supervisory authority has started an investigation and we are required by law to provide information about you which we obtained during your application for a position with us.

5. How do we obtain your personal data?

Means of collection

• Provided by you. We use information you have actively provided to us. For example, if you contact us to obtain information about our services.
• Automatically retrieved. We obtain some information about you in an automated manner. When you visit our website for example, we automatically obtain information about you via cookies. For more information on this, please see our Cookie Policy.
• Third-party sources. We also obtain information about you from third parties. For example, we may request information about you or your company from public sources, such as the Trade Register of the Chamber of Commerce, or professional social media platforms like LinkedIn.
• Derived. We may perform analysis on personal data about you. The resulting data can also qualify as personal data. For example, we may analyze which webpages on our website are visited most frequently.

Required provision

It may be that providing certain personal data to us is a statutory or contractual requirement, a requirement necessary to enter into a contract, or that you are otherwise obliged to provide the data to us. If that is the case, we will inform you thereof separately if this is not evidently clear. In such case we will also explain the possible consequences if you fail to provide the personal data to us.

6. With whom do we share your personal data?

Conditions for sharing your data

We only share your personal data with trusted third parties if they require this for the provision of their services. Furthermore, they need to confirm that they comply with the applicable privacy legislation. This means for instance that such third party needs to put adequate security measures in place; and that where applicable, transfer of the data complies with the legitimization requirements for cross border transfer.

Parties with whom we may share your data

We only share your personal data on a strictly need-to-know basis. “Need-to-know” means that a party will only gain access to your personal data if and for as far as necessary for the activities of such party. We share your personal data with the below parties.

• Authorized persons working for us, involved with the processing;
• Authorized persons working for one of our suppliers (incl. subcontractors or service providers), involved with the processing, such as hosting and payment providers;
• Authorized persons working for the client that has engaged our services;
• Authorized persons working for competent authorities, where legally required, such as supervisory authorities, enforcement agencies and courts.

7. How do we secure your personal data?

We take appropriate security measures to protect your personal data and to prevent misuse, loss or alteration thereof. These comprise technical measures (e.g. logical and physical security) as well as organizational measures (e.g. promote privacy and security awareness among employees). Furthermore, the persons involved are bound by appropriate confidentiality obligations and must abide by our instructions aimed at the adequate protection of your data.

8. Do we transfer your personal data to other countries?

Transfer in general

Parties involved with processing your personal data may be located outside of your jurisdiction. Depending on where these parties are located, this may involve transferring your data to countries outside the European Economic Area (EEA). See this link for an overview of countries outside the EEA.

Transfer outside the EEA

Transfers of your personal data to a country outside the EEA may in the first place be legitimized on the basis of a so-called adequacy decision. This is a decision in which the European Commission states that e.g. a certain country offers a level of data protection similar to the General Data Protection Regulation ((EU) 2016/679; GDPR). See this link for the current list of adequacy decisions.

If and insofar as we share personal data with parties in countries outside the EEA to which no adequacy decision applies, we will agree with these parties to data protection provisions for transfer set by the European Commission, so-called standard contractual clauses.

Please contact us if you would like to obtain additional information on the transfer of your personal data outside of the EEA.

9. For how long do we store your personal data?

Main rule

In principle, we do not store your personal data any longer than is strictly necessary for the purposes for which we process your personal data. For example, we erase data on job applicants four weeks after the end of the selection procedure, unless the applicant is employed by us or consents to an extended retention period of one year. In some cases, the period we require your personal data for our processing purposes, is determined by a professional body to which we are subject. For example, in conformity with the recommendation of the Dutch Bar Association we retain the files we have handled for a period of twenty years.

We apply (longer) standard retention periods if this is required to comply with minimum statutory retention periods. For example, data required for our bookkeeping is retained for seven years.

Exception: shorter retention period

If you or another person successfully exercises one of your privacy rights, it can be that the relevant personal data may no longer be retained. In such cases, we may process your personal data for a shorter period, than as stated under the ‘main rule’ above. Please be referred to the ‘What are your privacy rights?’ section below, for more information on this.

Exception: longer retention period

In exceptional cases, we may process your personal data longer than as stated under the ‘main rule’ above. This is the case if we need to process your personal data for a longer period in view of:

• A legal procedure;
• The right to freedom of expression and to information;
• A task carried out in the public interest or in the exercise of official authority vested in the controller.

10. What are your privacy rights?

A description of your privacy rights

• Right to withdraw consent. If our processing of your personal data is based on your consent, you have the right to withdraw such consent at any time (see the section ‘What is our legal ground for processing your personal data?’). After you have withdrawn your consent, we may no longer process your personal data for the related purposes.
• Right of access. You have the right to request access to your personal data. This enables you to receive a copy of the personal data we hold about you (but not necessarily the documents themselves). We will then also provide you with further specifics of our processing of your personal data.
• Right of rectification. You have the right to request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected. However, this right is not meant to change any professional impressions, opinions, or conclusions with which you might not agree. In that we may consider adding a transcript of your point of view to the relevant data set.
• Right to erasure. Under certain circumstances, you have the right to request erasure of your personal data. This enables you to ask us to delete or remove personal data where: (i) the personal data are no longer necessary, (ii) you have withdrawn your consent, (iii) you have objected to the processing activities, (iv) the personal data have been unlawfully processed, (v) the personal data have to be erased on the basis of a legal requirement, or (vi) where the personal data have been collected in relation to the offer of information society services.
• Right to object. Under certain circumstances, you have the right to object to processing of your personal data where we are relying on legitimate interests as processing ground (see the section ‘What is our legal ground for processing your personal data?’). Insofar as the processing of your personal data takes place for direct marketing purposes, we will always honor your request. If it concerns processing for other purposes, we will make a new balance of interests and determine whether we have compelling legitimate grounds that override your interests.
• Right to restriction. You have the right to restriction of your personal data if we may not or no longer process the data, or during our assessment of certain other requests of you. Restriction of your personal data means that we will only store the data and no longer process it in any other way, unless: (i) with your consent, (ii) for the establishment, exercise or defense of legal claims, (iii) for the protection of the rights of another natural or legal person, (iv) or for reasons of important public interest.
• Right to data portability. Under certain circumstances, you have the right to data portability, if it concerns processing that is carried out by us by automated means, and only if the processing ground for such processing is your consent or the performance of a contract to which you are a party (see the section ‘What is our legal ground for processing your personal data?’). This right entails that we may provide certain personal data to you or a third party of your choice in a structured, commonly used, machine-readable format.
• Right in relation to automated decision-making. Under certain circumstances, you have the right not to be subject to a decision based solely on automated processing, which significantly impacts you (“which produces legal effects concerning you or similarly significantly affects you”). In this respect, please be informed that when processing your personal data, we do not make use of automated decision-making.
• Right to complaint. In addition to the above-mentioned rights you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work or where the alleged infringement of the GDPR took place. Please be referred to this webpage for an overview of the supervisory authorities and their contact details. However, we would appreciate the chance to deal with your concerns ourselves before you approach the supervisory authority. Therefore, please contact us if you have a complaint on how we handle your personal data, and we can try to solve the issue.

For more information on your privacy rights, please be referred to this webpage of the European Commission (in English) or this webpage of the Dutch Data Protection Authority (in Dutch).

How you can use your privacy rights

The exercise of the abovementioned privacy rights is free of charge and can be carried out by e-mail, post or phone via the contact details displayed below. If requests are manifestly unfounded or excessive, in particular because of the repetitive character, we will either charge you a reasonable fee or refuse to comply with the request. We may also ask for certain additional information from you to help us confirm your identity before we comply with such request.

How we handle privacy right requests

We will provide you with information about the follow-up of your request without undue delay and in principle within one month of receipt of the request. Depending on the complexity of the request and on the number of requests, this period can be extended by another two months. We will notify you of such an extension within one month of receipt of the request. If we will not grand your request, we will inform you of the reasons why, subject to any legal or regulatory restrictions.

11. How can you contact us?

For any questions, comments or requests in relation to our processing of your personal data, you may contact us by post or by e-mail:

• Postal address: Haarlemmerweg 331A, 1051 LH Amsterdam;
• E-mail address: info@thedatalawyers.com;
• Phone number: +31 (0)20 21 01 327.

12. Miscellaneous

Privacy Statements of other parties

Our website contains hyperlinks to websites of other parties and social media buttons. We are not responsible for the content of these websites or the services of the particular social media platform, or the manner in which they process your personal data.

Children

We do not aim our website our services at persons under the age of 16 and do not deliberately process personal data about such minors. If we become aware that we did accidentally process personal data about minors, we will take appropriate actions, such as immediately deleting the data.

Changes to this Privacy Statement

Please know that we may make changes to this Privacy Statement from time to time. Where required, we will inform you of such updates. The current version is always available on our website www.thedatalawyers.com. This Privacy Statement was last amended in May 2020.